With Friends Like This

Meet Adrian Lamo. At 21 years old, Lamo is clean-cut and soft-spoken, his deliberate speech marked by a slight stutter. A short, thinly built, former vegetarian, he takes a seat facing the door at the South Street Diner in Philadelphia, picking at his chicken Caesar salad and keenly eying his surroundings as he explains why and how he does what he does. And that's hack into a business' network, alert the company to his actions, offer to help fix the problem for free, and, once the holes are patched, go public with the breach.

Why he does this is a little less clear. "I've never made an argument that there's any particular right or moral principle that makes the exploration of private domains OK," he says. "I'm not saying it's right. It's what I do."

That moral ambiguity belies the zeal Lamo brings to his mission. "I challenge others to find another way to get companies to take these issues seriously," he says. "To get AOL to admit to a widespread security problem isn't going to happen based on a few phone calls." Two years ago, Lamo published on the Internet details about how hackers were taking advantage of a flaw in America Online's AIM registration server to hijack Instant Messenger accounts.

Lamo's mission has led him to expose computer security flaws at companies such as Microsoft, The New York Times, WorldCom, Yahoo, and the now-defunct Excite@home. To publicize his work, he's often tapped ex-hacker-turned-journalist Kevin Poulsen as his go-between: Poulsen contacts the hacked company, alerts it to the break-in, offers Lamo's cooperation, then reports the hack on the SecurityFocus Online Web site, where he's a news editor.

Lamo may be the most controversial hacker since Kevin Mitnick, who gained fame in the mid-'90s by breaking into the computer systems of high-tech companies and stealing proprietary software code. To the extent that Lamo brings a moral justification to his actions--and that people buy into that argument--he may be even more dangerous.

Lamo claims he never intentionally interrupts service, and he doesn't sell, distribute, or destroy the data he accesses. "Destroying data is near sacrilege--it's like burning the last known copy of the Bible," he says. Still, unlawful entry into a private network is a misdemeanor. And if it could be proved that his digital trespassing caused $5,000 or more in damage to a company, even unintentionally, Lamo could face felony charges, says Mark Rasch, former head of the Justice Department's Computer Crime Unit, who prosecuted Poulsen and Mitnick. With a jump in the number of U.S. companies reporting downtime related to security breaches or espionage, according to InformationWeek Research's annual Global Information Security Survey (see story, p. 36), and the threat of cyberterrorism greater than ever, many business-technology managers and security experts have little tolerance for Lamo's tactics, even if they do raise awareness about lax corporate security.

"If you're not invited, you shouldn't be there," says Diane Bunch, VP of IS at the Tennessee Valley Authority, who believes legislation against hacking and prosecution of hackers needs to be tougher. "It's like my house--if I didn't invite you in off the street, I don't expect to see you there," she says.

Bruce Schneier, founder and chief technology officer of managed security services provider Counterpane Internet Security Inc., says he isn't impressed by the hacking-to-build-awareness argument. "It's like committing arson to build forest-fire awareness," Schneier says. "There are other ways to build awareness."

Executives at The New York Times, which was victimized by Lamo in February, would likely agree. The media company said last week it hasn't ruled out asking law enforcement to press charges against the hacker. "We're still exploring our options, and discussions with the authorities is one of those options," a spokeswoman says.

Lamo accessed a database holding the personal information of 3,000 New York Times employees, as well as that of big-name editorial contributors such as Jimmy Carter and Robert Redford. He says he surfed in from the Web, scanned the Times' internal network, and found as many as eight open proxy servers. By viewing header information in an auto-reply E-mail, he found references to servers on the internal network and was able to hack into the database, logging himself on as an administrative assistant.

Lamo claims he breaks into companies' networks using only an old Toshiba notebook that's missing seven keys, a Web browser, and rented network connections at Internet cafes or copy shops.

Born in Massachusetts, Lamo moved around quite a bit growing up; he lived in Connecticut, Virginia, California, and even spent a few years in Colombia. Lamo dropped out of high school (he has a GED), and his computer skills are largely self-taught, beginning with peeking into the code of the role-playing adventure games he ran on his Commodore 64 computer. Lamo says he's homeless, and spends his nights on friends' couches or squatting in abandoned buildings. He travels on foot or by Greyhound bus because "it's the last form of public transportation that doesn't require a photo ID." He earns money from odd jobs, he says: When you "don't have rent or a car payment, you don't need much money to survive."

