Hacker penetrates N.Y. Times' network

In an e-mail interview Wednesday with CNET News.com, Lamo described the attack, saying he viewed employee records--including Social Security numbers--and accessed the contact information for the paper's sources and columnists, including such well-known contributors as former U.S. President Jimmy Carter, former Marine Col. Oliver North and hip-hop artist Queen Latifah.

Lamo even added himself as a contact as a "computer hacking, national security and communications intelligence" specialist.

"This raises some questions about their handling of the data the company receives," Lamo said. "But in terms of the overall impact on the Times, it's an order of magnitude less than it could have been if people had been able to alter content" on the newspaper's public Web site, NYTimes.com.

On Wednesday, the publishing giant confirmed that the security of the internal network of its flagship newspaper had been breached. New York Times Co. spokeswoman Christine Mohan said the newspaper had addressed the security flaws, though it is still trying to determine what information was accessed and when the intrusion took place.

The security breach is the latest by Lamo, whose hack-and-tell exploits include breaking into WorldCom in December, Microsoft in October, Yahoo in September and Excite@Home in May.

Although Lamo's activities are well known, his intrusions have not resulted in any charges being filed against him. In every case, he has convinced targets that his intentions are good, notifying companies of breaches before going public. His targets have not necessarily welcomed the bad news, but his actions have allowed them to bolster their security.

The New York Times Co. would not say whether it is considering prosecuting Lamo. "Right now, we are focusing on investigating the situation," said Mohan. "We are determining what our next step will be in terms of dealing with this hacker, this security breach."

Like his wanderings in WorldCom, Lamo searched the New York Times site for open proxy servers. These computers, normally used by a company to filter data on an Internet connection, in this case had been installed on a Web server by accident when the server had been configured.

He said that only got him a foot in the door.

"A great deal of attention is paid to the role of the proxy servers in this compromise and ones like it," he said. "A proxy server, once located, delivers me to the same level of access as any random employee."

To be able to wander around the network virtually, he had to figure out the network structure, how to authenticate himself to the network, the workings of the internal proprietary systems, and how to make those work in ways they weren't intended.

"Scanning for proxies is easy," he said. "A total outsider figuring out how to run a network remotely is pretty much a self-administered IT orientation course on meth."

Lamo said that after he gained access to the proxy server, he mistakenly typed a wrong URL for an internal Web site and got a helpful nudge from an internal server on how to access the network.

Although it seemed that he had access to a heap of uninteresting data at first, he soon found a way to pose as another user--an administrative assistant--and expand his access. He then had the ability to create a new account, search and edit the freelancer lists, find out which laptops were assigned to which writers, and even view a list of salaries.

He then contacted Internet security site SecurityFocus and told it of the breach. The site contacted The New York Times, which closed the holes before publishing a story late Tuesday.

Lamo said he had no particular reason for going after the newspaper's network.

"I did what came naturally to me," he said. "I don't have any rationale or explanation or justification that I'm trying to sell about this to make it all OK.

"I recognize that some people will see my actions as illegal, immoral or worse...I've done my best to act in good faith and avoid harm to the company and employees involved," he added.