Read Bennett Gold LLP's privacy policies and practices regarding this web site.
LINK TO: Bennett Gold LLP's Privacy Policies and Practices. E-CommerceALERT.com is part of the Bennett Gold LLP web site network.
LINK TO: Bennett Gold LLP, Chartered Accountants, home page.
LINK TO: E-CommerceALERT.com Home Page.
CLICK to GO BACK to Main Page.

Research and retrieval of news articles by Bennett Gold LLP, Chartered Accountants


SPECIAL NOTE TO ALL VISITORS:
Effective December 31, 2012, articles are no longer being updated on this web site.
The site is now maintained as an historical archive, covering articles from the period 1999 to 2012.


YAHOO! NEWS HACKED

Hacker tinkers with news articles undetected

Source: Security Focus

Posted on September 25, 2001

      In a development that exposes grave risks of news manipulation in a time of crisis, a hacker demonstrated last Tuesday that he could rewrite the text of Yahoo! News articles at will, apparently using nothing more than a web browser and an easily-obtained Internet address.

      Yahoo! News, which learned of the hack from SecurityFocus, says it has closed the security hole that allowed 20-year-old hacker Adrian Lamo to access the portal's web-based production tools Tuesday morning, and modify an August 23rd news story about Dmitry Sklyarov, a Russian computer programmer facing federal criminal charges under the controversial Digital Millennium Copyright Act (DMCA).

      Sklyarov created a computer program that cracks the copy protection scheme used by Adobe Systems' eBook software. His prosecution has come under fire by computer programmers and electronic civil libertarians who argue that the DMCA is an unconstitutional impingement on speech, and interferes with consumers' traditional right to make personal copies of books, movies and music that they've purchased.

      Lamo tampered with Yahoo!'s copy of a Reuters story that described a delay in Sklyarov's court proceedings, so that the text reported, incorrectly, that the Russian was facing the death penalty.

      The modified story warned sardonically that Sklyarov's work raised "the haunting specter of inner-city minorities with unrestricted access to literature, and through literature, hope."

      The text went on to report that Attorney General John Ashcroft held a press conference about the case before "cheering hordes", and incorrectly quoted Ashcroft as saying, "They shall not overcome. Whoever told them that the truth shall set them free was obviously and grossly unfamiliar with federal law."

      Lamo says he's had the ability to change Yahoo! News stories for three weeks, and made minor experimental changes to other stories that have since cycled off the site.

      The hacker provided SecurityFocus with a screen shot showing an August 10th Reuters story about a Senate committee's report on the National Security Agency. The screen shot shows the story on Yahoo! News with a false quote attributed to the report: "Rebuilding the NSA is the committee's top priority. In partnership with AOL Time Warner, we fully expect to bring you a service you can't refuse."

      According to Lamo, the NSA story remained on the portal for three days, before being cycled off.

      He says he deliberately chose an old story Tuesday so it would be seen by few readers, while still demonstrating the vulnerability. "Yahoo! takes security across its network very seriously, and we have taken appropriate steps to restrict unauthorized access to help ensure that we maintain a secure environment," said Kourosh Karimkhany, senior producer at Yahoo! News, in a statement. The company declined further comment.

Subversion of Information Attack

      The hack highlights a risk that's troubled security experts since 1998, when a group called "Hacking for Girlies" defaced the web site of the New York Times, replacing the front page with a ramshackle tirade that criticized a Times reporter, and defended then-imprisoned hacker Kevin Mitnick.

      "There's always been a concern that somebody would gain access to a news site and make more subtle changes," says Dorothy Denning, professor of Computer Science and director of the Georgetown Institute for Information Assurance at Georgetown University.

      One year ago hackers modified a news story on the California Orange County Register web site to report that Microsoft founder Bill Gates had been arrested for hacking into NASA computers.

      Experts warn that malicious corruption of content at a respected news source -- sometimes called a 'subversion of information attack' -- could have serious consequences during a crisis.

      In the hours following the September 11th terrorist attacks on New York and Washington, millions turned to the Internet for information. Top news sites reported as many as 15 million unique users. Yahoo! reportedly had double the traffic that it received for the entire month of August.

      "You can imagine someone changing lists of people who were on the planes, or reported missing, or all kinds of things that could cause a lot of grief," says Denning. "Or posting stories attributing attacks to certain people."

      Lamo agrees, and says he's troubled that he had the power to modify news stories that day.

      "At that point I had more potential readership than the Washington Post," says Lamo. "It could have caused a lot of people who were interested in the days events a lot of unwarranted grief if false and misleading information had been put up."

Proxy problems

      Yahoo! declined to comment on the specifics of the hack, but as described by Lamo, modifying the portal's news stories didn't require much hacking. He made the changes using an ordinary web browser, and didn't need to do so much as enter a password.

      The culprit in this case was a trio of proxy web servers that bridged Yahoo!'s internal corporate network to the public Internet. By configuring a web browser to go through one of the proxies, anyone on the Internet could masquerade as a Yahoo! insider, says Lamo, winning instant trust from the company's web-based content management system.

      The hacker criticized the web giant for not prioritizing security on the systems that allow editing and creation of news stories.

      "There are more secure parts of their network," says Lamo. "It's more difficult to get into their advertising reporting statistics than their news production tools."

      The hacker has a history of exposing the security foibles of corporate behemoths. Last year he helped expose a bug that was allowing hackers to take over AOL Instant Messenger (AIM) accounts. And in May, he warned troubled broadband provider Excite@Home that its customer list of 2.95 million cable modem subscribers was accessible to hackers.

      Lamo's hobby is a risky one. Unlike the software vulnerabilities routinely exposed by 'white hat' hackers, the holes Lamo goes after are specific to particular networks, and generally cannot be discovered without violating U.S. computer crime law. With every hack, Lamo is betting that the target company will be grateful for the warning, rather than angry over the intrusion.

      "I can't give you an exact answer why he does that," says Matthew Griffiths, a computer security worker and a long-time friend of Lamo. "He's kind of a superhero of the Internet."

      "I agree that it's not the safest thing I could be doing with my time," says Lamo. "If they prosecute me, they prosecute me."




CLICK to GO BACK to Main Page.

E-Commerce Alerts are issued by Bennett Gold LLP, Chartered Accountants as situations develop. Bookmark this site and check back often. Our e-mail address is: info@BennettGold.ca

In accordance with United States Code, Title 17, Section 107 and Article 10 of The Berne Convention on Literary and Artistic Works, the news clippings on this web site are made available without profit for research and educational purposes.


ALERT
ARCHIVES
Final Entries
2012
2011
2010
2009
2008
2007
2006
2005
2004
2003
2002
2001
2000
1999


LINK TO: Bennett Gold Chartered Accountants: A Licensed Provider of WebTrust Services.

WebTrust Is Your
Best Defense
Against
Privacy Breaches.

Get WebTrust
Working For
Your Site.