[iwar] [fc:Hacker.tinkers.with.with.news.articles.undetected.]

From: Fred Cohen (fc@all.net)
Date: 2001-09-19 19:10:26


To: iwar@onelist.com (Information Warfare Mailing List)

[FC - Note the author of this article as well...]

Yahoo! News hacked
Hacker tinkers with news articles undetected.
By Kevin Poulsen
September 18, 2001 4:25 PM PT

In a development that exposes grave risks of news manipulation in a time
of crisis, a hacker demonstrated Tuesday that he could rewrite the text
of Yahoo! News articles at will, apparently using nothing more than a
web browser and an easily-obtained Internet address. 

Yahoo! News, which learned of the hack from SecurityFocus, says it has
closed the security hole that allowed 20-year-old hacker Adrian Lamo to
access the portal's web-based production tools Tuesday morning, and
modify an August 23rd news story about Dmitry Sklyarov, a Russian
computer programmer facing federal criminal charges under the
controversial Digital Millennium Copyright Act (DMCA). 

Sklyarov created a computer program that cracks the copy protection
scheme used by Adobe Systems' eBook software.  His prosecution has come
under fire by computer programmers and electronic civil libertarians who
argue that the DMCA is an unconstitutional impingement on speech, and
interferes with consumers' traditional right to make personal copies of
books, movies and music that they've purchased. 

Lamo tampered with Yahoo!'s copy of a Reuters story that described a
delay in Sklyarov's court proceedings, so that the text reported,
incorrectly, that the Russian was facing the death penalty. 

The modified story warned sardonically that Sklyarov's work raised "the
haunting specter of inner-city minorities with unrestricted access to
literature, and through literature, hope."

The text went on to report that Attorney General John Ashcroft held a
press conference about the case before "cheering hordes", and
incorrectly quoted Ashcroft as saying, "They shall not overcome. 
Whoever told them that the truth shall set them free was obviously and
grossly unfamiliar with federal law."

Lamo says he's had the ability to change Yahoo! News stories for three
weeks, and made minor experimental changes to other stories that have
since cycled off the site. 

The hacker provided SecurityFocus with a screen shot showing an August
10th Reuters story about a Senate committee's report on the National
Security Agency.  The screen shot shows the story on Yahoo! News with a
false quote attributed to the report: "Rebuilding the NSA is the
committee's top priority.  In partnership with AOL Time Warner, we fully
expect to bring you a service you can't refuse."

According to Lamo, the NSA story remained on the portal for three days,
before being cycled off. 

He says he deliberately chose an old story Tuesday so it would be seen
by few readers, while still demonstrating the vulnerability. 

"Yahoo! takes security across its network very seriously, and we have
taken appropriate steps to restrict unauthorized access to help ensure
that we maintain a secure environment," said Kourosh Karimkhany, senior
producer at Yahoo! News, in a statement.  The company declined further
comment. 

'Subversion of Information Attack'

The hack highlights a risk that's
troubled security experts since 1998, when a group called "Hacking for
Girlies" defaced the web site of the New York Times, replacing the front
page with a ramshackle tirade that criticized a Times reporter, and
defended then-imprisoned hacker Kevin Mitnick. 

"There's always been a concern that somebody would gain access to a news
site and make more subtle changes," says Dorothy Denning, professor of
Computer Science and director of the Georgetown Institute for
Information Assurance at Georgetown University. 

One year ago hackers modified a news story on the California Orange
County Register web site to report that Microsoft founder Bill Gates had
been arrested for hacking into NASA computers. 

Experts warn that malicious corruption of content at a respected news
source -- sometimes called a 'subversion of information attack' -- could
have serious consequences during a crisis. 

In the hours following the September 11th terrorist attacks on New York
and Washington, millions turned to the Internet for information.  Top
news sites reported as many as 15 million unique users.  Yahoo!
reportedly had double the traffic that it received for the entire month
of August. 

"You can imagine someone changing lists of people who were on the
planes, or reported missing, or all kinds of things that could cause a
lot of grief," says Denning.  "Or posting stories attributing attacks to
certain people."

Lamo agrees, and says he's troubled that he had the power to modify news
stories that day. 

"At that point I had more potential readership than the Washington
Post," says Lamo.  "It could have caused a lot of people who were
interested in the day's events a lot of unwarranted grief if false and
misleading information had been put up."

Proxy problems

Yahoo! declined to comment on the specifics of the hack,
but as described by Lamo, modifying the portal's news stories didn't
require much hacking.  He made the changes using an ordinary web
browser, and didn't need to do so much as enter a password. 

The culprit in this case was a trio of proxy web servers that bridged
Yahoo!'s internal corporate network to the public Internet.  By
configuring a web browser to go through one of the proxies, anyone on
the Internet could masquerade as a Yahoo! insider, says Lamo, winning
instant trust from the company's web-based content management system. 

The hacker criticized the web giant for not prioritizing security on the
systems that allow editing and creation of news stories. 

"There are more secure parts of their network," says Lamo.  "It's more
difficult to get into their advertising reporting statistics than their
news production tools."

The hacker has a history of exposing the security foibles of corporate
behemoths.  Last year he helped expose a bug that was allowing hackers
to take over AOL Instant Messenger (AIM) accounts.  And in May, he
warned troubled broadband provider Excite@Home that its customer list of
2.95 million cable modem subscribers was accessible to hackers. 

Lamo's hobby is a risky one.  Unlike the software vulnerabilities
routinely exposed by 'white hat' hackers, the holes Lamo goes after are
specific to particular networks, and generally cannot be discovered
without violating U.S.  computer crime law.  With every hack, Lamo is
betting that the target company will be grateful for the warning, rather
than angry over the intrusion. 

"I can't give you an exact answer why he does that," says Matthew
Griffiths, a computer security worker and a long-time friend of Lamo. 
"He's kind of a superhero of the Internet."

"I agree that it's not the safest thing I could be doing with my time,"
says Lamo.  "If they prosecute me, they prosecute me."

------------------
http://all.net/ 
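
Added example, not part of the original article and not Yahoo!'s code: a small Python model of the trust failure described under "Proxy problems", where a content system trusts any connection that arrives from an internal address and an unrestricted proxy lends that address to outside clients. All addresses and function names are constructed for illustration; the model shows that either restricting who may use the proxy or requiring a login at the content system closes the path.

```python
import ipaddress

# Constructed address plan (assumption, not taken from the article).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
PROXY_INTERNAL_ADDR = "10.0.5.20"  # address the proxy uses toward the intranet


def proxy_accepts(client_ip, restrict_clients):
    """Forward-proxy ACL: an unrestricted proxy relays for any client."""
    if not restrict_clients:
        return True
    return ipaddress.ip_address(client_ip) in INTERNAL_NET


def cms_allows_by_network(peer_ip):
    """Weak model: any connection from an internal address is trusted."""
    return ipaddress.ip_address(peer_ip) in INTERNAL_NET


def cms_allows_by_session(peer_ip, session_user, editors):
    """Hardened model: internal origin is necessary but never sufficient."""
    return cms_allows_by_network(peer_ip) and session_user in editors


def edit_permitted(client_ip, via_proxy, restrict_clients, require_login,
                   session_user=None, editors=frozenset()):
    """Return True if an edit request reaching the content system is accepted."""
    if via_proxy:
        if not proxy_accepts(client_ip, restrict_clients):
            return False
        # The content system sees the proxy's address, not the real client's.
        peer_ip = PROXY_INTERNAL_ADDR
    else:
        peer_ip = client_ip
    if require_login:
        return cms_allows_by_session(peer_ip, session_user, editors)
    return cms_allows_by_network(peer_ip)


if __name__ == "__main__":
    outside = "203.0.113.7"  # constructed external client (documentation range)
    print("direct, no login      :", edit_permitted(outside, False, False, False))
    print("open proxy, no login  :", edit_permitted(outside, True, False, False))
    print("proxy ACL, no login   :", edit_permitted(outside, True, True, False))
    print("open proxy, login req.:", edit_permitted(outside, True, False, True))
```
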
