Date: Fri, 8 Jun 2007 10:52:21 -0500
From: evilrabbi <evilrabbi@...il.com>
To: "M. B. Jr." <marcio.barbado@...il.com>
Cc: Full-Disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: You shady bastards.

ok..

On 6/8/07, M. B. Jr. <marcio.barbado@...il.com> wrote:
> cool,
> HD Moore started a thread,
>
> yeah, let's reply the more we can!!!
>
>
> On 6/6/07, Kradorex Xeron <admin@...ibase.ca> wrote:
> >
> > On Wednesday 06 June 2007 09:47, H D Moore wrote:
> > > Hello,
> > >
> > > Some friends and I were putting together a contact list for the folks
> > > attending the Defcon conference this year in Las Vegas. My friend sent
> > > out an email, with a large CC list, asking people to respond if they
> > > planned on attending. The email was addressed to quite a few people, with
> > > one of them being David Maynor. Unfortunately, his old SecureWorks
> > > address was used, not his current address with ErrattaSec.
> > >
> > > Since one of the messages sent to the group contained a URL to our phone
> > > numbers and names, I got paranoid and decided to determine whether
> > > SecureWorks was still reading email addressed to David Maynor. I sent an
> > > email to David's old SecureWorks address, with a subject line promising
> > > 0-day, and a link to a non-public URL on the metasploit.com web server
> > > (via SSL). Twelve hours later, someone from a Comcast cable modem in
> > > Atlanta tried to access the link, and this someone was (confirmed) not
> > > David. SecureWorks is based in Atlanta. All times are CDT.
> > >
> > > I sent the following message last night at 7:02pm.
> > >
> > > ---
> > > From: H D Moore <hdm[at]metasploit.com>
> > > To: David Maynor <dmaynor[at]secureworks.com>
> > > Subject: Zero-day I promised
> > > Date: Tue, 5 Jun 2007 19:02:11 -0500
> > > User-Agent: KMail/1.9.3
> > > MIME-Version: 1.0
> > > Content-Type: text/plain;
> > >   charset="us-ascii"
> > > Content-Transfer-Encoding: 7bit
> > > Content-Disposition: inline
> > > Message-Id: <200706051902.11544.hdm[at]metasploit.com>
> > > Status: RO
> > > X-Status: RSC
> > >
> > > https://metasploit.com/maynor.tar.gz
> > > ---
> > >
> > > Approximately 12 hours later, the following request shows up in my Apache
> > > log file. It looks like someone at SecureWorks is reading email addressed
> > > to David and tried to access the link I sent:
> > >
> > > 71.59.27.152 - - [05/Jun/2007:19:16:42 -0500] "GET /maynor.tar.gz
> > > HTTP/1.1" 404 211 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en)
> > > AppleWebKit/419 (KHTML, like Gecko) Safari/419.3"
> > >
> > > This address resolves to:
> > > c-71-59-27-152.hsd1.ga.comcast.net
> > >
> > > The whois information is just the standard Comcast block boilerplate.
> > >
> > > ---
> > >
> > > Is this illegal? I could see reading email addressed to him being within
> > > the bounds of the law, but it seems like trying to download the "0day"
> > > link crosses the line.
> > >
> > > Illegal or not, this is still pretty damned shady.
> > >
> > > Bastards.
> > >
> > > -HD
> >
> > I will seldom touch on the legal side but I have a possible scenario:
> >
> > -- If David is no longer at that address, it could be said that his mail
> > account was taken down and the mail sent ended up in a possible "catch all"
> > box, perhaps someone at SecureWorks was looking through the said catchall
> > mailbox for any interesting mail sent to the secureworks.com domain (i.e. to
> > old employees) - It's quite common for companies and organizations to monitor
> > former employee mailboxes in the event anyone that doesn't have any new
> > contact information to be able to still get somewhere with the old address.
> > And them being a security organization, maybe they proceeded to investigate
> > the link sent.
> >
> >
> > >
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > Hosted and sponsored by Secunia - http://secunia.com/
> >
> >
>
>
>
> --
> Marcio Barbado, Jr.
> ==============
> ==============
>


-- 
-- h0 h0 h0 --
www.nopsled.net
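The check HD Moore describes above, a unique URL mailed to one recipient and the web server log watched for anyone fetching it, as an added example that is not part of this thread: a small Python parser for Apache combined-format log lines that reports every request to a canary path, together with the delay since the message was sent. The sample log below is constructed (the quoted request plus one unrelated line); the send time is taken from the quoted Date header.

```python
import re
from datetime import datetime

# Apache "combined" log format, the layout of the quoted log line above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log: one unrelated request, then the request quoted in the thread.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Jun/2007:18:59:01 -0500] "GET /index.html HTTP/1.1" 200 1234 "-" "curl/7.15"
71.59.27.152 - - [05/Jun/2007:19:16:42 -0500] "GET /maynor.tar.gz HTTP/1.1" 404 211 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/419 (KHTML, like Gecko) Safari/419.3"
"""

# Send time from the quoted Date: header of the canary message.
SENT_AT = datetime.strptime("Tue, 5 Jun 2007 19:02:11 -0500",
                            "%a, %d %b %Y %H:%M:%S %z")

# The canary path only that one recipient was given (from the quoted message).
CANARY_PATHS = {"/maynor.tar.gz"}


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def canary_hits(log_text, canary_paths, sent_at):
    """Return (client ip, path, user agent, seconds after send) for each request to a canary path.

    A 404 is irrelevant here: the point is that the URL was requested at all,
    since nobody but the intended recipient was ever given it.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and rec["path"] in canary_paths:
            delay = (rec["ts"] - sent_at).total_seconds()
            hits.append((rec["ip"], rec["path"], rec["ua"], delay))
    return hits


if __name__ == "__main__":
    for ip, path, ua, delay in canary_hits(SAMPLE_LOG, CANARY_PATHS, SENT_AT):
        print(f"canary {path} fetched by {ip} after {delay:.0f}s using {ua!r}")
```

Unmatched lines are skipped rather than raising, so the function can run over a live access log that mixes formats.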
