lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 06 Jun 2007 10:05:29 -0400
From: "J. Oquendo" <sil@...iltrated.net>
To: H D Moore <fdlist@...italoffense.net>
Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: You shady bastards.

H D Moore wrote:
> Hello,
>
> Some friends and I were putting together a contact list for the folks 
> attending the Defcon conference this year in Las Vegas. My friend sent 
> out an email, with a large CC list, asking people to respond if they 
> planned on attending. The email was addressed to quite a few people, with 
> one of them being David Maynor. Unfortunately, his old SecureWorks 
> address was used, not his current address with ErrattaSec. 
>
> Since one of the messages sent to the group contained a URL to our phone 
> numbers and names, I got paranoid and decided to determine whether 
> SecureWorks was still reading email addressed to David Maynor. I sent an 
> email to David's old SecureWorks address, with a subject line promising 
> 0-day, and a link to a non-public URL on the metasploit.com web server 
> (via SSL). Twelve hours later, someone from a Comcast cable modem in 
> Atlanta tried to access the link, and this someone was (confirmed) not 
> David. SecureWorks is based in Atlanta. All times are CDT.
>
> I sent the following message last night at 7:02pm.
>
> ---
> From: H D Moore <hdm[at]metasploit.com>
> To: David Maynor <dmaynor[at]secureworks.com>
> Subject: Zero-day I promised
> Date: Tue, 5 Jun 2007 19:02:11 -0500
> User-Agent: KMail/1.9.3
> MIME-Version: 1.0
> Content-Type: text/plain;
>   charset="us-ascii"
> Content-Transfer-Encoding: 7bit
> Content-Disposition: inline
> Message-Id: <200706051902.11544.hdm[at]metasploit.com>
> Status: RO
> X-Status: RSC
>
> https://metasploit.com/maynor.tar.gz
> ---
>
> Approximately 12 hours later, the following request shows up in my Apache 
> log file. It looks like someone at SecureWorks is reading email addressed 
> to David and tried to access the link I sent:
>
> 71.59.27.152 - - [05/Jun/2007:19:16:42 -0500] "GET /maynor.tar.gz 
> HTTP/1.1" 404 211 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) 
> AppleWebKit/419 (KHTML, like Gecko) Safari/419.3"
>
> This address resolves to:
> c-71-59-27-152.hsd1.ga.comcast.net
>
> The whois information is just the standard Comcast block boilerplate.
>
> ---
>
> Is this illegal? I could see reading email addressed to him being within 
> the bounds of the law, but it seems like trying to download the "0day" 
> link crosses the line.
>
> Illegal or not, this is still pretty damned shady.
>
> Bastards.
>
> -HD
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>   
Why would it be illegal if his former employer accessed his email using
this method. The information going to their network is considered their
property and they could do as they see fit. I could see if in your
email you included the almost always ignored disclaimer bs though:

THIS EMAIL IS INTENDED FOR THE RECIPIENT'S EYES ONLY. YOU WILL LIKELY
IGNORE THIS ANYWAY BUT USING THIS STUPIDLY CRAFTED CONFIDENTIALITY
DISCLAIMER, I WILL FILL MORE SPACE IN YOUR INBOX AND GENERATE MORE
POINTLESS BANDWIDTH USAGE ON YOUR NETWORK. IF YOU ARE NOT THE INTENDED
RECIPIENT READING THIS EMAIL AND OR ATTACHMENTS LINKS ETAL WILL RESULT
IN US PRETENDING TO HIRE A LAWYER AND DOING SOMETHING ABOUT IT.

I know how many times I've seen these listed with someone shooting
off information to mailing lists to do an "oops f*** I sent that to
the wrong place"... What are the options now? Sue everyone who read
it? Gash their eyes out. Normally if I were going to send out an email
that was *THAT* confidential, I personally do two things:

1) Call the person to make sure they're available to get it. If not
its not sent until they're ready.
2) Secondly if I have to post something on my website for someone's
personal viewing, I usually do something like:

$ echo theirname|md5
6a9c1e04624bcc81a84800b8aa10a1f1

Where the checksum becomes the file and I send them the link to the
file. What are the odds of someone finding that checksum... Highly
unlikely.

-- 
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
echo infiltrated.net|sed 's/^/sil@/g' 

"Wise men talk because they have something to say;
fools, because they have to say something." -- Plato



Download attachment "smime.p7s" of type "application/x-pkcs7-signature" (5157 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