Missing Observer column from March 3
The New York Times was broken into recently. In a two-minute scan performed on a whim, a 21-year-old hacker named Adrian Lamo — who also works as an offbeat security consultant — discovered no fewer than seven misconfigured proxy servers acting as doorways between the public Internet and the newspaper’s private intranet, making the latter accessible to anyone capable of properly configuring their Web browser.
Once on the Times’ network, Lamo exploited weaknesses in its password policies to broaden his access, eventually reaching confidential data such as the names and Social Security numbers of the paper’s employees, logs of stop and start orders for home delivery customers, computer dial-up instructions for stringers to file stories and lists of contacts used by the Metro and Business desks.
More interestingly, Lamo gained access to a database of 3,000 contributors to the Times op-ed page — the bully pulpit of America’s elite. This gave him Social Security numbers for, inter alia, former U.N. weapons inspector Richard Butler, Democratic spin-doctor James Carville, ex-NSA chief Bobby Inman, former secretary of state James Baker, Stanford professor Larry Lessig and actor Robert Redford. He also obtained the home phone numbers of people like William F. Buckley Jr., Jeane Kirkpatrick, Rush Limbaugh, Vint Cerf, Warren Beatty and former president Jimmy Carter, plus fascinating information on contributors’ areas of expertise, what books they’ve written and the odd note on how easily they succumb to editing or how much they were paid.
No lasting harm was done — save to the Times’s substantial dignity — because Mr. Lamo notified the newspaper’s managers through a reporter. (As it happens, he has done things like this before and indeed has built an unusual reputation exposing security holes at large corporations, then voluntarily helping them fix the vulnerabilities he exploited. According to a leading online security journal, he was praised last December by communications giant WorldCom after he discovered security holes in their intranet that threatened to expose the private networks of Bank of America, CitiCorp, JP Morgan, and others.)
Mr. Lamo is thus a Good Egg. His little exploit, however, ought to make us pause. What if he’d been differently motivated? For example: what if instead of rummaging around on the paper’s intranet, he’d actually got to the paper’s published website and made some subtle alterations to the copy? (It’s not as though it couldn’t happen: the Times’ site was hacked once before in 1998, but the intruders contented themselves then with vulgar defacement.) We live, remember, in an age where news and comment flash around the globe at the speed of light and where, in particular, stock markets are incredibly (and often irrationally) sensitive to bad news. Our world is one in which information published in an organ like the ‘Times’ is taken seriously — and acted upon.
We’ve had some dry runs for these ‘semantic attacks’ — as security expert Bruce Schneier calls them. On 25 August 2000, for example, the press release distribution service Internet Wire received a forged e-mail that appeared to come from the Emulex corporation, reporting that the company’s CEO had resigned and its earnings would be restated. Internet Wire posted the press release, not bothering to verify either its origin or contents. Several financial news services and Web sites further distributed the false information, and the stock dropped 61% (from $113 to $43) before the hoax was exposed.
“Despite its amateurish execution”, writes Schneier, (the perpetrator, trying to make money on the stock movements, was caught in less than 24 hours), “$2.54 billion in market capitalisation disappeared, only to reappear hours later. With better planning a similar attack could do more damage and be more difficult to detect”. The only question is when it will materialise. And whether it will be covered by the Times.