State/IRM blocked this blog’s evil shadow diplopundit.com, and it’s a good thing!

Posted: 7:24 pm EDT
Updated: 4:06 pm EDT


Last week we blogged about some reported issues with accessing this blog from the State Department. There were reports of this blog displaying as a blank page, and another of this blog being categorized as “suspicious.”

Two things to remember — first, if you’re connecting to this blog from a State Department network and you get a blank screen, check if you’re using Internet Explorer 8. If you are, you need to switch to Chrome if you want to read this blog.

Second, if you get the “suspicious” prompt or a block that prevents you from connecting to Diplopundit, make sure you are connecting to the correct URL – the one that sounds rhymy — diplopundit.NET, and not/not its evil shadow diplopundit.COM.

Here is the back story. We thought it was a question of the left hand not knowing what the right hand is doing; it wasn't that. Nothing to do with the tigers either. So our apologies for thinking that. The firewall did bite, but not for any wicked reason. It was merely a coincidence of two unrelated issues that occurred around the same time.

After we blogged about the access issues from State, Ann from State/IRM's Information Assurance office reached out to us to help figure out what was going on.

“Suspicious” Category

So folks who attempted to access Diplopundit but typed .COM instead of .NET were blocked by state.gov, and will continue to be blocked. And that's a good thing.


IRM/IA's Ann did some sleuthing and discovered that somebody is domain camping on diplopundit.com, a domain registered out of Australia under protected status, so it's not clear who owns it. Apparently, it is a very common attack to buy up domain names that are similar to a popular one (different endings, common typos, etc.) and then camp malware on them. She notes that "It's especially awesome to do this to sites that have a high likelihood for targeted visitors, like, oh, maybe Department of State and other governments." Running the domain through some site reputation lookups came back "suspicious":

www.brightcloud.com threat intelligence: Suspicious

http://www.isithacked.com/check/www.diplopundit.com : Suspicious returns

IRM/IA tried to access diplopundit.com, and the site redirects to another site that tells users their computers are infected and to click "ok" to begin the repair process. DEFINITELY malicious. IRM/IA's IT ninja concludes that not only did the State Department's security systems work as needed, but someone is using the reputation of Diplopundit to try to infect users who type the wrong URL.

Ugh! So watch what you type. She's not sure if this is targeted or just criminal botnet activity, but whatever it is, stay away from diplopundit.COM. Also, make sure you're not sending any email to diplopundit.COM, as that email would end up with whoever owns that shadowy domain.
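The lookalike-domain problem described above (same name with a different ending, or one keystroke off) and the warning about misaddressed email can both be caught with a small check on outbound links and recipient addresses. This is an added example, not State/IRM's or WordPress's tooling; the `TRUSTED` list, the function names and the single-label-TLD assumption are ours.

```python
"""Flag lookalike domains for a trusted site: TLD swaps and one-keystroke typos.

Defensive check for outbound mail and links. The trusted list and the helper
names are assumptions for this example, not State/IRM tooling.
"""
from urllib.parse import urlparse

TRUSTED = {"diplopundit.net"}  # the legitimate domain; diplopundit.com is the shadow


def _split(domain: str):
    """(second-level label, TLD): www.diplopundit.com -> ('diplopundit', 'com').
    Assumes a single-label TLD; a public-suffix list would be needed for .co.uk etc."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def within_one_typo(a: str, b: str) -> bool:
    """True if a and b differ by one substitution, insertion, deletion or adjacent swap."""
    if a == b:
        return True
    if len(a) == len(b):
        if sum(x != y for x, y in zip(a, b)) == 1:
            return True  # substitution, e.g. dipl0pundit
        return any(a[:i] + a[i + 1] + a[i] + a[i + 2:] == b for i in range(len(a) - 1))
    if abs(len(a) - len(b)) != 1:
        return False
    short, long_ = sorted((a, b), key=len)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def classify_domain(domain: str) -> str:
    """'trusted', 'lookalike' (block or warn) or 'unrelated'."""
    name, tld = _split(domain)
    for trusted in TRUSTED:
        tname, ttld = _split(trusted)
        if name == tname and tld == ttld:
            return "trusted"
        if name == tname or within_one_typo(name, tname):
            return "lookalike"  # same name with another ending, or one keystroke off
    return "unrelated"


def check_email(address: str) -> str:
    """Classify the recipient domain of an outbound address."""
    return classify_domain(address.rpartition("@")[2])


def check_url(url: str) -> str:
    """Classify the host of a link before following it."""
    return classify_domain(urlparse(url).hostname or "")
```

In a mail gateway or proxy policy, "lookalike" is the verdict to block or prompt on, which is what the state.gov "suspicious" category did here.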

The Blank Screens

Internet Explorer (IE) is the browser compatible with the Department of State's IT system. A couple of years ago, Chrome became an optional browser. IE8 and other old browsers are less stable and much more vulnerable to viruses and other security issues. IE8 also doesn't support a lot of things, including the HTML5 and CSS used by WordPress. In fact, we're told that WP's support for this browser version was dropped a while back. Microsoft has also reported that it will end support for it. So it's not about what script is in this blog; it's about the IE8 browser not playing nice with the blog. This blog displays properly on Safari, Firefox, Chrome, and Internet Explorer 9. Our tech folks suggested that IE8 users upgrade to IE9 if at all possible.

Our readers from State can't just do that on their own, so we asked IRM. The word is that the State Department will probably skip IE9 due to resource constraints on testing each incremental version. The good news is that it will move everyone directly to Internet Explorer 11 in December. That may sound a long way off, but we're told that the move forces everyone from 32-bit to 64-bit servers, which is not an insignificant jump for all the developers (including those for Consular Affairs and the financial services). So there is that to look forward to at the end of the year.

Our most sincere thanks to State/IRM, especially IA's Ann, who pursued this issue to the end, and also to WP's Grace and her team for helping us understand what's going on. Merci.
