Hard Hacking Lesson From New York Times
BOSTON — Sunday, Sept. 13, was a busy day for The New York Times on the Web. Kenneth Starr's report had been posted on the Internet the Friday before, and people wanted information. By Saturday the Times Web site was already running about 35 percent above normal, and according to Times officials, Sundays are usually twice as busy as Saturdays.
Then something happened. The Times home page no longer carried all the virtual news fit to print. Instead, a page with numerous pornographic images greeted news-hungry visitors. The Times site had been hacked by a group posting information on the new home page that said they were supporters of a jailed computer hacker, Kevin Mitnick, whose arrest and imprisonment for computer-related fraud in 1995 had become a cause for the hacker community.
The group also singled out Times reporter John Markoff, who wrote "Takedown," a book detailing the hunt for the then-elusive Mitnick.
Times programmers sprang into action and put up a new home page. The hackers struck back. The battle for control of The New York Times on the Web raged for almost two hours.
Then, just like a well-known commercial on television, the Times decided to pull the plug and take down its entire site for nine hours. Days later, whole sections of the site, such as the archives and forums, were still offline.
A one-time occurrence? Perhaps.
An act of cyber-terrorism? Probably. The timing was too much of a coincidence. Whoever hacked the Times site knew a lot more people than usual would be visiting that day.
The real lesson of this incident, however, is that no matter how foolproof you think your cybersecurity is, it may still be vulnerable to an unauthorized takeover. Times officials aren't saying how the hackers entered their site. And most other programmers I talked to were reluctant to speculate about how the Times might have prevented this situation for fear of becoming a target themselves. Hackers, after all, love nothing so much as hearing that such and such a site can't be hacked. It's like throwing down a gauntlet.
My guess is that the group in question has known how to break into the Times site for a while and was waiting for the right moment to exploit that knowledge. (Almost all systems have back doors that experienced hackers can find, given enough time.) The interest in the Starr report gave them the large audience they wanted.
So is there anything that smaller Web sites with much less security can do to prevent this from happening? As of now, probably not.
On the other hand, most sites really don't need to worry. The Times was a target because of its involvement in the Mitnick case. Other major systems that have been hacked, like the Pentagon's (a much more worrisome incident), capture hackers' attention because they present the ultimate challenge: penetrating seemingly invincible cyber-defenses.
Most hackers won't bother with smaller sites because they present no real test to their abilities.
Web sites and the computers that run them are somewhat like ocean liners. Occasionally, hackers can be spotted over the horizon. And sometimes not even the best evasive maneuvers can protect them.
* Tom Regan is the associate editor of The Christian Science Monitor's Electronic Edition. You can e-mail him at firstname.lastname@example.org