Hacker penetrates N.Y. Times' network

by Nikola Strahija on March 2nd, 2002

Adrian Lamo--the curious hacker who has hit such high-profile companies as Yahoo, Microsoft and Excite@Home--struck again, this time gaining access to The New York Times' internal operations network.


He said he found at least seven misconfigured servers that would allow hackers to enter the newspaper's private network through its public Web site. He said he browsed through names and Social Security numbers of the paper's employees, home delivery customers' orders and contact information used by writers and editors on the Metro and Business desks.

He said he accessed a database of 3,000 contributors to the Times' op-ed page, which included Social Security numbers for celebrities and government officials.

"This raises some questions about their handling of the data the company receives," Lamo said. "But in terms of the overall impact on the Times, it's an order of magnitude less than it could have been if people had been able to alter content" on the newspaper's public Web site, NYTimes.com.

On Wednesday, the publishing giant confirmed that the security of the internal network of its flagship newspaper had been breached. New York Times Co. spokeswoman Christine Mohan said the newspaper had addressed the security flaws, though it is still trying to determine what information was accessed and when the intrusion took place.

The security breach is the latest by Lamo, whose hack-and-tell exploits include breaking into WorldCom in December, Microsoft in October, Yahoo in September and Excite@Home in May.

Although Lamo's activities are well known, his intrusions have not resulted in any charges being filed against him. In every case, he has convinced targets that his intentions are good, notifying companies of breaches before going public. His targets have not necessarily welcomed the bad news, but his actions have allowed them to bolster their security.

The New York Times Co. would not say whether it is considering prosecuting Lamo. "Right now, we are focusing on investigating the situation," said Mohan. "We are determining what our next step will be in terms of dealing with this hacker, this security breach."

He said that only got him a foot in the door.

"A great deal of attention is paid to the role of the proxy servers in this compromise and ones like it," he said. "A proxy server, once located, delivers me to the same level of access as any random employee."

To be able to wander around the network virtually, he had to figure out the network structure, how to authenticate himself to the network, the workings of the internal proprietary systems, and how to make those work in ways they weren't intended.

"Scanning for proxies is easy," he said. "A total outsider figuring out how to run a network remotely is pretty much a self-administered IT orientation course on meth."

Lamo said that after he gained access to the proxy server, he mistakenly typed a wrong URL for an internal Web site and got a helpful nudge from an internal server on how to access the network.

Although it seemed that he had access to a heap of uninteresting data at first, he soon found a way to pose as another user--an administrative assistant--and expand his access. He then had the ability to create a new account, search and edit the freelancer lists, find out which laptops were assigned to which writers, and even view a list of salaries.

He then contacted Internet security site SecurityFocus and told it of the breach. The site contacted The New York Times, which closed the holes before publishing a story late Tuesday.

Lamo said he had no particular reason for going after the newspaper's network.

"I did what came naturally to me," he said. "I don't have any rationale or explanation or justification that I'm trying to sell about this to make it all OK.

"I recognize that some people will see my actions as illegal, immoral or worse...I've done my best to act in good faith and avoid harm to the company and employees involved," he added.

