ok..

On 6/8/07, M. B. Jr. <[EMAIL PROTECTED]> wrote:
> cool,
> HD Moore started a thread,
>
> yeah, lets reply the more we can!!!
>
>
> On 6/6/07, Kradorex Xeron <[EMAIL PROTECTED]> wrote:
> >
> > On Wednesday 06 June 2007 09:47, H D Moore wrote:
> > > Hello,
> > >
> > > Some friends and I were putting together a contact list for the folks
> > > attending the Defcon conference this year in Las Vegas. My friend sent
> > > out an email, with a large CC list, asking people to respond if they
> > > planned on attending. The email was addressed to quite a few people, with
> > > one of them being David Maynor. Unfortunately, his old SecureWorks
> > > address was used, not his current address with ErrattaSec.
> > >
> > > Since one of the messages sent to the group contained a URL to our phone
> > > numbers and names, I got paranoid and decided to determine whether
> > > SecureWorks was still reading email addressed to David Maynor. I sent an
> > > email to David's old SecureWorks address, with a subject line promising
> > > 0-day, and a link to a non-public URL on the metasploit.com web server
> > > (via SSL). Twelve hours later, someone from a Comcast cable modem in
> > > Atlanta tried to access the link, and this someone was (confirmed) not
> > > David. SecureWorks is based in Atlanta. All times are CDT.
> > >
> > > I sent the following message last night at 7:02pm.
> > >
> > > ---
> > > From: H D Moore <hdm[at]metasploit.com>
> > > To: David Maynor <dmaynor[at]secureworks.com>
> > > Subject: Zero-day I promised
> > > Date: Tue, 5 Jun 2007 19:02:11 -0500
> > > User-Agent: KMail/1.9.3
> > > MIME-Version: 1.0
> > > Content-Type: text/plain;
> > >   charset="us-ascii"
> > > Content-Transfer-Encoding: 7bit
> > > Content-Disposition: inline
> > > Message-Id: <200706051902.11544.hdm[at]metasploit.com>
> > > Status: RO
> > > X-Status: RSC
> > >
> > > https://metasploit.com/maynor.tar.gz
> > > ---
> > >
> > > Approximately 12 hours later, the following request shows up in my Apache
> > > log file. It looks like someone at SecureWorks is reading email addressed
> > > to David and tried to access the link I sent:
> > >
> > > 71.59.27.152 - - [05/Jun/2007:19:16:42 -0500] "GET /maynor.tar.gz
> > > HTTP/1.1" 404 211 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en)
> > > AppleWebKit/419 (KHTML, like Gecko) Safari/419.3"
> > >
> > > This address resolves to:
> > > c-71-59-27-152.hsd1.ga.comcast.net
> > >
> > > The whois information is just the standard Comcast block boilerplate.
> > >
> > > ---
> > >
> > > Is this illegal? I could see reading email addressed to him being within
> > > the bounds of the law, but it seems like trying to download the "0day"
> > > link crosses the line.
> > >
> > > Illegal or not, this is still pretty damned shady.
> > >
> > > Bastards.
> > >
> > > -HD
> >
> > I will seldom touch on the legal side but I have a possible scenario:
> >
> > -- If David is no longer at that address, it could be said that his mail
> > account was taken down and the mail sent ended up in a possible "catch all"
> > box, perhaps someone at SecureWorks was looking through the said catchall
> > mailbox for any interesting mail sent to the secureworks.com domain (i.e. to
> > old employees) - It's quite common for companies and organizations to monitor
> > former employee mailboxes in the event anyone that doesn't have any new
> > contact information to be able to still get somewhere with the old address.
> > And them being a security organization, maybe they proceeded to investigate
> > the link sent.
> >
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > Hosted and sponsored by Secunia - http://secunia.com/
>
> --
> Marcio Barbado, Jr.
> ==============
> ==============

--
-- h0 h0 h0 --
www.nopsled.net
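The check HD Moore describes in the quoted message is a canary URL: mail a link nobody could know about to one mailbox, then watch the web server's access log for anyone who fetches it. The following script is an added example, not code from the thread or from any of its posters, and it implements the log-watching half: it parses Apache combined-format lines, picks out requests for the canary path, and reports the source address, how long after the mail was sent the request arrived, and the client's User-Agent. The first sample log line is the one quoted in the thread; the other two lines, `SENT_AT`, `canary_hits` and `parse_line` are constructed for this example.

```python
"""Detect hits on a canary URL in an Apache combined-format access log.

Added example, not from the thread. The first SAMPLE_LOG line is the request
quoted in HD Moore's message; the other two lines are constructed.
"""
import re
from datetime import datetime, timedelta, timezone

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Time the canary mail was sent, taken from the quoted Date: header
# (Tue, 5 Jun 2007 19:02:11 -0500).
SENT_AT = datetime(2007, 6, 5, 19, 2, 11, tzinfo=timezone(timedelta(hours=-5)))

SAMPLE_LOG = [
    # Quoted in the thread
    '71.59.27.152 - - [05/Jun/2007:19:16:42 -0500] "GET /maynor.tar.gz HTTP/1.1" 404 211 "-" '
    '"Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/419 (KHTML, like Gecko) Safari/419.3"',
    # Constructed: ordinary traffic that must not be flagged
    '192.0.2.10 - - [05/Jun/2007:20:01:00 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "curl/7.15.5"',
    # Constructed: a second fetch of the canary from another host
    '198.51.100.7 - - [06/Jun/2007:07:30:05 -0500] "HEAD /maynor.tar.gz HTTP/1.1" 404 0 "-" "Wget/1.10.2"',
]


def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # %t is "[day/Mon/year:HH:MM:SS zone]"; the brackets are consumed by the regex
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def canary_hits(lines, canary_path, sent_at=SENT_AT):
    """Return one record per request for canary_path: source IP, time, delay since sending, UA.

    The status code is deliberately ignored: the canary file need not exist,
    so a 404 is just as much a signal as a 200.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != canary_path:
            continue
        hits.append({
            "ip": rec["ip"],
            "when": rec["ts"],
            "delay": rec["ts"] - sent_at,
            "method": rec["method"],
            "status": rec["status"],
            "ua": rec["ua"],
        })
    return hits


if __name__ == "__main__":
    for h in canary_hits(SAMPLE_LOG, "/maynor.tar.gz"):
        print(f"{h['ip']}  {h['when'].isoformat()}  +{h['delay']}  "
              f"{h['method']} -> {h['status']}  {h['ua']}")
```

Two design points follow from the thread itself. The canary path never has to be served: the quoted request got a 404, and the log entry is still the evidence, so nothing sensitive needs to be placed on the server. And the delay between sending and the first hit is worth recording alongside the address, since it distinguishes an automated link scanner at the receiving mail gateway (seconds) from a person reading the mailbox later (minutes to hours).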
