If there is a domain that could be useful as a phishing site (a domain the original company allowed to expire, one that just looks right enough, etc) but is on the common blacklists, isn't that useful? If it dropped off the blacklists when registration expired then another nefarious type (or the same nefarious person if they are lucky) could re-register it and use it as a freshly useful phishing location until it once again got on the lists.
Though given how carefully people often don't check domains, or in some cases how easily they are hidden, which is why many phishing attacks work, this might not make a big difference overall.
A domain that used to be tied to the company has different considerations, but ideally it would also be blocked based on ownership changes and not wait for content.
If you buy a previously well-known scam URL, cry me a river about being blacklisted. If you get the cheapest IPv4 don't come complaining that all your email gets classified as spam. _Especially_ if you claim to be an expert.
Are we talking about when it had malicious contents for a couple weeks in 2018? Come on, that's not tainted in 2024 by any reasonable metric.
> is a spelling variant of a well known large corp
It's talking about the large corp, and isn't even close to their real URL. And there's a lot of ways you could interpret "baways", including connections to the company called Baway and the unrelated stock ticker BAWAY. So I see what you're saying but I don't think it's a big deal.
> complain that a previously maliciously used DNS name is blacklisted
I don't see them complaining?
> And it is deceptive because unlike the title suggests there is no "challenge" mentioned in the article yet the wording strongly suggests some sort of rewarded hackathon.
That's the submitter's fault for using the subtitle instead of the title.
Yeah the pronouns throughout the a/b/c/d thing are confusing the heck out of me. I originally thought it was all about you (claiming expertise), then I considered perhaps me (complaining), and then perhaps the author of TFA (hosting). It could even be that the 3rd person "they" leading into a/b/c/d and the 2nd person "you" within item d are the same entity, which would be very strange grammar, but I really have no idea other than I was the only one complaining about (but also defending) filtering from what I can tell. Names, please!
Which amusingly (but not for you, since you can't see it) is one of the main topics in the article, that the security breach used that domain to exfiltrate the data to. And I'd guess that's why the company chose to buy up the domain to host this blog/ad on...
Blad?
> You have landed on baways.com. The shady stuff is gone. This domain now serves a new purpose: telling the story of what went down.
2FA would be tricky since these accounts can't be nominative anyway (at least not with the current economic model): there is so much turnover and subcontracting that it would be a nightmare to manage
The real question is how they broke out of the Common-Use Citrix session to get access to a non-airport environment, and that unfortunately isn't explained - there shouldn't be any relation whatsoever between the BA website and BA's Airport CUPPS network
I disagree. Due to all the security theatre involved with post-9/11 air travel, every air-side employee is already subject to relatively strict regulations. Employees are already given personalized RFID access cards, making those same cards 2FA-capable would be a relatively small change.
I think money is not the main driver for those people.
If someone wants to hire them, offer actual worthwhile bug bounties ($100k to $1M) on hard problems. And then try and hire those people after you pay the bounty.
I think you're forgetting the risk involved. To me, of course, it's the money because there are plenty of ways to get the satisfaction you're describing. It may not even be a crass need for money but people who live in poorer areas of the world taking a job and earning a cut as possibly the only worthwhile means of using their talent.
> amount of talent, knowledge and passion is wasted for a hack like this.
It's not as if worthwhile outlets for talent are easy to come by. It could be easier. The world we live in does not prioritize this outcome.
CC dumps -> Marketplace -> Crypto -> Money
That this was just another day in the office for the team.
I won't believe any real security professional (i.e. budget holder) will read this and think it actually conveys any trust towards c-side (the security company who wrote this entire piece)
Equally idiotic move to the Hudson Rock hit piece on Snowflake which they eventually yanked offline https://www.theregister.com/2024/06/04/snowflake_report_pull...
I was approached by BA to tender for a web performance project. I was excited because, at the time, I had Gold status with BA and I used the site on a weekly basis—I knew exactly where and why it was slow simply through using it so much!
The RFP deadline was short—really short. So, I spent the bulk of a vacation in Croatia writing up my proposal. When I was meant to be lounging by the pool or chugging Malvasia, I was buried in my laptop putting together my pitch. I got it done in time, fired it over, only to be told ‘we are focusing on web security now; this project is on hold’. Then, a few days later, the news broke.
CEO of c/side here. Sorry to keep you waiting. Answering a few points here:
1. This is not an ad, or at least it was not intended to be one. We feel like this is a microsite which like most blogs has a little "this is who we are" ending. Same concept as the Cloudflare blog which we all appreciate and love. We noticed vendors in the security space talk about the BA attack but often share misinformation about what happened. Information is scattered among various channels and old news publications but since the court documents were released no one did a proper recap. We care so we managed to buy the domain, which was not hard, but indicates that we are not just a salesy brand; we are genuinely deep in client-side security and feel it's important to talk about the attacks that happened, otherwise companies do not take action and consumers become victims.
2. Yes, this domain name is still flagged on some DNS filter providers. Threat feeds are an outdated concept that create a false sense of security and pollute the web if not kept up to date. Especially in the case of client-side attacks they are grossly ineffective as vendors consume the threat-feeds but don't actively monitor the dataflow or served code meaning targeted attacks fly under the radar. The BAways domain has not been used in an attack for over 5 years. You've all been very helpful in flagging the DNS you use and we'll reach out to those vendors to correct the flagging of the domain. There is no malicious action on this domain anymore, it purely serves as a reminder to educate on the risks of unmonitored client-side executions.
3. To finish: Client-side security is important. When I speak to security engineers, they get it. It's a vital part of the supply-chain and it is overlooked. However, executives are often not aware of the issue and feel it is negligible. This is partly because the world has stopped covering client-side attacks for some reason and put them under umbrella terms like "data leaks". Malicious pop-ups are blocked by most browsers, but those pop-ups often originate from malicious JS. Stealthy attacks are easy to pull off, so imagine a small percentage of the pop-ups that were blocked stealing user credentials. Between the Polyfill attack, the data leak of Kaiser Permanente and many other attacks, over 500K websites were impacted in 2024: millions in fines, millions of user credentials, sensitive information and credit cards leaked. The aim of this blogpost is to get people to talk and understand that posture management means monitoring the entire posture, not just NPM, not just a simple vulnerability scan, not just the server side and internal networking, but active monitoring of all bases.
I hope this context helps and thanks for your engagement.
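The point in item 2 above, that a feed of known-bad domains says nothing about what your own pages are serving right now, is easier to see with a check that watches the served code itself: fingerprint the script, and flag any host it references that is not on the site's own allowlist. This is an added example written for this thread, not c/side's product or anything from the post; the script text, the hosts and the allowlist are constructed placeholders.

```python
import hashlib
import re

# Hosts the page owner expects its scripts to talk to (constructed allowlist).
ALLOWED_HOSTS = {"www.example-airline.test", "api.example-airline.test"}

# Constructed sample: the checkout script as recorded when it was last reviewed.
BASELINE_JS = """
(function () {
  var form = document.getElementById('checkout');
  form.addEventListener('submit', function () {
    fetch('https://api.example-airline.test/track', { method: 'POST' });
  });
})();
"""

# Constructed sample: the same script with an unreviewed addition that
# contacts a host outside the allowlist.
MODIFIED_JS = BASELINE_JS + """
fetch('https://collector.example-unknown.test/g');
"""

# Matches a quoted absolute or protocol-relative URL and captures its host.
_HOST_RE = re.compile(r"""["'](?:https?:)?//([A-Za-z0-9.\-]+)""")


def script_fingerprint(js: str) -> str:
    """SHA-256 of the script exactly as served; any change alters it."""
    return hashlib.sha256(js.encode("utf-8")).hexdigest()


def extract_hosts(js: str) -> set:
    """Hosts named in quoted URLs inside the script, lowercased."""
    return {h.lower() for h in _HOST_RE.findall(js)}


def audit_script(baseline_js: str, served_js: str, allowed_hosts: set) -> dict:
    """Compare what is served now with the reviewed baseline.

    Reports whether the bytes changed, which hosts are new relative to the
    baseline, and which hosts fall outside the allowlist regardless of history.
    """
    served_hosts = extract_hosts(served_js)
    return {
        "changed": script_fingerprint(served_js) != script_fingerprint(baseline_js),
        "new_hosts": sorted(served_hosts - extract_hosts(baseline_js)),
        "unexpected_hosts": sorted(served_hosts - {h.lower() for h in allowed_hosts}),
    }
```

Running `audit_script(BASELINE_JS, MODIFIED_JS, ALLOWED_HOSTS)` reports the change and names the unlisted host, whether or not any threat feed has ever heard of it.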
> thanks for your engagement
lol