Wesley 'Arthur' Kenzie, aka Securikai

This is supporting email evidence for the article titled ' '. Below are emails between Arthur Kenzie and HD Moore. Kenzie initiated the email contact, warning HD Moore of a "vulnerability" in his domain related to email. The mails from Kenzie were PGP encrypted and signed, but appear only in their unencrypted form below. Kenzie's stupid email disclaimer has been included one time, and removed from subsequent emails.

From: Arthur (Wesley) Kenzie (wkenzie@securikai.com)
Subject: Disclosure regarding email vulnerability
Date: Thu, 29 Dec 2011 20:58:46 -0800
To: hdm[at]digitaloffense.net

Decrypted (PGP):

I have important information to discuss with you regarding an email vulnerability 
that I have discovered affecting your organization.

More information about this vulnerability can be found at my web site 
https://securikai.com under the category "Black Hole" email vulnerability.

Sincerely,

Arthur (Wesley) Kenzie
wkenzie@securikai.com
GPG/PGP public key 0x831b2c89
Skype wkenzie
iMessage wkenzie@me.com

Confidentiality Statement: This e-mail, including attachments, may include confidential 
and/or proprietary information, and may be used only by the person or entity to which it 
is addressed. If the reader of this e-mail is not the intended recipient or his or her 
authorized agent, the reader is hereby notified that any dissemination, distribution or 
copying of this e-mail is prohibited. If you have received this e-mail in error, please 
notify the sender by replying to this message and delete this e-mail immediately. Thank 
you.


Date: Thu, 29 Dec 2011 23:49:10 -0600
From: HD Moore (hdm[at]digitaloffense.net)
To: "Arthur (Wesley) Kenzie" (wkenzie@securikai.com)
Subject: Re: Disclosure regarding email vulnerability

On 12/29/2011 10:58 PM, Arthur (Wesley) Kenzie wrote:

: I have important information to discuss with you regarding an email
: vulnerability that I have discovered affecting your organization.
:
: More information about this vulnerability can be found at my web
: site https://securikai.com under the category
: "Black Hole" email vulnerability.


Hello,

I read through your description of this vulnerability, and as far as I
can surmise, it's that I didn't purchase domain names with common
misspellings? As a domain that hosts one and only one user, this doesn't
represent a risk that I actually care about. Even in the case of my
employer (rapid7.com), the number of possible mis-spellings greatly
exceeds any level of reasonable defense. Can you explain what criteria
you use to determine common misspellings? DigitalOffense may be
ambiguous for those who use "c" instead of an "s", is that what you
consider data leakage?

I agree that law firms and other agencies that communicate with a large
number of recipients should be aware of this, but I also believe that
the problem is not email, http, or dns, but the lack of security used to
conduct legal business over the internet. Mandating the use of GPG or a
secure intermediate server for contacting clients, associates, and other
parties involved in a suit would solve this problem in a better fashion
than trying to catch all misspellings of a particular domain name. This
is already being done by many organizations.

Snarfing typo domain email content is interesting (and fun I imagine),
but I don't see a practical defense, and registering all possible typo
permutations seems like the wrong approach for sensitive data.

-HD


From: Arthur (Wesley) Kenzie (wkenzie@securikai.com)
Subject: Re: Disclosure regarding email vulnerability
Date: Fri, 30 Dec 2011 10:29:54 -0800
To: HD Moore (hdm[at]digitaloffense.net)


Decrypted (PGP):

Hello, HD. Thank you for getting back to me. All that follows is presented Without Prejudice, 
and is both signed and encrypted.

First, my standard disclosure narrative:

I discovered this vulnerability - which I am calling the "Black Hole" email vulnerability - 
while doing passive reconnaissance of Digital Offense's public Internet presence. This 
vulnerability allows an adversary to covertly obtain copies of certain emails intended for 
delivery to your organization. The way this vulnerability can be exploited is explained in 
my November 22 posting on my web site at  
https://securikai.com/2011/11/what-is-the-black-hole-email-vulnerability/ and my November 23 
posting at https://securikai.com/2011/11/legitimate-interest/. 

The specific vulnerability I discovered during my research that affects your organization is 
associated with the digitaloffence.net domain name. I was able to observe 6 unencrypted 
emails with this vulnerability in about 52 days between October 1 and November 22: 5 of these 
were from the austinblackcarservice.com domain, and 1 from software.com.pl (Hakin9 magazine).

1 of the 6 emails contained an attachment, which was in PDF format, and appeared to be an 
invoice.

Only your "hdm" email address was exposed.

I have no bad faith interest in these emails myself, I have not read any of their content 
(other than the Subject line, Sender(s), Recipient(s) and email headers), nor have I made 
copies, nor allowed anyone else to read them. In fact, after a short period of observation and 
evidence gathering, I am no longer studying this exploit, but I have recently put in place 
automatic re-direction of vulnerable emails to the "blackhole@digitaloffense.net" email 
address. You can read more about this in general terms at 
https://securikai.com/2011/11/blackholeyourdomain-com/. I have also put in place automatic 
forwarding of http access to digitaloffence.net to http://www.digitaloffense.net.

As soon as you create a "blackhole" email account, you will for the first time be able to 
gather your own evidence of this vulnerability. I recommend that you send an email to 
"hdm[at]digitaloffence.net" in order to confirm this is working properly.

