Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: Why every email is important SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Why every email is important

At first glance, it looked to be the same as any one of a thousand other e-mails.

The following is from an e-mail that was forwarded to us because delivery to the original sender bounced

I just wanted to make sure you know that currently most (or all) of the images and navigation on are broken.  I appreciate the project and all you do for the info sec community.   If there is something I can do for you please let me know.

We always get reports of sites that are down or somehow "wrong".  Quite often it's a localized routing problem, other times it is a browser rendering issue, but when we get a report of a site down, more often than not there is no malicious activity.

Not this time.

After investigation by ISC Handlers Don Smith and Joel Esler in combination with site owner Jay Beale, Jay issued a statement here that began:

"Dear Bastille Linux Users, On the morning of September 11th, 2007, alerted by handlers from the Internet Storm Center, I learned that one Mykhaylo Perebiynis purchased our Bastille Linux domain and is demanding $10,000 to return it to the project. He appears to be in business as a domain squatter."

Please make sure you read the full text of Jay's announcement which includes the PGP fingerprint for the key he will be using to sign any downloads and critical e-mail announcements going forward.

At SANSFIRE this year, one of the comments during the Handlers forum panel discussion was that the reader was concerned about sending in reports that turn out to be incorrect (because of a routing problem, browser issue, user error ...) and "bother us".

Don't be.

This is a perfect example of how something that you might think we consider "routine" and not important turns out to be (for Jay) a major event.

In incident handling, the sooner the compromise is detected, the sooner it can be contained, eradicated and recovered from.

This time, the issue is relatively limited.  Next time ...

And in case you're curious, the publicly available WHOIS information for the current (not Jay Beale) domain owner is available here


140 Posts
Sep 12th 2007

Sign Up for Free or Log In to start participating in the conversation!