Lamo strikes again: WorldCom

It's dusk in San Francisco, and at a Kinkos copy shop deep in the financial district Adrian Lamo shrugs off his overstuffed backpack and pulls out a battered Toshiba laptop. With a few keystrokes, the hacker fills the computer's display with a map of the United States, crisscrossed with hundreds of colored lines, crowded with geometric symbols and tiny text.

On inspection, the map charts in astonishing detail the physical infrastructure underlying much of the Internet: underground cables, repeaters, satellite earth stations, junctions, terminals, and the cable heads where a dozen transoceanic cables come ashore. As a trophy, however, the one-megabyte PDF file's most salient feature is a detail in the lower right hand corner, a warning in bold red, "RESTRICTED DO NOT REPRODUCE." Another notice reads, "Not to be reproduced in any manner or disclosed to unauthorized individuals," and a third warning runs sidewise up the edge of the map: "WorldCom RESTRICTED."

WorldCom is the latest target of a clean-cut 20-year-old hacker who's already drawn national attention discovering, exploiting, and then warning about serious security lapses at AOL, Excite@Home, Yahoo! and Microsoft. Like those other companies, security staff at the $20 billion communications giant might be surprised to learn they were compromised by a lone vagabond hacker who lives out of a weathered L.L. Bean backpack and does most of his work from Kinkos 'laptop stations,' using little more than a Web browser and his wits.

"The downside is, I'm running out of major U.S. corporations," says Lamo, as he plugs the Toshiba into the copy shop's free Internet link, and summons a Netscape window.

Web applications are an overlooked chink in many organizations' network security armor, Lamo explains. Sometimes, the weakness is an improperly configured Access Control List (ACL) that allows anyone on the Internet to visit an application that should be restricted. Other times, network administrators deliberately leave secret Web page wide open, counting on nobody stumbling across the URL.

Lamo is a master of this unlisted Web. He can direct you to the Web site at Apple Computer that yields a trove of detailed circuit diagrams and schematics, marked "proprietary," but available to anyone with knowledge of the URL. He knows a particular Web address at the prestigious Journal of Commerce (JoC) that routes to an unprotected administrative tool that grants access to the publication's database of online subscribers, their names, email addresses and passwords. Credit card numbers aren't displayed, but Lamo "theorizes" that one out of five passwords would also work on the subscriber's mail account. (JoC Online editor Stuart Chirls declined to comment.)

The hacker makes his discoveries during marathon all-night sessions in front of his laptop. He scans Internet address ranges for undocumented Web servers, or uses well-known software bugs to find the names of private files on otherwise-public servers. Sometimes, he just guesses. At any given moment, Lamo has a long list of "interesting" Web sites he may or may-not look into further, depending on the vagaries of his ever-shifting curiosity.

Some of the ones he has looked into have made news. In September, Lamo discovered an exposed server at Microsoft that gave anyone with knowledge of the URL access to billing, shipping and purchasing data for any customer who purchased Microsoft products online. Earlier the same month, he used an exposed Web-based production tool to tamper with a wire service story on Yahoo! News, deliberately choosing an old story to minimize the impact.

The Problem with Proxies

As he has with other networks, Lamo found the keys to WorldCom's kingdom in open Internet proxy servers. In normal operation, a proxy server is a dedicated machine that sits between a local network and the outside world, passing internal surfers' Web requests out to the Internet, often caching the results to speed up subsequent visits to the same URL.

But it's easy and common for administrators to inadvertently misconfigure proxy servers, allowing anyone on the Internet to channel through them. Sometimes companies and organizations even unknowingly run proxies. Hackers and privacy-conscious netizens catalog these open proxies, using them to anonymize their surfing. Lamo has perfected a different use: jumping through them to pose as a node on a company's internal network.

Using a common hacker tool called "Proxy Hunter," Lamo scanned WorldCom's corporate Internet address space, and quickly found five open proxies -- one of them hiding in plain site at wireless.wcom.com. From there, he needed only to configure his browser to use one of the proxies, and he could surf WorldCom's private network as an employee.

