Hello and welcome to the Wednesday, January 21st, 2006 edition of the Sands Internet Storm Center's Stormcast.

My name is Johannes Ulrich, recording today from Jacksonville, Florida.

And this episode is brought to you by the sands, create your certificate program in penetration testing and ethical hacking.

A good reminder today from Xavier to, well, don't forget to look for international domain names in your DNS logs.

There are some legitimate international domain names, and of course, how many of them

you'll see depends somewhat on your users, which websites they frequent, but international domain

names also have the unfortunate ability to impersonate the more commonly used ASCII domain names.

And, well, that's exactly what Xavier is looking for here.

If you have a non-ASCII domain name, the label starts with XN dash-dash.

So that's one thing to look for.

In particular, if the top-level domain name is not an international top-level domain,

but a standard ASQ domain, that's often a hint that something fishy is going on here,

as in someone attempting to impersonate a particular website.

So take a look at that.

However, how effective this particular attack is also very much depends on the browser your users are using.

Safari tends to be a little bit more vulnerable here in that it's more likely to actually display those non-asky characters.

While a lot of other browsers, like, well, really a lot, or Chrome,

so the big other browser is typically showing the puny code,

which means the domain is then displayed with the XN-Dash-Dash prefix,

and no non-asky characters are being displayed.

So take a look at domain names or domain logs and see if you find anything interesting.

And always kind of like these warn abilities in old software that have been around for decades.

...