Thursday, June 07, 2012

zimbra

internet post!

So, earlier today, I got an email from the "Security Operations Lead" at NASA Ames, saying that a whole batch of people's passwords and account names had been accessed. I had an account there for a meeting I went to earlier this month; coincidentally, immediately after attending that meeting, I noticed that one of my peripheral email accounts had been accessed, and at the time I blamed it on the hotel.

Just now, I get an email from something called Zimbra, informing me that:
You requested your Email Account  on June 7, 2012 at 11:02 PM CS to be deactivated and deleted from a location in with this IP number; 201.130.47.33.
2. Click on  (https://secure.zimbra.com/verifyf?intl=us&.partner= cancelrequest) to cancel this request; else your email account will be deactivated and deleted within 24 hours
The sender's address was "bankofcard@yahoo.com". Yeah. Zimbra is apparently some sort of open source email server software for Linux machines. So this doesn't have anything to do with Zimbra.

The IP address leads to a machine in Mexico, with the URL niie2e.nextel.com.mx. This machine seems to have all ports open, i.e. it's either a totally open proxy server, or some sort of disguise for something else.

That URL to 'secure.zimbra.com' was actually an alias in the email (no I did not click on it, I am not stupid), for "http://www.contactme.com/4fcf723e2e22a2000103d1b6". From their website I can't tell what the hell contactme is, but it looks like their site was probably co-opted. I wonder what's there...
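A small check for the kind of link described above, as an added example that is not from the original post: it pulls every anchor out of an HTML email body and flags links whose visible text shows one host while the href actually points at another. The sample message body is constructed here from the two URLs quoted in the post; the function and helper names are my own.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


_BARE_DOMAIN = re.compile(r"[\w.-]+\.[a-z]{2,}", re.I)


def _host_of(s):
    """Lowercase hostname if s is a URL or a bare domain like www.example.com, else None."""
    s = s.strip()
    if "://" not in s:
        if not _BARE_DOMAIN.fullmatch(s):
            return None  # plain words such as "Click here" carry no host claim
        s = "http://" + s
    host = urlsplit(s).hostname
    return host.lower() if host else None


def mismatched_links(html):
    """Return (visible_host, actual_host, href) for each link whose text names
    a different host than the one the href really goes to."""
    parser = _AnchorCollector()
    parser.feed(html)
    found = []
    for href, text in parser.links:
        shown = _host_of(text)
        actual = _host_of(href or "")
        if shown and actual and shown != actual:
            found.append((shown, actual, href))
    return found


# Constructed sample body, built from the URLs quoted in the post above.
SAMPLE_EMAIL_HTML = """
<p>2. Click on <a href="http://www.contactme.com/4fcf723e2e22a2000103d1b6">https://secure.zimbra.com/verifyf?intl=us&amp;.partner=cancelrequest</a>
to cancel this request; else your email account will be deactivated</p>
<p>Help: <a href="https://support.example.com/faq">https://support.example.com/faq</a></p>
<p><a href="http://www.contactme.com/4fcf723e2e22a2000103d1b6">Click here</a></p>
"""

if __name__ == "__main__":
    for shown, actual, href in mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"text claims {shown!r} but link goes to {actual!r}: {href}")
```

The check compares full hostnames, so a legitimate mail that shows `zimbra.com` while linking to `www.zimbra.com` would also be flagged; if that is too noisy, compare registrable domains instead. Links whose text is plain words ("Click here") are not flagged because the text makes no host claim to contradict.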

Anyways, the relationship to the NASA thing is just coincidental timing, but makes me a bit paranoid.

*edit 6-19-12*
Got called down to the network office this morning to change my password; apparently the NASA thing had gotten distributed to everyone whose ids were leaked. The admin forwarded to me the info he'd gotten through the Harvard IT director, and based on that I found this:

http://pastebin.com/nSJ9Nn9Z

Who knows how long that link will stay alive. Anyways, it's a list of the email addresses, but no passwords, for everyone that attended that workshop.

The header on the document:

[HACKED] NASA.GOV - AMES RESEARCH CENTER - By ZYKLON B
 ...
Join me on twitter : https://twitter.com/#!/bzyklon

Author : ZYKLON B
Target : NASA Ames Research Center - Ocular Imaging Laboratory (ace.arc.nasa.gov)
Reason : Curiosity, Challenge.

IS THE TARGET COMPROMISED ? YES.
Note : NASA Glenn research center already hacked 5-6 weeks ago.

Anyways, that's interesting. You look down the document, and there we all are! Yeah, hackers have twitter accounts!
