◆ SpookStack

ouunt | AboutUs | Advert J By Agozunt Ato ERIMETER | WATCH sitive (ay orate é: Bugtraq | Mailing Lists | Library & NEWS a New York Times Internal Network Hacked How open proxies and default passwords led to Adrian Lamo padding his tolodex with information on 3,000 op-ed writers, from William F. Buckley dr. to Jimmy Carter, By Kevin Poulsen Feb 26 1980 4:15PM PT Security holes in the New York Times internal network left sensitive databases exposed to hackers, including a file containing Social Security numbers and home phone numbers for contributors to the Times op-ed page, SecurityFocus Online has learned. In a two-minute scan performed on a whim, twenty-one-year-old hacker and sometimes-security consultant Adrian Lamo discovered no less than seven misconfigured proxy servers acting as doorways between the public Internet and the Times' private intranet, making the latter accessible to anyone capable of properly configuring their Web browser. "The very first server | looked at was running an open proxy," says Lamo. “The server practically approached me." Once on the newspaper's network, Lamo exploited weaknesses in the Times password policies to broaden his access, eventually browsing such disparate information as the names and Social Security numbers of the . paper's employees, logs of home delivery customers’ stop and start orders, instructions and computer dia!-ups for stringers to file stories, lists of contacts used by the Metro and Business desks, and the "WireWatch" keywords particular reporters had selected for monitoring wire services. _—— pone, Adcian Lamo does most af his hacking ‘aith an ordinary Web brovwier, But measured by sheer star power, the hack is most notable for Lamo's access to a database of 3,000 contributors to the Times op-ed page, the august soap box of the cultural elite and politically powerful. The roster includes Social Security numbers for former U.N. weapons inspector Richard Butler, Democratic operative James Carville, ex-NSA chief Bobby Inman, Nannygate veteran Zoe Baird, former secretary of state James Baker, Internet policy thinker Larry Lessig, and thespian activist Robert Redford, who Jast May authored an op-ed on President Bush's environmental policies. Fniries with home telenhone numbers include | awrence Walsh. William F. http://online.security focus.com/news/342 -1 -1 NEWS New York Times Internal Network Hacked Feb 26 Software That Asks ‘Who Goes There?’ Feb 26 MP3 Files Not Always Safe Feb 25 FAA: Air Traffic Control Holes Plugged Feb 21 {more...] COMMENTARY GREENE: MS to force IT-security censorship Nov 02 LEVY: Security in an Open Electronic Society Oct 21 i.) symantec LEVY: The Blind Leading the Blind Aug 30 LEVY: Full Disclosure is a necessary evil 2127102 . FBI(19-cv-1495)-1614