Pengamanan Sistem Komputer Kasus Kejahatan Komputer

Oleh:

Nama NIM

: Lestia Habshary : J1F107024

DEPARTEMEN PENDIDIKAN NASIONAL UNIVERSITAS LAMBUNG MANGKURAT FAKULTAS MATEMATIKA DAN ILMU PENGETAHUAN ALAM PROGRAM STUDI S1-ILMU KOMPUTER BANJARBARU 2009

New York Times dihack

Adrian Lamo, 21 tahun berhasil menghack situs surat kabar New York. Menurutnya, ia telah menemukan tujuh server miskonfigurasi yang mengijinkan hacker untuk masuk ke jaringan rahasia surat kabar tersebut melalui situs publik. Ia dapat melakukan browsing nama dan nomor social security karyawan, order deliveri kustomer dan informasi kontak yang digunakan oleh para penulis dan editor pada meja Metro dan Business. Ia mengatakan dapat mengakses suatu database dari 3000 kontributor termasuk nomor Social Security bagi selebritis dan pejabat pemerintah. Menurut Lamo, yang pertama kali ia lakukan adalah menjalankan proxy terbuka. Lamo terfokus pada jaringan perusahaan, tes mengirim email ke autoresponder koran, pemusnahan alamat IP, dan akhirnya tersandung ke dalam Sub-jaringan yang dikontrol, antara lain, database yang berisi informasi tentang halaman editorial penulis. Banyak nama, nomor telepon dan alamat rumah terlampir, bersama dengan catatan bidang keahlian, sejarah pembayaran, dan editorial temperamen. Setelah melakukan sedikit browsing, Lamo menambahkan dirinya sendiri ke daftar, tanpa malu-malu memberikan nama lengkap dan nomor ponsel.. Setelah browsing sedikit, Lamo menambahkan dirinya sendiri ke daftar, tanpa malu-malu memberikan nama lengkap dan nomor ponsel. (Untuk keahliannya, ia menuliskan "komputer hacking, keamanan nasional, intelijen komunikasi."). Sementara di dalam jaringan internal, Lamo telah mendirikan lima nama fiktif identifikasi pengguna dan password di bawah Times account dengan LexisNexis, layanan berlangganan online yang menyediakan berita dan informasi lainnya untuk biaya. LexisNexis dimiliki oleh konglomerat media Reed Elsevier NV.

1. Owner dalam kasus ini adalah perusahaan New York Times. Asset yang dilindungi adalah database yang berisi halaman editorial penulis, data-data contributor, selebritis, dan pejabat pemerintah Threat agent: seorang konsultan security paruh waktu dari San Francisco, Adrian Lamo. Threats: Hacker dapat mengakses data melalui server yang miskonfigurasi dan melihat data-data pribadi perusahaan. Risk: Karena hacker dapat mengakses data-data pribadi dan dapat manambah, mengedit, dan menghapus data, data dalam database menjadi tidak dapat diyakini benar-benar asli, pihak New York Times juga mengalami kerugian materil. Countermeasure: karyawan harus memiliki username dan password untuk mengakses data. Vulnarebilities: terdapat tujuh server miskonfigurasi yang menjadi pintu penghubung antara situs publik dan jaringan rahasia New York Times. 2. Aspek-aspek keamanan: Dalam database New York Times terdapat Privacy atau segala sesuatu yang bersifat kerahasiaan pribadi, yang dilindungi. New York times menggunakan username dan password untuk masuk ke dalam situs pribadinya,sehingga yang bias menambah, mengedit, dan menghapus data adalah orangorang yang mempunyai hak (aspek integritas). 3. Security gagal karena masih terdapat server yang miskonfigurasi sehingga masih dapat diakses oleh situs publik. Akibatnya hacker dapat mengakses data yang seharusnya hanya boleh dilihat oleh pihak karyawan New York Times.

