http://www.wired.com/news/privacy/0,1848,59024,00.html
By Christopher Null
May. 29, 2003

Cingular can issue insurance to its mobile-phone customers to protect them against loss and damage, but it apparently can't ensure that hackers won't have full access to their personal data.

Adrian Lamo, a hacker who in the past has broken into The New York Times and Yahoo, found a gaping security hole in a website run by a company that issues the insurance to Cingular customers. By accessing the site, Lamo said he could have pulled up millions of customer records had he wanted to.

He said he discovered the problem this weekend through a random finding in a Sacramento Dumpster, where a Cingular store had discarded records about a customer's insurance claim for a lost phone.

By simply typing in a URL listed on the detritus, Lamo was taken to the customer's claim page on a site run by lock\line LLC, which provides the claim management services to Cingular.

Normally, this page should have been reachable only by passing through a password-protected gateway, but by simply entering the valid URL, Lamo discovered that individual claims pages could be accessed, no password authentication needed.

Each page contained the customer's name, address and phone number, along with details on the insurance claim being made. Altering the claim ID numbers (which were assigned sequentially) in the URL gave Lamo access to the entire history of Cingular claims processed through lock\line, comprising some 2.5 million customer claims dating back to 1998.

Lamo said the hack was similar to his discovery of a security hole at Microsoft in October 2001, where the server was configured to assume that if a user could reach a certain URL that was otherwise unpublished on the Internet, that user must be authorized to do so and must already be logged in.

As with his other hacks, Lamo said he had no intent of profiting from the exploit, just pointing out a security flaw.
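The two design mistakes the article describes (treating a reachable URL as proof of login, and sequential claim numbers that make every other record guessable) are shown side by side below in a constructed example; this is not code from lock\line or from the article, and the claim records, customer names and session shape are all made up for illustration.

```python
"""Constructed illustration of the claim-page flaw described above.

Two handlers serve the same claim records: one trusts the URL alone (the
bug in the article), the other requires a login, enforces that the claim
belongs to the logged-in customer, and exposes an unguessable reference
instead of the sequential claim number. All data here is constructed.
"""
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Claim:
    claim_id: int      # sequential, as the article describes
    customer: str      # customer who filed the claim
    details: str


# Constructed sample claims with sequential IDs (the real site had 2.5M).
CLAIMS = {
    1001: Claim(1001, "alice", "lost phone, claim approved"),
    1002: Claim(1002, "bob", "cracked screen, claim pending"),
}

# Hardened design: the public reference is a random token mapped server-side,
# so knowing one claim's URL says nothing about any other claim's URL.
CLAIM_REF = {secrets.token_urlsafe(16): cid for cid in CLAIMS}


def vulnerable_claim_page(claim_id: int) -> Optional[Claim]:
    """Flawed: reaching the URL is treated as proof of authorization."""
    return CLAIMS.get(claim_id)


def hardened_claim_page(session: Optional[dict], claim_ref: str) -> Optional[Claim]:
    """Correct: require a login, resolve the reference, then enforce ownership."""
    if not session or not session.get("customer"):
        return None                       # not logged in: no page at all
    claim_id = CLAIM_REF.get(claim_ref)
    if claim_id is None:
        return None                       # unknown or guessed reference
    claim = CLAIMS[claim_id]
    if claim.customer != session["customer"]:
        return None                       # someone else's claim: deny, reveal nothing
    return claim


def ref_for(claim_id: int) -> str:
    """Public reference for a claim, as a confirmation letter would print it."""
    return next(ref for ref, cid in CLAIM_REF.items() if cid == claim_id)
```

The random reference only removes the sequential-ID shortcut; the ownership check is what actually closes the hole, since a reference printed on a discarded document (as in the Dumpster find) is still exposed.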
Lamo first exposed the problem to Wired News. After this reporter pointed out the flaw, Cingular and lock\line closed the hole by Wednesday morning.

Cingular spokesman Tony Carter said lock\line has enabled password protection for the site and has now incorporated "obfuscation techniques" that scramble URLs so that, even in the event of a site compromise, additional records should not be easily accessible. Lock\line spokesman Reed Garrett confirmed the hack.

Carter noted that no financial information or social security number data were taken and the information wasn't even available to lock\line.

"We screwed up," said Carter. "Our policy is that any time there is a document with customer information on it is to be shredded. They've been trained on this. They just didn't do it. There's no excuse for it."

The event highlights the problems of managing vendor relationships when customer information needs to be shared but each company has different processes for handling that information. Carter says Cingular has nearly 40,000 vendors, and staying on top of them all is an "arduous" task, which the company continues to evaluate.

Jerry Brady, CTO of security services company Guardent, said incidents like the Cingular episode are not that uncommon.

"This usually happens because people whip together quick-and-dirty front ends without much thought to the construction of the data," he said. "You see this all the time, not just in the private sector, but in government systems as well. You just can't expect that outsourcer (to) treat confidential data the same way as the firm. They have no vested interest in worrying about the customer."

Lamo noted that outsourcing arrangements continue to yield a treasure trove of weak links in electronic security. Said Lamo, "As companies begin to outsource more and more of their businesses, the line of where security begins and ends gets blurry." He added that in this case, the security was "tremendously bad."
The Cingular discovery is the latest in a line of exploits from Lamo. In the past few years, Lamo has found his way into the database containing sources for The New York Times, has altered news stories on Yahoo and has repeatedly compromised AOL. Companies have contemplated suing him, but security experts have lauded his efforts for pointing out flaws.

Lamo, 22, doesn't have a permanent address. He wanders cross-country on foot or by public bus. Spring and summer usually bring him to Northern California. Until recently, he used terminals at Kinko's to perform his hacks. He has graduated to using a Wi-Fi-ready laptop at Starbucks to do his work.

For Lamo, there's a bigger issue at stake with the Cingular hack. "If only they had recycled the document instead of throwing it away," he quipped, "this wouldn't have happened."

-
ISN is currently hosted by Attrition.org
This archive was generated by hypermail 2b30 : Fri May 30 2003 - 01:42:03 PDT