Trad.Goth Advisory #1 Name: Social Engineering of Administrators and Security Professionals Type: Information Disclosure Date: Daily Application: External use only, all MTA's and E-mail Clients, always read the label Platform: All Platforms, especially tall ones that wobble a lot Severity: Names, contact details and internal network infrastructure details can be enumerated, as can personnel absence Author : Nexus <nexusat_private-way.co.uk> Vend Status: Out of Jolt.... bummer said Dougal CVE: It's too common for a CVE Reference... well actually, I haven't asked them Overview The names, contact details and presence at work of Administrators and Security Professionals can be enumerated in a trivial fashion simply by posting a single e-mail to a public mailing list. The resulting storm of Out Of Office Replies (OOOR's) will contain all the vital information necessary to socially engineer and determine remote network structure and implementation. Personal mobile (n. cell phone, [US]), pager (n. bleepy thing [UK]) numbers and other contact details can also be revealed as can recent happy events such as births, deaths and marriages. (Not that I am suggesting Death is always a happy occasion but please remember that I'm a) a Trad.Goth (tm) , b) Divorced and c) hate Marilin Manson.) In addition to this, the SMTP header can also reveal RFC 1918 addresses, MTA and client versions, OS types, software version banners and any AV products being used. Effects Certain levels of annoyance for anyone posting to a public mailing list, probably major levels of annoyance for the poor Moderator that gets this every time they remind the list to turn of OOOR's. If your rather crowded OOOR'd inbox becomes an issue, I recommend forwarding the details to your local K-RAD 31337 d00d Dept. or Trocedero Playgroup for follow-up action. Detailed Description: 1. Post an e-mail to a public mailing list. 2. Ermmmm.... 3. That's it. 4. Await barrage of OOOR's. 5. Complain to anyone that is willing to listen. 6. Continued on Page 94. 7. Apologise to Private Eye for #6 Proof-of-Concept: This advisory in itself provides full proof of concept, however, list members are encouraged to replicate this activity and review the rather full inbox that results, in a wide variety of languages. Contact details should be followed up, preferably outside of the individuals working hours, so as to convey the importance of telling the entire world that you are not available. Consideration should be given to reconfiguring your MTA's to send YIKYAOOOSSSMOOOR messages (Yes I Know You Are Out Of Office So Stop Sending Me Out Of Office Replies) to ensure that people are informed that you are In The Office. Unless you are out of office of course. If you are both in and out of the office at the same time, then please write an RFC for decoherance and the required number of qubits to factor yourself into the same place. Temporary Workaround: Inform the list Moderator and the list engine that you are out of office. Please. Pretty please with sugar on top. Vendor Response: The Vendor was unfortunately unavailable being Out Of Office. However, their contact details have been passed to the Insomniac Social Engineering Dept. for further analysis and sold to Telemarketing companies. Common Vulnerabilities and Exposures (CVE) Information: The Common Vulnerabilities and Exposures (CVE) project [http://cve.mitre.org] has not assigned the following name to this issue - "Please Stop". In fact, I have not contacted them at all since they only allow crayons here. Credits: I would like to thank the "Big 5" consultantcy firm with the MTA at 10.26.104.85, the South American bank with the Solaris box at 172.16.126.251 via the Tid InfoMail Exchanger v2.20 server and the German ISP that likes IBM boxes, including the MTA at 192.168.0.30 (nice open-source freeware AV solution guys ;-) and the other members of this list for supplying me with their emergency contact details. Any particularly bad time to call ? Greetz: The Guys - y'know who you are... *wave*
This archive was generated by hypermail 2b30 : Fri Jun 07 2002 - 08:52:48 PDT