Information Security News mailing list archives

Lamo Hacks Cingular Claims Site


From: InfoSec News <isn () c4i org>
Date: Fri, 30 May 2003 00:38:07 -0500 (CDT)

http://www.wired.com/news/privacy/0,1848,59024,00.html

By Christopher Null 
May. 29, 2003

Cingular can issue insurance to its mobile-phone customers to protect
them against loss and damage, but it apparently can't ensure that
hackers won't have full access to their personal data.

Adrian Lamo, a hacker who in the past has broken into The New York
Times and Yahoo, found a gaping security hole in a website run by a
company that issues the insurance to Cingular customers. By accessing
the site, Lamo said he could have pulled up millions of customer
records had he wanted to.

He said he discovered the problem this weekend through a random
finding in a Sacramento Dumpster, where a Cingular store had discarded
records about a customer's insurance claim for a lost phone. By simply
typing in a URL listed on the detritus, Lamo was taken to the
customer's claim page on a site run by lock\line LLC, which provides
the claim management services to Cingular.

Normally, this page should have been reachable only by passing through
a password-protected gateway, but by simply entering the valid URL,
Lamo discovered that individual claims pages could be accessed, no
password authentication needed.

Each page contained the customer's name, address and phone number,
along with details on the insurance claim being made. Altering the
claim ID numbers (which were assigned sequentially) in the URL gave
Lamo access to the entire history of Cingular claims processed through
lock\line, comprising some 2.5 million customer claims dating back to
1998.

Lamo said the hack was similar to his discovery of a security hole at
Microsoft in October 2001, where the server was configured to assume
that if a user could reach a certain URL that was otherwise
unpublished on the Internet, that user must be authorized to do so and
must already be logged in.

As with his other hacks, Lamo said he had no intent of profiting from
the exploit, just pointing out a security flaw.

Lamo first exposed the problem to Wired News. After this reporter
pointed out the flaw, Cingular and lock\line closed the hole by
Wednesday morning.

Cingular spokesman Tony Carter said lock\line has enabled password
protection for the site and has now incorporated "obfuscation
techniques" that scramble URLs so that, even in the event of a site
compromise, additional records should not be easily accessible.
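An added example, not code from the article or from lock\line, contrasting the handler behaviour described above (reaching a claim URL treated as proof of authorization, with sequential claim IDs) against a hardened lookup that requires an authenticated session, checks that the claim belongs to that customer, and keys claims by unguessable tokens. The claim records, session shape and function names are constructed for illustration.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

@dataclass
class Claim:
    claim_id: int      # sequential, as the article describes
    customer: str
    detail: str

# Constructed sample records standing in for the claims database.
CLAIMS = {
    1001: Claim(1001, "alice", "lost phone"),
    1002: Claim(1002, "bob", "cracked screen"),
}

class Forbidden(Exception):
    """Raised when a request must be refused (login or ownership check fails)."""

def lookup_claim_vulnerable(claim_id: int) -> Optional[Claim]:
    """Anti-pattern from the article: any caller who reaches the URL gets
    the record, and sequential IDs make every other record reachable too."""
    return CLAIMS.get(claim_id)

# Hardened version: claims are addressed by random tokens, and the handler
# enforces both authentication and ownership before returning anything.
TOKEN_TO_ID: dict = {}

def issue_token(claim_id: int) -> str:
    """Map a claim to an unguessable token (what the article calls URL
    obfuscation). This limits guessing but is NOT the access control."""
    token = secrets.token_urlsafe(16)
    TOKEN_TO_ID[token] = claim_id
    return token

def lookup_claim_hardened(session: Optional[dict], token: str) -> Claim:
    # 1. The request must carry an authenticated session, URL or not.
    if not session or not session.get("authenticated"):
        raise Forbidden("login required")
    # 2. Resolve the token, then verify the claim belongs to this customer.
    claim_id = TOKEN_TO_ID.get(token)
    claim = CLAIMS.get(claim_id) if claim_id is not None else None
    # Same error for "unknown token" and "someone else's claim", so the
    # response does not reveal which tokens exist.
    if claim is None or claim.customer != session.get("customer"):
        raise Forbidden("claim not found for this account")
    return claim
```

The token mapping alone would still have failed the way the article describes if the session check were missing, which is why the hardened handler checks the session first and ownership second.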

Lock\line spokesman Reed Garrett confirmed the hack. Carter noted that
no financial information or social security number data were taken and
the information wasn't even available to lock\line.

"We screwed up," said Carter. "Our policy is that any time there is a
document with customer information on it is to be shredded. They've
been trained on this. They just didn't do it. There's no excuse for
it."

The event highlights the problems of managing vendor relationships
when customer information needs to be shared but each company has
different processes for handling that information. Carter says
Cingular has nearly 40,000 vendors, and staying on top of them all is
an "arduous" task, which the company continues to evaluate.

Jerry Brady, CTO of security services company Guardent, said incidents
like the Cingular episode are not that uncommon.

"This usually happens because people whip together quick-and-dirty
front ends without much thought to the construction of the data," he
said. "You see this all the time, not just in the private sector, but
in government systems as well. You just can't expect that outsourcer
(to) treat confidential data the same way as the firm. They have no
vested interest in worrying about the customer."

Lamo noted that outsourcing arrangements continue to yield a treasure
trove of weak links in electronic security. Said Lamo, "As companies
begin to outsource more and more of their businesses, the line of
where security begins and ends gets blurry." He added that in this
case, the security was "tremendously bad."

The Cingular discovery is the latest in a line of exploits from Lamo.
In the past few years, Lamo has found his way into the database
containing sources for The New York Times, has altered news
stories on Yahoo and has repeatedly compromised AOL. Companies have
contemplated suing him, but security experts have lauded his efforts
for pointing out flaws.

Lamo, 22, doesn't have a permanent address. He wanders cross-country
on foot or by public bus. Spring and summer usually bring him to
Northern California. Until recently, he used terminals at Kinko's to
perform his hacks. He has graduated to using a Wi-Fi-ready laptop at
Starbucks to do his work.

For Lamo, there's a bigger issue at stake with the Cingular hack.

"If only they had recycled the document instead of throwing it away,"
he quipped, "this wouldn't have happened."
