Adrian Lamo — Part 1

444 pages · May 15, 2026 · Broad topic: General · Topic: Adrian Lamo · 444 pages OCR'd

‹

THUUNITESSIAL ALL INFORMATION 7 HEREIN If Ut TATE 02-15 02/26/2002 07:37 PM To: cc: Sudject: some hints to the WorldCom hacking that might apply to us from that same article. _http:/fonline.securityfocus.com/news/296 did he do the same on NYT Co's intranet? The Problem with Proxies As he has with other networks, Lamo found the keys to WorldCom's kingdom in open Internet proxy servers. In normal operation, a proxy server is a dedicated machine that sits between a local network and the outside world, passing internal surfers’ Web requests out to the Internet, often caching the results to speed up subsequent visits to the same URL. But it's easy and common for administrators to inadvertently misconfigure proxy servers, allowing anyone on the Internet to channel through them. Sometimes companies and organizations even unknowingly run proxies. Hackers and Privacy-conscious netizens catalog these open proxies, using them to anonymize their surfing. Lamo has perfected a different use: jumping through them to pose as a node ona company's internal network. Using a common hacker tool called "Proxy Hunter," Lamo scanned WorldCom's corporate Internet address space, and quickly found five open proxies -- one of them hiding in plain site at wireless.wcom.com. From there, he needed only to configure his browser to use one of the proxies, and he could surf WorldCom's private network as an employee. Once inside, he found other layers of security protecting various intranet sites from employees who might exceed their authorized access. But after a couple of months of sporadic exploring, Lamo has made substantial inroads. He can use WerldCom human resources system to list names and matching social security numbers for any or all of the company's 86,000 employees. With this information, all he needs is a birth date (he swears by anybirthday.com) and-he can reset an employee's password and access his or her payroll records, including information like their salary, emergency contacts, and direct deposit instructions, complete with bank account numbers. He could even modify the employee's direct deposit bank account, and divert a paycheck to his own account, if he wanted to. "A lot of people would be willing to blow town for a couple hundred thousand dollars,” says Lamo. FBI(19-cv-1495)-99

›

THUUNITESSIAL

ALL INFORMATION 7
HEREIN If Ut

TATE 02-15

02/26/2002 07:37 PM

To:

cc:

Sudject: some hints to the WorldCom hacking that might apply to us

from that same article. _http:/fonline.securityfocus.com/news/296

did he do the same on NYT Co's intranet?

The Problem with Proxies

As he has with other networks, Lamo found the keys to WorldCom's kingdom in open Internet
proxy servers. In normal

operation, a proxy server is a dedicated machine that sits between a local network and the
outside world, passing

internal surfers’ Web requests out to the Internet, often caching the results to speed up
subsequent visits to the same

URL.

But it's easy and common for administrators to inadvertently misconfigure proxy servers,
allowing anyone on the Internet

to channel through them. Sometimes companies and organizations even unknowingly run
proxies. Hackers and

Privacy-conscious netizens catalog these open proxies, using them to anonymize their surfing.
Lamo has perfected a

different use: jumping through them to pose as a node ona company's internal network.

Using a common hacker tool called "Proxy Hunter," Lamo scanned WorldCom's corporate
Internet address space, and

quickly found five open proxies -- one of them hiding in plain site at wireless.wcom.com. From
there, he needed only to

configure his browser to use one of the proxies, and he could surf WorldCom's private network
as an employee.

Once inside, he found other layers of security protecting various intranet sites from employees
who might exceed their

authorized access. But after a couple of months of sporadic exploring, Lamo has made
substantial inroads. He can use

WerldCom human resources system to list names and matching social security numbers for any
or all of the company's

86,000 employees. With this information, all he needs is a birth date (he swears by
anybirthday.com) and-he can reset

an employee's password and access his or her payroll records, including information like their
salary, emergency

contacts, and direct deposit instructions, complete with bank account numbers. He could even
modify the employee's

direct deposit bank account, and divert a paycheck to his own account, if he wanted to. "A lot of
people would be willing

to blow town for a couple hundred thousand dollars,” says Lamo.

FBI(19-cv-1495)-99