CSIRT.DK (UK)

Danish Computer Security Incident Response Team

Klik her for den danske version

CSIRT handles cases of IT security incidents, of TDC's professional costumers. We helps the costumers with advices and information, to recover to a normal situation, and to secure the system better.

We keep us informed on the latest IT security threats.

Address

CSIRT
TDC
Sletparkvej 3
sp.3-s57
8310 Tranbjerg
Telefon: +45 66659638
Fax: +45 66659639
email: csirt@csirt.dk

You do have an opportunity to send encrypted emails, using PGP. CSIRT uses the following key:
Key Id: 0x70486034
Key Fingerprint: DE9F 1DC8 EDC3 7F32 7BC0 6E46 4C91 73F3 7048 6034

The key can be found on the usual public key servers.

Time Zone:
GMT+1 (Summertime GMT+2)

Our constituency is all ip addresses with route origin AS3292 found in the ripe database, which is not handled by abuse@post.tele.dk
See www.ripe.net whois

Normaly reports are send to our email address csirt@csirt.dk
In most cases, reports will be answered by an autoreply only.

If you wish to report an internet abuse case, then please observe the following guidelines.

Normaly only one ip address per report, where csirt@csirt.dk is found on www.ripe.net whois and not abuse@post.tele.dk

A report should normaly be a txt based email, without attachments. The subject should be the ip address, and casetype as spam, virus, scanning and the like.

If the report is about scanning, and the like, there must be a small cut from a log showing the problem:

• TCP/UDP/ICMP
• Source and destination ports and/or type
• Source and destination ip addresses
• Timestamp and time zone and time accuracy

If the report is about spam or virus, it must contain a copy of the full mailheader. ( All lines with Received: from ... ) from the unwanted email. The header must not be changed in any way.

If it is a report about virus/worm, it is good with information about which virus your system found. The report must not contain any virus attachments.

A report about spam ( unwanted commercial emails ) should contain both the full mailheader, and the body text.

Types of incidents and level of support

The level of support given by CSIRT.DK will vary depending on the type and severity of the incident or issue, the type of constituent, the size of the user community affected, and CSIRT.DK's resources at the time.

Resources will be assigned according to the following priorities, listed in decreasing order:

1. Threats to the physical safety of human beings.
2. Root or system-level attacks on any machine either multi-user or dedicated-purpose.
3. Compromise of restricted confidential service accounts or software installations, in particular those with authorised access to confidential data.
4. Denial of service attacks on any of the above two items.
5. Any of the above at other sites, originating from Tele Danmark customers.
6. Large-scale attacks of any kind, e.g. sniffing attacks, IRC "social engineering" attacks, password cracking attacks and destructive virus outbursts. By large-scale attacks we consider multiple reports from different reporting entities and/or attacks involving several machines and/or services for a single constituent.
7. Compromise of individual user accounts, i.e. unauthorised access to a user or service account.
8. Forgery and misrepresentation, and other security-related violations of local rules and regulations, e.g. Netnews and e-mail forgery, unauthorised use of IRC bots.

Types of incidents other than those mentioned above will be prioritised according to their apparent severity
and extent.