Like this article? We recommend
Like this article? We recommend
Like this article? We recommend
The Tunneling Scenario
In February, 2002, an article in the The Register reported that in a two-minute scan performed on a whim, 21-year-old hacker and sometimes security consultant Adrian Lamo discovered no less than seven misconfigured proxy servers acting as doorways between the public Internet and the New York Times' private intranet. These misconfigured proxy servers made the Times' private intranet accessible to anyone capable of properly configuring their web browser.
"The very first server I looked at was running an open proxy," says Lamo. "The server practically approached me!" The Register reported.
Lamo said he began his security scan at a proxy in the Times home delivery department and scanned the newspaper's IP address range for web servers. "The proxy was on a different network, dealing with management of subscription information, but it was trusted by their internal network," says Lamo. He quickly found the intranet home page and an unprotected copy of a database that catalogued employees' names and Social Security numbers. "From what I've been able to tell, it was a backup database being used for research."
Armed with that information, Lamo could use the intranet account of any employee who hadn't changed his or her password from the default—the last four digits of the user's Social Security number. One of those accounts belonged to a worker who had the power to create new accounts, so Lamo set up his own account on the network with higher privileges.
From there, it was a short hop to the op-ed database, where he found a file containing Social Security numbers and home phone numbers for contributors to the Times op-ed page. The roster includes Social Security numbers for former U.N. weapons inspector Richard Butler, Democratic operative James Carville, former NSA chief Bobby Inman, "Nannygate" veteran Zoe Baird, former secretary of state James Baker, Internet policy thinker Larry Lessig, and thespian activist Robert Redford, who last May authored an op-ed on President Bush's environmental policies.
Entries with home telephone numbers include Lawrence Walsh, William F. Buckley Jr., Jeanne Kirkpatrick, Rush Limbaugh, Vint Cerf, Warren Beatty, and former president Jimmy Carter. The database also included details on contributors' areas of expertise and what books they've written, and the odd note on how easily they succumb to editing or how much they were paid.
But with the Times hack Lamo may have gone one better. Rather than merely crossing the information wake left by the elite, Lamo says he actually joined their ranks, creating his own entry in the L section of the Times database, complete with his real name, cell phone number, and email address.
In the space set aside for a description of the contributor's expertise, Lamo wrote, "Computer hacking, national security, communications intelligence."