Feeds

@Home's mis-configured proxy Excites hacker

But only for three months

  • alert
  • submit to reddit

Secure remote control for conventional and virtual desktops

A single misconfigured server exposed broadband provider Excite@Home's internal corporate network to hackers for at least three months, making its customer list of 2.95 million cable modem subscribers accessible to anyone with a Web browser and a modicum of cyber smarts, SecurityFocus has learned.

An Excite@Home spokesperson confirmed that the company recently shut down a rogue proxy server that had been running at its Redwood City, California headquarters. By configuring a Web browser to channel traffic through that proxy server, an outsider could surf the company's internal Web-based applications as an employee.

"It wasn't anything resembling rocket science," said Adrian Lamo, the hacker who discovered the hole, and reported it to Excite@Home last month. At twenty years-old, Lamo has carved out a niche exposing the security foibles of corporate behemoths, usually the Virginia-based America Online. Last year he helped expose a bug that was allowing hackers to hijack AOL Instant Messenger (AIM) accounts.

In January of this year, Lamo turned his attention to Excite@Home. He says he found the company's backbone network -- which serves cable modem subscribers throughout North America -- to be relatively secure. But the corporate network was another story. Wielding a common hacker tool called "Proxy Hunter," Lamo scanned the company's address space, and quickly discovered an open proxy running on a computer named "buddylee".

With buddylee's help, Lamo was able to hit a number of Web-based resources on the internal network, including the official Excite@Home employee directory, where he added his own name, "repeatedly," he says... just for fun.

More seriously, Lamo discovered a customer support Web site designed to be used by Excite@Home's cable company resellers, AT&T, Cox Cable, Century Communications, and dozens of others. He cracked it with a password he found posted on another internal Web site, and gained access to a database of names, email addresses, billing addresses, cable modem serial numbers, current IP addresses, computer operating system, and other technical information on all of the company's broadband subscribers. The company boasted 2.95 million customers as of November of last year.

"I was able to bring up the name of every Kennedy who subscribes, for example," said Lamo, who showed a sample of the data to SecurityFocus.

The company could not confirm that Lamo's access included all subscribers, but acknowledged that customer data was compromised. Company spokesperson Londonne Corder emphasized that no credit card data was involved, and that the proxy has since been taken down.

Widespread, overlooked

The incident highlights the danger that a single hole in a network's perimeter can pose. According to a member of Excite@Home's technical staff familiar with the incident, the proxy was set up automatically during a default install of a network management tool. But even after the system was shut down, other holes appeared. "We have 3,000 employees," says the staff member. "There have been other machines popping up with proxy servers on them."

The proxies are a weakness because they allow outsiders to masquerade as insiders, and Exite@Home's internal Web sites are programmed to trust surfers coming from company Internet addresses. "It's fairly widespread and poorly considered," says Lamo.

Computer security engineer Brian Martin of Maryland-based Digital Systems International Corporation says he hasn't seen proxies used to that effect before, but that in the abstract, the hole fits a timeworn pattern. "Misconfiguration, or not thinking of security as you set something up, in general that is very common," says Martin. "You see that every day."

Lamo said he continues to enjoy some level of access to the company network, and provided a convoluted Excite@Home URL that serves up access to the corporate directory, though Lamo's name no longer appears.

The company, meanwhile, seems grateful to the hacker. "He has demonstrated a certain amount of restraint, which we appreciate," says the technical staff member. "He hasn't done damage, we can't claim any sort of loss, and I don't believe we're interested in that."

Lamo brought the hole to the company's attention in late April, after skating around Excite@Home's internal web undetected for months. Following a late-night meeting at the company's headquarters, Lamo and corporate computer security experts converged on buddyholly -- which turned out to be a workstation on an employee's desk. While the security pros watched, Lamo closed the hole by cutting-off the offending machine from the Internet -- literally, using a pocket knife.

Today Lamo retains two trophies from the hack: the severed plug from buddylee's network cable, and an entry from the customer support database. The latter, by appearance, is the service record for Washington-state science fiction author Neal Stephenson, whose novels "Snowcrash" and "Cryptonomicon" grace many a hacker's bookshelf.

Lamo notes that Stephenson (or his namesake) reported his operating system as "CPM" -- an ancient operating system from the days of eight-bit microprocessors. It's an obscure joke that would likely be lost on a customer support representative, but draws an appreciative chuckle from the hacker.

© 2001 SecurityFocus.com, all rights reserved.

Security for virtualized datacentres

More from The Register

next story
Facebook's Zuckerberg in EBOLA VIRUS FIGHT: Billionaire battles bug
US Centers for Disease Control and Prevention contacted as site supremo coughs up
Space exploration is just so lame. NEW APPS are mankind's future
We feel obliged to point out the headline statement is total, utter cobblers
Win a year’s supply of chocolate (no tech knowledge required)
Over £200 worth of the good stuff up for grabs
Down-under record: Australian gets $140k for pussy
'Tiffany' closes deal - 'it's more common to offer your wife', says agent
Internet finally ready to replace answering machine cassette tape
It's a simple message and I'm leaving out the whistles and bells
Swiss wildlife park serves up furry residents to visitors
'It's ecological' says spokesman, now how would you like your Bambi done?
The iPAD launch BEFORE it happened: SPECULATIVE GUFF ahead of actual event
Nerve-shattering run-up to the pre-planned known event
STONER SHEEP get the MUNCHIES after feasting on £4k worth of cannabis plants
Baaaaaa! Fanny's Farm's woolly flock is high, maaaaaan
FedEx helps deliver THOUSANDS of spam messages DIRECT to its Blighty customers
Don't worry Wilson, I'll do all the paddling. You just hang on
Red Bull does NOT give you wings, $13.5m lawsuit says so
Website letting consumers claim $10 cash back crashes after stampede
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.