I vividly remember this happening. Firstly, because I was an affected customer and I had to cancel all of my debit/credit cards days before a two-week work trip to SF, but secondly…
I was approached by BA to tender for a web performance project. I was excited because, at the time, I had Gold status with BA and I used the site on a weekly basis—I knew exactly where and why it was slow simply through using it so much!
The RFP deadline was short—really short. So, I spent the bulk of a vacation in Croatia writing up my proposal. When I was meant to be lounging by the pool or chugging Malvasia, I was buried in my laptop putting together my pitch. I got it done in time, fired it over, only to be told ‘we are focusing on web security now; this project is on hold’. Then, a few days later, the news broke.
The bit about the ground-handler agent not having 2FA is a bit of a red herring, getting access to a session is trivial - just find an empty common-use terminal in the airport. Or just bribe one of the thousands of underpaid and overworked agents working at any moment in any airport.
2FA would be tricky since these accounts can't be nominative anyway (at least not with the current economic model): there is so much turnover and subcontracting that it would be a nightmare to manage
The real question is how they broke out of the Common-Use Citrix session to get access to a non-airport environment, and that unfortunately isn't explained - there shouldn't be any relation whatsoever between the BA website and BA's Airport CUPPS network
> 2FA would be tricky since these accounts can't be nominative anyway (at least not with the current economic model): there is so much turnover and subcontracting that it would be a nightmare to manage
I disagree. Due to all the security theatre involved with post-9/11 air travel, every air-side employee is already subject to relatively strict regulations. Employees are already given personalized RFID access cards, making those same cards 2FA-capable would be a relatively small change.
Not only that, but my filtered DNS is resolving it to a page saying (if I proceed through the certificate mismatch) it "blocked access to baways.com because it’s in our database of phishing and malicious domains"
The first comment over there has a tool for checking, and this baways is still blocked by one popular service, but no longer blocked by mine according to the tool and my own experience. I guess the author proved new ownership to the maintainers of most lists over the last few hours.
> "blocked access to baways.com because it’s in our database of phishing and malicious domains"
Which amusingly (but not for you, since you can't see it) is one of the main topics in the article, that the security breach used that domain to exfiltrate the data to. And I'd guess that's why the company chose to buy up the domain to host this blog/ad on...
Would it be best practice for filter list maintainers to purge on expiration, though? Bad actors would be able to take advantage of that. Until there's a standard around this, maybe blacklisted domains should just remain unused.
If there is a domain that could be useful as a phishing site (a domain the original company allowed to expire, one that just looks right enough, etc) but is on the common blacklists, isn't that useful. If it dropped of the blacklists when registration expired then another nefarious type (or the same nefarious person if they are lucky) could re-register it and use it as a freshly useful phishing location until it once again got on the lists.
Though given how carefully people often don't check domains, or in some cases how easily they are hidden, which is why many phishing attacks work, this might not make a big difference overall.
For "just right", the domain also has to look more "just right" than the many unregistered names that are very close. And an aggressive filter trying to block on that basis should be doing it preemptively and not very much based on domain history.
A domain that used to be tied to the company has different considerations, but ideally it would also be blocked based on ownership changes and not wait for content.
They purposely purchased a tainted domain, seems a bit disingenuous to a) claim sec expertise and then b) complain that a previously maliciously used DNS name is blacklisted which c) is a spelling variant of a well known large corp and d) which you are hosting deceptive ad content on. And it is deceptive because unlike the title suggests there is no "challenge" mentioned in the article yet the wording strongly suggest some sort of rewarded hackathon.
If you buy a previous well own scam URL, cry me a river about being blacklisted. If you get the cheapest IPv4 don't come complaining that all you email gets classified as spam. _Especially_ if you claim to be an expert.
Are we talking about when it had malicious contents for a couple weeks in 2018? Come on, that's not tainted in 2024 by any reasonable metric.
> is a spelling variant of a well known large corp
It's talking about the large corp, and isn't even close to their real URL. And there's a lot of ways you could interpret "baways", including connections to the company called Baway and the unrelated stock ticker BAWAY. So I see what you're saying but I don't think it's a big deal.
> complain that a previously maliciously used DNS name is blacklisted
I don't see them complaining?
> And it is deceptive because unlike the title suggests there is no "challenge" mentioned in the article yet the wording strongly suggest some sort of rewarded hackathon.
That's the submitter's fault for using the subtitle instead of the title.
Yeah the pronouns throughout the a/b/c/d thing are confusing the heck out of me. I originally thought it was all about you (claiming expertise), then I considered perhaps me (complaining), and then perhaps the author of TFA (hosting). It could even be that the 3rd person "they" leading into a/b/c/d and the 2nd person "you" within item d are the same entity, which would be very strange grammar, but I really have no idea other than I was the only one complaining about (but also defending) filtering from what I can tell. Names, please!
