Hacker Tinkering With Yahoo Stories
Lifter writes "A hacker named Adrian Lamo had access for three weeks to the web-based content control system for Yahoo!'s news section, according to a story at SecurityFocus. He tinkered with a couple of stories without anyone noticing, then edited an August Reuters story about Dmitry Sklyarov, so that it said that Dmitry's program raised "the haunting specter of inner-city minorities with unrestricted access to literature, and through literature, hope." He also added a quote by John Ashcroft, "They shall not overcome. Whoever told them that the truth shall set them free was obviously and grossly unfamiliar with federal law." Funny stuff in itself, but the SecurityFocus story explores the harm that could come from a trusted news site being easily hacked in these times."
I had a hard time connecting. ;-)
Here's the original article. (Undoctored, I promise.)
Yahoo! News hacked
Hacker tinkers with news articles undetected.
By Kevin Poulsen
September 18, 2001 4:25 PM PT
In a development that exposes grave risks of news manipulation in a time of crisis, a hacker demonstrated Tuesday that he could rewrite the text of Yahoo! News articles at will, apparently using nothing more than a web browser and an easily-obtained Internet address.
Yahoo! News, which learned of the hack from SecurityFocus, says it has closed the security hole that allowed 20-year-old hacker Adrian Lamo to access the portal's web-based production tools Tuesday morning, and modify an August 23rd news story about Dmitry Sklyarov, a Russian computer programmer facing federal criminal charges under the controversial Digital Millennium Copyright Act (DMCA).
Sklyarov created a computer program that cracks the copy protection scheme used by Adobe Systems' eBook software. His prosecution has come under fire by computer programmers and electronic civil libertarians who argue that the DMCA is an unconstitutional impingement on speech, and interferes with consumers' traditional right to make personal copies of books, movies and music that they've purchased.
Lamo tampered with Yahoo!'s copy of a Reuters story that described a delay in Sklyarov's court proceedings, so that the text reported, incorrectly, that the Russian was facing the death penalty.
The modified story warned sardonically that Sklyarov's work raised "the haunting specter of inner-city minorities with unrestricted access to literature, and through literature, hope."
The text went on to report that Attorney General John Ashcroft held a press conference about the case before "cheering hordes", and incorrectly quoted Ashcroft as saying, "They shall not overcome. Whoever told them that the truth shall set them free was obviously and grossly unfamiliar with federal law."
Lamo says he's had the ability to change Yahoo! News stories for three weeks, and made minor experimental changes to other stories that have since cycled off the site.
The hacker provided SecurityFocus with a screen shot showing an August 10th Reuters story about a Senate committee's report on the National Security Agency. The screen shot shows the story on Yahoo! News with a false quote attributed to the report: "Rebuilding the NSA is the committee's top priority. In partnership with AOL Time Warner, we fully expect to bring you a service you can't refuse."
According to Lamo, the NSA story remained on the portal for three days, before being cycled off.
He says he deliberately chose an old story Tuesday so it would be seen by few readers, while still demonstrating the vulnerability.
"Yahoo! takes security across its network very seriously, and we have taken appropriate steps to restrict unauthorized access to help ensure that we maintain a secure environment," said Kourosh Karimkhany, senior producer at Yahoo! News, in a statement. The company declined further comment.
'Subversion of Information Attack'
The hack highlights a risk that's troubled security experts since 1998, when a group called "Hacking for Girlies" defaced the web site of the New York Times, replacing the front page with a ramshackle tirade that criticized a Times reporter, and defended then-imprisoned hacker Kevin Mitnick.
"There's always been a concern that somebody would gain access to a news site and make more subtle changes," says Dorothy Denning, professor of Computer Science and director of the Georgetown Institute for Information Assurance at Georgetown University.
One year ago hackers modified a news story on the California Orange County Register web site to report that Microsoft founder Bill Gates had been arrested for hacking into NASA computers.
Experts warn that malicious corruption of content at a respected news source -- sometimes called a 'subversion of information attack' -- could have serious consequences during a crisis.
In the hours following the September 11th terrorist attacks on New York and Washington, millions turned to the Internet for information. Top news sites reported as many as 15 million unique users. Yahoo! reportedly had double the traffic that it received for the entire month of August.
"You can imagine someone changing lists of people who were on the planes, or reported missing, or all kinds of things that could cause a lot of grief," says Denning. "Or posting stories attributing attacks to certain people."
Lamo agrees, and says he's troubled that he had the power to modify news stories that day.
"At that point I had more potential readership than the Washington Post," says Lamo. "It could have caused a lot of people who were interested in the day's events a lot of unwarranted grief if false and misleading information had been put up."
Proxy problems
Yahoo! declined to comment on the specifics of the hack, but as described by Lamo, modifying the portal's news stories didn't require much hacking. He made the changes using an ordinary web browser, and didn't need to do so much as enter a password.
The culprit in this case was a trio of proxy web servers that bridged Yahoo!'s internal corporate network to the public Internet. By configuring a web browser to go through one of the proxies, anyone on the Internet could masquerade as a Yahoo! insider, says Lamo, winning instant trust from the company's web-based content management system.
The hacker criticized the web giant for not prioritizing security on the systems that allow editing and creation of news stories.
"There are more secure parts of their network," says Lamo. "It's more difficult to get into their advertising reporting statistics than their news production tools."
The hacker has a history of exposing the security foibles of corporate behemoths. Last year he helped expose a bug that was allowing hackers to take over AOL Instant Messenger (AIM) accounts. And in May, he warned troubled broadband provider Excite@Home that its customer list of 2.95 million cable modem subscribers was accessible to hackers.
Lamo's hobby is a risky one. Unlike the software vulnerabilities routinely exposed by 'white hat' hackers, the holes Lamo goes after are specific to particular networks, and generally cannot be discovered without violating U.S. computer crime law. With every hack, Lamo is betting that the target company will be grateful for the warning, rather than angry over the intrusion.
"I can't give you an exact answer why he does that," says Matthew Griffiths, a computer security worker and a long-time friend of Lamo. "He's kind of a superhero of the Internet."
"I agree that it's not the safest thing I could be doing with my time," says Lamo. "If they prosecute me, they prosecute me."
"Signing" content with MD5 would be pointless. If I were going to modify the content, I'd update the MD5 sum, too. You can't do that with PGP unless you've got the private key.
I like to play children's songs in minor keys.
"We're all sons of bitches now." --J. Robert Oppenheimer
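The point made in the comment above about an MD5 sum versus a PGP signature, as an added example that is not part of the original thread: an intruder with write access to stored content recomputes an unkeyed digest, but cannot recompute a value that depends on a secret held elsewhere. HMAC-SHA256 is swapped in here for the PGP signature because the Python standard library has no public-key signing; the key, story text and function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data. The key stands in for a PGP private key that is
# kept off the web-facing content system (an assumption of this example).
SIGNING_KEY = b"constructed-demo-key-kept-off-the-cms"
ORIGINAL = b"Court delays hearing in Sklyarov case."
TAMPERED = b"Court delays hearing in Sklyarov case. [altered text]"


def publish(body, key):
    """Editor side: store the story with an MD5 sum and a keyed tag."""
    return {
        "body": body,
        "md5": hashlib.md5(body).hexdigest(),
        "tag": hmac.new(key, body, hashlib.sha256).hexdigest(),
    }


def tamper(record, new_body):
    """Intruder with write access to the stored record but not the key.

    The MD5 sum needs no secret, so it is recomputed to match the new body.
    The keyed tag cannot be recomputed, so the stale value is left in place.
    """
    forged = dict(record)
    forged["body"] = new_body
    forged["md5"] = hashlib.md5(new_body).hexdigest()
    return forged


def verify_md5(record):
    return hashlib.md5(record["body"]).hexdigest() == record["md5"]


def verify_tag(record, key):
    expected = hmac.new(key, record["body"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record["tag"])


def demo():
    good = publish(ORIGINAL, SIGNING_KEY)
    bad = tamper(good, TAMPERED)
    return {
        "good_md5": verify_md5(good), "good_tag": verify_tag(good, SIGNING_KEY),
        "bad_md5": verify_md5(bad), "bad_tag": verify_tag(bad, SIGNING_KEY),
    }


if __name__ == "__main__":
    print(demo())
```

Unlike this HMAC stand-in, a PGP signature lets readers verify with only the public key, so the verifying side never holds anything that could be used to forge content.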
No, the Comet jetliners did NOT explode due to explosive decompression. That doesn't even make sense; it is sort of like saying a match burns because it combusts.
What happened with the Comet was a result of crack propagation and stress concentration.
Stress concentration (for those who don't already know) is a phenomenon that occurs when you have a discontinuity in a load bearing structure. Imagine a plate with a hole in it which is under load. The area of the plate away from the hole has a fairly constant stress that can be calculated with your "ideal" equations. As you get near the hole, however, the stress in the material increases; it is as if the hole literally concentrates the stress into that area, hence the name "stress concentration." The smaller the radius of the hole, the greater the stress concentration. In order to keep the stress in the material low, engineers will design things so that they have as large a radius as possible anywhere the geometry changes. Square corners are avoided, because at a perfectly sharp corner you have an infinitely small radius and therefore an infinite stress concentration. Take a look at the rounded corners and stress reliefs on some items around your home or office. The material around a sharp corner will fail under almost any load. At the point of cracks or tears you also have one of these "near infinite" stress concentrations. That is how the little sharp cut at the "tear here" location of potato chip bags and ketchup packets works.
Well, the engineers who made the Comet put in square windows, with those wonderful stress concentrators in the corners. As the aircraft was pressurized and depressurized it stressed the material and in the area around the corners of the window the stress was highly concentrated and the material failed... it cracked. And the crack is also a stress concentrator, so the crack grew with every cycle of pressurization and depressurization until the structural integrity of the airplane was compromised and the force caused by the pressure difference between the inside and outside of the aircraft "unzipped" it like someone opening a bag of chips. Cracks in aircraft structures still cause problems, but it doesn't cause the airplane to "explode" like something out of the movies. One or two sections of the skin may be peeled off, and the airplane decompresses "suddenly" (which is why it is called explosive) but the airplane doesn't just detonate. Some of you may remember back in the 1980s this happened at the intersection of a structural support and skin to a 737 headed to Hawaii and it lost 18 ft. of skin (and a flight attendant).
Could a bullet hole cause similar rapid crack propagation and sudden decompression? Not a clean one, the radius is too big. I suppose little star cracks could exist around the hole that could propagate, in theory; but I doubt the damage would ever be worse than that experienced by the aforementioned 737. I am familiar with aircraft conceptual design, but am not an expert on aircraft survivability so IANAEOAS, however I have never heard of any survivability enhancement programs that focus on preventing structural failure from projectile or fragmentation damage to the skin of pressurized aircraft. Structural failure is one of the rarest causes of military aircraft loss (fuel and propulsion systems are the big problems), and is not usually a high priority on increasing aircraft damage tolerance. Civilian aircraft structures are not sufficiently different to negate the usefulness of this historical data. Of the 34 modern airliners that were subjected to in-flight bombings, 56% survived; of those only 10 crashed because of structural failure. If anyone is interested in the effects of aircraft pressurization on enhancing damage, they can take a look at http://www.dtic.mil/ndia/aircraft/21.pdf. It is significant, but not what I suspect most people would imagine. My best guess is that any shot which punctures the skin will cause pressure loss. It would take a lucky shot in an older aircraft to unzip a portion of the skin, even then the aircraft would likely not be lost. A modern airliner with multiple load paths would be even harder to "unzip," maybe impossible without multiple penetrations. As I said, though, IANAEOAS, so if anyone does have specialized knowledge to the contrary I'd certainly like to see it. If no one does have any data or specialized knowledge in this area that contradicts this, then let's please stop rehashing this "bullets vs. aircraft" debate. Of course the smart thing would just be to use frangible bullets that won't penetrate.