Lamo's Adventures in WorldCom

February 2001

The helpful hacker strikes again, this time finding a route into the communications company's private Web, then telling its security staff all about it. Who is Adrian Lamo, why does he do this, and would his life be the same if Kinkos kicked him out?

WorldCom is the latest target of a clean-cut 20-year-old hacker who's already drawn national attention discovering, exploiting, and then warning about serious security lapses at AOL, Excite@Home, Yahoo! and Microsoft. Like those other companies, security staff at the $20 billion communications giant might be surprised to learn they were compromised by a lone vagabond hacker who lives out of a weathered L.L. Bean backpack and does most of his work from Kinkos 'laptop stations,' using little more than a Web browser and his wits.

The hacker makes his discoveries during marathon all-night sessions in front of his laptop. He scans Internet address ranges for undocumented Web servers, or uses well-known software bugs to find the names of private files on otherwise-public servers. Sometimes, he just guesses. At any given moment, Lamo has a long list of "interesting" Web sites he may or may not look into further, depending on the vagaries of his ever-shifting curiosity.

Some of the ones he has looked into have made news. In September, Lamo discovered an exposed server at Microsoft that gave anyone with knowledge of the URL access to billing, shipping and purchasing data for any customer who purchased Microsoft products online. Earlier the same month, he used an exposed Web-based production tool to tamper with a wire service story on Yahoo! News, deliberately choosing an old story to minimize the impact.

"For everyone at WorldCom, the intranet is this boring thing that comes up in their web browser," says Lamo. "For me, it's a massive playground that's slowly and inexorably crumbling away at their security infrastructure."

Over a month after the Kinkos visit, Lamo has come clean with WorldCom, and the company is grateful. The hacker contacted the communications leviathan through SecurityFocus on Friday. Saturday morning, just as he crashed after an all-night hacking session on "an unrelated project," his cell phone rang. There were three WorldCom managers on the line, wondering if it was true that Lamo had cracked their global corporate intranet, and what they needed to do to fix it.

"I made it clear very quickly that all I was interested in doing was make it as positive an experience as possible for everyone," says Lamo. True to his word, the hacker would spend the rest of the weekend on conference calls and in email, blearily briefing the company on his months of illicit exploration. On Tuesday, WorldCom turned to Lamo to give them a final bill of health. After a scan of their address space, he pronounced that WorldCom had successfully closed the proxy hole.

"What we discovered when we investigated Adrian's issues, was that there was a router with an inappropriate filter on it," says Baker. "In the end it was a human error, and we're really happy that he brought it to our attention... We really appreciate his efforts to work with us."

That instant willingness to cooperate, even to sign a non-disclosure agreement, with no strings attached is part of what's kept Lamo out of legal trouble, for what are indisputably violations of federal computer crime law. In May, when the hacker used an open proxy to crack ailing Excite@Home's internal Web, adding himself to the corporate directory and finding a route to millions of subscribers' records, he walked into the company's Redwood City, Calif. headquarters to brief network administrators in person, and he didn't leave before helping them plug the hole.

It also helps that Lamo's never tried to profit from his hacking. "There's an intangible something I can lay claim to now that would be irretrievably lost if I did," Lamo says. The fact that he doesn't hide behind a "handle" or pseudonym makes a difference, too. And once inside a network, there are lines -- particularly sensitive areas -- that he doesn't cross.
