8181 theories continue
We're still requesting binary captures of the TCP/8181 traffic. Ideally it will be in binary libpcap format which will give us the best view of what is going on.
My gut instinct tells me that the intent of this traffic is infrastructure mapping; it's not traceroute, and it's not the preliminary scan for a firewalk, but it is definitely modulating the TTL.
Shmoocon ends with a "state of homographic attacks" announcement
Many readers sent in the Shmoo Group's (of airsnort fame) announcement and proof-of-concept code that exploits many non-Internet Explorer web browsers (http://www.shmoo.com/idn/homograph.txt). The issue arises from how these browsers parse International Domain Names (RFC 3490.) Like any good handler, I'm running a non-IE web browser. Here was my experience with their proof of concept. I tried the SSL version of the demonstration, and a simple click of the link will take me to their "0wned" page, and the URL window looks like I'm at the spoofed site. The certificate even appears to have the spoofed URL. The only difference is that the victim site's certificate is signed by Verisign, while the fake site is signed by "The USERTRUST Network." If I tried to get tricky by copy/pasting the provided URL, the fake site was still reached.
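A defensive check for the IDN issue described above, as an added example that is not part of the original diary or the Shmoo Group's code: it converts a hostname to the ASCII (xn--) form that actually goes to DNS and flags labels that mix Unicode scripts. The function names and the sample hostname (a Cyrillic letter in front of "xample.com") are constructed for illustration.

```python
import unicodedata

def script_of(ch):
    """Rough script of a character, taken from its Unicode name (LATIN, CYRILLIC, ...)."""
    if ch.isdigit() or ch == "-":
        return None  # digits and hyphen are script-neutral
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"

def to_ace(host):
    """ASCII-compatible form of a hostname: non-ASCII labels become xn-- labels."""
    out = []
    for label in host.lower().split("."):
        if not label.isascii():
            label = "xn--" + label.encode("punycode").decode("ascii")
        out.append(label)
    return ".".join(out)

def to_unicode(host):
    """Decode xn-- labels back to the characters a browser would display."""
    out = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed label: leave it in its raw xn-- form
        out.append(label)
    return ".".join(out)

def check_host(host):
    """Report the ACE form plus labels that mix scripts or are entirely non-Latin."""
    result = {"ace": to_ace(to_unicode(host)), "mixed": [], "non_latin": []}
    for label in to_unicode(host).split("."):
        scripts = {s for s in map(script_of, label) if s}
        if len(scripts) > 1:
            result["mixed"].append(label)      # e.g. Latin with one Cyrillic letter
        elif scripts and scripts != {"LATIN"}:
            result["non_latin"].append(label)  # may be legitimate; show the ACE form
    return result

if __name__ == "__main__":
    SPOOF = "\u0435xample.com"  # constructed sample: Cyrillic 'е' (U+0435), then Latin
    for h in ("example.com", SPOOF, to_ace(SPOOF)):
        print(ascii(h), check_host(h))
```

Showing the "ace" value next to the displayed name is what exposes the difference that the address bar hid in the demonstration.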
More Firefox issues
Michael Krax released three new Firefox weaknesses that may aid in a Phishing attack. You can read more about his research at http://www.mikx.de/
I suppose the good news is that Firefox is gaining enough usage/popularity to get more eyes looking at its vulnerabilities and issues. He also makes up great new words for the issues, like "Fireflashing." Which brings me to...
Pharming: the son of Phishing
Another step in the exciting etymological developments that occur in this field was made today when I first heard the term "Pharming." What is it? I refer back to the February 2, 2005 diary (http://isc.sans.org/diary.php?date=2005-02-02) where a Dutch magazine released an article on DNS hijacking. Apparently the use of such a technique to bring users to your fake site is referred to as "Pharming."
In other non-Microsoft application news
Eudora has some important updates available: http://www.eudora.com/email/upgrade/index.html
kliston AT isc.sans.org
Feb 8th 2005