Once inside, he found other layers of security protecting various intranet sites from employees who might exceed their authorized access. But after a couple of months of sporadic exploring, Lamo has made substantial inroads. He can use WorldCom human resources system to list names and matching social security numbers for any or all of the company's 86,000 employees. With this information, all he needs is a birth date (he swears by anybirthday.com) and he can reset an employee's password and access his or her payroll records, including information like their salary, emergency contacts, and direct deposit instructions, complete with bank account numbers. He could even modify the employee's direct deposit bank account, and divert a paycheck to his own account, if he wanted to. "A lot of people would be willing to blow town for a couple hundred thousand dollars," says Lamo.

He has some access to customer records, too, primarily subscribers to WorldCom's data services. He can browse notes and circuit diagrams for AOL's new T1 cross border link between its Virginia offices and AOL Mexico, and a detailed engineering order for a connection between the World Bank's Washington headquarters and its Buenos Aires resident mission.

More significantly, he can control a Web application called the Web Access Router Maintenance tool (WARM). The tool is a legacy from one of WorldCom's acquisitions, ANS Communications, purchased from AOL in 1997 for $175 million. WARM gives its users access to all of the routers on the private wide area networks provisioned by ANS. The list of customers is long, and includes Bank of America, JP Morgan, Citicorp, Sun Microsystems, and AOL itself. With a little manipulation, Lamo was able to pull down dial-up phone numbers and passwords for many of the routers, which would give him direct access to the networks. WARM is accessible to anyone on WorldCom's intranet, Lamo says, protected only by a Javascript password routine that's plainly readable in the source code for the page, which is to say, not protected at all.

"For everyone at WordCom, the intranet is this boring thing that comes up in their web browser," says Lamo. "For me, it's a massive playground that's slowly and inexorably crumbling away at their security infrastructure."

No Forwarding Address

A worker glances at Lamo from behind the counter, then turns his attention back to a print job. "The nights I'm alone in the city and I have nowhere to crash, I spend all night in the Kinkos," Lamo says. "They never kick you out."

One could call the copy shop chain Lamo's home-away-from-home, except that he has no home to be away from. The hacker leads a deliberately nomadic existence, traveling the country by Greyhound, crashing with friends, sometimes sleeping in abandoned buildings, always lugging the backpack that contains such necessities as a first aid kit, a thermal blanket, a change of clothes, the laptop with two missing keys.

When he was 17, Lamo's parents moved from San Francisco to the quieter environs of Sacramento, 80 miles to the east. Addicted to city life, Lamo chose to stay behind. He'd already tested out of high school and was performing computer work for non-profit groups, sometimes sleeping in their offices at night. Later, he did three months of network security consulting for Levi Strauss -- the only paid security work on his résumé -- and six months with a San Francisco private investigator that he doesn't like to talk about.

Today, Lamo lives off a modest savings, and spends most of his time in San Francisco and the suburbs of Washington D.C. -- both regions where he lived growing up, during a childhood that also included three years in Colombia. He sometimes stays with his parents in Sacramento, but wherever he goes, he becomes restless in he lingers in one place for too long. "I much prefer being mobile," he says. Nonetheless, Lamo doesn't know how to drive a car, relying instead on public transportation. For long distances, he prefers the bus over airliners or rail because he likes the atmosphere. "On Greyhound, you know you're America... Also, it's the last mode of transit that doesn't require identification."

Something of an urban explorer, Lamo sometimes goes 'dumpster diving' with friends, rummaging for interesting papers, manuals and other corporate artifacts amid downtown San Francisco's towering office buildings. A recent trip to Washington found Lamo trudging through the flooded remains of a long-abandoned electric plant along the James river. At 20, the hacker admits he doesn't yet know what he wants to be when he grows up; the question itself is absurd. "I don't feel obligated to set goals," says Lamo. "All the interesting things that have happened to me have been the result of synchronicity and organized chaos."

