[ISN] DHS Mail List Meltdown Becomes Internet Party for Exposed Gov Workers

From: InfoSec News (alerts@private)
Date: Wed Oct 03 2007 - 23:08:50 PDT


http://blog.wired.com/27bstroke6/2007/10/dhs-mail-list-m.html

By Kim Zetter 
Wired.com
October 03, 2007

A Department of Homeland Security mailing list that provides 
unclassified daily news reports on critical infrastructure information 
experienced a meltdown today when the list apparently got misconfigured 
and began routing any reply that someone sent to another person on the 
list to every subscriber on the list. The list was further configured to 
reveal the e-mail address of the senders so that the names and contact 
details of hundreds of list members -- including government workers in 
critical infrastructure positions -- were exposed. The mishap also 
revealed an interesting tidbit -- at least one member of the list works 
in some capacity with Iran's Ministry of Defense.

The problem began early this morning when a subscriber to the DHS Daily 
Open Source Infrastructure Report mail list sent an e-mail to the list 
address saying he was switching jobs and asking to have the daily report 
sent to his new e-mail address. Another list member replied to his 
message telling him that he'd inadvertently sent his request to the 
wrong address. That reply, however, also went to everyone on the DHS 
mail list, as did every other reply from people on the list telling the 
first two posters that their messages had spammed the entire list. 
Subsequent e-mails pleading with members to "stop hitting the 
reply-to-all button" also were spammed to the entire list. By midday, 
hundreds of such e-mails were clogging the list.

At one point someone suggested lightly that the mailing mix-up was a 
great way for list members to network and get to know one another, which 
then resulted in a free-for-all internet party as members spammed the 
list with still more e-mail, jokingly exchanging astrological signs and 
romantic details ("I like long walks on the beach and a nice chardonnay 
with my roasted duck," wrote one member), networking for jobs and, in 
the case of at least one list member, campaigning for political office.

One government worker, however, wasn't amused.

    From: Kinder, Mike [mailto:XXXXXXX@private]

    Subject: URGENT REQUEST FROM DOD RE: DHS_Daily_Report_2007-10-02

    This is your COMBATING TERRORISM OFFICE for DOD asking you to kindly 
    stop now please. We actually have work to do.

    Not to be a buzz kill but this is NOT a networking tool. I will make 
    a list of these responses to have all of you removed if it 
    continues.

    Thank you.

    Michael Kinder
    Infrastructure Protection SETA Support to the TSWG

    http://www.tswg.gov

    NIPRNET: XXXXXXX@private

    SIPRNET: XXXXXXX@private

    The Technical Support Working Group (TSWG) is the U.S. Government's 
    national forum that identifies, prioritizes, and coordinates 
    interagency and international research and development (R&D) 
    requirements for combating terrorism. Through the Department of 
    Defense's Combating Terrorism Technology Support Program and funding 
    provided by other agencies, the TSWG rapidly develops technologies 
    and equipment to meet the high priority needs of the combating 
    terrorism community, and addresses joint international operational 
    requirements through cooperative R&D with major allies. For 
    information on TSWG technology projects, transition opportunities, 
    and other user information, please visit the TSWG web page at 
    www.tswg.gov.


The list is run by a government contractor, Computer Sciences 
Corporation. List subscribers include government workers involved in 
security and counterterrorism efforts, employees of government 
contractors and security companies, as well as journalists and 
researchers. None of the information exchanged on the list is classified, 
and all of it can be obtained from other sources. But many of the messages 
included signatures at the bottom of the e-mail disclosing the sender's 
government title and contact details, which could potentially be of use 
to someone wanting to social engineer the government worker to obtain 
information or spoof the worker's e-mail address and pose as him.

The problem with the list continued for at least six hours before 
someone finally fixed it -- but not before more than 500 messages had 
been spammed to list members. One State Department worker complained 
that the mishap cost her agency money since she was working overseas and 
being billed for every message that arrived on her handheld device.

Some of the list members were surprised when the worker from Iran, Amir 
Ferdosi, popped up with this message.

    From: Amir Ferdosi

    To: DHS Daily OSIR Distribution List

    Sent: Wednesday, October 3, 2007 3:24:28 PM

    Subject: Is this being a joke?

    why are so many messages today?

    Amir Ferdosi

    Sazeman-e Sana'et-e Defa'

    Qom, Iran

He added in another message:

    This is very distracting to my messages. I read English slowly. My 
    main office is in Iran, but I commute to Europe. I am a researcher 
    for the defence ministry. Today I am just outside Marseille, France--it is 
    very mild temperature.

    My brother lives in Tustin, California. Is that near you. I visited 
    several years ago.

    with respenct, amir

This sparked an alarming response from another list member:

    From: Marshall Odom

    To: Amir Ferdosi, DHS Daily OSIR Distribution List

    Subject: Give it a read you may see yourself in here!!!!!

    Wow a reply from Iran!!!! Open source really does mean open 
    source!!!!! For those of you that have responded to this email from 
    an official computer with your snazzy little signature at the 
    bottom, especially those that have every piece of contact 
    information listed, including those of you that have disclosed 
    sensitive phone numbers and classified email addresses have 
    knowingly provided this information to people all over the world 
    some of which I am sure are deemed "undesirables". Folks wise up. 
    This is an open report that anyone with an email address can 
    subscribe to. Although some of you responses have been humorous to 
    say the least (leave poor alex alone) you are opening doors to 
    people that you do not want to. I notice some of you are in jobs 
    that use this list as a way of staying informed although you have no 
    true capacity in the world of infrastructure security and I applaud 
    you for using this tool to stay abreast of all the information 
    provided.

    But those of you that are in the military or provide services 
    through any official office you should know better than to advertise 
    who you are and who you work for. The best tool that someone can use 
    to gain access to information they should not have is to befriend 
    you and what better way than through some harmless emails. besides 
    now they have all your information. This is trade craft 101 folks. 
    Wise up and don't reply to something just because you can. I know 
    that I now have access to hundreds of IP addresses, email addresses, 
    phone numbers, names of personnel in sensitive positions and 
    locations, I am only a cover story and a fake letterhead away from 
    trolling for intel.


I wrote Ferdosi asking him to elaborate on what he does for the Ministry 
of Defense. He replied that he doesn't actually work for the ministry 
but "for a company that creates products for security and other uses." 
He didn't respond to a follow-up question asking him the name of the 
company he works for, but a Google search on Sazeman-e Sana'et-e Defa' 
turns up what appears to be the Defense Industries Organization, a 
state-owned subsidiary of Iran's Ministry of Defense.

