Why every email is important
At first glance, it looked to be the same as any one of a thousand other e-mails.
The following is from an e-mail that was forwarded to us because delivery to the original sender bounced
<snip>
I just wanted to make sure you know that currently most (or all) of the images and navigation on Bastille-linux.org are broken. I appreciate the project and all you do for the info sec community. If there is something I can do for you please let me know.
</snip>
We always get reports of sites that are down or somehow "wrong". Quite often it's a localized routing problem, other times it is a browser rendering issue, but when we get a report of a site down, more often than not there is no malicious activity.
Not this time.
After investigation by ISC Handlers Don Smith and Joel Esler in combination with site owner Jay Beale, Jay issued a statement here that began:
"Dear Bastille Linux Users, On the morning of September 11th, 2007, alerted by handlers from the Internet Storm Center, I learned that one Mykhaylo Perebiynis purchased our Bastille Linux domain and is demanding $10,000 to return it to the project. He appears to be in business as a domain squatter."
Please make sure you read the full text of Jay's announcement which includes the PGP fingerprint for the key he will be using to sign any downloads and critical e-mail announcements going forward.
At SANSFIRE this year, one of the comments during the Handlers forum panel discussion was that the reader was concerned about sending in reports that turn out to be incorrect (because of a routing problem, browser issue, user error ...) and "bother us".
Don't be.
This is a perfect example of how something that you might think we consider "routine" and not important turns out to be (for Jay) a major event.
In incident handling, the sooner the compromise is detected, the sooner it can be contained, eradicated and recovered from.
This time, the issue is relatively limited. Next time ...
And in case you're curious, the publicly available WHOIS information for the current (not Jay Beale) domain owner is available here
XSIO: Cross Site Image Overlaying
I found a new paper on a vulnerability called XSIO. XSIO stands for "Cross Site Image Overlaying" and is basically the same as XSS except there is no scripting involved, but instead an image is referenced and positioned using CSS over an important part of a website.
I've seen images being used in the past to convince e.g. managers of the need to fix XSS vulnerabilities. Basically it's too hard to explain how bad XSS is without goign into some level of technical detail. It's just simpler to understand the impact of that "inappropriate" image on a website than it is to explain the website's vulnerability causes the clients to get exploited via XSS.
The defense is the same as with XSS: input and output validation, echoing back input from the user is asking for trouble.
--
Swa Frantzen -- NET2S
Comments