Hacker explains recent WorldCom network exploits

A 20-year-old computer hacker who last weekend alerted telecommunications giant WorldCom Inc. about security holes he uncovered inside the company’s network said he enters corporate Web sites without permission to satisfy his curiosity.

Adrian Lamo, who has a publicized history of exploring the inner workings of corporate computer networks in search of system weaknesses, said in an interview with Computerworld that he sees himself as helping companies improve their system security by reporting flaws.

“I try to engage in harm reduction when I’m inside a computer network,” said Lamo. “I’ve never intentionally done damage in a network.”

Lamo, who lives in San Francisco, said he contacted WorldCom through an intermediary at consulting firm SecurityFocus.com Inc. to advise the telecommunications giant of the vulnerabilities, which he said gave him clear access to the networks of some of WorldCom’s largest customers.

WorldCom provides telecommunications and data services to many of the nation’s largest companies.

Lamo said his perusal of WorldCom began several months ago, when a company banner ad caught his eye as he was viewing a Web page. “It was one of those things where I was in the correct mind-set for doing these kinds of things,” he said. He began fooling around with the company’s domain name, adding and removing extra words or numbers until he was able to access internal company Web pages – including many with sensitive information such as passwords – that aren’t for public use but are connected to the site.

Until reporting the flaws to WorldCom earlier this month, Lamo said, he was able to dig deep into the company’s network, gaining access to in-house system tools offering access to the networks of WorldCom’s customers. Those customers include AOL Time Warner Inc., Bank of America Corp., Citigroup Inc., McDonald’s Corp. and Sun Microsystems Inc., he said. His explorations even allowed him to find router numbers and passwords for log-ins and administration that would have allowed him to take control of the routers and shut out WorldCom technicians.

“All the information that I needed (to access those networks) was there,” he said.

WorldCom spokeswoman Jennifer Baker confirmed that Lamo reported the security flaws to the company and that he assisted in ensuring that repairs closed the holes in the network. She said the company appreciated Lamo’s help.

No customer networks were compromised before the repairs were made, Baker said. The problem was apparently due to a human error that allowed a router to use an “inappropriate filter.” Once the filter was removed, the router was reconfigured to close the hole.

Analysts have other views of Lamo’s actions and even WorldCom’s response.

Pete Lindstrom, of the Hurwitz Group Inc. in Framingham, Mass., said he was “flabbergasted and amazed” by WorldCom’s lackadaisical attitude about having its customer networks invaded by a 20-year-old hacker. Then the company went even further, he said, by actually thanking Lamo for uncovering the flaws after entering the company’s network without permission.

“What (WorldCom is) saying here is that security doesn’t matter,” Lindstrom said. “If these guys don’t do a full-blown audit of every system on their network,” it won’t be acceptable, he said. “They already know they have to change all passwords and phone numbers for their routers.”

Lindstrom said he “hopes” lawsuits will be filed by WorldCom customers in connection with this incident. “If Bank of America doesn’t sue WorldCom, I’ll be amazed.”

Lamo should get jail time, and the company should be the subject of a class-action lawsuit for its “negligence,” he said. “I am absolutely astounded by the indifference, nay, graciousness, with which a company like WorldCom is treating the hacking nomad, Adrian Lamo.”

Eric Hemmendinger, an analyst at Aberdeen Group Inc. in Boston, said Lamo’s actions were questionable.

“It’s the equivalent of someone poking around your house from the outside and finding an open door,” which they enter, Hemmendinger said. “Then they say: ‘I didn’t take anything’.”

Greg Shipley, a networking and security consultant at consulting firm Neohapsis Inc. in Chicago, said Lamo’s actions walk the delicate line between “black hat” hackers who seek to damage networks and “white hat” hackers who point out flaws that need to be fixed.

“There is an increasing trend of people who walk the ‘gray hat’ area,” Shipley said. Part of what they do is legal, while part of it appears to be illegal, he said. “These guys run the risk of getting in big trouble if they go public with their information” that they uncover.

Lamo, who describes himself more as a “security researcher” than as a hacker, said he neither sought nor received any payment for his information.

He said he’s uncovered similar security lapses in networks run by America Online Inc., Excite@Home Inc., Yahoo Inc. and Microsoft Corp.

He does this kind of work, he said, because he enjoys solving such mysteries. Lamo doesn’t hold a full-time job because, he said, it would be too restrictive and time-consuming. To support himself, he occasionally does networking and other computer work for non-profit groups, with occasional stints in corporate settings. He said he’s never been contacted by any law enforcement agencies in connection with his network and Internet explorations.

“I try to see what’s out there from all angles that generally aren’t considered by other people,” he said.