http://www.newsbytes.com/news/02/174792.html

By Brian Krebs, Newsbytes
WASHINGTON, D.C., U.S.A.,
26 Feb 2002, 7:52 PM CST

The New York Times' corporate Intranet and Web-based applications that handle everything from payroll accounts to the newsroom's source database were penetrated by a freelance security researcher this week using nothing more than a Web browser, Newsbytes has learned.

The discovery was made by 21-year-old Adrian Lamo, a white-hat hacker known for tracking down and alerting Fortune 500 companies that employ lackluster or non-existent security measures on their Web sites.

The internal Web site included pages with detailed instructions for stringers and correspondents on how to file from the field, complete with dial-in modem numbers and accounts. The intranet also lists each Times employee's contact information, as well as their Social Security numbers.

According to screenshots obtained by Newsbytes, the Times' own "Everyone, Everywhere" newsroom contact database was also available via the corporate Intranet. The database contains phone numbers and contact information for such household names as Yogi Berra, Warren Beatty, and Robert Redford, as well as high-profile political figures - including Palestinian leader Yassir Arafat and Secretary of State Colin Powell.

The source database also contains Social Security numbers for all of the Times' guest op-ed writers, including Democratic operative James Carville and Internet policy guru Lawrence Lessig. Also spotted in the file were entries for William F. Buckley Jr., Rush Limbaugh, Microsoft founder Bill Gates, and New York Mayor Michael Bloomberg.

In September 1998, a hacker group known as "Hacking for Girlies" broke into the New York Times Web site, replacing the main page with its insignia and a lengthy diatribe against New York Times technology columnist John Markoff for his book "Takedown," which the group said painted an inaccurate picture of hacker icon Kevin Mitnick.
The New York Times subsequently moved the servers for its public Web sites to a more secure Internet address block. But the company left many Web pages created for use by employees and field reporters open to just about anyone curious enough to look for them, Lamo said.

Times spokeswoman Christine Mohan confirmed that the company is "actively investigating a potential security breach."

"The New York Times Company takes the security of its network very seriously," Mohan said. "Based on the results of this investigation, we will take appropriate steps if necessary to ensure the security of our network."

Lamo located the internal network after querying publicly accessible Internet address records for mail servers on the New York Times address space, armed with the knowledge that e-mail is often processed by the same systems and networks that manage a corporation's firewall.

Lamo gained access to the network using Web proxies located on the network. Proxies are machines that allow users to route through - or into - networks, often skirting past firewalls. The whole process from search to discovery took less than two minutes.

"It struck me as being a part of their network more likely to be placed in a trusted location," he said. "Ironically, it wasn't until I mistyped a URL that I found what I was looking for - the error message invited me to 'try the main New York Times intranet site' instead."

The Times' corporate intranet also allows users to access other sensitive areas, including the company's human resources department, as well as tools used to submit advertisements that accompany stories in the daily paper and the New York Times Web site, http://www.nytimes.com .

The discovery highlights just how susceptible the Internet can be as a tool for spreading misinformation. Lamo said that had he been so inclined, he probably would have been able to figure out how to successfully submit a small news item or advertisement for publication.

Days after the Sept. 11 attacks, Lamo used a proxy on the Yahoo network to add satirical comment to a story on the company's Web site about Russian programmer Dmitry Sklyarov, a stunt that raised public concern about the integrity of online media.

Last week, Lamo alerted SBC Communications that several of its Web pages containing tens of thousands of subscriber user names and passwords were exposed to the Web and completely unprotected.

In December, Lamo discovered an Internet-accessible Web tool that provided easy access to the keys to private network routers for dozens of companies, including AOL Time Warner, Bank of America, Citicorp, Fox News Corp., JP Morgan, McDonalds, and Sun Microsystems - to name just a few.

When asked why he does what he does, Lamo is noncommittal and somewhat cagey, downplaying his penchant for seeing things in ways that often go unnoticed by most. That didn't stop him, however, from quietly adding his name to the newsroom's source list as an expert on computer hacking.

"I'm not trying to bring about any sort of specific change anywhere by what I do - but in doing what I do, acting in good faith doesn't seem like a bad thing, and hoping that someone in a similar situation in some undefined future might have options that aren't all a downwards spiral doesn't seem unreasonable either," Lamo said. "It would be nice."