Hacker Points Out WorldCom Network Flaw

A hacker who has discovered and warned about major security failures at Microsoft, America Online, and Yahoo has found another problem, this time at WorldCom. According to 20-year-old Adrian Lamo, WorldCom's security vulnerability could have exposed many of the company's customer networks to attack, including those belonging to Bank of America, Citicorp, JP Morgan, and Sun Microsystems.

A WorldCom spokeswoman says the company secured its networks within hours of being notified by Lamo about the problem. There is no evidence of any impact for WorldCom customers, she says. Human error, according to the spokeswoman, resulted in the wrong filter being used on a router.

Lamo says the improper configuration is not something always covered in security audits. Security personnel are "mostly looking for known vulnerabilities, and this wouldn't typically come up," he says.

Lamo says he was able to surf WorldCom's internal network just as if he were a company employee. He says he would have been able to list names and Social Security numbers "in batches of 500" for the telecom's more than 80,000 employees. But WorldCom shouldn't be faulted for not having found the security problem before he did, he adds. "It's the same thing that affected Yahoo, Microsoft, and Excite@Home."

Pete Lindstrom, director of security strategies for Hurwitz Group, is more critical. "Why was some random, well-meaning hacker able to find this problem before the internal WorldCom security management group?"