Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: You shady bastards.
From: evilrabbi <evilrabbi () gmail com>
Date: Fri, 8 Jun 2007 10:52:21 -0500

ok..

On 6/8/07, M. B. Jr. <marcio.barbado () gmail com> wrote:
cool,
HD Moore started a thread,

yeah, lets reply the more we can!!!


On 6/6/07, Kradorex Xeron <admin () digibase ca> wrote:

On Wednesday 06 June 2007 09:47, H D Moore wrote:
Hello,

Some friends and I were putting together a contact list for the folks
attending the Defcon conference this year in Las Vegas. My friend sent
out an email, with a large CC list, asking people to respond if they
planned on attending. The email was addressed to quite a few people,
with
one of them being David Maynor. Unfortunately, his old SecureWorks
address was used, not his current address with ErrattaSec.

Since one of the messages sent to the group contained a URL to our phone
numbers and names, I got paranoid and decided to determine whether
SecureWorks was still reading email addressed to David Maynor. I sent an
email to David's old SecureWorks address, with a subject line promising
0-day, and a link to a non-public URL on the metasploit.com web server
(via SSL). Twelve hours later, someone from a Comcast cable modem in
Atlanta tried to access the link, and this someone was (confirmed) not
David. SecureWorks is based in Atlanta. All times are CDT.

I sent the following message last night at 7:02pm.

---
From: H D Moore <hdm[at]metasploit.com>
To: David Maynor <dmaynor[at]secureworks.com>
Subject: Zero-day I promised
Date: Tue, 5 Jun 2007 19:02:11 -0500
User-Agent: KMail/1.9.3
MIME-Version: 1.0
Content-Type: text/plain;
  charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200706051902.11544.hdm[at]metasploit.com>
Status: RO
X-Status: RSC

https://metasploit.com/maynor.tar.gz
---

Approximately 12 hours later, the following request shows up in my
Apache
log file. It looks like someone at SecureWorks is reading email
addressed
to David and tried to access the link I sent:

71.59.27.152 - - [05/Jun/2007:19:16:42 -0500] "GET /maynor.tar.gz
HTTP/1.1" 404 211 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en)
AppleWebKit/419 (KHTML, like Gecko) Safari/419.3"

This address resolves to:
c-71-59-27-152.hsd1.ga.comcast.net

The whois information is just the standard Comcast block boilerplate.

---

Is this illegal? I could see reading email addressed to him being within
the bounds of the law, but it seems like trying to download the "0day"
link crosses the line.

Illegal or not, this is still pretty damned shady.

Bastards.

-HD

I will seldom touch on the legal side but I have a possible scenario:

-- If David is no longer at that address, it could be said that his mail
account was taken down and the mail sent ended up in a possible "catch
all"
box, perhaps someone at SecureWorks was looking through the said catchall
mailbox for any interesting mail sent to the secureworks.com domain (i.e.
to
old employees) - It's quite common for companies and organizations to
monitor
former employee mailboxes in the event anyone that doesn't have any new
contact information to be able to still get somewhere with the old
address.
And them being a security organization, maybe they proceeded to
investigate
the link sent.



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




--
Marcio Barbado, Jr.
==============
==============



-- 
-- h0 h0 h0 --
www.nopsled.net

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault