Information Security News mailing list archives

Re: Lamo Hacks Cingular Claims Site


From: InfoSec News <isn () c4i org>
Date: Mon, 2 Jun 2003 03:08:25 -0500 (CDT)

Forwarded from: Steven Moshlak <smoshlak () interserv com>

"Dumpster-Diving" for information is as old as, well, J Edgar Hoover's
boys used to do it (they busted a spy ring or two), competitors would
go through the trash, searching for hardcopy print-outs, not to
mention the criminal element, which has made identity theft, which
until late, has become a major and prolific problem.

The solution is simple; if it is worth securing, it is worth shredding
and/or securing your sensitive documentation.  This happened in
California? So what else is new?

-Steve


----- Original Message ----- 
From: "InfoSec News" <isn () c4i org>
To: <isn () attrition org>
Sent: Friday, May 30, 2003 1:38 AM
Subject: [ISN] Lamo Hacks Cingular Claims Site


http://www.wired.com/news/privacy/0,1848,59024,00.html

By Christopher Null
May. 29, 2003

Cingular can issue insurance to its mobile-phone customers to
protect them against loss and damage, but it apparently can't ensure
that hackers won't have full access to their personal data.

Adrian Lamo, a hacker who in the past has broken into The New York
Times and Yahoo, found a gaping security hole in a website run by a
company that issues the insurance to Cingular customers. By
accessing the site, Lamo said he could have pulled up millions of
customer records had he wanted to.

He said he discovered the problem this weekend through a random
finding in a Sacramento Dumpster, where a Cingular store had
discarded records about a customer's insurance claim for a lost
phone. By simply typing in a URL listed on the detritus, Lamo was
taken to the customer's claim page on a site run by lock\line LLC,
which provides the claim management services to Cingular.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

