Hacker Points Out WorldCom Network Flaw

information week ^ | Dec. 6, 2001 | George V. Hulme

[classygreeneyedblonde]

Hackers can be good guys to

[AStack75]

All your social security numbers are belong to Lamo.

[evolved_rage]

Hackers are good guys. Crackers are evil hackers. (I know there are several definitions of crackers)

[sigSEGV]

Pete Lindstrom, director of security strategies for Hurwitz Group, is more critical. "Why was some random, well-meaning hacker able to find this problem before the internal WorldCom security management group?"

Because they are probably an overworked bunch that spend most of their time reacting to problems that arise instead of being able to proactively fix things. Management usually underestimates the amount of work it takes to effectively harden networks.

[Huusker]

Sorry this triggers my bull**** detector. What exactly was this miraculous "weakness"? Lack of specific information is telling here.

[sigSEGV]

My guess is something along the lines of allowing source routed packets and not doing proper ingress / egress filtering

[strela]

According to Dshield.org, the most probed ports (in descending order) are:

80
HTTP Web server

21
FTP servers typically run on this port

53
DNS. Attack against old versions of BIND

111
RPC. vulnurable on many Linux systems. Can get root

4665
?

22
Secure Shell, old versions are vulnerable

520
?

6346
Gnutella is a peer-to-peer file sharing tool

27374
Scan for Windows SubSeven Trojan

4
?

[philetus]

Everyone from the south is a evil hacker???

[sigSEGV]

Adrian Lamo prides himself on hacking networks with only a web browser. Probably just a misconfigured proxy server he attached to.

[strela]

The problem is that there are lots of bozos out there passing for IS people these days.

Ayup. I remain firmly convinced that a chimpanzee could easily work as an "IS professional" in many companies if it had an MBA and didn't poop on the conference room table during staff meetings.

[higgmeister]

I suspect he used social engineering to find
out information from employees at other
locations that allowed him to ultimately gain
enough knowledge of the network to
do his hack.  That is otherwise known as
fraud.

Good intentions don't alleviate what he has
claimed to have done.  He should be held
accountable and prosecuted if he intentionally
defrauded for his own purposes.

I don't believe that he was able to get into
the customer networks and at the same
time the WorldCom Corporate network
because there is physical separation
between the internal network and what
is sold to customers.  This sounds like false
bravado from an young punk.

But then, what do I know?  I'm just a
Worldcom technician.
 

[sigSEGV]

http://www.securityfocus.com/news/296

[sigSEGV]

He's really just another script kiddie. Just a really patient script kiddie.

[classygreeneyedblonde]

I knowa guy that went to carnigie mellon and he was paid 100,000 for 90 seconds of work....... this bank paid that to whomever could break into their highly sophicated security system........now he is workin for that bank making millions

[billybudd]

Probably because there's a lot of technical stuff involved, which most people wouldn't be able to follow.

[billybudd]

Interesting use of the phrase "social engineering".