Hacker Jebol New York Times Adrian Lamo, 21 tahun seorang konsultan security paruh waktu dari San Francisco mengatakan ia telah menghack situs surat kabar New York Time dan pengintaian beberapa kali kira-kira 10 hari lebih awal. Sedikitnya ia menemukan tujuh server miskonfigurasi yang mengijinkan hacker masuk jaringan rahasia surat kabar tersebut melalui situs publik. Ia mengatakan ia dapat browsing melalui nama dan nomor social security karyawan surat kabar, order deliveri kustomer dan informasi kontak yang digunakan oleh para penulis dan editor pada meja Metro dan Business. Ia mengatakan dapat mengakses suatu database dari 3000 kontributor termasuk nomor Social Security bagi selebritis dan pejabat pemerintah. Christine Mohan, seorang juru bicara New York Times mengjelaskan hari Rabu bahwa SecurityFocus web site telah memberitahukan surat kabar tersebut akan kemungkinan pelanggaran security. Mohan mengatakan ia tidak dapat mengomentari klaim Lamo secara khusus tentang informasi apa yang ia dapat akses karena kami sedang menentukan informasi apa yang telah diekspos. Investigasi sedang berlangsung. Kami melakukan security sangat serius, sehingga diperlukan banyak perhatian terhadap masalah tersebut saat ini, ujar Mohan seperti dilansir CNN, Kamis (28/02/02). (ya2n)

Adrian Lamo admits hacking into New York Times database A 22-year-old California man pleaded guilty today to hacking into The New York Times Co.'s computer network and entering a database containing personal information about Op-Ed page contributors

Adrian Lamo, who turned himself in to federal authorities in Sacramento in September (see story), pleaded guilty to one count of computer damage that resulted in more than $5,000 in losses to The New York Times. Under a plea deal reached with federal prosecutors, Lamo agreed to serve a prison term of between six months and one year. However, it will be up to the judge to determine his punishment during a sentencing hearing set for April 8. "I knew I crossed the line. ... I am genuinely remorseful," he said during his plea hearing in a Manhattan federal court. The charge accuses him of hacking into The New York Times' internal computer network between February and April of 2002 and accessing a database containing personal information, including home telephone numbers and Social Security numbers for more than 3,000 contributors to the newspaper's Op-Ed page. After accessing the system (see story), Lamo entered his name, his cellular telephone number -- (415) 505-HACK -- and a description of his areas of expertise as "computer hacking, national security, communications intelligence." While inside the internal network, Lamo had set up five fictitious user identification names and passwords under the Times' account with LexisNexis, an online subscription service that provides news and other information for a fee. LexisNexis is owned by media conglomerate Reed Elsevier NV. Prosecutors said Lamo used those names to conduct more than 3,000 searches on LexisNexis, with some of those searches for news stories about himself. When he was first charged in September, authorities said he had run up some $300,000 in bills. In February, Lamo had admitted on a Web site, SecurityFocus.com, that he had broken into the New York Times network and described in detail how he carried out the intrusion, prosecutors said. According to the government, he has also admitted to other intrusions in print and online articles, including entering the networks of large corporations such as Microsoft Corp., Cingular Wireless and Yahoo Inc.

New York Times Internal Network Hacked Kevin Poulsen, SecurityFocus 2002-02-26 How open proxies and default passwords led to Adrian Lamo padding his rolodex with information on 3,000 op-ed writers, from William F. Buckley Jr. to Jimmy Carter. Security holes in the New York Times internal network left sensitive databases exposed to hackers, including a file containing Social Security numbers and home phone numbers for contributors to the Times op-ed page, SecurityFocus Online has learned. In a two-minute scan performed on a whim, twenty-one-year-old hacker and sometimes-security consultant Adrian Lamo discovered no less than seven misconfigured proxy servers acting as doorways between the public Internet and the Times' private intranet, making the latter accessible to anyone capable of properly configuring their Web browser.

