How the British Airways' breach kickstarted today's web security challenge

50 points, by s-mon, 7 months ago

8 comments

csswizardry, 7 months ago

I vividly remember this happening. Firstly, because I was an affected customer and I had to cancel all of my debit/credit cards days before a two-week work trip to SF, but secondly…

I was approached by BA to tender for a web performance project. I was excited because, at the time, I had Gold status with BA and I used the site on a weekly basis. I knew exactly where and why it was slow simply through using it so much!

The RFP deadline was short, really short. So, I spent the bulk of a vacation in Croatia writing up my proposal. When I was meant to be lounging by the pool or chugging Malvasia, I was buried in my laptop putting together my pitch. I got it done in time, fired it over, only to be told ‘we are focusing on web security now; this project is on hold’. Then, a few days later, the news broke.
namdnay, 7 months ago

The bit about the ground-handler agent not having 2FA is a bit of a red herring; getting access to a session is trivial. Just find an empty common-use terminal in the airport. Or just bribe one of the thousands of underpaid and overworked agents working at any moment in any airport.

2FA would be tricky since these accounts can't be nominative anyway (at least not with the current economic model): there is so much turnover and subcontracting that it would be a nightmare to manage.

The real question is how they broke out of the Common-Use Citrix session to get access to a non-airport environment, and that unfortunately isn't explained. There shouldn't be any relation whatsoever between the BA website and BA's Airport CUPPS network.
danhon, 7 months ago

This is an ad.
Ringz, 7 months ago

It's always interesting to see what a tremendous amount of talent, knowledge and passion is wasted on a hack like this. I can understand that the constant adrenaline and intrinsic satisfaction plus elevated self-esteem and confidence must be addictive. It's depressing that we can't establish that in a healthy way in a "normal" job environment.

I think money is not the main driver for those people.
waihtis, 7 months ago

Absolutely hilarious that a security company would buy a domain called "baways.com" just to rub a security breach in the face of British Airways WHILST using it simultaneously as a platform to market their tool.

I won't believe any real security professional (i.e. budget holder) will read this and think it actually conveys any trust towards c/side (the security company who wrote this entire piece).

Equally idiotic move to the Hudson Rock hit piece on Snowflake which they eventually yanked offline: https://www.theregister.com/2024/06/04/snowflake_report_pulled/
LordAtlas, 7 months ago

AdGuard blocked this site saying it was dangerous and I'm not about to override that.
TwoNineFive, 7 months ago

This was bad enough that it's been taken down now.
s-mon, 7 months ago

Hey folks,

CEO of c/side here. Sorry to keep you waiting. Answering a few points here:

1. This is not an ad, or at least it was not intended to be one. We feel like this is a microsite which, like most blogs, has a little "this is who we are" ending. Same concept as the Cloudflare blog which we all appreciate and love. We noticed vendors in the security space talk about the BA attack but often share misinformation about what happened. Information is scattered among various channels and old news publications, but since the court documents were released no one did a proper recap. We care, so we managed to buy the domain, which was not hard, but it indicates that we are not just a salesy brand: we are genuinely deep in client-side security and feel it's important to talk about the attacks that happened, otherwise companies do not take action and consumers become victims.

2. Yes, this domain name is still flagged on some DNS filter providers. Threat feeds are an outdated concept that create a false sense of security and pollute the web if not kept up to date. Especially in the case of client-side attacks they are grossly ineffective, as vendors consume the threat feeds but don't actively monitor the data flow or served code, meaning targeted attacks fly under the radar. The BAways domain has not been used in an attack for over 5 years. You've all been very helpful in flagging the DNS you use and we'll reach out to those vendors to correct the flagging of the domain. There is no malicious action on this domain anymore; it purely serves as a reminder to educate on the risks of unmonitored client-side executions.

3. To finish: client-side security is important. When I speak to security engineers, they get it. It's a vital part of the supply chain and it is overlooked. However, executives are often not aware of the issue and feel it is negligible. This is partly because the world has stopped covering client-side attacks for some reason and put them under umbrella terms like "data leaks". Malicious pop-ups are blocked by most browsers, but those pop-ups often originate from malicious JS. Stealthy attacks are easy to pull off, so imagine a small percentage of the pop-ups that were blocked stealing user credentials. Between the Polyfill attack, the data leak of Kaiser Permanente and many other attacks, over 500K websites were impacted in 2024: millions in fines, millions of user credentials, sensitive information and credit cards leaked. The aim of this blog post is to get people to talk and understand that posture management means monitoring the entire posture, not just NPM, not just a simple vulnerability scan, not just the server side and internal networking, but active monitoring of all bases.

I hope this context helps and thanks for your engagement.