By Kim Zetter
October 03, 2007
A Department of Homeland Security mailing list that provides
unclassified daily news reports on critical infrastructure information
experienced a meltdown today when the list apparently got misconfigured
and began routing any reply that someone sent to another person on the
list to every subscriber on the list. The list was further configured to
reveal the e-mail address of the senders so that the names and contact
details of hundreds of list members -- including government workers in
critical infrastructure positions -- were exposed. The mishap also
revealed an interesting tidbit -- at least one member of the list works
in some capacity with Iran's Ministry of Defense.
The problem began early this morning when a subscriber to the DHS Daily
Open Source Infrastructure Report mail list sent an e-mail to the list
address saying he was switching jobs and asking to have the daily report
sent to his new e-mail address. Another list member replied to his
message telling him that he'd inadvertently sent his request to the
wrong address. That reply, however, also went to everyone on the DHS
mail list, as did every other reply from people on the list telling the
first two posters that their messages had spammed the entire list.
Subsequent e-mails pleading with members to "stop hitting the
reply-to-all button" also were spammed to the entire list. By midday,
hundreds of such e-mails were clogging the list.
At one point someone suggested lightly that the mailing mix-up was a
great way for list members to network and get to know one another, which
then resulted in a free-for-all internet party as members spammed the
list with still more e-mail, jokingly exchanging astrological signs and
romantic details ("I like long walks on the beach and a nice chardonnay
with my roasted duck," wrote one member), networking for jobs and, in
the case of at least one list member, campaigning for political office.
One government worker, however, wasn't amused.
From: Kinder, Mike [mailto:XXXXXXX@tswg.gov]
Subject: URGENT REQUEST FROM DOD RE: DHS_Daily_Report_2007-10-02
This is your COMBATING TERRORISM OFFICE for DOD asking you to kindly
stop now please. We actually have work to do.
Not to be a buzz kill but this is NOT a networking tool. I will make
a list of these responses to have all of you removed if it
Infrastructure Protection SETA Support to the TSWG
The Technical Support Working Group (TSWG) is the U.S. Government's
national forum that identifies, prioritizes, and coordinates
interagency and international research and development (R&D)
requirements for combating terrorism. Through the Department of
Defense's Combating Terrorism Technology Support Program and funding
provided by other agencies, the TSWG rapidly develops technologies
and equipment to meet the high priority needs of the combating
terrorism community, and addresses joint international operational
requirements through cooperative R&D with major allies. For
information on TSWG technology projects, transition opportunities,
and other user information, please visit the TSWG web page at
The list is run by a government contractor, Computer Sciences
Corporation. List subscribers include government workers involved in
security and counterterrorism efforts, employees of government
contractors and security companies, as well as journalists and
researchers. None of the information exchanged on the list is
classified, and all of it can be obtained from other sources. But many of the messages
included signatures at the bottom of the e-mail disclosing the sender's
government title and contact details, which could potentially be of use
to someone wanting to social engineer the government worker to obtain
information or spoof the worker's e-mail address and pose as him.
The problem with the list continued for at least six hours before
someone finally fixed it -- but not before more than 500 messages had
been spammed to list members. One State Department worker complained
that the mishap cost her agency money since she was working overseas and
being billed for every message that arrived on her handheld device.
Some of the list members were surprised when the worker from Iran, Amir
Ferdosi, popped up with this message.
From: Amir Ferdosi
To: DHS Daily OSIR Distribution List
Sent: Wednesday, October 3, 2007 3:24:28 PM
Subject: Is this being a joke?
why are so many messages today?
Sazeman-e Sana'et-e Defa'
He added in another message:
This is very distracting to my messages. I read English slowly. My
main office is in Iran, but I commute to Europe. I am a researcher
for the defence ministry. Today I am just outside Marseille, France--it is
very mild temperature.
My brother lives in Tustin, California. Is that near you. I visited
several years ago.
with respect, amir
This sparked an alarming response from another list member:
From: Marshall Odom
To: Amir Ferdosi, DHS Daily OSIR Distribution List
Subject: Give it a read you may see yourself in here!!!!!
Wow a reply from Iran!!!! Open source really does mean open
source!!!!! For those of you that have responded to this email from
an official computer with your snazzy little signature at the
bottom, especially those that have every piece of contact
information listed, including those of you that have disclosed
sensitive phone numbers and classified email addresses have
knowingly provided this information to people all over the world
some of which I am sure are deemed "undesirables". Folks wise up.
This is an open report that anyone with an email address can
subscribe to. Although some of your responses have been humorous to
say the least (leave poor alex alone) you are opening doors to
people that you do not want to. I notice some of you are in jobs
that use this list as a way of staying informed although you have no
true capacity in the world of infrastructure security and I applaud
you for using this tool to stay abreast of all the information
But those of you that are in the military or provide services
through any official office you should know better than to advertise
who you are and who you work for. The best tool that someone can use
to gain access to information they should not have is to befriend
you and what better way than through some harmless emails. Besides
now they have all your information. This is trade craft 101 folks.
Wise up and don't reply to something just because you can. I know
that I now have access to hundreds of IP addresses, email addresses,
phone numbers, names of personnel in sensitive positions and
locations, I am only a cover story and a fake letterhead away from
trolling for intel.
I wrote Ferdosi asking him to elaborate on what he does for the Ministry
of Defense. He replied that he doesn't actually work for the ministry
but "for a company that creates products for security and other uses."
He didn't respond to a follow-up question asking him the name of the
company he works for, but a Google search on Sazeman-e Sana'et-e Defa'
turns up what appears to be the Defense Industries Organization, a
state-owned subsidiary of Iran's Ministry of Defense.