Security holes in the intranet of the New York Times Co. have been patched following an intrusion by a 21-year-old hacker who peered into the company's databases earlier this month using Web browsers.
The hacker, Adrian Lamo, a self-described security consultant in San Francisco, said he found the holes Feb. 15 while browsing various Internet sites he chose at random.
By going through proxy servers and "figuring out the network and organizational structure," Lamo said, he was able to access Times databases in the intranet that included subscriber names and correspondence, editorial contact names, addresses and phone numbers, as well as Social Security numbers and other information about new employees. No credit card information was available, he said. The New York Times newspaper's Web site was not affected.
After finding the holes and the information, Lamo, who is known for previous excursions into the Web sites of companies, including WorldCom Inc. and the former Excite@Home, said he contacted an intermediary at security firm SecurityFocus in San Mateo, California, to help him report the information to the newspaper. The paper was notified of the intrusion yesterday, Lamo said.
Toby Usnik, a Times spokesman, confirmed that the company had been notified of the security breach and has since fixed the holes that allowed Lamo to enter the intranet.
"We're continuing to investigate to ensure the security of the network," Usnik said. "At this point, we're determining what information may have been exposed. We take these kinds of potential security flaws very seriously."
Usnik wouldn't comment on what other actions might be taken by the company in connection with the incident.
Among the information Lamo said he viewed within the intranet were the home phone numbers for conservative political commentators Rush Limbaugh and Oliver North, who was a key figure in the Iran-Contra hearings during the 1980s.
While in the address database, Lamo said, he entered his own contact information along with a note describing himself as a security consultant. "It was more of a whim than anything else," he said. "It just came naturally to me while I was there."
Lamo said he didn't post notices of his penetration of the Times intranet on any public security forums and waited until the newspaper fixed the holes before going public with the information.
Lamo said he's not trying to find such holes to make corporate computing safer but rather follows his interests to see what he can find. "There was no motive behind the act. I realize that some people will see my actions as illegal, immoral or worse," he said. "It's not for me to contest them or try to win them over to the Adrian Lamo school of security."
Skepticism from outsiders about his actions is "understandable," he said. "Any motive that I could tack onto it would just be justification that would be invalid ... to someone somewhere. There's never been a real reason behind it."
Pete Lindstrom, an analyst with Framingham, Massachusetts-based Hurwitz Group Inc., said he's puzzled that network intrusions by hackers like Lamo are often met with inaction by the companies whose information is exposed. "There's a Robin Hood aspect to this for some reason," he said. WorldCom's reaction to Lamo's December attack was to thank him, rather than prosecute him, Lindstrom said.
"I would love to know what the New York Times' CEO thinks since WorldCom [and others] forced his hand" by not taking previous legal action against Lamo, Lindstrom said. "This is a wayward kid who doesn't realize the impact of his actions. They need to take away his notebook and give him some real work to do."