
SANS ISC: Etymology; Homographic Attacks; and other BIG words SANS ISC InfoSec Forums

Etymology; Homographic Attacks; and other BIG words

8181 theories continue



We're still requesting binary captures of the TCP/8181 traffic. Ideally they will be in binary libpcap format, which will give us the best view of what is going on.

My gut instinct tells me that the intent of this traffic is infrastructure mapping. It's not traceroute, and it's not the preliminary scan for a firewalk, but it is definitely modulating the TTL.

Shmoocon ends with a "state of homographic attacks" announcement



Many readers sent in the Shmoo Group's (of airsnort fame) announcement and proof-of-concept code that exploits many non-Internet Explorer web browsers (http://www.shmoo.com/idn/homograph.txt). The issue arises from how these browsers parse International Domain Names (RFC 3490). Like any good handler, I'm running a non-IE web browser. Here was my experience with their proof of concept. I tried the SSL version of the demonstration, and a simple click of the link will take me to their "0wned" page, and the URL window looks like I'm at the spoofed site. The certificate even appears to have the spoofed URL. The only difference is that the victim site's certificate is signed by Verisign, while the fake site is signed by "The USERTRUST Network." If I tried to get tricky by copy/pasting the provided URL, the fake site was still reached.
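A defender-side check for the spoofing described above, as an added example that is not from the diary or from the Shmoo Group's proof of concept: it decodes each hostname label with Python's RFC 3490 `idna` codec and reports labels that mix scripts, along with the ASCII form that DNS and certificates actually carry. The sample hostname and the function names (`scripts_in`, `to_unicode`, `audit_host`) are constructed for illustration.

```python
import unicodedata

def scripts_in(text):
    """Coarse script set: first word of each letter's Unicode name (LATIN, CYRILLIC, ...).
    Heuristic only; languages that legitimately combine scripts will also be reported."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()}

def to_unicode(label):
    """Decode an ACE ('xn--') label with the RFC 3490 codec; other labels pass through."""
    if label.isascii() and label.lower().startswith("xn--"):
        return label.lower().encode("ascii").decode("idna")
    return label

def audit_host(host):
    """Return one finding per label that is non-ASCII once decoded."""
    findings = []
    for label in host.rstrip(".").split("."):
        try:
            text = to_unicode(label)
            ace = text.encode("idna").decode("ascii")  # what DNS and the certificate carry
        except UnicodeError:
            findings.append({"label": label, "verdict": "invalid-idn"})
            continue
        if text.isascii():
            continue  # plain ASCII label, nothing to confuse
        scripts = sorted(scripts_in(text))
        verdict = "mixed-script" if len(scripts) > 1 else "single-script-idn"
        findings.append({"label": label, "unicode": text, "ace": ace,
                         "scripts": scripts, "verdict": verdict})
    return findings

# Constructed sample: "example" with CYRILLIC SMALL LETTER A (U+0430) replacing Latin "a".
SPOOF = "ex\u0430mple.com"
SPOOF_ACE = SPOOF.encode("idna").decode("ascii")  # the same name in its ASCII form

if __name__ == "__main__":
    for host in ("example.com", SPOOF, SPOOF_ACE):
        print(repr(host), "->", audit_host(host))
```

Showing the `ace` value instead of the decoded label is what makes the lookalike visible to a user or a log reviewer.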

More Firefox issues



Michael Krax released three new Firefox weaknesses that may aid in a Phishing attack. You can read more about his research at http://www.mikx.de/

I suppose the good news is that Firefox is gaining enough usage/popularity to get more eyes looking at its vulnerabilities and issues. He also makes up great new words for the issues, like "Fireflashing." Which brings me to...

Pharming: the son of Phishing



Another step in the exciting etymological developments that occur in this field was made today when I first heard the term "Pharming." What is it? I refer back to the February 2, 2005 diary (http://isc.sans.org/diary.php?date=2005-02-02) where a Dutch magazine released an article on DNS hijacking. Apparently the use of such a technique to bring users to your fake site is referred to as "Pharming."

In other non-Microsoft application news



Eudora has some important updates available: http://www.eudora.com/email/upgrade/index.html

------------------------------------------------


Kevin Liston

kliston AT isc.sans.org