Stories - Domino Hacking

In 1997, while working in the Marketing group at IBM Storage Systems Division, Scott conceived of the idea for an Extranet to link IBM’s biggest OEM Storage customers (HP, Apple, Dell, Bell Micro, etc.) together with manufacturing, sales and R&D, using a new technology called Lotus Domino. Domino was a web interface to Lotus Notes. Scott named it the “IBM Edge” and the name stuck for four years. To give you an idea of the scope of this project, it provided ALL of a customer’s own relevant SAP CRM data and information on all the products they purchased, including confidential manufacturing and R&D reports, and in some cases it also enabled electronic ordering. In 1999 this system booked over $2B in electronic orders, making it the #2 system in the world behind IBM’s PC business, or so we were told. It earned Scott an Outstanding Technical Achievement Award and a trip to IBM’s Board room. This isn’t even the interesting part.

During development of the system, prior to it going live, Scott tasked one of his developers, Nick Bushnell, with a project to build a Lotus Domino cracking tool. Scott outlined the program flow and all the necessary tricks that needed to be tested, roughly 57 in total. At this point we had also informed the Division CTO’s Information Asset Security person of these flaws and asked that she inform Lotus. By this time IBM had owned Lotus for roughly a year. After two weeks of development, and while Scott was out sick for a single day, he was told the program was completed. They arranged to test it the next day on some internal systems. That evening the programmer, and another member of Scott’s team, Matt Wuebbling, chose to run the tool on each of our internal servers and found nothing. They assumed it didn’t work, so they ran it on, and several other well-known Lotus owned/controlled websites. Furthermore, when the tool pointed out vulnerabilities at these sites, the two of them tested one of them: they remapped the page to a dummy page on one of our external servers.

Now here’s where the story becomes interesting: nothing happened, so Nick went home while Matt decided to stay later. Well, we soon learned that Lotus’s servers rebooted at midnight. The changes they’d made then took effect, and we were receiving 100 legitimate hits an hour, intended for Lotus Support, on our bogus test page.

The next morning Scott got a call at home from Matt at 7AM. Now, at that time Matt was the kind of guy whose eyes don’t normally open till at least 9am on a “work day”, and here he was asking Scott when he was coming in. Scott said shortly and asked why; Matt requested that he rush, as it was serious, but would provide no more details. When Scott arrived, Matt laid out what had transpired, then they dove into their own server logs to see if Lotus had launched a counterattack.

From midnight until 6AM, Eastern time, Lotus’s Support page was mapped to our dummy page, which received over 500 hits. Then “normal” traffic stopped, and things really heated up: for the next 45 minutes Lotus attempted to hack this IBM server using the same tricks we’d used. Having designed our probe program, Scott had already locked down ALL his servers, internal and external, against the 57 flaws they’d already uncovered in Notes and had reported. The fact that IBM owned Lotus, and that Lotus tried to hack us and failed, was a key part of Scott’s defense of his team when Lotus requested later that day that they all be fired, then arrested. We dodged a bullet with this hack. It took Scott several very tense meetings with corporate counsel, Lotus (via teleconference), the CTO and HR to get things straightened out. In fact, at the first meeting Scott had walked in and known everyone in the room except one person. She then introduced herself as the director of HR, requested that Scott sit next to her, and said “I’m here for you.” She implied it was to help, but fortunately her role never played out.

A week later Scott met with Lotus’s SVP of development, the same guy who had wanted them fired, and later that week with IBM Research’s Tiger Team (white hats), and released his team’s code to both groups.