Re: You shady bastards.

[Jay Sulzberger <jays () panix com>]

On Wed, 6 Jun 2007, J. Oquendo <sil () infiltrated net> wrote:

> H D Moore wrote:
> > Hello,
> >
> > Some friends and I were putting together a contact list for the folks 
> > attending the Defcon conference this year in Las Vegas. My friend sent out 
> > an email, with a large CC list, asking people to respond if they planned on 
> > attending. The email was addressed to quite a few people, with one of them 
> > being David Maynor. Unfortunately, his old SecureWorks address was used, 
> > not his current address with ErrattaSec. 
> > Since one of the messages sent to the group contained a URL to our phone 
> > numbers and names, I got paranoid and decided to determine whether 
> > SecureWorks was still reading email addressed to David Maynor. I sent an 
> > email to David's old SecureWorks address, with a subject line promising 
> > 0-day, and a link to a non-public URL on the metasploit.com web server (via 
> > SSL). Twelve hours later, someone from a Comcast cable modem in Atlanta 
> > tried to access the link, and this someone was (confirmed) not David. 
> > SecureWorks is based in Atlanta. All times are CDT.
> >
> > I sent the following message last night at 7:02pm.
> >
> > ---
> > From: H D Moore <hdm[at]metasploit.com>
> > To: David Maynor <dmaynor[at]secureworks.com>
> > Subject: Zero-day I promised
> > Date: Tue, 5 Jun 2007 19:02:11 -0500
> > User-Agent: KMail/1.9.3
> > MIME-Version: 1.0
> > Content-Type: text/plain;
> >   charset="us-ascii"
> > Content-Transfer-Encoding: 7bit
> > Content-Disposition: inline
> > Message-Id: <200706051902.11544.hdm[at]metasploit.com>
> > Status: RO
> > X-Status: RSC
> >
> > https://metasploit.com/maynor.tar.gz
> > ---
> >
> > Approximately 12 hours later, the following request shows up in my Apache 
> > log file. It looks like someone at SecureWorks is reading email addressed 
> > to David and tried to access the link I sent:
> >
> > 71.59.27.152 - - [05/Jun/2007:19:16:42 -0500] "GET /maynor.tar.gz HTTP/1.1" 
> > 404 211 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/419 
> > (KHTML, like Gecko) Safari/419.3"
> >
> > This address resolves to:
> > c-71-59-27-152.hsd1.ga.comcast.net
> >
> > The whois information is just the standard Comcast block boilerplate.
> >
> > ---
> >
> > Is this illegal? I could see reading email addressed to him being within 
> > the bounds of the law, but it seems like trying to download the "0day" link 
> > crosses the line.
> >
> > Illegal or not, this is still pretty damned shady.
> >
> > Bastards.
> >
> > -HD
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> Why would it be illegal if his former employer accessed his email using
> this method. The information going to their network is considered their
> property and they could do as they see fit. I could see if in your
> email you included the almost always ignored disclaimer bs though:
>
> THIS EMAIL IS INTENDED FOR THE RECIPIENT'S EYES ONLY. YOU WILL LIKELY
> IGNORE THIS ANYWAY BUT USING THIS STUPIDLY CRAFTED CONFIDENTIALITY
> DISCLAIMER, I WILL FILL MORE SPACE IN YOUR INBOX AND GENERATE MORE
> POINTLESS BANDWIDTH USAGE ON YOUR NETWORK. IF YOU ARE NOT THE INTENDED
> RECIPIENT READING THIS EMAIL AND OR ATTACHMENTS LINKS ETAL WILL RESULT
> IN US PRETENDING TO HIRE A LAWYER AND DOING SOMETHING ABOUT IT.
>
> I know how many times I've seen these listed with someone shooting
> off information to mailing lists to do an "oops f*** I sent that to
> the wrong place"... What are the options now? Sue everyone who read
> it? Gash their eyes out. Normally if I were going to send out an email
> that was *THAT* confidential, I personally do two things:
>
> 1) Call the person to make sure they're available to get it. If not
> its not sent until they're ready.
> 2) Secondly if I have to post something on my website for someone's
> personal viewing, I usually do something like:
>
> $ echo theirname|md5
> 6a9c1e04624bcc81a84800b8aa10a1f1
>
> Where the checksum becomes the file and I send them the link to the
> file. What are the odds of someone finding that checksum... Highly
> unlikely.
>
> -- 
> ====================================================
> J. Oquendo

Ah, "something like".  Likely in practice your file name is
saltier, and you can taste the nonce.

oo--JS.


> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
> echo infiltrated.net|sed 's/^/sil@/g' 
> "Wise men talk because they have something to say;
> fools, because they have to say something." -- Plato

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/