Full Disclosure mailing list archives
Re: You shady bastards.
From: "Joey Mengele" <joey.mengele () hushmail com>
Date: Fri, 08 Jun 2007 13:08:10 -0400
LOLOLOLOL

On Fri, 08 Jun 2007 11:52:21 -0400 evilrabbi <evilrabbi () gmail com> wrote:
> ok..
>
> On 6/8/07, M. B. Jr. <marcio.barbado () gmail com> wrote:
> > cool, HD Moore started a thread,
> > yeah, let's reply the more we can!!!
> >
> > On 6/6/07, Kradorex Xeron <admin () digibase ca> wrote:
> > > On Wednesday 06 June 2007 09:47, H D Moore wrote:
> > > > Hello,
> > > >
> > > > Some friends and I were putting together a contact list for the folks
> > > > attending the Defcon conference this year in Las Vegas. My friend sent
> > > > out an email, with a large CC list, asking people to respond if they
> > > > planned on attending. The email was addressed to quite a few people,
> > > > with one of them being David Maynor. Unfortunately, his old SecureWorks
> > > > address was used, not his current address with ErrattaSec.
> > > >
> > > > Since one of the messages sent to the group contained a URL to our phone
> > > > numbers and names, I got paranoid and decided to determine whether
> > > > SecureWorks was still reading email addressed to David Maynor. I sent an
> > > > email to David's old SecureWorks address, with a subject line promising
> > > > 0-day, and a link to a non-public URL on the metasploit.com web server
> > > > (via SSL). Twelve hours later, someone from a Comcast cable modem in
> > > > Atlanta tried to access the link, and this someone was (confirmed) not
> > > > David. SecureWorks is based in Atlanta. All times are CDT.
> > > >
> > > > I sent the following message last night at 7:02pm.
> > > >
> > > > ---
> > > > From: H D Moore <hdm[at]metasploit.com>
> > > > To: David Maynor <dmaynor[at]secureworks.com>
> > > > Subject: Zero-day I promised
> > > > Date: Tue, 5 Jun 2007 19:02:11 -0500
> > > > User-Agent: KMail/1.9.3
> > > > MIME-Version: 1.0
> > > > Content-Type: text/plain; charset="us-ascii"
> > > > Content-Transfer-Encoding: 7bit
> > > > Content-Disposition: inline
> > > > Message-Id: <200706051902.11544.hdm[at]metasploit.com>
> > > > Status: RO
> > > > X-Status: RSC
> > > >
> > > > https://metasploit.com/maynor.tar.gz
> > > > ---
> > > >
> > > > Approximately 12 hours later, the following request shows up in my
> > > > Apache log file. It looks like someone at SecureWorks is reading email
> > > > addressed to David and tried to access the link I sent:
> > > >
> > > > 71.59.27.152 - - [05/Jun/2007:19:16:42 -0500] "GET /maynor.tar.gz HTTP/1.1" 404 211 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/419 (KHTML, like Gecko) Safari/419.3"
> > > >
> > > > This address resolves to:
> > > > c-71-59-27-152.hsd1.ga.comcast.net
> > > >
> > > > The whois information is just the standard Comcast block boilerplate.
> > > >
> > > > ---
> > > >
> > > > Is this illegal? I could see reading email addressed to him being within
> > > > the bounds of the law, but it seems like trying to download the "0day"
> > > > link crosses the line.
> > > >
> > > > Illegal or not, this is still pretty damned shady.
> > > >
> > > > Bastards.
> > > >
> > > > -HD
> > >
> > > I will seldom touch on the legal side but I have a possible scenario:
> > >
> > > -- If David is no longer at that address, it could be said that his mail
> > > account was taken down and the mail sent ended up in a possible "catch
> > > all" box, perhaps someone at SecureWorks was looking through the said
> > > catch all mailbox for any interesting mail sent to the secureworks.com
> > > domain (i.e. to old employees)
> > >
> > > - It's quite common for companies and organizations to monitor former
> > > employee mailboxes in the event anyone that doesn't have any new contact
> > > information to be able to still get somewhere with the old address.
> > >
> > > And them being a security organization, maybe they proceeded to
> > > investigate the link sent.
> > >
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > Hosted and sponsored by Secunia - http://secunia.com/
> >
> > --
> > Marcio Barbado, Jr.
> > ==============
> > ==============
>
> --
> -- h0 h0 h0 --
> www.nopsled.net
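The tripwire described in the quoted message (a unique, unpublished URL sent to a single mailbox, then watched for in the web server log) can be checked mechanically. The following is an added example, not part of the original thread: the path, addresses and timestamps are constructed, and `canary_hits` is a hypothetical helper name.

```python
import re
from datetime import datetime

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
COMBINED = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

def canary_hits(log_lines, canary_path, sent_at, expected_hosts=()):
    """Return one record per request for canary_path that did not come
    from a host the intended recipient is known to use."""
    hits = []
    for line in log_lines:
        m = COMBINED.match(line)
        if not m:
            continue  # malformed or non-combined line
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if path != canary_path or m["host"] in expected_hosts:
            continue
        seen = datetime.strptime(m["time"], TIME_FMT)
        hits.append({
            "host": m["host"],
            # timezone-aware subtraction, so mixed log offsets compare correctly
            "delay_s": int((seen - sent_at).total_seconds()),
            # a 404 still counts: the request itself is the signal
            "status": int(m["status"]),
            "agent": m["agent"],
        })
    return hits

# Constructed sample data (documentation address ranges, made-up canary path).
SENT_AT = datetime.strptime("01/Jan/2024:10:00:00 +0000", TIME_FMT)
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:09:59:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "ExampleBrowser/1.0"',
    '192.0.2.10 - - [01/Jan/2024:10:05:00 +0000] "GET /canary-7f3a.tar.gz HTTP/1.1" 404 211 "-" "ExampleBrowser/1.0"',
    '203.0.113.44 - - [01/Jan/2024:12:30:00 -0500] "GET /canary-7f3a.tar.gz?x=1 HTTP/1.1" 404 211 "-" "OtherBrowser/2.0"',
    'not a log line',
]

if __name__ == "__main__":
    for hit in canary_hits(SAMPLE_LOG, "/canary-7f3a.tar.gz", SENT_AT, {"192.0.2.10"}):
        print(hit)
```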