Message-ID: <2df3b0cb0706080829y532d6ab9rec120b40af16140b@mail.gmail.com>
Date: Fri, 8 Jun 2007 12:29:20 -0300
From: M.B.Jr. <marcio.barbado@...il.com>
To: admin@...ibase.ca
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: You shady bastards.
cool,
HD Moore started a thread,
yeah, let's reply as much as we can!!!
On 6/6/07, Kradorex Xeron <admin@...ibase.ca> wrote:
>
> On Wednesday 06 June 2007 09:47, H D Moore wrote:
> > Hello,
> >
> > Some friends and I were putting together a contact list for the folks
> > attending the Defcon conference this year in Las Vegas. My friend sent
> > out an email, with a large CC list, asking people to respond if they
> > planned on attending. The email was addressed to quite a few people, with
> > one of them being David Maynor. Unfortunately, his old SecureWorks
> > address was used, not his current address with ErrattaSec.
> >
> > Since one of the messages sent to the group contained a URL to our phone
> > numbers and names, I got paranoid and decided to determine whether
> > SecureWorks was still reading email addressed to David Maynor. I sent an
> > email to David's old SecureWorks address, with a subject line promising
> > 0-day, and a link to a non-public URL on the metasploit.com web server
> > (via SSL). Twelve hours later, someone from a Comcast cable modem in
> > Atlanta tried to access the link, and this someone was (confirmed) not
> > David. SecureWorks is based in Atlanta. All times are CDT.
> >
> > I sent the following message last night at 7:02pm.
> >
> > ---
> > From: H D Moore <hdm[at]metasploit.com>
> > To: David Maynor <dmaynor[at]secureworks.com>
> > Subject: Zero-day I promised
> > Date: Tue, 5 Jun 2007 19:02:11 -0500
> > User-Agent: KMail/1.9.3
> > MIME-Version: 1.0
> > Content-Type: text/plain;
> > charset="us-ascii"
> > Content-Transfer-Encoding: 7bit
> > Content-Disposition: inline
> > Message-Id: <200706051902.11544.hdm[at]metasploit.com>
> > Status: RO
> > X-Status: RSC
> >
> > https://metasploit.com/maynor.tar.gz
> > ---
> >
> > Approximately 12 hours later, the following request shows up in my Apache
> > log file. It looks like someone at SecureWorks is reading email addressed
> > to David and tried to access the link I sent:
> >
> > 71.59.27.152 - - [05/Jun/2007:19:16:42 -0500] "GET /maynor.tar.gz
> > HTTP/1.1" 404 211 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en)
> > AppleWebKit/419 (KHTML, like Gecko) Safari/419.3"
> >
> > This address resolves to:
> > c-71-59-27-152.hsd1.ga.comcast.net
> >
> > The whois information is just the standard Comcast block boilerplate.
> >
> > ---
> >
> > Is this illegal? I could see reading email addressed to him being within
> > the bounds of the law, but it seems like trying to download the "0day"
> > link crosses the line.
> >
> > Illegal or not, this is still pretty damned shady.
> >
> > Bastards.
> >
> > -HD
>
> I will seldom touch on the legal side but I have a possible scenario:
>
> -- If David is no longer at that address, it could be said that his mail
> account was taken down and the mail sent ended up in a possible "catch all"
> box, perhaps someone at SecureWorks was looking through the said catchall
> mailbox for any interesting mail sent to the secureworks.com domain (i.e. to
> old employees) - It's quite common for companies and organizations to monitor
> former employee mailboxes in the event anyone that doesn't have any new
> contact information to be able to still get somewhere with the old address.
> And them being a security organization, maybe they proceeded to investigate
> the link sent.
>
>
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
--
Marcio Barbado, Jr.
==============
==============
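The quoted post above is, at bottom, a canary check: a unique, unpublished URL is mailed to one address, and the web server's access log is watched for anyone fetching it. The script below is an added example of that log-side check and is not code from HD Moore's post or from the metasploit.com server. It assumes a per-recipient canary map (`CANARY_PATHS`, hypothetical) so a hit can be attributed to the mailbox that was read, parses Apache "combined" log lines, and reports how long after the bait mail each hit arrived. The log lines and the documentation-range IP addresses in `SAMPLE_LOG` are constructed for the example.

```python
"""Spot requests for per-recipient canary URLs in an Apache combined-format access log."""
import re
from datetime import datetime, timezone, timedelta

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Hypothetical canary map: every address that received the bait mail got its own
# unguessable path, so a request for a path tells you which mailbox was read.
CANARY_PATHS = {
    "/canary/7f3a9c1e.tar.gz": "old-address@example.com",
    "/canary/0b2d4e6f.tar.gz": "current-address@example.com",
}

# When the bait mail was sent (the post's own send time, US Central, UTC-5).
SENT_AT = datetime(2007, 6, 5, 19, 2, 11, tzinfo=timezone(timedelta(hours=-5)))

# Constructed sample log (documentation-range IPs), not lines from the original post.
SAMPLE_LOG = """\
192.0.2.10 - - [05/Jun/2007:19:05:01 -0500] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Jun/2007:07:16:42 -0500] "GET /canary/7f3a9c1e.tar.gz HTTP/1.1" 404 211 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) Safari/419.3"
203.0.113.5 - - [06/Jun/2007:08:00:00 -0500] "GET /robots.txt HTTP/1.1" 200 24 "-" "curl/7.16.2"
this line is not a valid log entry and is skipped
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Apache timestamps look like 05/Jun/2007:19:16:42 -0500; %z keeps the offset.
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_canary_hits(log_text, canary_paths, sent_at):
    """Return one record per request whose path is a known canary path.

    Status is kept deliberately: a 404 still counts, because the point is that
    the link was followed at all, not that the file existed.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] not in canary_paths:
            continue
        hits.append({
            "recipient": canary_paths[rec["path"]],
            "ip": rec["ip"],
            "when": rec["ts"],
            "hours_after_send": round((rec["ts"] - sent_at).total_seconds() / 3600, 2),
            "status": rec["status"],
            "user_agent": rec["ua"],
        })
    return hits


if __name__ == "__main__":
    for h in find_canary_hits(SAMPLE_LOG, CANARY_PATHS, SENT_AT):
        print(f"{h['when'].isoformat()} {h['ip']} fetched canary for {h['recipient']} "
              f"({h['hours_after_send']} h after send, HTTP {h['status']}) UA={h['user_agent']}")
```

Running it on the constructed log reports a single hit, for the `old-address@example.com` canary, about 12 hours after the send. Because each recipient gets a distinct path, a hit on a path that was only ever mailed to a decommissioned address is evidence that the old mailbox is still being read, which is exactly the inference the post draws; the reverse-DNS and whois lookups the post mentions are a separate step on the reported IP.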