Security hole at Worldcom left internal computer networks at risk

Thursday, December 6th 2001, 12:00 am
By: News On 6

WASHINGTON (AP) _ A security hole at telecommunications giant Worldcom left internal networks at several of the nation's top companies open to hackers, according to Worldcom and the security researcher who discovered the problem.

Adrian Lamo, a consultant in San Francisco, worked with Worldcom to fix the months-old problem over the weekend, and the company said there is no evidence hackers exploited the security hole.

Internal networks belonging to AOL Time Warner, Bank of America, CitiCorp, News Corp., JP Morgan, McDonald's Corp., Sun Microsystems and many other companies were vulnerable, he said.

``These networks were never designed to be connected to the Internet,'' Lamo said. ``They were private circuits running between locations.''

The security problem could have allowed hackers to reconfigure or shut down the corporate networks, also known as intranets, that are used for everything from e-mail to financial transactions.

Worldcom spokeswoman Jennifer Baker said none of Worldcom's customers were affected.

``Adrian worked very cooperatively with us throughout the weekend,'' Baker said. ``It was a human error on a router.''

A router is a device that serves as a traffic light for messages on computer networks.

Lamo said he found the hole by poking through Worldcom's public Web site.

``Tons of times there's data that shouldn't be available to anybody that is out on a public Web server,'' Lamo said.

Lamo praised Worldcom's security procedures, and said he used an unconventional way to enter the company network that is not often addressed by security experts. He stressed that he didn't attempt to damage the internal networks.

Within the last several months, Lamo has found security problems at several major computer firms, including Microsoft and AOL Time Warner. In September, he discovered a hole on Yahoo's news site that allowed him to alter several stories.

In addition to Worldcom's clients, the company itself was also at risk, Lamo said.

Lamo found ways to reset company passwords, give himself all the computer power of a company director, redirect e-mail and find personal information for Worldcom's employees.

``It would have been possible for anyone who was really motivated to change direct deposit information for employee paychecks to arbitrary accounts without the employee being notified,'' Lamo said.