"The very first server I looked at was running an open proxy," says Lamo. "The server practically approached me." Once on the newspaper's network, Lamo exploited weaknesses in the Times password policies to broaden his access, eventually browsing such disparate information as the names and Social Security numbers of the paper's employees, logs of home delivery customers' stop and start orders, instructions and computer dial-ups for stringers to file stories, lists of contacts used by the Metro and Business desks, and the "WireWatch" keywords particular reporters had selected for monitoring wire services. But measured by sheer star power, the hack is most notable for Lamo's access to a database of 3,000 contributors to the Times op-ed page, the august soap box of the cultural elite and politically powerful. The roster includes Social Security numbers for former U.N. weapons inspector Richard Butler, Democratic operative James Carville, ex-NSA chief Bobby Inman, Nannygate veteran Zoe Baird, former secretary of state James Baker, Internet policy thinker Larry Lessig, and thespian activist Robert Redford, who last May authored an op-ed on President Bush's environmental policies. Entries with home telephone numbers include Lawrence Walsh, William F. Buckley Jr., Jeanne Kirkpatrick, Rush Limbaugh, Vint Cerf, Warren Beatty and former president Jimmy Carter. The database includes details on contributors' areas of expertise and what books they've written, and the odd note on how easily they succumb to editing or how much they were paid. Lamo notified the Times of the vulnerabilities Tuesday through a reporter, and provided them with a list of the open proxies. In a statement, a spokesperson for the paper said the Times takes security "very seriously." "We are actively investigating a potential security breach," wrote Times spokesperson Christine Mohan. "Based on the results of this investigation we will take appropriate steps to ensure the security of our network." Hacker's Helpful HistoryAdrian Lamo has built an unusual reputation exposing security holes at large corporations, then voluntarily helping them fix the vulnerabilities he exploited -- sometimes visiting their offices or signing non-disclosure agreements in the process. In December, Lamo was praised by communications giant WorldCom after he discovered, then helped close, security holes in their intranet that threatened to expose the private networks of Bank of America, CitiCorp, JP Morgan, and others. In September, the hacker used a vulnerable Web-based production tool to tamper with a wire service story on

Yahoo! News, deliberately choosing an old story to minimize the impact. The hacker professes relief at discovering that the Times intranet afforded him no similar opportunity to modify stories in the paper's print edition, without clearing human hurdles in the Times editorial process. "It's really better for everybody if the New York Times has the ability to runs something unusually every now and then without people checking it for my writing style," says Lamo. The newspaper's public Web site -- the target of a high-profile defacement in 1998 -- is outsourced, and wasn't affected by the vulnerabilities. Privacy Concerns Lamo says he began his excursion at a proxy in the Times home delivery department and scanned the newspaper's IP address range for Web servers. "The proxy was on a different network, dealing with management of subscription information, but it was trusted by their internal network," says Lamo. He quickly found the intranet homepage, and an unprotected copy of a database that cataloged employees' names and Social Security numbers. "From what I've been able to tell, it was a backup database being used for research." Armed with that information, the hacker could use the intranet account of any employee that hadn't changed their password from the default -- the last four digits of the person's Social Security number. One of those belonged to a worker that had the power to create new accounts, so Lamo set up his own account on the network with higher privileges. From there, it was a short hop to the op-ed database. "This is sort of a situation where security and privacy intersect," says David Sobel, an attorney with the Electronic Privacy Information Center (EPIC). "One of the concerns with the online availability of personal information is the lack of security that often surrounds those kinds of systems... There's an ethical obligation to protect this data, given the harm that can result in the form of identity theft from obtaining a Social Security number." This isn't the first time personal information on the rich and powerful has been compromised by weak network security. One year ago, anti-globalization hackers penetrated a database maintained by the World Economic Forum, and downloaded similar data on attendees of the group's summit on global economic trends in Davos, Switzerland, including Bill Gates, Bill Clinton, South African President Thabo Mbeki and Japanese Prime Minister Yoshiro Mori. But with the Times hack Lamo may have gone one better. Rather than merely crossing the information wake left by the elite, Lamo says he actually joined their ranks, creating his own entry in the 'L' section of the Times database, complete with his real name, cell phone number, and email address. In the space set aside for a description of the contributor's expertise, Lamo wrote, "Computer hacking, national security, communications intelligence."