CIS 625 Web Tech Related Articles- 6

Yahoo news hacking highlights quiet danger

SAN JOSE, California (AP) -- The dangers of Internet worms and viruses are well known, but security experts are warning of a more pernicious and potentially more damaging kind of attack -- the manipulation of content on trusted Web sites.

Last week, Yahoo was alerted by security intelligence company SecurityFocus.com that a hacker had rather easily entered Yahoo's news pages and inserted phony quotes and wrong information on stories.

The hacker, 20-year-old Adrian Lamo of San Francisco, says he wanted to show Yahoo! Inc. that it needed to fix what he considers a basic mistake in its network setup.

Yahoo said it has taken steps to solve the problem. Nevertheless, the incident highlights how vulnerable the Internet could be as a tool for quickly spreading misinformation.

That premise could be dangerous, considering the sensitivity of the news surrounding the September 11 terrorist attacks and their aftermath.

Yahoo, which claims to have 200 million registered users, is one of the Internet's most popular sources of information. The company aggregates information from several news providers, including The Associated Press.

"A lot of attention has been given to the fact that data is stolen, but not necessarily that the integrity has been altered," said Elias Ladopoulos, a former hacker.

"Any hacker, given enough skill, can change the content to produce whatever they like," Ladopoulos said. "Once content gets out on the Internet, it's pretty hard to retract that."

Bruce Schneier, chief technology officer at Counterpane Internet Security in Cupertino, said he expects a new wave of such incidents. He calls them "semantic attacks," or assaults on meaning, rather than on computer networks themselves.

With network administrators improving their detection of viruses, worms and other threats, Schneier said some hackers will resort to subtle tactics that play off people's tendency to believe everything they read.

News organizations' sites have been defaced by boastful hackers before, but the changing of their content is a more damaging assault on their credibility.

Last year, someone broke into the Orange County Register's Web site and replaced the name of an arrested hacker with that of Microsoft Corp. chairman Bill Gates.

Last Wednesday, someone put a false story on the site of the Daily Californian, the student newspaper at the University of California, Berkeley. The bogus piece said the paper's editors had apologized for a controversial political cartoon.

Lamo said he was troubled by how easily he got access to Yahoo's news pages. He exploited a flaw that let its corporate network be tricked into thinking it was communicating with an internal computer.

He also said he believes other parts of Yahoo's site and other Internet content providers are vulnerable in similar ways, with video archives and stock prices subject to being manipulated.

In particular, Lamo tinkered with an August 23 story by the Reuters news agency about Dmitry Sklyarov, the Russian computer programmer charged with circumventing copyrights on Adobe Systems Inc. software.

The converted piece said Sklyarov could face the death penalty if convicted (the real maximum is five years in prison), and included a fake quote from Attorney General John Ashcroft.

Lamo said he had doctored quotes in other Reuters articles, but Yahoo said it could not confirm Lamo had altered more than one story.

Yahoo released a statement saying it had taken "appropriate steps to block unauthorized access to help ensure that we maintain a secure environment."

Reuters spokeswoman Nancy Bobrowitz said Yahoo has given the agency "strong assurances" that its news pages could not be hacked again.

Copyright 2001 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.

Associated Press Notice

Associated Press text, photos, graphics, audio and/or video materials shall not directly or indirectly be published, rewritten for broadcast or publication or redistributed in any medium. Neither these AP materials nor any portion thereof may be stored in a computer except for personal and non-commercial use. Subscriber does not hold the AP liable for any delays, inaccuracies, errors or omissions therefrom or in the transmission or delivery of all or any part thereof or for any damage arising from any of the foregoing.

Copyright 1999 Associated Press. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.

Source: http://www.cnn.com/2001/TECH/internet/09/25/yahoo.hacked.ap/index.html