Tuesday, November 23, 2004

Kudos for Proper Incident Handling at The Register

The UK-based news site The Register was victimized by an advertisement provider, Falk AG, beginning Saturday. The ads served by Falk AG were carriers for the Bofra worm, which uses a buffer overflow in FRAME, IFRAME, and EMBED elements of pre-XP SP2 Internet Explorer.

The Register promptly issued a warning on Sunday morning, followed by a statement on restoration of service this morning. The Register estimates the number of visitors who could have been affected by this event, which is a good way to scope the extent of the incident.

Falk AG has also owned up to the incident, although its wording leaves a little to be desired. From the company's statement:

"Early Saturday morning (20.11.2004) an unauthorized individual exploited a weakness in a load balancer on the European AdSolution network. The purpose of the exploit was to establish a redirect to malicious code through a javascript component of Falk’s ad delivery... Unauthorized access was possible only as a result the intentional exploitation of a weak point of a network load balancer located in the EU datacenter. Once accessed, the individual was able to modify a configuration which forced the redirect to the malicious code."

I like the mention of a "weakness" and a "weak point." That sounds like press-speak for misconfiguration, or unpatched vulnerability. Although Falk has many clients, on Dutch news site Nu.nl has reported on the event, along with The Reg.

According to this site, Falk has a history of serving up Trojaned ads. Maybe that will give me some traffic to inspect for my next book?

No comments: