Why every email is important
At first glance, it looked like any one of a thousand other e-mails.
The following is from an e-mail that was forwarded to us after delivery to its original destination bounced:
<snip>
I just wanted to make sure you know that currently most (or all) of the images and navigation on Bastille-linux.org are broken. I appreciate the project and all you do for the info sec community. If there is something I can do for you please let me know.
</snip>
We constantly get reports of sites that are down or somehow "wrong". Quite often it is a localized routing problem, other times a browser rendering issue; when we get a report of a site being down, more often than not there is no malicious activity behind it.
Not this time.
After investigation by ISC Handlers Don Smith and Joel Esler, together with site owner Jay Beale, Jay issued a statement here that began:
"Dear Bastille Linux Users, On the morning of September 11th, 2007, alerted by handlers from the Internet Storm Center, I learned that one Mykhaylo Perebiynis purchased our Bastille Linux domain and is demanding $10,000 to return it to the project. He appears to be in business as a domain squatter."
Please make sure you read the full text of Jay's announcement which includes the PGP fingerprint for the key he will be using to sign any downloads and critical e-mail announcements going forward.
At SANSFIRE this year, one of the comments during the Handlers forum panel discussion was that a reader was reluctant to send in reports that might turn out to be incorrect (because of a routing problem, browser issue, user error, ...) and so "bother us".
Don't be.
This is a perfect example of how something you might think we consider "routine" and unimportant turns out to be (for Jay) a major event.
In incident handling, the sooner the compromise is detected, the sooner it can be contained, eradicated and recovered from. An outside report like this one is often the first signal that anything is wrong at all.
This time, the issue is relatively limited. Next time ...
And in case you're curious, the publicly available WHOIS information for the current (not Jay Beale) domain owner is available here.
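Detection of a registration change like this one does not have to depend on a stranger's e-mail. The following is an added example, not code from the diary or from the Bastille project: it diffs a domain's WHOIS record against a stored baseline and flags changes of registrant, registrar or name servers, plus a lapsed or soon-to-lapse registration. The WHOIS text, the domain and all names in it are constructed for illustration, and the field labels ("Registrant Name", "Name Server", "Registry Expiry Date") are an assumption; real registrars vary.

```python
"""Added example (not part of the ISC diary): detect a change of domain
ownership or name servers by diffing a WHOIS record against a baseline.
All WHOIS text below is constructed; the field names are an assumption."""
import re
from datetime import date

# Fields worth alerting on when they change (constructed list; adjust per registrar).
WATCHED_FIELDS = ("Registrant Name", "Registrant Email", "Registrar", "Name Server")


def parse_whois(text):
    """Parse 'Key: value' lines into a dict; repeated keys (Name Server) become lists."""
    record = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z ]+?):\s*(.+?)\s*$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key in record:
            existing = record[key]
            record[key] = (existing if isinstance(existing, list) else [existing]) + [value]
        else:
            record[key] = value
    return record


def normalize(value):
    """Name servers and addresses compare case-insensitively and order-independently."""
    if isinstance(value, list):
        return sorted(v.lower() for v in value)
    return value.lower() if isinstance(value, str) else value


def check_domain(baseline, current, today, expiry_warn_days=30):
    """Return alert strings for changed watched fields and near/past expiry."""
    alerts = []
    for field in WATCHED_FIELDS:
        if normalize(baseline.get(field)) != normalize(current.get(field)):
            alerts.append(f"{field} changed: {baseline.get(field)!r} -> {current.get(field)!r}")
    exp = current.get("Registry Expiry Date")
    if exp:
        days_left = (date.fromisoformat(exp[:10]) - today).days
        if days_left < 0:
            alerts.append(f"domain expired {-days_left} days ago")
        elif days_left <= expiry_warn_days:
            alerts.append(f"domain expires in {days_left} days")
    return alerts


# Constructed baseline captured when the domain was known to be in good hands.
BASELINE_WHOIS = """\
Domain Name: EXAMPLE.ORG
Registrar: Example Registrar, Inc.
Registrant Name: Example Project
Registrant Email: admin@example.org
Name Server: NS1.EXAMPLE.ORG
Name Server: NS2.EXAMPLE.ORG
Registry Expiry Date: 2007-08-30T00:00:00Z
"""

# Constructed record after somebody else has bought the domain.
CURRENT_WHOIS = """\
Domain Name: EXAMPLE.ORG
Registrar: Other Registrar LLC
Registrant Name: Domain Reseller
Registrant Email: sales@example.net
Name Server: NS1.PARKING.EXAMPLE.NET
Name Server: NS2.PARKING.EXAMPLE.NET
Registry Expiry Date: 2008-09-10T00:00:00Z
"""


def run_example(today=date(2007, 9, 11)):
    """Compare the constructed records; returns four 'changed' alerts for this data."""
    return check_domain(parse_whois(BASELINE_WHOIS), parse_whois(CURRENT_WHOIS), today)


if __name__ == "__main__":
    for alert in run_example():
        print("ALERT:", alert)
```

Run it from cron against a fresh `whois` query for each domain you own and page on any non-empty result; the expiry warning is there because a registration that was allowed to lapse is the easiest one for someone else to buy.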
XSIO: Cross Site Image Overlaying
I found a new paper on a vulnerability class called XSIO, "Cross Site Image Overlaying". It is essentially XSS without the scripting: instead of injecting script, the attacker injects a reference to an image and uses CSS to position it over an important part of the website (a login form, a headline), so visitors see attacker-chosen content on a legitimate page.
I've seen images used in the past to convince e.g. managers of the need to fix XSS vulnerabilities. It's hard to explain how bad XSS is without going into some level of technical detail; it is simply easier to understand the impact of an "inappropriate" image on the company's website than to explain how the website's vulnerability causes its visitors to be exploited via XSS.
The defense is the same as with XSS: validate input and encode output; echoing user-supplied input back into a page unencoded is asking for trouble. Note that because no script is involved, a filter that only strips <script> tags or event-handler attributes will not stop XSIO; an <img> tag with a style attribute is all the attacker needs.
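To make the difference concrete, here is an added example (not from the paper or from the diary) of one reflected injection point rendered three ways: echoed raw, passed through a script-only blacklist, and HTML-encoded on output. The page layout, the "query" parameter, the overlay URL and the payload are constructed for illustration.

```python
"""Added example: an XSIO payload against an unfiltered, a script-blacklisted
and an output-encoded page. Everything below is constructed for illustration."""
import html
import re

# Constructed XSIO payload: no script at all, just an image stretched over the page.
XSIO_PAYLOAD = ('<img src="https://attacker.example/overlay.png" '
                'style="position:absolute;top:0;left:0;width:100%;height:100%">')

# Constructed page template with a form the overlay would cover.
PAGE = """<html><body>
<h1>Search results for: {query}</h1>
<form action="/login"><input name="user"><input name="pass" type="password"></form>
</body></html>"""


def render_unsafe(query):
    """Vulnerable: user input is echoed straight into the HTML."""
    return PAGE.format(query=query)


_SCRIPT_BLACKLIST = re.compile(r"<\s*script|\son\w+\s*=", re.IGNORECASE)


def render_blacklisted(query):
    """Still vulnerable: a script-only filter leaves the <img>/CSS overlay intact."""
    return PAGE.format(query=_SCRIPT_BLACKLIST.sub("", query))


def render_safe(query):
    """Fixed: encode on output so the browser sees text, not markup."""
    return PAGE.format(query=html.escape(query, quote=True))


_OVERLAY = re.compile(r"<img[^>]*position\s*:\s*(absolute|fixed)", re.IGNORECASE)


def has_overlay(rendered_html):
    """Check: does the rendered page contain an absolutely/fixed positioned image?"""
    return _OVERLAY.search(rendered_html) is not None


if __name__ == "__main__":
    for name, render in (("unsafe", render_unsafe),
                         ("blacklist", render_blacklisted),
                         ("encoded", render_safe)):
        print(f"{name:10s} overlay present: {has_overlay(render(XSIO_PAYLOAD))}")
```

The blacklisted version is the one that bites in practice: it "passes" a test that only throws <script> at the parameter, while the image still covers the login form. Encoding the output turns the payload into visible text, and the same encoding also stops ordinary XSS.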
--
Swa Frantzen -- NET2S