New York Times internal network hacked

Classic blunder: open proxies

  • alert
  • submit to reddit

Website security in corporate America

Security holes in the New York Times internal network left sensitive databases exposed to hackers, including a file containing Social Security numbers and home phone numbers for contributors to the Times op-ed page, SecurityFocus Online has learned.

In a two-minute scan performed on a whim, twenty-one-year-old hacker and sometimes-security consultant Adrian Lamo discovered no less than seven misconfigured proxy servers acting as doorways between the public Internet and the Times' private intranet, making the latter accessible to anyone capable of properly configuring their Web browser.

"The very first server I looked at was running an open proxy," says Lamo. "The server practically approached me."

Once on the newspaper's network, Lamo exploited weaknesses in the Times password policies to broaden his access, eventually browsing such disparate information as the names and Social Security numbers of the paper's employees, logs of home delivery customers' stop and start orders, instructions and computer dial-ups for stringers to file stories, lists of contacts used by the Metro and Business desks, and the "WireWatch" keywords particular reporters had selected for monitoring wire services.

But measured by sheer star power, the hack is most notable for Lamo's access to a database of 3,000 contributors to the Times op-ed page, the august soap box of the cultural elite and politically powerful.

The roster includes Social Security numbers for former U.N. weapons inspector Richard Butler, Democratic operative James Carville, ex-NSA chief Bobby Inman, Nannygate veteran Zoe Baird, former secretary of state James Baker, Internet policy thinker Larry Lessig, and thespian activist Robert Redford, who last May authored an op-ed on President Bush's environmental policies.

Entries with home telephone numbers include Lawrence Walsh, William F. Buckley Jr., Jeanne Kirkpatrick, Rush Limbaugh, Vint Cerf, Warren Beatty and former president Jimmy Carter.

The database includes details on contributors' areas of expertise and what books they've written, and the odd note on how easily they succumb to editing or how much they were paid.

Lamo notified the Times of the vulnerabilities Tuesday through a reporter, and provided them with a list of the open proxies. In a statement, a spokesperson for the paper said the Times takes security "very seriously."

"We are actively investigating a potential security breach," wrote Times spokesperson Christine Mohan. "Based on the results of this investigation we will take appropriate steps to ensure the security of our network."

Hacker's Helpful History

Adrian Lamo has built an unusual reputation exposing security holes at large corporations, then voluntarily helping them fix the vulnerabilities he exploited -- sometimes visiting their offices or signing non-disclosure agreements in the process.

In December, Lamo was praised by communications giant WorldCom after he discovered, then helped close, security holes in their intranet that threatened to expose the private networks of Bank of America, CitiCorp, JP Morgan, and others.

In September, the hacker used a vulnerable Web-based production tool to tamper with a wire service story on Yahoo! News, deliberately choosing an old story to minimize the impact.

The hacker professes relief at discovering that the Times intranet afforded him no similar opportunity to modify stories in the paper's print edition, without clearing human hurdles in the Times editorial process. "It's really better for everybody if the New York Times has the ability to runs something unusually every now and then without people checking it for my writing style," says Lamo.

The newspaper's public Web site -- the target of a high-profile defacement in 1998 -- is outsourced, and wasn't affected by the vulnerabilities.

Privacy Concerns

Lamo says he began his excursion at a proxy in the Times home delivery department and scanned the newspaper's IP address range for Web servers. "The proxy was on a different network, dealing with management of subscription information, but it was trusted by their internal network," says Lamo. He quickly found the intranet homepage, and an unprotected copy of a database that cataloged employees' names and Social Security numbers. "From what I've been able to tell, it was a backup database being used for research."

Armed with that information, the hacker could use the intranet account of any employee that hadn't changed their password from the default -- the last four digits of the person's Social Security number. One of those belonged to a worker that had the power to create new accounts, so Lamo set up his own account on the network with higher privileges.

From there, it was a short hop to the op-ed database.

"This is sort of a situation where security and privacy intersect," says David Sobel, an attorney with the Electronic Privacy Information Center (EPIC). "One of the concerns with the online availability of personal information is the lack of security that often surrounds those kinds of systems... There's an ethical obligation to protect this data, given the harm that can result in the form of identity theft from obtaining a Social Security number."

This isn't the first time personal information on the rich and powerful has been compromised by weak network security. One year ago, anti-globalization hackers penetrated a database maintained by the World Economic Forum, and downloaded similar data on attendees of the group's summit on global economic trends in Davos, Switzerland, including Bill Gates, Bill Clinton, South African President Thabo Mbeki and Japanese Prime Minister Yoshiro Mori.

But with the Times hack Lamo may have gone one better. Rather than merely crossing the information wake left by the elite, Lamo says he actually joined their ranks, creating his own entry in the 'L' section of the Times database, complete with his real name, cell phone number, and email address.

In the space set aside for a description of the contributor's expertise, Lamo wrote, "Computer hacking, national security, communications intelligence."

© 2001 SecurityFocus.com, all rights reserved.

Related Stories

Lamo strikes again: WorldCom
@Home's mis-configured proxy Excites hacker

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
prev story


Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.