From: M.B.Jr. (marcio.barbadogmail.com)
Date: Fri Jun 08 2007 - 10:29:20 CDT
HD Moore started a thread,
yeah, let's reply the more we can!!!
On 6/6/07, Kradorex Xeron <admindigibase.ca> wrote:
> On Wednesday 06 June 2007 09:47, H D Moore wrote:
> > Hello,
> > Some friends and I were putting together a contact list for the folks
> > attending the Defcon conference this year in Las Vegas. My friend sent
> > out an email, with a large CC list, asking people to respond if they
> > planned on attending. The email was addressed to quite a few people,
> > one of them being David Maynor. Unfortunately, his old SecureWorks
> > address was used, not his current address with ErrattaSec.
> > Since one of the messages sent to the group contained a URL to our phone
> > numbers and names, I got paranoid and decided to determine whether
> > SecureWorks was still reading email addressed to David Maynor. I sent an
> > email to David's old SecureWorks address, with a subject line promising
> > 0-day, and a link to a non-public URL on the metasploit.com web server
> > (via SSL). Twelve hours later, someone from a Comcast cable modem in
> > Atlanta tried to access the link, and this someone was (confirmed) not
> > David. SecureWorks is based in Atlanta. All times are CDT.
> > I sent the following message last night at 7:02pm.
> > ---
> > From: H D Moore <hdm[at]metasploit.com>
> > To: David Maynor <dmaynor[at]secureworks.com>
> > Subject: Zero-day I promised
> > Date: Tue, 5 Jun 2007 19:02:11 -0500
> > User-Agent: KMail/1.9.3
> > MIME-Version: 1.0
> > Content-Type: text/plain;
> > charset="us-ascii"
> > Content-Transfer-Encoding: 7bit
> > Content-Disposition: inline
> > Message-Id: <200706051902.11544.hdm[at]metasploit.com>
> > Status: RO
> > X-Status: RSC
> > https://metasploit.com/maynor.tar.gz
> > ---
> > Approximately 12 hours later, the following request shows up in my
> > log file. It looks like someone at SecureWorks is reading email
> > to David and tried to access the link I sent:
> > 18.104.22.168 - - [05/Jun/2007:19:16:42 -0500] "GET /maynor.tar.gz
> > HTTP/1.1" 404 211 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en)
> > AppleWebKit/419 (KHTML, like Gecko) Safari/419.3"
> > This address resolves to:
> > c-71-59-27-152.hsd1.ga.comcast.net
> > The whois information is just the standard Comcast block boilerplate.
> > ---
> > Is this illegal? I could see reading email addressed to him being within
> > the bounds of the law, but it seems like trying to download the "0day"
> > link crosses the line.
> > Illegal or not, this is still pretty damned shady.
> > Bastards.
> > -HD
> I will seldom touch on the legal side but I have a possible scenario:
> -- If David is no longer at that address, it could be said that his mail
> account was taken down and the mail sent ended up in a possible "catch
> box, perhaps someone at SecureWorks was looking through the said catchall
> mailbox for any interesting mail sent to the secureworks.com domain (i.e.
> old employees) - It's quite common for companies and organizations to
> former employee mailboxes in the event anyone that doesn't have any new
> contact information to be able to still get somewhere with the old
> And them being a security organization, maybe they proceeded to
> the link sent.
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
Marcio Barbado, Jr.
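
The canary-link check described in HD Moore's quoted message, sketched as an added example that is not code from the thread or from any poster: it scans a web server access log for requests to a non-public path and reports who asked and how long after the mail went out. The path and send time are the ones quoted above; the log lines, the 192.0.2.x and 203.0.113.x addresses, and the name `canary_hits` are constructed for illustration.

```python
import re
from datetime import datetime

# Apache/NCSA combined log format.
LOG_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Canary path -> time the mail carrying it was sent (Date header quoted above).
CANARIES = {"/maynor.tar.gz": datetime.strptime("05/Jun/2007:19:02:11 -0500", TIME_FMT)}

# Constructed sample log; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
192.0.2.10 - - [05/Jun/2007:19:05:00 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Jun/2007:07:16:42 -0500] "GET /maynor.tar.gz HTTP/1.1" 404 211 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/419 (KHTML, like Gecko) Safari/419.3"
203.0.113.7 - - [06/Jun/2007:07:16:50 -0500] "GET /maynor.tar.gz?x=1 HTTP/1.1" 404 211 "-" "Mozilla/5.0"
garbage line
"""

def canary_hits(log_text, canaries=CANARIES):
    """Return one record per request that touched a canary path."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it, do not abort the scan
        path = m["path"].split("?", 1)[0]  # a query string must not hide a hit
        sent = canaries.get(path)
        if sent is None:
            continue
        seen = datetime.strptime(m["time"], TIME_FMT)
        # Status is recorded but not filtered on: a 404 is still a hit,
        # because only a reader of the mail knows the path.
        hits.append({"host": m["host"], "path": path, "status": int(m["status"]),
                     "delay": seen - sent, "agent": m["agent"]})
    return hits

if __name__ == "__main__":
    for h in canary_hits(SAMPLE_LOG):
        print(f'{h["host"]} requested {h["path"]} ({h["status"]}) '
              f'{h["delay"]} after send, UA: {h["agent"]}')
```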