Message-Id: <20070608170811.24D28DA831@mailserver8.hushmail.com>
Date: Fri, 08 Jun 2007 13:08:10 -0400
From: "Joey Mengele" <joey.mengele@...hmail.com>
To: <marcio.barbado@...il.com>,<evilrabbi@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: You shady bastards.
LOLOLOLOL
On Fri, 08 Jun 2007 11:52:21 -0400 evilrabbi <evilrabbi@...il.com>
wrote:
>ok..
>
>On 6/8/07, M. B. Jr. <marcio.barbado@...il.com> wrote:
>> cool,
>> HD Moore started a thread,
>>
>> yeah, let's reply the more we can!!!
>>
>> On 6/6/07, Kradorex Xeron <admin@...ibase.ca> wrote:
>> >
>> > On Wednesday 06 June 2007 09:47, H D Moore wrote:
>> > > Hello,
>> > >
>> > > Some friends and I were putting together a contact list for the folks
>> > > attending the Defcon conference this year in Las Vegas. My friend sent
>> > > out an email, with a large CC list, asking people to respond if they
>> > > planned on attending. The email was addressed to quite a few people, with
>> > > one of them being David Maynor. Unfortunately, his old SecureWorks
>> > > address was used, not his current address with ErrattaSec.
>> > >
>> > > Since one of the messages sent to the group contained a URL to our phone
>> > > numbers and names, I got paranoid and decided to determine whether
>> > > SecureWorks was still reading email addressed to David Maynor. I sent an
>> > > email to David's old SecureWorks address, with a subject line promising
>> > > 0-day, and a link to a non-public URL on the metasploit.com web server
>> > > (via SSL). Twelve hours later, someone from a Comcast cable modem in
>> > > Atlanta tried to access the link, and this someone was (confirmed) not
>> > > David. SecureWorks is based in Atlanta. All times are CDT.
>> > >
>> > > I sent the following message last night at 7:02pm.
>> > >
>> > > ---
>> > > From: H D Moore <hdm[at]metasploit.com>
>> > > To: David Maynor <dmaynor[at]secureworks.com>
>> > > Subject: Zero-day I promised
>> > > Date: Tue, 5 Jun 2007 19:02:11 -0500
>> > > User-Agent: KMail/1.9.3
>> > > MIME-Version: 1.0
>> > > Content-Type: text/plain;
>> > >   charset="us-ascii"
>> > > Content-Transfer-Encoding: 7bit
>> > > Content-Disposition: inline
>> > > Message-Id: <200706051902.11544.hdm[at]metasploit.com>
>> > > Status: RO
>> > > X-Status: RSC
>> > >
>> > > https://metasploit.com/maynor.tar.gz
>> > > ---
>> > >
>> > > Approximately 12 hours later, the following request shows up in my Apache
>> > > log file. It looks like someone at SecureWorks is reading email addressed
>> > > to David and tried to access the link I sent:
>> > >
>> > > 71.59.27.152 - - [05/Jun/2007:19:16:42 -0500] "GET /maynor.tar.gz
>> > > HTTP/1.1" 404 211 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en)
>> > > AppleWebKit/419 (KHTML, like Gecko) Safari/419.3"
>> > >
>> > > This address resolves to:
>> > > c-71-59-27-152.hsd1.ga.comcast.net
>> > >
>> > > The whois information is just the standard Comcast block boilerplate.
>> > >
>> > > ---
>> > >
>> > > Is this illegal? I could see reading email addressed to him being within
>> > > the bounds of the law, but it seems like trying to download the "0day"
>> > > link crosses the line.
>> > >
>> > > Illegal or not, this is still pretty damned shady.
>> > >
>> > > Bastards.
>> > >
>> > > -HD
>> >
>> > I will seldom touch on the legal side but I have a possible scenario:
>> >
>> > -- If David is no longer at that address, it could be said that his mail
>> > account was taken down and the mail sent ended up in a possible "catch all"
>> > box, perhaps someone at SecureWorks was looking through the said catchall
>> > mailbox for any interesting mail sent to the secureworks.com domain (i.e.
>> > to old employees) - It's quite common for companies and organizations to
>> > monitor former employee mailboxes in the event anyone that doesn't have any
>> > new contact information to be able to still get somewhere with the old
>> > address. And them being a security organization, maybe they proceeded to
>> > investigate the link sent.
>> >
>> > >
>> > > _______________________________________________
>> > > Full-Disclosure - We believe in it.
>> > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> > > Hosted and sponsored by Secunia - http://secunia.com/
>> >
>>
>> --
>> Marcio Barbado, Jr.
>> ==============
>> ==============
>>
>
>--
>-- h0 h0 h0 --
>www.nopsled.net
>
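HD Moore's message quoted in this thread is a canary-URL check: a unique, non-public link sent to exactly one mailbox, so that any request for it in the web server log proves the message was read, even when the server answers 404. The script below is an added example, not code from the thread, from the list, or from Metasploit. It derives a per-recipient canary path from a server-side secret with HMAC, keeps a registry of path to recipient, and scans Apache combined-format log lines for requests to registered paths, reporting which mailbox the link went to, the requesting IP, the time and the user agent. The secret, the recipient addresses, the IP addresses (documentation ranges) and the log lines are all constructed for this example.

```python
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Optional

# Apache "combined" log format: remote host, ident, user, time, request,
# status, size, referer, user agent. Regex written for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def new_secret() -> bytes:
    """Server-side secret for deriving canary paths; it never travels in mail."""
    return secrets.token_bytes(32)


def make_canary_path(secret: bytes, recipient: str) -> str:
    """Derive an unguessable, per-recipient path. An HMAC lets the sender map a
    hit back to the mailbox it was sent to, while someone who sees one canary
    URL cannot predict the URL sent to any other recipient."""
    tag = hmac.new(secret, recipient.encode("utf-8"), hashlib.sha256).hexdigest()[:24]
    return f"/canary/{tag}.tar.gz"


@dataclass
class CanaryHit:
    recipient: str      # mailbox the canary link was sent to
    ip: str             # remote host that requested the link
    timestamp: datetime
    status: int         # any status counts: a 404 still proves the link was read
    user_agent: str


def parse_line(line: str) -> Optional[dict]:
    """Fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_canary_hits(lines: Iterable[str], registry: Dict[str, str]) -> List[CanaryHit]:
    """Scan log lines for requests to registered canary paths.
    registry maps canary path -> recipient it was sent to."""
    hits: List[CanaryHit] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # skip malformed lines rather than crash
        # Drop any query string so "/canary/x.tar.gz?foo=1" still matches.
        path = rec["target"].split("?", 1)[0]
        recipient = registry.get(path)
        if recipient is None:
            continue
        ts = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits.append(CanaryHit(recipient, rec["ip"], ts, int(rec["status"]), rec["ua"]))
    return hits


# --- Constructed demo data (not taken from the thread) ----------------------
SECRET = b"constructed-demo-secret"   # use new_secret() in a real deployment
RECIPIENTS = ["alice@example.com", "former-employee@example.com"]
REGISTRY = {make_canary_path(SECRET, r): r for r in RECIPIENTS}

# Sample log lines; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Jun/2007:19:02:11 -0500] "GET /index.html HTTP/1.1" '
    '200 1043 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [06/Jun/2007:07:16:42 -0500] "GET '
    + make_canary_path(SECRET, "former-employee@example.com")
    + ' HTTP/1.1" 404 211 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) Safari/419.3"',
    "not a log line at all",
]

if __name__ == "__main__":
    for hit in find_canary_hits(SAMPLE_LOG, REGISTRY):
        print(f"{hit.timestamp.isoformat()} {hit.ip} fetched canary sent to "
              f"{hit.recipient} (status {hit.status}, UA {hit.user_agent!r})")
```

Because each recipient gets a distinct path, one log hit identifies which mailbox leaked without any guesswork, and because the path is derived from a secret rather than stored per recipient, the registry can be rebuilt from the recipient list alone. The 404 in the sample is deliberate: the canary file need not exist, the request itself is the signal.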