
Reporting security incidents

Reporting incidents if you are a member of the University

Please note that if you have a virus or other malware problem, or think that you have such a problem, you should contact the .

Break-ins, attempted break-ins, probes for vulnerabilities and other security incidents in the University of Cambridge should be reported to CamCERT as soon as they are discovered. The preferred method of contact is by email to cert@cam.ac.uk. Mail to this address is monitored frequently during normal working hours and intermittently at other times. You should also contact CamCERT if you think that your password has been obtained by someone else or you suspect that someone has been misusing your email.

CamCERT may pass details of a security incident to JANET-CSIRT for investigation or follow-up, to assist in another investigation, or simply for the records.

Reporting incidents where an intruder is suspected of having broken in to the system

  • The system should be disconnected from the network immediately. This applies across the board, including servers. Remember that the system may well be being used to attack other machines. The computer should not be switched off or restarted because valuable evidence can be lost.
    • If the machine is your responsibility, you should also tell your Institutional Computer Officer as other systems in the institution may also be vulnerable to the attack.
    • If it is not your machine, contact the system manager. Either you or the system manager should also tell the Institutional Computer Officer.
  • Send details to cert@cam.ac.uk. Remember to leave details of:
    • the machine name and/or IP address (number)
    • any information you have about the incident
    • where you can be reached - remembering that the machine has just been disconnected.
  • If the machine is yours and you do not feel that you are competent to investigate the machine yourself, ask your Institutional Computer Officer or CamCERT for advice.

Reporting probes for security vulnerabilities

CamCERT welcomes reports of probes from system managers of machines on the CUDN. Probes, attempted break-ins and actual break-ins should be reported to cert@cam.ac.uk, with an extract from the log including:

  • the name and/or IP address (number) of the probed machine
  • the name and IP address of the attacking machine
  • the port probed
  • the time of the probe
  • an indication whether the machine is NTP synchronised.

Reporting incidents if you are not a member of the University

The Cambridge Computer Emergency Response Team (CamCERT) co-ordinates security matters in the University of Cambridge. If you receive an unwelcome intrusion from a machine in the cam.ac.uk domain, you should email cert@cam.ac.uk as soon as you notice the intrusion, including the following information:

  • the IP address (number) of your machine
  • the IP address of the Cambridge machine
  • the port probed for - please ensure that this is a genuine security threat and not simply normal Internet traffic such as ident (port 113) or packets used by peer-to-peer file-sharing programs especially when your IP address is a dynamic one. In the latter case, the traffic is likely to be legitimate traffic to the machine that was using the address before you.
  • the extract from your logs in a plain text format (note that we cannot read proprietary log formats)
  • the time zone of your logs
  • an indication of whether your logs are NTP synchronised and if not, how far off true time your machine is.