Features

SAN JOSE — The dangers of Internet worms and viruses are well known, but security experts are warning of a more pernicious and potentially more damaging kind of attack — the manipulation of content on trusted Web sites. 

Last week, Yahoo was alerted by security intelligence company SecurityFocus.com that a hacker had rather easily entered Yahoo’s news pages and inserted phony quotes and wrong information on stories. 

The hacker, 20-year-old Adrian Lamo of San Francisco, says he wanted to show Yahoo! Inc. that it needed to fix what he considers a basic mistake in its network setup. 

Yahoo said it has taken steps to solve the problem. Nevertheless, the incident highlights how vulnerable the Internet could be as a tool for quickly spreading misinformation. 

That premise could be dangerous, considering the sensitivity of the news surrounding the Sept. 11 terrorist attacks and their aftermath. 

Yahoo, which claims to have 200 million registered users, is one of the Internet’s most popular sources of information. The company aggregates information from several news providers, including The Associated Press. 

“A lot of attention has been given to the fact that data is stolen, but not necessarily that the integrity has been altered,” said Elias Ladopoulos, a former hacker who is launching a wireless security company in New York called Digital Frameworks. 

“Any hacker, given enough skill, can change the content to produce whatever they like,” Ladopoulos said. “Once content gets out on the Internet, it’s pretty hard to retract that.” 

Bruce Schneier, chief technology officer at Counterpane Internet Security in Cupertino, said he expects a new wave of such incidents. He calls them “semantic attacks,” or assaults on meaning, rather than on computer networks themselves. 

With network administrators improving their detection of viruses, worms and other threats, Schneier said some hackers will resort to subtle tactics that play off people’s tendency to believe everything they read. 

News organizations’ sites have been defaced by boastful hackers before, but the changing of their content is a more damaging assault on their credibility. 

Last year, someone broke into the Orange County Register’s Web site and replaced the name of an arrested hacker with that of Microsoft Corp. chairman Bill Gates. 

Last Wednesday, someone put a false story on the site of the Daily Californian, the student newspaper at the University of California, Berkeley. The bogus piece said the paper’s editors had apologized for a controversial political cartoon. 

Lamo said he was troubled by how easily he got access to Yahoo’s news pages. He exploited a flaw that let its corporate network be tricked into thinking it was communicating with an internal computer. 

He also said he believes other parts of Yahoo’s site and other Internet content providers are vulnerable in similar ways, with video archives and stock prices subject to being manipulated. 

In particular, Lamo tinkered with an Aug. 23 story by the Reuters news agency about Dmitry Sklyarov, the Russian computer programmer charged with circumventing copyrights on Adobe Systems Inc. software. 

The converted piece said Sklyarov could face the death penalty if convicted (the real maximum is five years in prison), and included a fake quote from Attorney General John Ashcroft. 

Lamo said he had doctored quotes in other Reuters articles that eventually expired from Yahoo’s news pages, though he kept images of how those stories appeared. Yahoo said it could not confirm Lamo had altered more than one story. 

Lamo alerted Yahoo to what he had done by telling SecurityFocus.com. Lamo said he did not inform Yahoo directly because “hackers contacting companies personally have a dismal success rate.” 

“I’d be gratified to see it bring about sweeping changes in network security,” he told the AP. 

Yahoo released a statement saying it had taken “appropriate steps to block unauthorized access to help ensure that we maintain a secure environment.” A spokesman would not elaborate, nor would he say whether the company would complain to federal authorities. 

The FBI said Monday it did not appear that a complaint has been filed, however. 

Reuters spokeswoman Nancy Bobrowitz said Yahoo has given the agency “strong assurances” that its news pages could not be hacked again. 

“They have taken it very seriously,” she said. “Our priority is to make sure subscribers are protecting the integrity of the news which we take such great care to produce. ... We are not aware of any other incidents where our content has been hacked.” 

Some security experts say the integrity of online information could be assured with more certainty if more companies would use digital signatures, which are based on a technology that makes a signature invalid if content is changed after it is sent. 

But the technology is not being widely implemented because it increases networks’ cost and complexity. 

And Schneier thinks digital signatures would only make the problem worse — he believes they are not as foolproof as advertised. He suggests companies use monitoring software that alerts network administrators when Web pages have been changed. 

——— 

On the Net: 

http://www.yahoo.com 

http://www.counterpane.com