Vulnerability Development mailing list archives

Re: getcat.com -- IE CueCat Spy on you.


From: Doug Kahler <dougak () TAMPABAY RR COM>
Date: Fri, 8 Sep 2000 13:17:33 -0400

Well, knowing that the company that developed CueCat probably wants to
collect info about users, I would imagine they tried to connect to netbios
to grab your MAC address. They are probably trying to associate your info with
your MAC address. Since MAC addresses are supposed to be unique they could
be used in the same way as the PIII Serial Number. So even if you delete
your cookies they'll still be able to track you through your MAC address.
That's why for you or anyone else who is reading this and has netbios open
to the internet, you had better close it.


----- Original Message -----
From: "Richard Rager" <kb8rln () PENGUINMASTER COM>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Friday, September 08, 2000 10:49 AM
Subject: getcat.com -- IE CueCat Spy on you.


OK, I was having problems going to www.CueCat.com so I looked with tcpdump
to see what was going on.  The CueCat site was trying to connect to my
computer's netbios port.  Here is the proof.


10:33:51.938023 > 209.81.164.237.3991 > 216.34.143.198.www: S [ECN-Echo,CWR] 1634597875:1634597875(0) win 4452 <mss 1484,sackOK,timestamp 34033191 0,nop,wscale 0> (DF)
10:33:54.936372 > 209.81.164.237.3991 > 216.34.143.198.www: S [ECN-Echo,CWR] 1634597875:1634597875(0) win 4452 <mss 1484,sackOK,timestamp 34033491 0,nop,wscale 0> (DF)
10:34:00.936370 > 209.81.164.237.3991 > 216.34.143.198.www: S [ECN-Echo,CWR] 1634597875:1634597875(0) win 4452 <mss 1484,sackOK,timestamp 34034091 0,nop,wscale 0> (DF)
10:34:12.936364 > 209.81.164.237.3991 > 216.34.143.198.www: S [ECN-Echo,CWR] 1634597875:1634597875(0) win 4452 <mss 1484,sackOK,timestamp 34035291 0,nop,wscale 0> (DF)
10:34:27.376342 < 209.81.216.169.1957 > 209.81.164.237.netbios-ssn: S 35808593:35808593(0) win 8192 <mss 536,nop,nop,sackOK> (DF)
10:34:27.376489 > 209.81.164.237.netbios-ssn > 209.81.216.169.1957: R 0:0(0) ack 35808594 win 0 (DF)
10:34:28.146342 < 209.81.216.169.1957 > 209.81.164.237.netbios-ssn: S 35808593:35808593(0) win 8192 <mss 536,nop,nop,sackOK> (DF)
10:34:28.146397 > 209.81.164.237.netbios-ssn > 209.81.216.169.1957: R 0:0(0) ack 1 win 0 (DF)
10:34:29.006332 < 209.81.216.169.1957 > 209.81.164.237.netbios-ssn: S 35808593:35808593(0) win 8192 <mss 536,nop,nop,sackOK> (DF)
10:34:29.006387 > 209.81.164.237.netbios-ssn > 209.81.216.169.1957: R 0:0(0) ack



We need to stop this type of abuse.

Enjoy,

Richard
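
A defender's check over a capture like the one above, as an added example that is not part of either post: it finds inbound SYNs to the NetBIOS session port and reports whether the local host refused them (RST, as in the posted trace) or accepted them (SYN-ACK, meaning the port is reachable from the internet). The sample lines, the addresses, the inclusion of port 445 and the names `netbios_probes` and `split_endpoint` are assumptions made for the example.

```python
import re

# Constructed sample in the text format of the capture above; "<" marks packets
# received by the capturing host, ">" packets it sent (assumed from that capture).
SAMPLE = """\
10:34:27.376342 < 198.51.100.9.1957 > 192.0.2.10.netbios-ssn: S 35808593:35808593(0) win 8192 <mss 536,nop,nop,sackOK> (DF)
10:34:27.376489 > 192.0.2.10.netbios-ssn > 198.51.100.9.1957: R 0:0(0) ack 35808594 win 0 (DF)
10:34:30.100000 < 203.0.113.5.2044 > 192.0.2.10.netbios-ssn: S 777:777(0) win 8192 (DF)
10:34:30.100090 > 192.0.2.10.netbios-ssn > 203.0.113.5.2044: S 901:901(0) ack 778 win 32120 (DF)
10:34:31.000000 > 192.0.2.10.3991 > 198.51.100.80.www: S [ECN-Echo,CWR] 5:5(0) win 4452 (DF)
"""

# 139 is the netbios-ssn port seen in the capture; 445 (SMB over TCP) is
# added here as an assumption, it does not appear in the posts.
WATCHED = {"139", "netbios-ssn", "445", "microsoft-ds"}
LINE = re.compile(r"^\S+ (?P<dir>[<>]) (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFPR.]+)(?P<rest>.*)$")
OPEN, CLOSED, SILENT = "OPEN (SYN-ACK sent)", "closed (RST sent)", "no reply seen"

def split_endpoint(endpoint):
    """Split 'a.b.c.d.port' into (host, port); the port may be a service name."""
    host, _, port = endpoint.rpartition(".")
    return host, port

def netbios_probes(text):
    """Map (remote_host, local_host) to how the local host answered a probe."""
    probes = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        (shost, sport), (dhost, dport) = split_endpoint(m["src"]), split_endpoint(m["dst"])
        flags, has_ack = m["flags"], " ack " in m["rest"] + " "
        if m["dir"] == "<" and dport in WATCHED and "S" in flags and not has_ack:
            probes.setdefault((shost, dhost), SILENT)      # unsolicited inbound SYN
        elif m["dir"] == ">" and sport in WATCHED and (dhost, shost) in probes:
            key = (dhost, shost)
            if "S" in flags and has_ack:
                probes[key] = OPEN                         # handshake accepted
            elif "R" in flags and probes[key] != OPEN:
                probes[key] = CLOSED                       # connection refused
    return probes

if __name__ == "__main__":
    for (remote, local), verdict in netbios_probes(SAMPLE).items():
        print(f"{remote} -> {local}: {verdict}")
```

Any pair reported as OPEN is the case the reply warns about: the session port answered a host on the internet and should be closed or filtered.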