Lamo contends that, from an IT standpoint, many companies ignore their most vulnerable points. Companies that patch only known software vulnerabilities, then simply scan their applications and networks for potential security holes, are missing the bigger picture, he says. "They think if you have no known 'exploits' on your systems, they're secure," he says. "They're not. None of the intrusions I've been behind had anything to do with what would be called a known software exploit or vulnerability. It's more nebulous."

His break-in at troubled telecom vendor WorldCom in December, accomplished by way of several misconfigured proxy servers, is an example. Companies establish proxy servers to let employees access the Internet. When set up properly, they're one-way streets. But proxy servers are easy to misconfigure, and many are brought online in open mode, letting outsiders connect to the network while hiding their point of origin.

Once past a company's proxy servers and perimeter defenses, Lamo says, he's able to escape the notice of intrusion-detection systems. IDSs often have preconfigured definitions of anomalous activity, such as malformed packets and certain systems requests. "But when you have someone sitting at a Web browser looking at things the way an employee would look at them, that's not something that can be picked up by the IDS," Lamo says. "The IDS can't see a person's intent." With WorldCom, Lamo says he was able to view the names and Social Security numbers of thousands of its employees, as well as potentially cut services to most of the telecommunication provider's customers.

What Lamo did is "no different than showing up at a company wearing a UPS uniform," says Counterpane's Schneier. "Of course you're trusted." Companies that monitor only their front doors are prime targets for such attacks, Schneier says.

After the break-in became known, a WorldCom spokeswoman said the company appreciated Lamo's drawing its attention to the problem and the help he gave the company one weekend to fix the flaws. A spokeswoman reached last week wouldn't comment further. Poulsen says that, like WorldCom, officials at Excite@home also "expressed gratitude for Adrian."

At least one business-technology manager says there are worse things than to have a hacker such as Lamo break into his network. If someone "points out security holes and doesn't do any damage, I'd rather that happen than the holes be discovered by a competitor or terrorist," says the chief security officer at a Midwest consumer-goods manufacturer. "I could live without the media attention, but I'd personally be hard-pressed to call the police."

Despite the talk by The New York Times of possibly going to authorities, no charges have been filed against Lamo for any of the incidents. Indeed, few companies are interested in seriously investigating computer breaches internally, says former federal prosecutor Mitch Dembin, who litigated a number of computer and high-tech crimes and now heads IT forensics company EvidentData Inc. "My experience has been that unless the hackers do obvious damage, companies won't do anything," he says. "They patch and secure the holes and move on." It can take weeks and cost hundreds of thousands of dollars for an IT forensics company to determine the extent of a breach, put compromised systems through an extensive analysis, patch and close security holes, and conduct follow-up penetration tests.

The costs of taking a hacker to court can be even greater, including the negative publicity and the very real threat of hacker retaliation. Former FBI cybercrime investigator Charles Neal, now VP of managed security services at Exodus, a Cable & Wireless unit, says that only 3% to 5% of the companies he works with during investigations choose to contact law enforcement. Only 18% of the U.S. businesses surveyed for InformationWeek Research's new security survey say they notify government authorities after a breach.

The flip side of this moral equation may be that by not prosecuting Lamo, or hackers like him, companies are perpetuating the cycle and keeping the business community in general at risk. "It's a business decision," says EvidentData's Dembin. "It's not based on civic-mindedness." One security executive sees it as a resource issue. "We may react by getting the FBI involved and eat up vast quantities of internal and federal law-enforcement and forensic resources," says the chief information security officer at a large midwest utility. "That's resources taken away that could be used to investigate other serious threats against the infrastructure."

Lamo contends that the threat of prosecution isn't going to make hackers go away. Some may be deterred, just as some will be deterred by companies' technical countermeasures. But "you can never eliminate the threat entirely," he says. He adds that companies may want to consider being tolerant of actions that may ultimately help them achieve better security. "There's no point in overtly ignoring one of the ways you can reduce" security threats, Lamo says, "just because you might embarrass your company from time to time."