Information Security News mailing list archives

New York Times Intranet, Source Database Hacked


From: InfoSec News <isn () c4i org>
Date: Wed, 27 Feb 2002 02:32:30 -0600 (CST)

http://www.newsbytes.com/news/02/174792.html

By Brian Krebs, Newsbytes
WASHINGTON, D.C., U.S.A.,
26 Feb 2002, 7:52 PM CST
 
The New York Times' corporate Intranet and Web-based applications that
handle everything from payroll accounts to the newsroom's source
database were penetrated by a freelance security researcher this week
using nothing more than a Web browser, Newsbytes has learned.

The discovery was made by 21-year-old Adrian Lamo, a white-hat hacker
known for tracking down and alerting Fortune 500 companies that employ
lackluster or non-existent security measures on their Web sites.
 
The internal Web site included pages with detailed instructions for
stringers and correspondents on how to file from the field, complete
with dial-in modem numbers and accounts. The intranet also lists each
Times employee's contact information, as well as their Social Security
numbers.

According to screenshots obtained by Newsbytes, the Times' own
"Everyone, Everywhere" newsroom contact database was also available
via the corporate Intranet. The database contains phone numbers and
contact information for household names such as Yogi Berra,
Warren Beatty, and Robert Redford, as well as high-profile political
figures - including Palestinian leader Yassir Arafat and Secretary of
State Colin Powell.

The source database also contains Social Security numbers for all of
the Times' guest op-ed writers, including Democratic operative James
Carville and Internet policy guru Lawrence Lessig. Also spotted in the
file were entries for William F. Buckley Jr., Rush Limbaugh, Microsoft
founder Bill Gates, and New York Mayor Michael Bloomberg.

In September 1998, a hacker group known as "Hacking for Girlies" broke
into the New York Times Web site, replacing the main page with its
insignia and a lengthy diatribe against New York Times technology
columnist John Markoff for his book "Takedown," which the group said
painted an inaccurate picture of hacker icon Kevin Mitnick.

The New York Times subsequently moved the servers for its public Web
sites to a more secure Internet address block.

But the company left many Web pages created for use by employees and
field reporters open to just about anyone curious enough to look for
them, Lamo said.

Times spokeswoman Christine Mohan confirmed that the company is
"actively investigating a potential security breach."

"The New York Times Company takes the security of its network very
seriously," Mohan said. "Based on the results of this investigation,
we will take appropriate steps if necessary to ensure the security of
our network."

Lamo located the internal network after querying publicly accessible
Internet address records for mail servers on the New York Times
address space, armed with the knowledge that e-mail is often processed
by the same systems and networks that manage a corporation's firewall.

Lamo gained access to the network using Web proxies located on the
network. Proxies are machines that allow users to route through - or
into - networks, often skirting past firewalls. The whole process from
search to discovery took less than two minutes.

"It struck me as being a part of their network more likely to be
placed in a trusted location," he said. "Ironically, it wasn't until I
mistyped a URL that I found what I was looking for - the error message
invited me to 'try the main New York Times intranet site' instead."

The Times' corporate intranet also allows users to access other
sensitive areas, including the company's human resources department,
as well as tools used to submit advertisements that accompany stories
in the daily paper and the New York Times Web site,
http://www.nytimes.com .

The discovery highlights just how susceptible the Internet can be as a
tool for spreading misinformation. Lamo said had he been so inclined,
he probably would have been able to figure out how to successfully
submit a small news item or advertisement for publication.

Days after the Sept. 11 attacks, Lamo used a proxy on the Yahoo
network to add satirical comment to a story on the company's Web site
about Russian programmer Dmitry Sklyarov, a stunt that raised public
concern about the integrity of online media.

Last week, Lamo alerted SBC Communications that several of its Web
pages containing tens of thousands of subscriber user names and
passwords were exposed to the Web and completely unprotected.

In December, Lamo discovered an Internet-accessible Web tool that
provided easy access to the keys to private network routers for dozens
of companies, including AOL Time Warner, Bank of America, Citicorp,
Fox News Corp., JP Morgan, McDonalds, and Sun Microsystems - to name
just a few.

When asked why he does what he does, Lamo is noncommittal and somewhat
cagey, downplaying his penchant for seeing things in ways that often
go unnoticed by most.

That didn't stop him, however, from quietly adding his name to the
newsroom's source list as an expert on computer hacking.

"I'm not trying to bring about any sort of specific change anywhere by
what I do - but in doing what I do, acting in good faith doesn't seem
like a bad thing, and hoping that someone in a similar situation in
some undefined future might have options that aren't all a downwards
spiral doesn't seem unreasonable either," Lamo said. "It would be
nice."



-
ISN is currently hosted by Attrition.org
