Adrian Lamo — Part 3
http://www.newsbytes.com/ogi, ud...client.id-newsbytes&story.id=174792
New York Times Intranet, Source Database Hacked
The New York Times' corporate Intranet and Web-based applications that handle
everything from payroll accounts to the newsroom's source database were penetrated
by a freelance security researcher this week using nothing more than a Web browser,
Newsbytes has learned.
By Brian Krebs, Newsbytes
WASHINGTON, D.C., U.S.A.,
26 Feb 2002, 7:52 PM CST
The discovery was made by 21-year-old Adrian Lamo, a white-hat hacker known for tracking down
and alerting Fortune 500 companies that employ lackluster or non-existent security measures on
their Web sites.
The internal Web site included pages with detailed instructions for stringers and correspondents on
how to file from the field, complete with dial-in modem numbers and accounts. The intranet also lists
each Times employee's contact information, as well as their Social Security numbers.
According to screenshots obtained by Newsbytes, the Times’ own “Everyone, Everywhere” newsroom
contact database was also available via the corporate Intranet. The database contains phone
numbers and contact information for such household names as Yogi Berra, Warren Beatty, and
Robert Redford, as well as high-profile political figures - including Palestinian leader Yassir Arafat
and Secretary of State Colin Powell.
The source database also contains Social Security numbers for all of the Times' guest op-ed writers,
including Democratic operative James Carville and Internet policy guru Lawrence Lessig. Also
spotted in the file were entries for William F. Buckley Jr., Rush Limbaugh, Microsoft founder Bill
Gates, and New York Mayor Michael Bloomberg.
In September 1998, a hacker group known as "Hacking for Girlies" broke into the New York Times
Web site, replacing the main page with its insignia and a lengthy diatribe against New York Times
technology columnist John Markoff for his book "Takedown," which the group said painted an
inaccurate picture of hacker icon Kevin Mitnick.
The New York Times subsequently moved the servers for its public Web sites to a more secure
Internet address block.
But the company left many Web pages created for use by employees and field reporters open to just
about anyone curious enough to look for them, Lamo said.
Times spokeswoman Christine Mohan confirmed that the company is "actively investigating a
potential security breach."
"The New York Times Company takes the security of its network very seriously," Mohan said. "Based
on the results of this investigation, we will take appropriate steps if necessary to ensure the security
of our network."
Lamo located the internal network after querying publicly accessible Internet address records for
mail servers on the New York Times address space, armed with the knowledge that e-mail is often
processed by the same systems and networks that manage a corporation's firewall.
Lamo gained access to the network using Web proxies located on the network. Proxies are machines
that allow users to route through - or into - networks, often skirting past firewalls. The whole
process from search to discovery took less than two minutes.
“It struck me as being a part of their network more likely to be placed in a trusted location,” he said.
FBI(19-cv-1495)-163
2/21/02 8:36 AM