
New York Times Hacked

February 27, 2002 12:15 AM UTC

UN weapons inspector Richard Butler, Democratic operative James Carville, ex-NSA chief Bobby Inman, Nannygate veteran Zoe Baird, secretary of state James Baker, Internet policy thinker Larry Lessig, actor Robert Redford, Lawrence Walsh, William F. Buckley Jr, Jeane Kirkpatrick, Rush Limbaugh, TCP architect Vint Cerf, Warren Beatty, former president Jimmy Carter - all these people and 3,000 more have been exposed on the New York Times website, typically through lame system administration.

Adrian Lamo needed all of two minutes to see the gaping holes. 'The server practically approached me,' he said. Once on the newspaper's network, Lamo exploited weaknesses in the Times password policies to broaden his access, eventually browsing such disparate information as the names and Social Security numbers of the paper's employees, logs of home delivery customers' stop and start orders, instructions and computer dial-ups for stringers to file stories, lists of contacts used by the Metro and Business desks, and the 'WireWatch' keywords particular reporters had selected for monitoring wire services.

The contributors database contains private information, areas of expertise, books written, willingness to allow editing, and fees paid.

Lamo himself used a proxy to notify the NYT, and in typically lame fashion NYT's Christine Mohan reported: 'We are actively investigating a potential security breach. <DUH> Based on the results of this investigation we will take appropriate steps to ensure the security of our network. <YAWN>'

In a short time Lamo has proven helpful to a number of major corporations, plugging holes at WorldCom which threatened to expose the private networks of Bank of America, CitiCorp, JP Morgan and others, finding holes in the Yahoo! News wire service, and more.

The New York Times website has been outsourced since 1998.

After scanning the NYT IP address range for web servers, Lamo found that the home delivery proxy was on a different network from the other machines and trusted by the internal NYT LAN. He quickly found the internal home page and an unprotected copy of a database that cataloged employees' names and Social Security numbers. Armed with that information, Lamo could use the intranet account of any employee that hadn't changed their password from the default - the last four digits of their SSN. One of those belonged to a worker that had the power to create new accounts, so Lamo set up his own account on the network with higher privileges.

As a final coup Lamo left behind his own celebrity contributor dossier. The areas of expertise he cited?

Computer hacking, national security, communications intelligence.

Copyright © Radsoft. All rights reserved.