Security holes closed in New York Times intranet after hacker intrusion

Computerworld - Security holes in the intranet of The New York Times Co. have been patched following an intrusion by a 21-year-old hacker who peered into the company's databases earlier this month using Web browsers.
The hacker, Adrian Lamo, a self-described security consultant in San Francisco, said he found the holes Feb. 15 while browsing various Internet sites he chose at random.
By going through proxy servers and "figuring out the network and organizational structure," Lamo said he was able to access the company's databases in the intranet that included subscriber names and correspondence, editorial contact names, addresses and phone numbers, as well as Social Security numbers and other information about new employees. No credit card information was available, he said. The New York Times newspaper's Web site wasn't affected.
After finding the holes and the information, Lamo, who is known for previous excursions into the Web sites of companies including WorldCom Inc. (see story) and the former Excite@Home, said he contacted an intermediary at security firm SecurityFocus in San Mateo, Calif., to help him report the information to the newspaper. The paper was notified of the intrusion yesterday, Lamo said.
Toby Usnik, a Times spokesman, confirmed that the company had been notified of the security breach and has since fixed the holes that allowed Lamo to enter the intranet.
"We're continuing to investigate to ensure the security of the network," Usnik said. "At this point, we're determining what information may have been exposed. We take these kinds of potential security flaws very seriously."
Usnik wouldn't comment on what other actions might be taken by the company in connection with the incident.
Among the information Lamo said he viewed within the intranet were the home phone numbers for conservative political commentators Rush Limbaugh and Oliver North, who was a key figure in the Iran-Contra hearings during the 1980s.
While in the address database, Lamo said, he entered his own contact information along with a note describing himself as a security consultant. "It was more of a whim than anything else," he said. "It just came naturally to me while I was there."
Lamo said he didn't post notices of his penetration of the Times intranet on any public security forums and waited until the newspaper fixed the holes before going public with the information.
Lamo said he's not trying to find such holes to make corporate computing safer but rather follows his interests to see what he can find. "There was no motive behind the act. I realize that some people will