[ISN] Can you Believe What you Read?

From: mea culpa (jerichoat_private)
Date: Fri Sep 18 1998 - 02:31:20 PDT

  • Next message: mea culpa: "[ISN] New Crypto Rules Leave Out Individual Privacy"

    Forwarded From: phreak moi <hackereliteat_private>
    Can You Believe What You Read?
    by Michael Stutz
    9:45am  16.Sep.98.PDT
    When The New York Times on the Web was hacked Sunday, the site was shut
    down for more than nine hours after technicians unsuccessfully fought a
    group of hackers for control of the system. 
    "This is something that all news media and all people who have credible
    information need to look out for," said Rich Meislin, editor in chief of
    electronic media at The New York Times. "Someone could have tampered with
    a minor detail in a story and that would have not been detected quite as
    But Meislin said that he or another editor would have found the spoof
    quickly enough and taken corrective action. 
    "One of our readers or editors would have got to it" he said. "We tend to
    live around our site." Meislin confirmed that the Times site is viewed
    millions of times every day. 
    In this case, the site's content was replaced with a mocked-up page of
    political statements. But what if a bogus, but very real-looking, news
    story had been posted, or hackers had tampered with an existing story to
    spread misinformation? 
    Nielsen said that the company's subscriber list was not touched during the
    hack and no stories in its archives were modified. 
    "If anything had been altered, or anything was changed, I would think that
    we'd know it." 
    But would they? The potential for creating misinformation is very real,
    said the editorial director of The Gate, the Web site for the San
    Francisco Chronicle, San Francisco Examiner, and several TV stations. 
    "What happens if someone posts a faux Gate?" said George Shirk. "What if
    it contains serious libel or a virus? 
    "We do the best we can under the circumstances to protect ourselves in a
    variety of different ways. However, it is very sobering indeed when the
    Times gets hacked," Shirk said. 
    A member of a Boston-based hacker collective called the L0pht said the
    hack was interesting, but not for the reasons most of the media have
    focused on. 
    "Here we have an organization whose purpose is to distribute accurate
    information to the general public," said the hacker, a network security
    expert who calls himself "Mudge." 
    "Given their goal of distributing accurate information and their choice
    for one of the vehicles to be the World Wide Web, one would imagine that
    the security and integrity of the information they are publishing would be
    important to them." 
    That said, Mudge raised the question: "If their site was hacked in such an
    obvious fashion -- where the intruders replaced their Web site -- how long
    were more subtle changes being done? How can anyone trust the information
    distributed by the Times in good faith after this?" 
    Information-warfare and computer-security expert Winn Schwartau said the
    damage done if a cracker were to modify or add a story would be
    "There's an awful lot of caveats in that statement, but [it would]
    certainly do a tremendous amount of damage,"  Schwartau said. 
    Mudge, who earlier this year testified before Congress on the topic of
    information warfare, said there was no easy solution to the problem. 
    "If there was one magical thing that could be done, do you think
    [security] would even be an industry?" he said. 
    The crackers' motive, according to Times spokeswoman Nancy Nielsen, was
    not to modify stories but to attack Times reporter John Markoff for his
    coverage of imprisoned cracker Kevin Mitnick. 
    What if the crackers had modified the text of Kenneth Starr's report on
    the Times site, for example, changing the facts in even a minor way? 
    "If something like that were to happen, and a story was altered in a way
    that was noticeable -- maybe if they added an outrageous fact -- a reader
    or Web viewer would notice it within minutes,"  Nielsen said. "They would
    call us, it would come to our attention, and then we would address it." 
    In other words, the same process used for correcting errors in newspapers
    would be applied online. 
    "I don't know why this pops to mind, but somehow, the pages in The New
    York Times, it's like knowing your own children -- you know it so well,
    that if there's one thing that's wrong, you spot it immediately," Nielsen
    said. "Or somebody will, and bring it to our attention." 
    Schwartau said that if some kind of digital signature mechanism were to be
    put in place, text could be at least be verified as accurate. 
    "You need to be part of the Public Key Infrastructures in one way or
    another,"  Schwartau said. "Either you'd be using PGP (Pretty Good
    Privacy), PK, [or] Certification Authority -- some of those types of
    mechanisms do a certification...  of the validity or integrity of the
    data.  That's all doable, and there's certainly been an ongoing nationwide
    effort to establish things like that." 
    But right now, news media don't use these "integrity wrappers" on their
    digital content, Schwartau said. 
    According to Nielsen, the Times' current systems have been certified by
    security consulting firms. The paper has the kind of in-house security
    team one would expect, she added, but declined to provide any details. The
    site underwent a security audit by Bellcore two years ago. 
    "Bellcore did some auditing work for us a couple of years ago, when we had
    our start-up site in Illinois," said Nielsen. "Now we have totally
    different hardware, it's here in New York, and as you know with
    technology, a 2-year-old report is like 100 years old." 
    While Bellcore conducted security assessments on the site, they did not
    "certify" it as secure. 
    "Bellcore does not 'certify' a Web site as secure," the company said
    Tuesday in a statement. "Instead, we conduct security assessments designed
    to provide customers with a realistic appraisal of security-related
    features and functions of their network and systems." 
    Schwartau agreed that Web-site security certification does not work. 
    "You can't certify something," said Schwartau. "That's absurd. You cannot
    certify something like this. The only way to certify it is to turn the
    power off." 
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:04:39 PDT