[ISN] New York Times Intranet, Source Database Hacked

From: InfoSec News (isnat_private)
Date: Wed Feb 27 2002 - 00:32:30 PST

  • Next message: InfoSec News: "[ISN] DEF CON TEN - Call for Papers"

    By Brian Krebs, Newsbytes
    26 Feb 2002, 7:52 PM CST
    The New York Times' corporate Intranet and Web-based applications that
    handle everything from payroll accounts to the newsroom's source
    database were penetrated by a freelance security researcher this week
    using nothing more than a Web browser, Newsbytes has learned.
    The discovery was made by 21-year-old Adrian Lamo, a white-hat hacker
    known for tracking down and alerting Fortune 500 companies that employ
    lackluster or non-existent security measures on their Web sites.
    The internal Web site included pages with detailed instructions for
    stringers and correspondents on how to file from the field, complete
    with dial-in modem numbers and accounts. The intranet also lists each
    Times employee's contact information, as well as their Social Security
    According to screenshots obtained by Newsbytes, the Times' own
    "Everyone, Everywhere" newsroom contact database was also available
    via the corporate Intranet. The database contains phone numbers and
    contact information for such household names such as Yogi Berra,
    Warren Beatty, and Robert Redford, as well as high-profile political
    figures - including Palestinian leader Yassir Arafat and Secretary of
    State Colin Powell.
    The source database also contains Social Security numbers for all of
    the Times' guest op-ed writers, including Democratic operative James
    Carville and Internet policy guru Lawrence Lessig. Also spotted in the
    file were entries for William F. Buckley Jr., Rush Limbaugh, Microsoft
    founder Bill Gates, and New York Mayor Michael Bloomberg.
    In September 1998, a hacker group known as "Hacking for Girlies" broke
    into the New York Times Web site, replacing the main page with its
    insignia and a lengthy diatribe against New York Times technology
    columnist John Markoff for his book "Takedown," which the group said
    painted an inaccurate picture of hacker icon Kevin Mitnick.
    The New York Times subsequently moved the servers for its public Web
    sites to a more secure Internet address block.
    But the company left many Web pages created for use by employees and
    field reporters open to just about anyone curious enough to look for
    them, Lamo said.
    Times spokeswoman Christine Mohan confirmed that the company is
    "actively investigating a potential security breach.
    "The New York Times Company takes the security of its network very
    seriously," Mohan said. "Based on the results of this investigation,
    we will take appropriate steps if necessary to ensure the security of
    our network."
    Lamo located the internal network after querying publicly accessible
    Internet address records for mail servers on the New York Times
    address space, armed with the knowledge that e-mail is often processed
    by the same systems and networks that manage a corporation's firewall.
    Lamo gained access to the network using Web proxies located on the
    network. Proxies are machines that allows users to route through - or
    into - networks, often skirting past firewalls. The whole process from
    search to discovery took less than two minutes.
    "It struck me as being a part of their network more likely to be
    placed in a trusted location," he said. "Ironically, it wasn't until I
    mistyped a URL that I found what I was looking for - the error message
    invited me to 'try the main New York Times intranet site' instead."
    The Times' corporate intranet also allows users to access other
    sensitive areas, including the company's human resources department,
    as well as tools used to submit advertisements that accompany stories
    in the daily paper and the New York Times Web site,
    http://www.nytimes.com .
    The discovery highlights just how susceptible the Internet can be as a
    tool for spreading misinformation. Lamo said had he been so inclined,
    he probably would have been able to figure out how to successfully
    submit a small news item or advertisement for publication.
    Days after the Sept. 11 attacks, Lamo used a proxy on the Yahoo
    network to add satirical comment to a story on the company's Web site
    about Russian programmer Dmitry Sklyarov, a stunt that raised public
    concern about the integrity of online media.
    Last week, Lamo alerted SBC Communications that several of its Web
    pages containing tens of thousands of subscriber user names and
    passwords were exposed to the Web and completely unprotected.
    In December, Lamo discovered an Internet-accessible Web tool that
    provided easy access to the keys to private network routers for dozens
    of companies, including AOL Time Warner, Bank of America, Citicorp,
    Fox News Corp., JP Morgan, McDonalds, and Sun Microsystems - to name
    just a few.
    When asked why he does what he does, Lamo is noncommittal and somewhat
    cagey, downplaying his penchant for seeing things in ways that often
    go unnoticed by most.
    That didn't stop him, however, from quietly adding his name to the
    newsroom's source list as an expert on computer hacking.
    "I'm not trying to bring about any sort of specific change anywhere by
    what I do - but in doing what I do, acting in good faith doesn't seem
    like a bad thing, and hoping that someone in a similar situation in
    some undefined future might have options that aren't all a downwards
    spiral doesn't seem unreasonable either," Lamo said. "It would be
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Wed Feb 27 2002 - 05:03:40 PST