Adrian Lamo — Part 3
Wired News: Lamo Hacks Cingular Claims Site
Page 1 of 3
Lamo Hacks Cingular Claims Site
By Christopher Null | Also by this reporter.
10:55 AM May. 29, 2003 PT
Cingular can issue insurance to its mobile-phone customers to protect them against loss and damage, but it apparently can't ensure that hackers won't have full access to their personal data.
Adrian Lamo, a hacker who in the past has broken into The New York Times and Yahoo, found a gaping security hole in a website run by a company that issues the insurance to Cingular customers. By accessing the site, Lamo said he could have pulled up millions of customer records had he wanted to.

He said he discovered the problem this weekend through a random finding in a Sacramento Dumpster, where a Cingular store had discarded records about a customer's insurance claim for a lost phone. By simply typing in a URL listed on the detritus, Lamo was taken to the customer's claim page on a site run by lock\line LLC, which provides the claim management services to Cingular.
Normally, this page should have been reachable only by passing through a password-protected gateway, but by simply entering the valid URL, Lamo discovered that individual claims pages could be accessed, no password authentication needed.

Each page contained the customer's name, address and phone number, along with details on the insurance claim being made. Altering the claim ID numbers (which were assigned sequentially) in the URL gave Lamo access to the entire history of Cingular claims processed through lock\line, comprising some 2.5 million customer claims dating back to 1998.
Lamo said the hack was similar to his discovery of a security hole at Microsoft in October 2001, where the server was configured to assume that if a user could reach a certain URL that was otherwise unpublished on the Internet, that user must be authorized to do so and must already be logged in.
As with his other hacks, Lamo said he had no intent of profiting from the exploit, just pointing out a security flaw.

Lamo first exposed the problem to Wired News. After this reporter pointed out the flaw, Cingular and lock\line closed the hole by Wednesday morning.

Cingular spokesman Tony Carter said lock\line has enabled password protection for the site and has now incorporated "obfuscation techniques" that scramble URLs so that, even in the event of a site compromise, additional records should not be easily accessible.
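The flaw the article describes is a missing authorization check: the server treated knowledge of a URL as proof of login, and because claim IDs were sequential, one leaked URL exposed every other record. The following is an added example, not code from Wired, Cingular or lock\line, that contrasts that pattern with a hardened version. The customer names, addresses and claim numbers are constructed for the example; the `ClaimService` class and its methods are hypothetical and assume an in-memory store.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: two customers, each with one insurance claim.
# Every name, address and number below is invented for this example.


@dataclass(frozen=True)
class Claim:
    customer: str
    address: str
    phone: str
    summary: str


# --- The pattern described in the article: sequential IDs, no session check ---
# Claim 1001 belongs to one customer and 1002 to the next, so anyone holding
# one valid URL can reach every neighbouring record simply by changing the ID.
SEQUENTIAL_CLAIMS = {
    1001: Claim("Alice Example", "1 Main St", "555-0101", "lost phone"),
    1002: Claim("Bob Example", "2 Main St", "555-0102", "cracked screen"),
}


def lookup_claim_vulnerable(claim_id: int) -> Optional[Claim]:
    """Serves the claim page for any ID: no login, no ownership check."""
    return SEQUENTIAL_CLAIMS.get(claim_id)


# --- Hardened version: opaque references plus a server-side ownership check ---
class AuthError(Exception):
    """Raised when a request lacks a valid session or targets a claim it does not own."""


class ClaimService:
    """Hypothetical in-memory claims store that enforces login and ownership."""

    def __init__(self) -> None:
        self._claims = {}    # opaque reference -> (owner account, Claim)
        self._sessions = {}  # session token -> owner account

    def file_claim(self, owner: str, claim: Claim) -> str:
        # Random, unguessable reference instead of a sequential counter.
        # This is defence in depth only; the ownership check below is what
        # actually stops one customer from reading another's record.
        ref = secrets.token_urlsafe(16)
        self._claims[ref] = (owner, claim)
        return ref

    def login(self, owner: str) -> str:
        # Stand-in for the password-protected gateway: issue a session token.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = owner
        return token

    def lookup_claim(self, session_token: Optional[str], claim_ref: str) -> Claim:
        # 1. Reaching the URL proves nothing; the request must carry a session.
        owner = self._sessions.get(session_token) if session_token else None
        if owner is None:
            raise AuthError("login required")
        # 2. The claim must belong to the logged-in customer. A missing claim and
        #    a foreign claim get the same answer so the response does not reveal
        #    which references exist.
        entry = self._claims.get(claim_ref)
        if entry is None or entry[0] != owner:
            raise AuthError("not found")
        return entry[1]


def demo() -> bool:
    """Shows both behaviours; returns True when the hardened path blocks cross-customer access."""
    # Vulnerable: no session at all, and Bob's record comes straight back.
    leaked = lookup_claim_vulnerable(1002)

    # Hardened: Alice can read her own claim but not Bob's, even with the exact reference.
    svc = ClaimService()
    alice_ref = svc.file_claim("alice", SEQUENTIAL_CLAIMS[1001])
    bob_ref = svc.file_claim("bob", SEQUENTIAL_CLAIMS[1002])
    alice_session = svc.login("alice")
    own = svc.lookup_claim(alice_session, alice_ref)
    try:
        svc.lookup_claim(alice_session, bob_ref)
        blocked = False
    except AuthError:
        blocked = True
    return leaked is not None and own.customer == "Alice Example" and blocked


if __name__ == "__main__":
    print("cross-customer access blocked:", demo())
```

The vulnerable function mirrors the article's description exactly: the handler never asks who is calling. The hardened service still randomizes references, as lock\line did, but treats that only as a way to make guessing expensive; the decision that matters is the ownership comparison, which holds even if a reference leaks from a discarded printout.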
b6 -1
b7C -1
FBI(19-cv-1495)-1808
http://www.wired.com/news/privacy/0,1848,59024,00.html 6/12/2003