[ISN] Security expert explains New York Times site break in

From: mea culpa (jerichoat_private)
Date: Fri Sep 18 1998 - 09:43:18 PDT

  • Next message: mea culpa: "Re: [ISN] Security expert explains New York Times site break in"

    Forwarded From: Sunit Nangia <nangiasat_private>
    September 18, 1998
    Web posted at: 11:01 AM ET 
    by Ellen Messmer 
    (IDG) -- Although the New York Times is not revealing the details of what
    happened last weekend when it was hijacked by a hacker group, one security
    expert has it figured out. 
    A group of hackers calling themselves Hackers for Girlies broke into the
    Times news site on Sunday. The hackers took control of the site to display
    their own diatribe complete with nude images and to protest the arrest of
    hacker Kevin Mitnick. The Times worked for half a day to regain command of
    its server. 
    Hackers often break in by exploiting security vulnerabilities associated
    with default Common Gateway Interface scripts that ship with Web servers,
    according to Patrick Taylor, director of strategic marketing at Internet
    Security Systems in Atlanta. They exploit these scripts to send a string
    of long commands to cause a buffer overflow that lets them into the
    operating system. They first give themselves an account in the system and
    then stick in a backdoor Trojan horse program such as "rootkit" to gain
    and maintain root control, he said. 
    "CGI scripts are intended to pass commands from the Web server to
    something in the operating system, perhaps to pull database information,"
    Taylor said. "But you should get rid of these superfluous CGI scripts and
    depend on your own custom scripts." 
    The Times may have had a long struggle regaining control of its Web site
    because the latest Trojan horses are designed so well that they hide
    within the operating system, encrypted or even providing the same checksum
    as the legitimate operating system. 
    "It's nefarious--the hacker essentially has remote administration of the
    Web server," Taylor said. "You can't rely on a backup of the machine.  You
    may have to reinstall the entire operating system." 
    By coincidence, the Times had once looked at using the ISS security gear,
    but decided not to, he said. The Times declined to discuss any aspect of
    its Web operations, saying it was "a matter of security." 
    The "Hackers for Girlies" ranted in its own posting to have "busted root"
    on the Times, and directed some invective toward Times reporter John
    Markoff and security expert Tsutomu Shimomura for their respective roles
    in the investigation of hacker Kevin Mitnick, now held in jail.  Markoff
    and Shimomura two years ago collaborated on a book entitled "Takedown"
    about the law enforcement pursuit of Mitnick. In its own account, the
    Times said the hacker incident at nytimes.com may be related to an
    upcoming trial in January of Mitnick. 
    While hacker rantings and pornography can be bad enough to discover on a
    Web site, a far more serious scenario involves a hijacker more
    surreptitiously posting information that has been slightly changed,
    leading the reader to view it as authentic. 
    "This could end up like 'War of the Worlds,' where people went into a
    panic because they didn't know what they were hearing on the radio was
    made up," commented Doug Barney, Network World news editor. 
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:04:44 PDT