To the best of my knowledge I have no obligation to report this vulnerability to you. The 
flaw I discovered has likely been in existence for quite a while, and your own information 
security practices and policies have obviously failed to protect your organization from 
exploitation of it.

Most importantly for you, my discovery has the potential to save Digital Offense from 
significant damages, since an adversary (or competitor) with knowledge of it, and with 
malicious intent, could use it to covertly take possession of confidential information; 
learn within a short period of time the most effective ways to initiate a spear phishing 
campaign against your company, its customers, suppliers or peers; and/or impersonate 
members of your company, its customers, suppliers or peers in attacks directed at others.

The good news is that Digital Offense is now currently protected from this instance of the 
Black Hole email vulnerability, and you can read my November 25 posting at 
https://securikai.com/2011/11/how-to-protect-your-organization/ to learn about my 
preliminary recommendations for steps you can take to improve that protection.

If your organization would prefer to take ownership and control of the digitaloffence.net 
domain, and limit my ability to do any further future research on it, then I believe it 
would be irresponsible of me not to give serious consideration to any reasonable offer 
you might be prepared to make for it. I am not requesting such an offer, but you might 
want to consider it in the same way that many prominent software companies have implemented 
bug bounty programs as a way to engage researchers to help them identify vulnerabilities in 
their products. Alternatively, I would immediately agree to transfer the domain to your 
organization for a one-time nominal price of $295 provided that you would also agree in 
principle to paying me a negotiated or mediated non-improvident fee in consideration of my 
expertise in bringing this vulnerability to your attention and in ensuring that no 
malevolent entity is able to exploit it for their own purposes. 

Secondly, in response to your comments and questions:

For about $100 a year, you would be able to protect yourself from 10 different mis-spellings. 
I believe this to be a practical, cost effective, and relatively simple strategy. However, 
it may not be completely effective, given that you may not be able to obtain ownership of 
all mis-spellings. Your 18-character email domain name is relatively weak to this vulnerability, 
and so a better strategy may be to register a new, simpler domain name such as hdm.io for 
your email use.

I absolutely agree with your perspective that with proper use of encryption over the public 
Internet this vulnerability loses much of its bite. My research is targeted at increasing 
awareness of this, by publicly disclosing examples of what can be observed - and no doubt 
is currently being observed by adversaries.


Sincerely, and Without Prejudice:

Arthur (Wesley) Kenzie
wkenzie@securikai.com
GPG/PGP public key 0x831b2c89
Skype wkenzie
iMessage wkenzie@me.com

[Confidentiality Statement removed]


From: Arthur (Wesley) Kenzie (wkenzie@securikai.com)
Subject: Fwd: Disclosure regarding email vulnerability
Date: Wed, 4 Jan 2012 22:04:22 -0800
To: HD Moore (hdm[at]digitaloffense.net)


Decrypted (PGP):


Hello again, HD. I am interested in learning more about your reasons for not 
responding to my disclosure. Do you need more time to consider the information?

Also, would you object to my posting something on my blog about your 
vulnerability? Or would you like to have the opportunity to comment before I 
publish something about your vulnerability?

My goal is to increase awareness, and I presume you are Ok with that.

Arthur (Wesley) Kenzie
wkenzie@securikai.com
GPG/PGP public key 0x831b2c89
Skype wkenzie
iMessage wkenzie@me.com

[Confidentiality Statement removed]

Begin forwarded message:

: From: Arthur (Wesley) Kenzie (wkenzie@securikai.com)
: Date: December 30, 2011 10:29:54 AM PST
: To: HD Moore (hdm[at]digitaloffense.net)
: Subject: Re: Disclosure regarding email vulnerability
: mime-version: 1.0 (Apple Message framework v1084)
: content-transfer-encoding: 7bit
: x-pgp-agent: GPGMail 1.3.3


From: Arthur (Wesley) Kenzie (wkenzie@securikai.com)
Subject: updated contact info
Date: Thu, 12 Jan 2012 14:00:51 -0800
To: blackhole@digitaloffense.net
Cc: blackeloh@digitaloffense.net


test only...

Arthur (Wesley) Kenzie
wkenzie@securikai.com
GPG/PGP public key 0x831b2c89
Skype wkenzie
iMessage wkenzie@me.com

[Confidentiality Statement removed]


From: Arthur (Wesley) Kenzie 
Subject: updated updated contact info
Date: Thu, 12 Jan 2012 14:07:37 -0800
Cc: blackeloh@digitaloffence.net
To: blackhole@digitaloffence.net


not the previous test...

Arthur (Wesley) Kenzie
wkenzie@securikai.com
GPG/PGP public key 0x831b2c89
Skype wkenzie
iMessage wkenzie@me.com

[Confidentiality Statement removed]


After this article and comments on Twitter, Kenzie offers to give HD Moore the domain for free.

From: "Arthur (Wesley) Kenzie" (wkenzie@securikai.com)
Subject: digitaloffence.net domain
Date: Fri, 3 Feb 2012 12:49:47 -0800
To: HD Moore (hdm[at]digitaloffense.net)

HD, I am willing to transfer registration of the domain
digitaloffence.net to you at any time, at no cost. If you already have
an account at GoDaddy this could be done relatively quickly, but I would
require your GoDaddy account number to make it happen - if not, then I
will unlock the domain and send you the transfer auth code within 24
hours of receiving your request.

Arthur (Wesley) Kenzie
wkenzie@securikai.com
GPG/PGP public key 0x831b2c89
Skype wkenzie
iMessage wkenzie@me.com
