Enriching The ‘RSA Employee #15666’ Dump + Stats

UPDATE 2014-03-29: fixed broken links to the gzip’d CSV and MySQL files.
In “EXCLUSIVE: Leaked ‘RSA dump’ appears authentic” at Risky.biz, I read that on August 15th 2011 the “RSA Employee #15666” dump was posted here. I have no opinion on its authenticity. Please read the post at Risky.biz for analysis; I merely provide additional data and stats here.

The original dump contains 870 entries consisting of:

1. hostname
2. IP address

I enriched the data by adding:

3. my own lookup of the A-record for (1)
4. my own lookup of the PTR-record for (2)
5. GeoIP data for (1) = country, state, city, zip, GPS, organization
6. IP2ASN mapping for (1) = ASN, network description via whois.cymru.com

All lookups were run from an IP address in AS1103 (SURFNET-NL) on August 18th 2011 at 20:00-21:30 UTC+2. I mention the latter because the DNS/AS situation may have been deliberately changed since the dump was publicly posted (August 15th) or announced (August 18th).
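Because the DNS/AS situation can change after the lookups were run, the enrichment is worth repeating and comparing against the dump. The following is an added example, not the script used for this post: it re-runs the A and PTR lookups, parses a verbose bulk reply from whois.cymru.com, and flags rows whose current A-record no longer matches the dump's IP address. The function names, the sample rows and the offline resolvers are assumptions constructed for illustration.

```python
import socket

def parse_cymru(text):
    """Verbose bulk reply from whois.cymru.com -> {ip: (asn, as_name)}."""
    out = {}
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) == 7 and cols[0].isdigit():  # skips banner, header, "NA" rows
            out[cols[1]] = (int(cols[0]), cols[6])
    return out

def lookup_a(host):
    """Current A-records for a hostname (empty list if it no longer resolves)."""
    try:
        return sorted(set(socket.gethostbyname_ex(host)[2]))
    except OSError:
        return []

def lookup_ptr(ip):
    """Current PTR name for an IP address, or None."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def enrich(rows, asn_map, a=lookup_a, ptr=lookup_ptr):
    """Add fresh A/PTR/ASN columns and flag rows whose A-record left the dump's IP."""
    out = []
    for host, ip in rows:
        a_now = a(host)
        asn, as_name = asn_map.get(ip, (None, None))
        out.append({"hostname": host, "ip": ip, "a_now": a_now, "ptr_now": ptr(ip),
                    "asn": asn, "as_name": as_name, "a_matches_dump": ip in a_now})
    return out

# Constructed sample data (documentation address space and ASNs, not from the dump).
ROWS = [("www.example.com", "192.0.2.10"), ("mail.example.net", "198.51.100.7")]
CYMRU = """Bulk mode; whois.cymru.com [2011-08-18 18:00:00 +0000]
AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
64496   | 192.0.2.10       | 192.0.2.0/24        | ZZ | other    | 2010-01-01 | EXAMPLE-NET-A
NA      | 198.51.100.7     | NA                  | ZZ | other    |            | NA
"""
FAKE_A = {"www.example.com": ["192.0.2.10"], "mail.example.net": ["203.0.113.5"]}
FAKE_PTR = {"192.0.2.10": "www.example.com"}

def demo():
    """Run the enrichment offline against the constructed resolvers above."""
    return enrich(ROWS, parse_cymru(CYMRU),
                  a=lambda h: FAKE_A.get(h, []), ptr=FAKE_PTR.get)
```

Calling `enrich(rows, asn_map)` without the `a` and `ptr` arguments performs live DNS lookups, so the results depend on the network and the time at which they are run.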

Here is the enriched dump (SSL cert sig should be 01:00:00:00:00:01:1C:9E:A3:54:3F):

20110818_RSA15666_enriched.csv.gz (CSV)
20110818_RSA15666_enriched.sql.gz (MySQL dump)

Some quick stats: HERE (mirror).

DO NOT TRUST MY DATA. VERIFY IT. If the data or stats are wrong, please inform me (Twitter: @mrkoot or e-mail: koot=>uva.nl). I will change this blogpost to reflect advancing insight.
