A soap opera is playing out on the mailing lists of several security newsgroups this morning, complete with people hiding behind pseudonyms, people "outing" one another and rumors of death threats against the major players. At stake? A possible worm for Apple's Mac OS X operating system.
Over the weekend, someone using the name Infosec Sellout posted on the BugTraq mailing list news of a worm exploiting a vulnerability in mDNSResponder, a component of Apple's Bonjour automatic network service. Apple in May, but the author claims there remains an unpatched vulnerability. The author also claims to have a proof-of-concept worm ready to go, named Rape.osx, but says he won't release the worm. In a security vendor blog, McAfee quotes the author as saying he was compensated for this work.
As news of the posting and possible worm spread, skepticism grew. The author suffered harsh criticism from security colleagues for hiding behind a pseudonym, and for not providing any proof of the worm. The author also reportedly received death threats in reader posts to his blog site. In response, Infosec Sellout says in a blog post that he removed all prior postings on his blog site. Is that true? Last night someone else claiming to be Infosec Sellout claims the site in question, called Security Information, is not the real Infosec Sellout blog site, but a hijacked site, hence the lack of prior posts.
The story gets weirder. One of the names thought to be behind the hijack of Infosec Sellout is David Maynor of Errata Security, who might be using the name "LMH." Last summer, during BlackHat USA, security researchers David Maynor and Johnny Cache disclosed a wireless vulnerability using an Apple Computer Macbook. The team found that malformed network traffic could allow the laptop to be compromised, and they provided a video of the attack. The researchers did use a third-party wireless card for their video demonstration, but said repeatedly that the Apple Airport wireless driver was also vulnerable. Two months after BlackHat, Apple quietly released a patch, which, if the vulnerability that was fixed had been exploited, could have compromised the Airport wireless drivers in MacBooks.
This morning in a post on the Fuzzing mailing list, someone calling himself David Maynor responded. In a post called "The Truth," the author using the name LMH says he is David Maynor and then proceeds to confess that after last summer he needed to hide behind the name "LMH" to get the word out about new vulnerablities. Yet if you go over to the Errata Security blog site, the real David Maynor says the Fuzzing mailing list post is a sham, and cites several factual errors. We took the text and put it through Hacker Factor Solutions Gender Guesser and it appears a male did indeed write the Fuzzing plot. But based on the words chosen and sentence length, the tool also suggests it was a male European who wrote it. David Maynor has been based near Atlanta, Ga., for years.
Remember all of this intrigue concerns a proof-of-concept worm that no one has seen that supposedly affects a patched vulnerability in mDNSResponder on Apple OS X.
Stay tuned for more weirdness.