lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <44502B8F.2020801@kc.rr.com>
Date: Thu Apr 27 03:24:05 2006
From: mattmurphy at kc.rr.com (Matthew Murphy)
Subject: Internet Explorer User Interface Races, Redeux

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Robert Lemos wrote:
> Hi, Matt, thanks for this. Another 50 bucks is in the mail. This is
> exactly what I need to make the Securityfocus homepage exciting again.

This Lemos spoof is rather entertaining, but not the least bit
convincing.  There are three errors here.

1) The assumption that people can pay me for quotes.  Pretty obvious
give away to me -- maybe not to other people.

2) A Yahoo! account for Lemos.  I have his e-mail address (as any
contact would) and you can bet it's not @yahoo.com.

3) Headers that clearly identify the message as originating from a GMail
account.

    Received: from pproxy.gmail.com (pproxy.gmail.com [64.233.166.182])
	by lists.grok.org.uk (Postfix) with ESMTP id F0B1C8E8	for
 <full-disclosure@...ts.grok.org.uk>; Thu, 27 Apr 2006 01:22:53 +0100 (BST)

    Received: by pproxy.gmail.com with SMTP id i75so1983751pye	for
 <full-disclosure@...ts.grok.org.uk>; Wed, 26 Apr 2006 17:22:53 -0700 (PDT)

    Received: by 10.35.78.9 with SMTP id f9mr960804pyl; Wed,
 26 Apr 2006 17:22:53 -0700 (PDT)
Received: by 10.35.81.19 with HTTP; Wed, 26 Apr 2006 17:22:53 -0700 (PDT)

'pproxy.gmail.com' on a @yahoo.com alias?  Unlikely.  But it gets better:

    DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com;

4) Message-IDs that reveal the identity of the spoofer

The MID on this post is remarkably similar to that of another list pos(t)er:

The Message-ID on the spoof:
3a166c090604261722l2e6236d3h1e68774bc2094bd9@...l.gmail.com

The Message-ID on another post:
3a166c090604242027s2d4acc87p147135d127489b3@...l.gmail.com

Notice that the first 13 bytes of the MIDs are identical.  I had a
theory that these two messages were of similar origin, so I produced two
non-spoofed e-mails from my OWN gmail  account.  I discovered that the
two MIDs were:

a394e3d90604261816p28f5de3uea1382f966c2da3f@...l.gmail.com
a394e3d90604261816u53c64b05md8c9d5c151954d14@...l.gmail.com

Notice that in two MIDs of messages sent only seconds apart with only
three bytes in content variation, there are still only 18 bytes in
common, though the MIDs generated by Google would likely have a
relatively poor rate of entropy over a period of only a few seconds.

Compare this with the MID of a third message sent from a second GMail ID
I own only minutes later with a similar level of content variance:

ef96773a0604261847l3be92ed9j5f11657ed384f9af@...l.gmail.com

Notice that there is a commonality in the string "06042618" which
appears to identify my computer -- presumably by IP or session.

This accounts for the difference in MID uniqueness, because my IP was
*EXACTLY* identical and I was using the SAME session when I sent these
two messages.  The first eight bytes appear to uniquely identify the
account of the originator.

They are EXACTLY identical in the spoofed "Robert Lemos" e-mail when
compared with a previous e-mail of a list poster who's previously been
responsible for noise.

Further, you'll notice that MOST of the computer-specific bytes are
identical, indicating that our sender was probably behind the same
network when the two messages were sent.

Game's up, n3td3v.  You can quit hiding behind your fake Yahoo account
now.  Go away kid, before you hurt somebody.

- --
"Social Darwinism: Try to make something idiot-proof,
nature will provide you with a better idiot."

                                -- Michael Holstein

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB5444D38

iD8DBQFEUCuPfp4vUrVETTgRA5kQAKC6HZ446aQrDURI3DIpxdBCuJkvygCgqexV
NtXJWN5yrxVwyKNhZuG1Y4o=
=HGeQ
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3729 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060426/03594355/smime.bin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