Hacker had WorldCom in his hands

Internet backbone provider MCI WorldCom has acknowledged that network-intrusion specialist Adrian Lamo used a security hole in a company Web server to grant himself access to its administrative network.

The quizzical hacker poked around WorldCom's system four times over the past two months, ending last Friday when he told the company of the hole and helped it secure a misconfigured server.

"I was looking for something to do," the sometimes consultant and security researcher said of his desire to probe the infrastructure. Lamo considers himself a harmless intruder, which he asserts is far better than one bent on misdeeds.

"It's definitely better than it would have been if someone wanted to attack Bank of America's sites and have it blamed on WorldCom," said Lamo, who is based in San Francisco. In addition to Bank of America, WorldCom's customers include America Online, Providian and oil titan BP.

WorldCom apparently agrees with Lamo's assessment.

"We would rather know than not," said Jennifer Baker, a spokeswoman for the Internet service provider. Although she would not give details of the discussions the company had with Lamo, Baker did say he helped the company.

"We are definitely appreciative, and we have secured our system," she said.

MCI WorldCom is the fourth major company to find itself on the wrong end of a security hole exploited by Lamo. Microsoft, Excite@Home and Yahoo have all been tested by Lamo and found insecure.

In the latest case, Lamo exploited a so-called open proxy, a server that is normally used by a company to filter data on an Internet connection but, in this case, had been installed on a Web server by accident when the server had been configured.

Such mistakes are a major problem in computer security, said Chris Wysopal, director of research and development for network-protection company @Stake.

"Not only are (open proxies) offering anonymity to all comers, but they are allowing people to appear as if they are on their trusted network via proxied IP address," Wysopal said.

Using, for the most part, a run-of-the-mill Web browser, Lamo read WorldCom's documentation on how to use its network and put it to his own use. Lamo "only" gained access to the company's administrative network, Baker said. But Lamo asserts that a malicious intruder could have accessed the infrastructure driving the networks of the ISP's customers, he said.

The access to the administrative network "exposed all the information to dial into these other networks, into their routers," Lamo said. Because WorldCom configures many of its customers' routers, Lamo asserts that he could have done so as well.

For example, he said, another hacker could have downed the networks of America Online and Bank of America.

For all his good intentions, though, Lamo isn't exactly on solid legal footing.

Wysopal asserts that poking around the Internet in the way Lamo does aids companies' security and shouldn't be considered illegal.

"He is not using exploits, merely exploring using public anonymous protocols," Wysopal said. "This is sort of like wandering around in the woods not caring about invisible property lines that aren't posted, yet respecting fences and No Trespassing signs."

For his part, Lamo acknowledges that the situation is legally complex but said that his personal code of conduct has kept companies from prosecuting him.

"I don't have any right or moral authority to do what I do," he said. "I know that I'm on more-than-questionable legal grounds."

That said, Lamo asserts he isn't doing anything wrong. In the end, the hacker said, he's helping companies secure their networks--and having a good time while he's at it.

"I don't necessarily think that curiosity and corporate interests need to be in conflict," he said.

"Pragmatically speaking, this is going to happen. It might as well be the least destructive and least harmful experience for everyone involved."