SecurityFocus 2001-09-18
Hacker tinkers with news articles undetected.
Yahoo! News, which learned of the hack from SecurityFocus, says it has closed the security hole that allowed 20-year-old hacker Adrian Lamo to access the portal's web-based production tools Tuesday morning, and modify an August 23rd news story about Dmitry Sklyarov, a Russian computer programmer facing federal criminal charges under the controversial Digital Millennium Copyright Act (DMCA).
Sklyarov created a computer program that cracks the copy protection scheme used by Adobe Systems' eBook software. His prosecution has come under fire by computer programmers and electronic civil libertarians who argue that the DMCA is an unconstitutional impingement on speech, and interferes with consumers' traditional right to make personal copies of books, movies and music that they've purchased.
Lamo tampered with Yahoo!'s copy of a Reuters story that described a delay in Sklyarov's court proceedings, so that the text reported, incorrectly, that the Russian was facing the death penalty.
The modified story warned sardonically that Sklyarov's work raised "the haunting specter of inner-city minorities with unrestricted access to literature, and through literature, hope."
The text went on to report that Attorney General John Ashcroft held a press conference about the case before "cheering hordes", and incorrectly quoted Ashcroft as saying, "They shall not overcome. Whoever told them that the truth shall set them free was obviously and grossly unfamiliar with federal law."
Lamo says he's had the ability to change Yahoo! News stories for three weeks, and made minor experimental changes to other stories that have since cycled off the site.
The hacker provided SecurityFocus with a screen shot showing an August 10th Reuters story about a Senate committee's report on the National Security Agency. The screen shot shows the story on Yahoo! News with a false quote attributed to the report: "Rebuilding the NSA is the committee's top priority. In partnership with AOL Time Warner, we fully expect to bring you a service you can't refuse."
According to Lamo, the NSA story remained on the portal for three days, before being cycled off.
He says he deliberately chose an old story Tuesday so it would be seen by few readers, while still demonstrating the vulnerability.
"Yahoo! takes security across its network very seriously, and we have taken appropriate steps to restrict unauthorized access to help ensure that we maintain a secure environment," said Kourosh Karimkhany, senior producer at Yahoo! News, in a statement. The company declined further comment.
The hack highlights a risk that's troubled security experts since 1998, when a group called "Hacking for Girlies" defaced the web site of the New York Times, replacing the front page with a ramshackle tirade that criticized a Times reporter, and defended then-imprisoned hacker Kevin Mitnick.
"There's always been a concern that somebody would gain access to a news site and make more subtle changes," says Dorothy Denning, professor of Computer Science and director of the Georgetown Institute for Information Assurance at Georgetown University.
One year ago hackers modified a news story on the California Orange County Register web site to report that Microsoft founder Bill Gates had been arrested for hacking into NASA computers.
Experts warn that malicious corruption of content at a respected news source -- sometimes called a 'subversion of information attack' -- could have serious consequences during a crisis.
In the hours following the September 11th terrorist attacks on New York and Washington, millions turned to the Internet for information. Top news sites reported as many as 15 million unique users. Yahoo! reportedly had double the traffic that it received for the entire month of August.
"You can imagine someone changing lists of people who were on the planes, or reported missing, or all kinds of things that could cause a lot of grief," says Denning. "Or posting stories attributing attacks to certain people."
Lamo agrees, and says he's troubled that he had the power to modify news stories that day.
"At that point I had more potential readership than the Washington Post," says Lamo. "It could have caused a lot of people who were interested in the day's events a lot of unwarranted grief if false and misleading information had been put up."
Yahoo! declined to comment on the specifics of the hack, but as described by Lamo, modifying the portal's news stories didn't require much hacking. He made the changes using an ordinary web browser, and didn't need to do so much as enter a password.
The culprit in this case was a trio of proxy web servers that bridged Yahoo!'s internal corporate network to the public Internet. By configuring a web browser to go through one of the proxies, anyone on the Internet could masquerade as a Yahoo! insider, says Lamo, winning instant trust from the company's web-based content management system.
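The trust failure described above, modeled from the defender's side as an added Python example (not part of the original article and not Yahoo!'s code): it audits a proxy inventory for servers that accept outside clients while presenting an internal address, and contrasts address-only trust with a login requirement. The proxy names, addresses, rule sets and function names are all constructed assumptions.

```python
import ipaddress

# Constructed sample data: names and addresses are illustrative, not from the article.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

PROXIES = [
    # egress = address back-end applications see; allow_clients = who may connect
    {"name": "proxy-a", "egress": "10.1.1.10", "allow_clients": ["0.0.0.0/0"]},
    {"name": "proxy-b", "egress": "10.1.1.11", "allow_clients": ["10.0.0.0/8"]},
    {"name": "proxy-c", "egress": "10.1.1.12",
     "allow_clients": ["10.0.0.0/8", "198.51.100.0/24"]},
]


def exposed_proxies(proxies, internal_net=INTERNAL_NET):
    """Return (name, offending networks) for each proxy that accepts clients
    from outside internal_net while forwarding from an internal address."""
    findings = []
    for p in proxies:
        egress_internal = ipaddress.ip_address(p["egress"]) in internal_net
        outside = [n for n in p["allow_clients"]
                   if not ipaddress.ip_network(n).subnet_of(internal_net)]
        if egress_internal and outside:
            findings.append((p["name"], outside))
    return findings


def cms_trusts_by_address(peer_ip, internal_net=INTERNAL_NET):
    """Weak model: any request arriving from an internal address is an insider."""
    return ipaddress.ip_address(peer_ip) in internal_net


def cms_requires_login(peer_ip, authenticated_user, internal_net=INTERNAL_NET):
    """Corrected model: network position is necessary but not sufficient."""
    on_internal = ipaddress.ip_address(peer_ip) in internal_net
    return on_internal and authenticated_user is not None


if __name__ == "__main__":
    for name, nets in exposed_proxies(PROXIES):
        print(f"{name}: accepts clients from {', '.join(nets)}")
    # A request relayed by proxy-a reaches the CMS with the proxy's internal address.
    print("address-only trust grants access:", cms_trusts_by_address("10.1.1.10"))
    print("login required grants access:", cms_requires_login("10.1.1.10", None))
```

The audit flags the two proxies whose client rules reach beyond the internal range; the second model shows that requiring an authenticated session closes the gap even if such a proxy is missed.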
The hacker criticized the web giant for not prioritizing security on the systems that allow editing and creation of news stories.
"There are more secure parts of their network," says Lamo. "It's more difficult to get into their advertising reporting statistics than their news production tools."
The hacker has a history of exposing the security foibles of corporate behemoths. Last year he helped expose a bug that was allowing hackers to take over AOL Instant Messenger (AIM) accounts. And in May, he warned troubled broadband provider Excite@Home that its customer list of 2.95 million cable modem subscribers was accessible to hackers.
Lamo's hobby is a risky one. Unlike the software vulnerabilities routinely exposed by 'white hat' hackers, the holes Lamo goes after are specific to particular networks, and generally cannot be discovered without violating U.S. computer crime law. With every hack, Lamo is betting that the target company will be grateful for the warning, rather than angry over the intrusion.
"I can't give you an exact answer why he does that," says Matthew Griffiths, a computer security worker and a long-time friend of Lamo. "He's kind of a superhero of the Internet."
"I agree that it's not the safest thing I could be doing with my time," says Lamo. "If they prosecute me, they prosecute me."