Adrian Lamo — Part 3
Page 33
A Star Is Born, Security Suffers
Pete Lindstrom, Director, Security Strategies
December 7, 2001
Hurwitz TrendWatch — Thinking Out Loud
Yesterday, we were all witness to the worst case of security apathy in the public
world. If I had seen this in a movie, I'd have walked out because the plot was just
too unbelievable. A 20 year-old "do-good" hacker poked and prodded his way into
one of the largest networks in the world, owned by WorldCom, gained access to all
sorts of information that was apparently considered insignificant, and by the end of
the story the WorldCom team is THANKING him for it. It is enough to make me
retch.
The Incident
So the "wandering" dumpster diver, Adrian Lamo, apparently used a widely-available
hacker tool to find a hole in WorldCom's network and proceeded to masquerade as
an insider. Reportedly, he spent a month getting access to highly detailed diagrams
of WorldCom's physical network infrastructure, employee records (with claims to be
able to change an employee's direct deposit information), and passwords to gain
access to the networks of WorldCom's client companies like Bank of America, JP
Morgan, Citicorp, Sun Microsystems, and AOL (I sure hope they are screaming).
Then he confessed.
The Response
Apparently, when WorldCom found out, they all got together to make nice. He
willingly signed a non-disclosure agreement and showed the WorldCom folks their
security vulnerability. They proceeded to SHOWER HIM WITH PRAISE like "We really
appreciate his efforts to work with us" and asserted "At the end of the day, what he
did wasn't destructive or harmful." This last comment, of course, is the key indicator
that WorldCom has NOT LEARNED ITS LESSON.
The Resolution
Whew! I suppose it is over and everyone can go home happy. Lamo got the attention
he wanted, WorldCom got a 20-year-old hacker's seal of approval, and security
professionals around the world got a slap in the face.
Why is it that we scream about rogue viruses and ignore a hacker with free rein
over one of the biggest telecom company's intranet? Let me be clearer: I am
absolutely astounded at the indifference, nay graciousness, with which a company
like WorldCom is treating the hacking nomad, Adrian Lamo, after he spent a month
FBI(19-cv-1495)-163