[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] You shady bastards.

To: full-disclosure <full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: Re: [Full-disclosure] You shady bastards.
From: Jay Sulzberger <jays@xxxxxxxxx>
Date: Wed, 6 Jun 2007 11:29:54 -0400 (EDT)


On Wed, 6 Jun 2007, J. Oquendo <sil@xxxxxxxxxxxxxxx> wrote:

> H D Moore wrote:
>> Hello,
>> 
>> Some friends and I were putting together a contact list for the folks 
>> attending the Defcon conference this year in Las Vegas. My friend sent out 
>> an email, with a large CC list, asking people to respond if they planned on 
>> attending. The email was addressed to quite a few people, with one of them 
>> being David Maynor. Unfortunately, his old SecureWorks address was used, 
>> not his current address with ErrattaSec. 
>> Since one of the messages sent to the group contained a URL to our phone 
>> numbers and names, I got paranoid and decided to determine whether 
>> SecureWorks was still reading email addressed to David Maynor. I sent an 
>> email to David's old SecureWorks address, with a subject line promising 
>> 0-day, and a link to a non-public URL on the metasploit.com web server (via 
>> SSL). Twelve hours later, someone from a Comcast cable modem in Atlanta 
>> tried to access the link, and this someone was (confirmed) not David. 
>> SecureWorks is based in Atlanta. All times are CDT.
>> 
>> I sent the following message last night at 7:02pm.
>> 
>> ---
>> From: H D Moore <hdm[at]metasploit.com>
>> To: David Maynor <dmaynor[at]secureworks.com>
>> Subject: Zero-day I promised
>> Date: Tue, 5 Jun 2007 19:02:11 -0500
>> User-Agent: KMail/1.9.3
>> MIME-Version: 1.0
>> Content-Type: text/plain;
>>   charset="us-ascii"
>> Content-Transfer-Encoding: 7bit
>> Content-Disposition: inline
>> Message-Id: <200706051902.11544.hdm[at]metasploit.com>
>> Status: RO
>> X-Status: RSC
>> 
>> https://metasploit.com/maynor.tar.gz
>> ---
>> 
>> Approximately 12 hours later, the following request shows up in my Apache 
>> log file. It looks like someone at SecureWorks is reading email addressed 
>> to David and tried to access the link I sent:
>> 
>> 71.59.27.152 - - [05/Jun/2007:19:16:42 -0500] "GET /maynor.tar.gz HTTP/1.1" 
>> 404 211 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/419 
>> (KHTML, like Gecko) Safari/419.3"
>> 
>> This address resolves to:
>> c-71-59-27-152.hsd1.ga.comcast.net
>> 
>> The whois information is just the standard Comcast block boilerplate.
>> 
>> ---
>> 
>> Is this illegal? I could see reading email addressed to him being within 
>> the bounds of the law, but it seems like trying to download the "0day" link 
>> crosses the line.
>> 
>> Illegal or not, this is still pretty damned shady.
>> 
>> Bastards.
>> 
>> -HD
>> 
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>> 
> Why would it be illegal if his former employer accessed his email using
> this method. The information going to their network is considered their
> property and they could do as they see fit. I could see if in your
> email you included the almost always ignored disclaimer bs though:
>
> THIS EMAIL IS INTENDED FOR THE RECIPIENT'S EYES ONLY. YOU WILL LIKELY
> IGNORE THIS ANYWAY BUT USING THIS STUPIDLY CRAFTED CONFIDENTIALITY
> DISCLAIMER, I WILL FILL MORE SPACE IN YOUR INBOX AND GENERATE MORE
> POINTLESS BANDWIDTH USAGE ON YOUR NETWORK. IF YOU ARE NOT THE INTENDED
> RECIPIENT READING THIS EMAIL AND OR ATTACHMENTS LINKS ETAL WILL RESULT
> IN US PRETENDING TO HIRE A LAWYER AND DOING SOMETHING ABOUT IT.
>
> I know how many times I've seen these listed with someone shooting
> off information to mailing lists to do an "oops f*** I sent that to
> the wrong place"... What are the options now? Sue everyone who read
> it? Gash their eyes out. Normally if I were going to send out an email
> that was *THAT* confidential, I personally do two things:
>
> 1) Call the person to make sure they're available to get it. If not
> its not sent until they're ready.
> 2) Secondly if I have to post something on my website for someone's
> personal viewing, I usually do something like:
>
> $ echo theirname|md5
> 6a9c1e04624bcc81a84800b8aa10a1f1
>
> Where the checksum becomes the file and I send them the link to the
> file. What are the odds of someone finding that checksum... Highly
> unlikely.
>
> -- 
> ====================================================
> J. Oquendo

Ah, "something like".  Likely in practice your file name is
saltier, and you can taste the nonce.

oo--JS.


> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
> echo infiltrated.net|sed 's/^/sil@/g' 
> "Wise men talk because they have something to say;
> fools, because they have to say something." -- Plato
>
>
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] You shady bastards.
  - From: H D Moore
- Re: [Full-disclosure] You shady bastards.
  - From: J. Oquendo

Prev by Date: Re: [Full-disclosure] You shady bastards.
Next by Date: Re: [Full-disclosure] You shady bastards.
Previous by thread: Re: [Full-disclosure] You shady bastards.
Next by thread: Re: [Full-disclosure] You shady bastards.
Index(es):
- Date
- Thread