Putting himself in situations where "interesting things" can happen seems to motivate Lamo. Curiosity drives him as well. In a way, his Internet hacking is a natural extension of his real-life exploration. Born three years before the Macintosh, Lamo is part of the first generation of Americans to never know a society without personal computers -- a generation more comfortable than any before with the digital world. A WorldCom marketer might call him "Generation D." In fact, the company has another way of describing Adrian Lamo.

The Helpful Hacker

"Vint Cerf recently did a public service announcement in which, generally speaking, the message was it would be really great if the hacker community went back to its roots," says WorldCom spokesperson Jennifer Baker. "I guess that from a general industry standpoint, Adrian seems to be doing just that... At that end of the day, what he did wasn't destructive or harmful."

Over a month after the Kinkos visit, Lamo has come clean with WorldCom, and the company is grateful. The hacker contacted the communications leviathan through SecurityFocus on Friday. Saturday morning, just as he crashed after an all-night hacking session on "an unrelated project," his cell phone rang. There were three WorldCom managers on the line, wondering of it was true that Lamo had cracked their global corporate intranet, and what they needed to do to fix it.

"I made it clear very quickly that all I was interested in doing was make it as positive an experience as possible for everyone," says Lamo. True to his word, the hacker would spend the rest of the weekend on conference calls and in email, bleary briefing the company on his months of illicit exploration. On Tuesday, the WorldCom turned to Lamo to give them a final bill of health. After a scan of their address space, he pronounced that WorldCom had successfully closed the proxy hole.

"What we discovered when we investigated Adrian's issues, was that there was a router with an inappropriate filter on it," says Baker. "In the end it was a human error, and we're really happy that he brought it to our attention... We really appreciate his efforts to work with us"

That instant willingness to cooperate, even to sign a non-disclosure agreement, with no strings attached is part of what's kept Lamo out of legal trouble, for what are indisputably violations of federal computer crime law. In May, when the hacker used an open proxy to crack ailing Excite@Home's internal Web, adding himself to the corporate directory and finding a route to millions of subscribers' records, he walked into the company's Redwood City, Calif. headquarters to brief network administrators in person, and he didn't leave before helping them plug the hole.

It also helps that Lamo's never tried to profit from his hacking. "There's an intangible something I can lay claim to now that would be irretrievably lost if I did," Lamo says. The fact that he doesn't hide behind a "handle" or pseudonym makes a difference, too. And once inside a network, there are lines -- particularly sensitive areas -- that he doesn't cross.

Lamo prefers the term "security researcher" to "hacker," and steers clear of the usual cyberpunk justifications for his probing: he isn't trying to make the Internet a safer place. "I do what I do, there's no particular motive I can describe." At the same time, he wouldn't mind seeing the world become safe for his brand of curiosity, for the interactions he's had with some of these companies to be the norm. His is a style of hacking -- open, brash, illegal, but carefully observant of an unwritten code of ethics -- that went out of style in America at the time of the first hacker crackdowns a decade ago, when Lamo was ten years old. "I've always sort of resented the fact that people that do what I do are in a position where they feel like they have to run and hide," says Lamo. "I'd like it if more people saw curiosity and corporate interests as things that can coexist without contradiction."

In keeping with his philosophy of letting "interesting events" find him, Lamo accepts the possibility that someday his Internet exploration may lead to criminal prosecution. So far, that hasn't happened, but some of the victims/beneficiaries of his attention worry for him.

"Because of his approach and what he's doing, maybe he'll be okay," says a source at one of the companies Lamo's hit in the past. "But the bottom line is, it is unauthorized access, and it's clear when you get into a company's network that there are disclaimers everywhere you go. I suppose at some point he could make the wrong people angry, or the timing could be such that he doesn't get a chance to come forward and say, 'Here's how I did it,' because they find him first."

© 2001 SecurityFocus.com, all rights reserved.

Related Stories

Harvesting passwords from DSL routers
MS security glitch allowed access to customer records on Web
@Home's mis-configured proxy Excites hacker
AOL Instant Msgr accounts easily hijacked