funsec mailing list archives
Re: WTF? DHS Mail List Meltdown Becomes Internet Party for Exposed Gov Workers
From: Robert Slade <rmslade () shaw ca>
Date: Thu, 04 Oct 2007 11:07:26 -0700
From: Paul Ferguson <fergdawg () netzero net> Date: Wednesday, October 3, 2007 9:20 pm
A Department of Homeland Security mailing list that provides unclassifieddaily news reports on critical infrastructure information experienced a meltdown today when the list apparently got misconfigured and began routing any reply that someone sent to another person on the list to every subscriber on the list.
It was pretty interesting. I'm on the road teaching in Calgary, so I have to rely on Webmail and those clunky interfaces anyway, and then to have this mailstorm happen ... Well, anyway, I think I've finally dealt with the last of it (although I'm sure a few more bounces will dribble in today). The DHS list, for those who don't know it, is actually pretty good in terms of collecting various security related stuff from the news media. It's been sending out the messages in PDF, but switched to Word format about a month ago (which indicates that whoever manages the production and distribution of the stuff is fairly technically thick). We've seen indications in the past that the list wasn't locked down, but they switched servers about a month ago as well. Yesterday morning, about 8 am eastern, somebody sent a message (probably just replying to the daily message) asking them to change his email address. Standard bonehead mailing list move: sending admin mail to the list itself. The server should, of course, have just rejected it, but it seems to be configured to accept email from anyone. (He compounded the problem by sending a "cancellation" message after the first: I've kept both, as well as some of the more interesting subsequent traffic.)
The list was further configured to reveal the e-mail address of the senders so that the names and contact details of hundreds of list members -- including government workers in critical infrastructure positions -- were exposed.
The only email addresses exposed were of the people who got all hot and bothered and sent "take me off the noisy list immediately!" messages. There are a lot of chowderheads on the list--as well as a number of people who took the whole thing in good humour. At one point they started a series of messages along the lines of "where is everybody from?" I replied to that, and got a whole bunch of bounce messages telling me about all kinds of people in sensitive positions who were away from the office--including one guy who announced that he was having health issues.
The mishap also revealed an interesting tidbit -- at least one member of the list works in some capacity with Iran's Ministry of Defense.
Yeah, and he was one of the "WTF? I didn't sign up for all this noise!" types. I kept his message, too. ====================== rslade () computercrime org slade () victoria tc ca rslade () vcn bc ca "If you do buy a computer, don't turn it on." - Richards' 2nd Law ============= for back issues: [Base URL] site http://victoria.tc.ca/techrev/ CISSP refs: [Base URL]mnbksccd.htm Security Dict.: [Base URL]secgloss.htm Security Educ.: [Base URL]comseced.htm Book reviews: [Base URL]mnbk.htm [Base URL]review.htm Partial/recent: http://groups.yahoo.com/group/techbooks/ Security Educ.: http://groups.yahoo.com/group/comseced/ Review mailing list: send mail to techbooks-subscribe () egroups com _______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Current thread:
- Re: WTF? DHS Mail List Meltdown Becomes Internet Party for Exposed Gov Workers Robert Slade (Oct 04)
- <Possible follow-ups>
- Re: WTF? DHS Mail List Meltdown Becomes Internet Party for Exposed Gov Workers Juha-Matti Laurio (Oct 04)