It’s always interesting to see which tremendous amount of talent, knowledge and passion is wasted for a hack like this. I can understand that the constant adrenaline and intrinsic satisfaction plus elevated self esteem and confidence must be addictive. It’s depressing that we can’t establish that in a healthy way in a „normal“ job environment.
I think money is not the main driver for those people.
> I think money is not the main driver for those people.
I think you're forgetting the risk involved. To me, of course, it's the money because there are plenty of ways to get the satisfaction you're describing. It may not even be a crass need for money but people who live in poorer areas of the world taking a job and earning a cut as possibly the only worthwhile means of using their talent.
> amount of talent, knowledge and passion is wasted for a hack like this.
It's not as if worthwhile outlets for talent are easy to come by. It could be easier. The world we live in does not prioritize this outcome.
It's possible that if they are working for a nation state (sanctioned and likely cut off from what might be considered normal trade) which might have the high level goal of:
CC dumps -> Marketplace -> Crypto -> Money
That this was just another day in the office for the team.
Yeah. It’s difficult for true hackers to get a job because they tend to be wildly more
competent than their peers and their superiors, they implicitly have a low tolerance for performative bullshit meetings and jira tickets, and they often lack the expected educational and professional credentials that hiring folks look at.
If someone wants to hire them, offer actual worthwhile bug bounties ($100k to $1M) on hard problems. And then try and hire those people after you pay the bounty.
absolutely hilarious a security company would buy a domain called "baways.com" just to make rub a security breach in the face of british airways WHILST using it simultaneously as a platform to market their tool.
I won't believe any real security professional (i.e. budget holder) will read this and think it actually conveys any trust towards c-side (the security company who wrote this entire piece)
They intentionally bought / acquired the same domain that was used for the hack to tell the story of the hack. I think it's pretty clever marketing myself, even if many people in the comments are reporting their security is kicking in.
Somehow i missed that. I think it actually changes my opinion a bit on this, it is rather clever - maybe it should've been mentioned in the headline so that idiots like me would notice
Awesome! (Unrelated: Now I just need to figure out how to overcome all these "Admiral" nags that are chipping away at my love for filtering on half of the legitimate news sites... any advice?)
Yeah but after carefully overriding, TFA is basically saying that it's sharing a story about how this very domain used to be nefarious and no longer is... So I think it's just stuck in deny lists despite new ownership?
CEO of c/side here. Sorry to keep you waiting.
Answering a few points here:
1. This is not an ad, or at least it was not intended to be one. We feel like this is a microsite which like most blogs has a little "this is who we are" ending. Same concept as the Cloudflare blog which we all appreciate and love. We noticed vendors in the security space talk about the BA attack but often share misinformation about what happened. Information is scattered among various channels and old news publications but since the court documents were released no one did a proper recap. We care so we managed to buy the domain, which was not hard, but indicates that we are not just a salesy brand we are genuinely deep in client-side security and feel its important to talk about the attacks that happened otherwise companies do not take action and consumers become victims.
2. Yes, this domain name is still flagged on some DNS filter providers. Threat feeds are an outdated concept that create a false sense of security and pollute the web if not kept up to date. Especially in the case of client-side attacks they are grossly ineffective as vendors consume the threat-feeds but don't actively monitor the dataflow or served code meaning targeted attacks fly under the radar. The BAways domain has not been used in an attack for over 5 years. You've all been very helpful in flagging the DNS you use and we'll reach out to those vendors to correct the flagging of the domain. There is no malicious action on this domain anymore, it purely serves as a reminder to educate on the risks of unmonitored client-side executions.
3. To finish: Client-side security is important. When I speak to security engineers, they get it. It's a vital part of the supply-chain and it is overlooked. However, executives are often not aware of the issue and feel it is negligible. This is partly because the world has stopped covering client-side attacks for some reason and put them under umbrella terms like "data leaks". Malicious pop-ups are blocked by most browsers, but those pop-ups often originate from malicious JS. Stealthy attacks are easy to pull off so imagine a small percentage of pop-up's that were blocked stealing user credentials. Between the Polyfill attack, the data leak of Kaiser Permanente and many other attacks over 500K websites were impacted in 2024, millions in fines, millions of user credentials, sensitive information and credit cards leaked. The aim of this blogpost is to get people to talk and understand that posture management means monitoring the entire posture, not just NPM, not just a simple vulnerability scan, not just the server side and internal networking but active monitoring of all bases.
I hope this context helps and thanks for your engagement.
I was approached by BA to tender for a web performance project. I was excited because, at the time, I had Gold status with BA and I used the site on a weekly basis—I knew exactly where and why it was slow simply through using it so much!
The RFP deadline was short—really short. So, I spent the bulk of a vacation in Croatia writing up my proposal. When I was meant to be lounging by the pool or chugging Malvasia, I was buried in my laptop putting together my pitch. I got it done in time, fired it over, only to be told ‘we are focusing on web security now; this project is on hold’. Then, a few days later, the news broke.