@Home's mis-configured proxy Excites hacker
By Kevin Poulsen
Published Saturday 30th June 2001 12:15 GMT

Link(active as of 10/22/06): http://www.theregister.co.uk/content/8/19279.html



A single misconfigured server exposed broadband provider Excite@Home's
internal corporate network to hackers for at least three months, 
making its customer list of 2.95 million cable modem subscribers 
accessible to anyone with a Web browser and a modicum of cyber smarts, 
SecurityFocus has learned.

An Excite@Home spokesperson confirmed that the company recently shut 
down a rogue proxy server that had been running at its Redwood City, 
California headquarters. By configuring a Web browser to channel 
traffic through that proxy server, an outsider could surf the 
company's internal Web-based applications as an employee.

"It wasn't anything resembling rocket science," said Adrian Lamo, 
the hacker who discovered the hole, and reported it to Excite@Home 
last month. At twenty years-old, Lamo has carved out a niche exposing 
the security foibles of corporate behemoths, usually the 
Virginia-based America Online. Last year he helped expose a bug that 
was allowing hackers to hijack AOL Instant Messenger (AIM) accounts.

In January of this year, Lamo turned his attention to Excite@Home. 
He says he found the company's backbone network -- which serves cable 
modem subscribers throughout North America -- to be relatively secure. 
But the corporate network was another story. Wielding a common hacker 
tool called "Proxy Hunter," Lamo scanned the company's address space, 
and quickly discovered an open proxy running on a computer named 
"buddylee".

With buddylee's help, Lamo was able to hit a number of Web-based 
resources on the internal network, including the official Excite@Home 
employee directory, where he added his own name, "repeatedly," he 
says... just for fun.

More seriously, Lamo discovered a customer support Web site designed to 
be used by Excite@Home's cable company resellers, AT&T, Cox Cable, 
Century Communications, and dozens of others. He cracked it with a 
password he found posted on another internal Web site, and gained 
access to a database of names, email addresses, billing addresses, 
cable modem serial numbers, current IP addresses, computer operating 
system, and other technical information on all of the company's 
broadband subscribers. The company boasted 2.95 million customers as 
of November of last year.

"I was able to bring up the name of every Kennedy who subscribes, for 
example," said Lamo, who showed a sample of the data to SecurityFocus.

The company could not confirm that Lamo's access included all 
subscribers, but acknowledged that customer data was compromised. 
Company spokesperson Londonne Corder emphasized that no credit card 
data was involved, and that the proxy has since been taken down.

[snip...]