Hacker explains recent exploits inside WorldCom network

A 20-year-old computer hacker who last weekend alerted telecommunications giant WorldCom about security holes he uncovered inside the company's network said he enters corporate Web sites without permission to satisfy his curiosity.

Adrian Lamo, who has a publicized history of exploring the inner workings of corporate computer networks in search of system weaknesses, said in an interview with Computerworld that he sees himself as helping companies improve their system security by reporting flaws.

"I try to engage in harm reduction when I'm inside a computer network," said Lamo. "I've never intentionally done damage in a network."

Lamo, who lives in San Francisco, said he contacted WorldCom through an intermediary at consulting firm SecurityFocus.com Inc. to advise the telecommunications giant of the vulnerabilities, which he said gave him clear access to the networks of some of WorldCom's largest customers.

WorldCom provides telecommunications and data services to many of the nation's largest companies.

Lamo said his perusal of WorldCom began several months ago, when a company banner ad caught his eye as he was viewing a Web page. "It was one of those things where I was in the correct mind-set for doing these kinds of things," he said. He began fooling around with the company's domain name, adding and removing extra words or numbers until he was able to access internal company Web pages -- including many with sensitive information such as passwords -- that aren't for public use but are connected to the site.

Until reporting the flaws to WorldCom earlier this month, Lamo said, he was able to dig deep into the company's network, gaining access to in-house system tools offering access to the networks of WorldCom's customers. Those customers include AOL Time Warner Inc., Bank of America Corp., Citigroup Inc., McDonald's Corp. and Sun Microsystems Inc., he said. His explorations even allowed him to find router numbers and passwords for log-ins and administration that would have allowed him to take control of the routers and shut out WorldCom technicians.

"All the information that I needed (to access those networks) was there," he said.

WorldCom spokeswoman Jennifer Baker confirmed that Lamo reported the security flaws to the company and that he assisted in ensuring that repairs closed the holes in the network. She said the company appreciated Lamo's help.

No customer networks were compromised before the repairs were made, Baker said. The problem was apparently due to a human error that allowed a router to use an "inappropriate filter." Once the filter was removed, the router was reconfigured to close the hole.

Analysts have other views of Lamo's actions and even WorldCom's response.

Pete Lindstrom, of the Hurwitz Group Inc. in Framingham, Mass., said he was "flabbergasted and amazed" by WorldCom's lackadaisical attitude about having its customer networks invaded by a 20-year-old hacker. Then the company went even further, he said, by actually thanking Lamo for uncovering the flaws after entering the company's network without permission.

"What (WorldCom is) saying here is that security doesn't matter," Lindstrom said. "If these guys don't do a full-blown audit of every system on their network," it won't be acceptable, he said. "They already know they have to change all passwords and phone numbers for their routers."

Lindstrom said he "hopes" lawsuits will be filed by WorldCom customers in connection with this incident. "If Bank of America doesn't sue WorldCom, I'll be amazed."

Lamo should get jail time, and the company should be the subject of a class-action lawsuit for its "negligence," he said. "I am absolutely astounded by the indifference, nay, graciousness, with which a company like WorldCom is treating the hacking nomad, Adrian Lamo."

Eric Hemmendinger, an analyst at Aberdeen Group Inc. in Boston, said Lamo's actions were questionable.

"It's the equivalent of someone poking around your house from the outside and finding an open door," which they enter, Hemmendinger said. "Then they say, 'I didn't take anything.'" Greg Shipley, a networking and security consultant at consulting firm Neohapsis Inc. in Chicago, said Lamo's actions walk the delicate line between "black hat" hackers who seek to damage networks and "white hat" hackers who point out flaws that need to be fixed.

"There is an increasing trend of people who walk the 'gray hat' area," Shipley said. Part of what they do is legal, while part of it appears to be illegal, he said. "These guys run the risk of getting in big trouble if they go public with their information" that they uncover.

Lamo, who describes himself more as a "security researcher" than as a hacker, said he neither sought nor received any payment for his information.

He said he's uncovered similar security lapses in networks run by America Online Inc., Excite@Home Inc., Yahoo Inc. and Microsoft Corp.

He does this kind of work, he said, because he enjoys solving such mysteries. Lamo doesn't hold a full-time job because, he said, it would be too restrictive and time-consuming. To support himself, he occasionally does networking and other computer work for nonprofit groups, with occasional stints in corporate settings. He said he's never been contacted by any law enforcement agencies in connection with his network and Internet explorations.

"I try to see what's out there from all angles that generally aren't considered by other people," he said.


Todd R. Weiss

Computerworld