Adrian Lamo — Part 2
Page 273
SecurityFocus HOME News: Lamo's Adventures in WorldCom, Page 2 of 5
restricted. Other times, network administrators deliberately leave secret Web pages wide open,
counting on nobody stumbling across the URL.
Lamo is a master of this unlisted Web. He can direct you to the Web site at Apple Computer that
yields a trove of detailed circuit diagrams and schematics, marked “proprietary,” but available to
anyone with knowledge of the URL. He knows a particular Web address at the prestigious Journal
of Commerce (JoC) that routes to an unprotected administrative tool that grants access to the
publication's database of online subscribers, their names, email addresses and passwords. Credit
card numbers aren't displayed, but Lamo "theorizes" that one out of five passwords would also
work on the subscriber's mail account. (JoC Online editor Stuart Chirls declined to comment.)
The hacker makes his discoveries during marathon all-night sessions in front of his laptop. He
scans Internet address ranges for undocumented Web servers, or uses well-known software bugs
to find the names of private files on otherwise-public servers. Sometimes, he just guesses. At any
given moment, Lamo has a long list of "interesting" Web sites he may or may not look into
further, depending on the vagaries of his ever-shifting curiosity.
Some of the ones he has looked into have made news. In September, Lamo discovered an
exposed server at Microsoft that gave anyone with knowledge of the URL access to billing,
shipping and purchasing data for any customer who purchased Microsoft products online. Earlier
the same month, he used an exposed Web-based production tool to tamper with a wire service
story on Yahoo! News, deliberately choosing an old story to minimize the impact.
The Problem with Proxies
As he has with other networks, Lamo found the keys to WorldCom's kingdom in open Internet
proxy servers. In normal operation, a proxy server is a dedicated machine that sits between a
local network and the outside world, passing internal surfers' Web requests out to the Internet,
often caching the results to speed up subsequent visits to the same URL.
But it's easy and common for administrators to inadvertently misconfigure proxy servers, allowing
anyone on the Internet to channel through them. Sometimes companies and organizations even
unknowingly run proxies. Hackers and privacy-conscious netizens catalog these open proxies,
using them to anonymize their surfing. Lamo has perfected a different use: jumping through them
to pose as a node on a company's internal network.
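The misuse described above leaves a trace in the proxy's own access log: requests arriving from addresses outside the local network, and worse, requests from outside that the proxy forwards to internal hosts. The following is an added example, not code from the article or from WorldCom, that runs that check over a few constructed log lines. The one-request-per-line layout (client address, method, URL, status), the internal address ranges and the `.example.internal` domain suffix are all assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample lines (not from any real server). Assumed layout:
# "client_ip method url status", one request per line.
SAMPLE_LOG = """\
10.20.30.40 GET http://intranet.example.internal/hr/ 200
10.20.30.41 GET http://www.example.com/news 200
203.0.113.77 GET http://www.example.com/ 200
203.0.113.77 GET http://intranet.example.internal/hr/employees 200
198.51.100.9 CONNECT mail.example.internal:443 200
this line is malformed and must be skipped
"""

# Assumption: the company's internal users sit in the RFC 1918 ranges and its
# intranet hosts live under this (hypothetical) domain suffix.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNAL_DOMAINS = (".example.internal",)

LINE_RE = re.compile(r"^(?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$")


def is_internal_ip(ip_text):
    """True if the address parses and lies inside one of INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def destination_host(method, url):
    """Extract the host the proxy was asked to reach.

    CONNECT requests carry "host:port"; other methods carry a full URL.
    """
    if method.upper() == "CONNECT":
        return url.rsplit(":", 1)[0]
    m = re.match(r"^[a-zA-Z][a-zA-Z0-9+.-]*://([^/:]+)", url)
    return m.group(1) if m else url


def is_internal_host(host):
    """True if the destination is an intranet name or an internal address."""
    return host.lower().endswith(INTERNAL_DOMAINS) or is_internal_ip(host)


def classify(line):
    """Return (client, host, kind) for a suspicious request, else None.

    kind is "open-proxy" when an outside client uses the proxy at all, and
    "pivot" when that outside client is forwarded to an internal host.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # malformed line: nothing to judge
    try:
        ipaddress.ip_address(m["client"])
    except ValueError:
        return None  # unparseable client field, skip rather than guess
    if is_internal_ip(m["client"]):
        return None  # an internal user doing what the proxy exists for
    host = destination_host(m["method"], m["url"])
    kind = "pivot" if is_internal_host(host) else "open-proxy"
    return (m["client"], host, kind)


def find_open_proxy_abuse(log_text):
    """Scan a whole log and return every suspicious request in order."""
    findings = []
    for line in log_text.splitlines():
        result = classify(line)
        if result is not None:
            findings.append(result)
    return findings


if __name__ == "__main__":
    for client, host, kind in find_open_proxy_abuse(SAMPLE_LOG):
        print(f"{kind:10s} {client:15s} -> {host}")
```

A "pivot" finding is the exact situation the article describes: a request that entered from the public Internet and left the proxy toward an intranet host. The sensible fix on the proxy itself is an access rule that only forwards for the internal ranges, so the "open-proxy" findings disappear and the "pivot" ones cannot occur at all.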
Using a common hacker tool called "Proxy Hunter," Lamo scanned WorldCom's corporate Internet
address space, and quickly found five open proxies -- one of them hiding in plain sight at
wireless.wcom.com. From there, he needed only to configure his browser to use one of the
proxies, and he could surf WorldCom's private network as an employee.
Once inside, he found other layers of security protecting various intranet sites from employees
who might exceed their authorized access. But after a couple of months of sporadic exploring,
Lamo has made substantial inroads. He can use WorldCom's human resources system to list names
and matching social security numbers for any or all of the company's 86,000 employees. With this
information, all he needs is a birth date (he swears by anybirthday.com) and he can reset an
employee's password and access his or her payroll records, including information like their salary,
emergency contacts, and direct deposit instructions, complete with bank account numbers. He
could even modify the employee's direct deposit bank account, and divert a paycheck to his own
account, if he wanted to. "A lot of people would be willing to blow town for a couple hundred
thousand dollars,” says Lamo.
http://www.securityfocus.com/news/296 17/2003
FBI(19-cv-1495)-1046