On Wed, 6 Jun 2007, J. Oquendo <[EMAIL PROTECTED]> wrote:
> H D Moore wrote: >> Hello, >> >> Some friends and I were putting together a contact list for the folks >> attending the Defcon conference this year in Las Vegas. My friend sent out >> an email, with a large CC list, asking people to respond if they planned on >> attending. The email was addressed to quite a few people, with one of them >> being David Maynor. Unfortunately, his old SecureWorks address was used, >> not his current address with ErrattaSec. >> Since one of the messages sent to the group contained a URL to our phone >> numbers and names, I got paranoid and decided to determine whether >> SecureWorks was still reading email addressed to David Maynor. I sent an >> email to David's old SecureWorks address, with a subject line promising >> 0-day, and a link to a non-public URL on the metasploit.com web server (via >> SSL). Twelve hours later, someone from a Comcast cable modem in Atlanta >> tried to access the link, and this someone was (confirmed) not David. >> SecureWorks is based in Atlanta. All times are CDT. >> >> I sent the following message last night at 7:02pm. >> >> --- >> From: H D Moore <hdm[at]metasploit.com> >> To: David Maynor <dmaynor[at]secureworks.com> >> Subject: Zero-day I promised >> Date: Tue, 5 Jun 2007 19:02:11 -0500 >> User-Agent: KMail/1.9.3 >> MIME-Version: 1.0 >> Content-Type: text/plain; >> charset="us-ascii" >> Content-Transfer-Encoding: 7bit >> Content-Disposition: inline >> Message-Id: <200706051902.11544.hdm[at]metasploit.com> >> Status: RO >> X-Status: RSC >> >> https://metasploit.com/maynor.tar.gz >> --- >> >> Approximately 12 hours later, the following request shows up in my Apache >> log file. It looks like someone at SecureWorks is reading email addressed >> to David and tried to access the link I sent: >> >> 71.59.27.152 - - [05/Jun/2007:19:16:42 -0500] "GET /maynor.tar.gz HTTP/1.1" >> 404 211 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/419 >> (KHTML, like Gecko) Safari/419.3" >> >> This address resolves to: >> c-71-59-27-152.hsd1.ga.comcast.net >> >> The whois information is just the standard Comcast block boilerplate. >> >> --- >> >> Is this illegal? I could see reading email addressed to him being within >> the bounds of the law, but it seems like trying to download the "0day" link >> crosses the line. >> >> Illegal or not, this is still pretty damned shady. >> >> Bastards. >> >> -HD >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ >> >> > Why would it be illegal if his former employer accessed his email using > this method. The information going to their network is considered their > property and they could do as they see fit. I could see if in your > email you included the almost always ignored disclaimer bs though: > > THIS EMAIL IS INTENDED FOR THE RECIPIENT'S EYES ONLY. YOU WILL LIKELY > IGNORE THIS ANYWAY BUT USING THIS STUPIDLY CRAFTED CONFIDENTIALITY > DISCLAIMER, I WILL FILL MORE SPACE IN YOUR INBOX AND GENERATE MORE > POINTLESS BANDWIDTH USAGE ON YOUR NETWORK. IF YOU ARE NOT THE INTENDED > RECIPIENT READING THIS EMAIL AND OR ATTACHMENTS LINKS ETAL WILL RESULT > IN US PRETENDING TO HIRE A LAWYER AND DOING SOMETHING ABOUT IT. > > I know how many times I've seen these listed with someone shooting > off information to mailing lists to do an "oops f*** I sent that to > the wrong place"... What are the options now? Sue everyone who read > it? Gash their eyes out. Normally if I were going to send out an email > that was *THAT* confidential, I personally do two things: > > 1) Call the person to make sure they're available to get it. If not > its not sent until they're ready. > 2) Secondly if I have to post something on my website for someone's > personal viewing, I usually do something like: > > $ echo theirname|md5 > 6a9c1e04624bcc81a84800b8aa10a1f1 > > Where the checksum becomes the file and I send them the link to the > file. What are the odds of someone finding that checksum... Highly > unlikely. > > -- > ==================================================== > J. Oquendo Ah, "something like". Likely in practice your file name is saltier, and you can taste the nonce. oo--JS. > http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743 > echo infiltrated.net|sed 's/^/sil@/g' > "Wise men talk because they have something to say; > fools, because they have to say something." -- Plato > > > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
