Full Disclosure mailing list archives

Re: You shady bastards.

From: "Joey Mengele" <joey.mengele () hushmail com>
Date: Fri, 08 Jun 2007 13:08:10 -0400

LOLOLOLOL

On Fri, 08 Jun 2007 11:52:21 -0400 evilrabbi <evilrabbi () gmail com> 
wrote:

ok..

On 6/8/07, M. B. Jr. <marcio.barbado () gmail com> wrote:

cool,
HD Moore started a thread,

yeah, lets reply the more we can!!!


On 6/6/07, Kradorex Xeron <admin () digibase ca> wrote:


On Wednesday 06 June 2007 09:47, H D Moore wrote:

Hello,

Some friends and I were putting together a contact list for

the folks

attending the Defcon conference this year in Las Vegas. My

friend sent

out an email, with a large CC list, asking people to respond

if they

planned on attending. The email was addressed to quite a few

people,

with

one of them being David Maynor. Unfortunately, his old

SecureWorks

address was used, not his current address with ErrattaSec.

Since one of the messages sent to the group contained a URL

to our phone

numbers and names, I got paranoid and decided to determine

whether

SecureWorks was still reading email addressed to David

Maynor. I sent an

email to David's old SecureWorks address, with a subject

line promising

0-day, and a link to a non-public URL on the metasploit.com

web server

(via SSL). Twelve hours later, someone from a Comcast cable

modem in

Atlanta tried to access the link, and this someone was

(confirmed) not

David. SecureWorks is based in Atlanta. All times are CDT.

I sent the following message last night at 7:02pm.

---
From: H D Moore <hdm[at]metasploit.com>
To: David Maynor <dmaynor[at]secureworks.com>
Subject: Zero-day I promised
Date: Tue, 5 Jun 2007 19:02:11 -0500
User-Agent: KMail/1.9.3
MIME-Version: 1.0
Content-Type: text/plain;
  charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200706051902.11544.hdm[at]metasploit.com>
Status: RO
X-Status: RSC

https://metasploit.com/maynor.tar.gz
---

Approximately 12 hours later, the following request shows up

in my

Apache

log file. It looks like someone at SecureWorks is reading

email

addressed

to David and tried to access the link I sent:

71.59.27.152 - - [05/Jun/2007:19:16:42 -0500] "GET

/maynor.tar.gz

HTTP/1.1" 404 211 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS

X; en)

AppleWebKit/419 (KHTML, like Gecko) Safari/419.3"

This address resolves to:
c-71-59-27-152.hsd1.ga.comcast.net

The whois information is just the standard Comcast block

boilerplate.


---

Is this illegal? I could see reading email addressed to him

being within

the bounds of the law, but it seems like trying to download

the "0day"

link crosses the line.

Illegal or not, this is still pretty damned shady.

Bastards.

-HD


I will seldom touch on the legal side but I have a possible

scenario:


-- If David is no longer at that address, it could be said

that his mail

account was taken down and the mail sent ended up in a

possible "catch

all"
box, perhaps someone at SecureWorks was looking through the

said catchall

mailbox for any interesting mail sent to the secureworks.com

domain (i.e.

to
old employees) - It's quite common for companies and

organizations to

monitor
former employee mailboxes in the event anyone that doesn't

have any new

contact information to be able to still get somewhere with the

old

address.
And them being a security organization, maybe they proceeded

to

investigate
the link sent.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-

charter.html

Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




--
Marcio Barbado, Jr.
==============
==============



-- 
-- h0 h0 h0 --
www.nopsled.net

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


--
Click here for huge discounts on tradeshow supplies - special offer
http://tagline.hushmail.com/fc/CAaCXv1Q4Qsh3luDdkKlFffuyGfsLobw/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Re: You shady bastards., (continued)
- Re: You shady bastards. rlogin (Jun 07)
  - Re: You shady bastards. Anders B Jansson (Jun 07)
    - Re: You shady bastards. Thierry Zoller (Jun 08)
    - Re: You shady bastards. - CONFIDENTIAL Larry Seltzer (Jun 08)
    - Shady bastards - CONFIDENTIAL (Terms of Services) J. Oquendo (Jun 08)
    - Re: You shady bastards. Kradorex Xeron (Jun 08)
    - Re: You shady bastards. Thierry Zoller (Jun 08)
    - Re: You shady bastards. Kradorex Xeron (Jun 08)
    - Re: You shady bastards. Dude VanWinkle (Jun 08)
- Re: You shady bastards. Aberration State (Jun 08)
- Re: You shady bastards. Joey Mengele (Jun 08)
- Re: You shady bastards. Joey Mengele (Jun 08)
- Re: You shady bastards. Juha-Matti Laurio (Jun 09)