NY Times Internal Network Hacked
By Ryan Naraine
The New York Times on Wednesday confirmed a computer hacker broke into its internal network, accessing files and folders containing personal information of some of its biggest op-ed contributors.
Acting on a whim, 21-year-old California hacker Adrian Lamo found seven misconfigured proxy servers that served as doorways between the Internet and the company's private intranet.
Once he got in, Lamo exploited weaknesses in the password policies of the New York Times to expand his access to a database of op-ed contributors, which included social security numbers of people like former U.N. weapons inspector Richard Butler, former Clinton aide James Carville, radio personality Rush Limbaugh, Microsoft kingpin Bill Gates, and New York City mayor Mike Bloomberg.
New York Times spokeswoman Christine Mohan confirmed the breach and said an active investigation was underway. "The New York Times Company takes the security of its network very seriously...We will take appropriate steps if necessary to ensure the security of our network," she told atNewYork.
Mohan said the company had neither contacted Lamo nor yet identified the source of the intrusion, although it is widely known that the hacker immediately contacted the media company with the help of a journalist from the SecurityFocus Online Web site, which first reported the story.
It is the second time the Times has been the target of hackers. In 1998, a group known as "Hacking for Girlies" (HFG) defaced the company's flagship NYTimes.com site with profanities and racial rants which targeted reporter John Markoff, who authored "TakeDown," a book on the search for convicted hacker Kevin Mitnick.
Although the latest breach happened behind the scenes, it highlights the potential security nightmares facing companies that do business on the Internet.
Lamo, who gained notoriety last year after breaching the systems of Yahoo!, Microsoft and ISP WorldCom, said he was surprised at the ease with which he got access to the Times' database.
"It literally just took a couple minutes, but that isn't to say they weren't secure in the classic, industry sense of the term -- they'd patched their bugs, had firewall software going," he said in an interview with atNewYork.
"The intrusion avenue I tend to take isn't something that gets addressed by most classic security deployments. So their security wasn't shabby, but it wasn't intended to deal with unexpected avenues of intrusion, either," Lamo added.
"You can't sell someone a $5,000 seminar and software patches and have that all be okay afterwards. Infrastructure is an overused term, but it really is more vulnerabilities in corporate infrastructure than specific system properties," he said.
The Sacramento native, who admittedly uses an archaic laptop (Windows 98, 64 MB of RAM, Pentium III 600 MHz, broken keyboard) and free workstations at Kinko's for his hacking exploits, says the emphasis on securing proxy servers is somewhat misguided.
"Most approaches to intrusion and intrusion prevention are system-centric. You secure systems, sometimes you secure network segments, but in terms of information resources, inherent trust, the permeability of shared applications, and some of the foibles inherent in the way people communicate and have computers communicate, that's a lot more nebulous."
Lamo, who once gained access to a PDF file with the map of WorldCom's complete network infrastructure, then won praise for notifying the ISP, said there was no specific reason for targeting the New York Times.
"They (the Times) were there, and I did what came naturally to me. I don't have any rationale or explanation or justification that I'm trying to sell about this to make it all okay," he said, admitting that his actions can be considered "illegal, immoral, or worse."
"It's not for me to contest them or try to win them over to the Adrian Lamo School of Security. Similarly, I've done my best to act in good faith and avoid harm to the company and employees involved, but that's not something I feel is appropriate to spin as some kind of explanation or mitigation for my actions. It's just something else I do," he said.
"I'm aware that there are potential consequences for what I do. I try to minimize the impact for everyone involved, and make it as positive/helpful an experience as possible -- but that's not a rationale or an excuse for why I do it...I don't think I'm immune to the law. Life is gradations of risk."
In addition to accessing private information and browsing through the Times' private intranet, Lamo signed off with a dash of elan. He actually joined the ranks of the newspaper's elite contributors, adding his own entry into a section of the database.
After inserting his real name, cell phone number and e-mail address, he listed his expertise as "Computer hacking, national security, communications intelligence."