Cybervandal ‘Edits’ Orange County Register’s Website

Adam L. Penenberg
Inside.com, 10.9.00

VISITORS TO THE ORANGE COUNTY REGISTER’S WEB SITE were rewarded with an incredible scoop Sept. 29. Bill Gates, the geek who coded Microsoft from the ground up and became a multibillionaire in the process, had been arrested for hacking into “hundreds, maybe thousands” of computers, including those of NASA’s Jet Propulsion Lab in Pasadena, Calif., and Stanford University.

The story, one of three that day about the arrest of a hacker known in cybercircles as “Shadow Knight” and “Dark Lord,” went on to detail Gates’ legal plight. Gates, it was reported, was facing two federal counts of breaking into NASA computers, one count of illegally obtaining credit card numbers and one count of making more than $1,000 in purchases through credit card fraud. The article concluded with the bizarre plea, “FREE THE SHADOW KNIGHT SAVE MY ANAL VIRGINITY OR ILL HAVE TO IZZOWN YOU ALL.”

Before this results in a flurry of rumor-mongering e-mail forwards, let us point out that none of the above revelations are true. The Register’s Web site, it turns out, had been attacked by a cybervandal, and three of its news stories were “edited.” While other news organizations such as ABC.com, the Associated Press, George magazine, the Drudge Report and The New York Times have suffered Web defacements, the Register breach is the first known instance of a “subversion of information attack” at a media Web site.

In most attacks, hackers replace the front page of a site with one of their own design, which usually trumpets their brazenness and technical skills. But because a subversion of information attack doesn’t necessarily call attention to itself, the result is much more sinister, said Brian Martin, a staff member for Attrition.org, a site that tracks computer crime and archives mirrors of hacked pages. “What if intruders were to make subtle changes to various stories without them being noticed?” Martin asks. “Unfortunately, no one has the ability to say it hasn’t happened yet because the nature of this threat prevents us from knowing.”

The three stories, originally published Sept. 22, stayed up on the Web site in their altered form for 90 minutes before the hack was noticed. The main article, “O.C. Man Charged in NASA Hacking,” focused on the arrest of 20-year-old Jason Diekman of Mission Viejo, Calif., and was originally written by veteran courthouse reporter John McDonald. In the story, the hacker used “find/replace” and changed Diekman’s name to Bill Gates. In “Hacking Suspect Known As A ‘Nice Kid,'” written by McDonald, Tony Saavedra and Valerie Godines, the unauthorized edits poked fun at some of Diekman’s neighbors who agreed to be interviewed, adding various sexual commentary and the usual puerile insults.

“With the Orange County Register attack, the idea that you can never trust what you read in the paper takes on an entirely new meaning,” says B.K. DeLong, another Attrition.org staff member. Most disturbing about the Register defacement was the apparent outing of a confidential source who had assisted law enforcement in building a case against Diekman. In the story “Hacking Suspect Known As ‘Nice Kid,'” the digital intruder, who goes by the handle “Exiled Dave,” amended the copy to read, “A confidential informant, *cough*CHRISTOPHER DUMAS*cough*, tipped investigators in October 1998 that Diekman was the hax0r they sought.” Arif Alikhan, the assistant U.S. Attorney who built the case against Diekman, says Exiled Dave got his facts wrong: “Christopher Dumas is not the name of the confidential informant.”

The Register’s Web site, owned by Freedom Communications, isn’t the first of the libertarian-leaning company’s outlets to get hit. Nine days before the Register attack, Freedom’s corporate Web site was vandalized, as were those of the Appeal-Democrat of Marysville, Calif.; the Times-News of Burlington, N.C.; the Monitor in McAllen, Texas; and a number of other small newspapers in Florida, North Carolina and Texas. In these attacks, the various home pages were replaced by ones created by the hackers.

The intruders apparently gained access to the various sites via a single point of connection, Freedom’s Domain Name Service server, which maps host names to IP addresses. “If you get into one machine, you potentially have access to all the machines,” says Attrition.org’s DeLong.

Nancy Souza, a spokeswoman for the Register, says techies at the Register Web site were well aware that some of Freedom Communications’ other sites had been compromised and were on alert. But the Register intruder ” in a different way, through the [File Transfer Protocol] port,” she says. “We believe it was a different hacker. [Silicon Graphics, the maker of the server] didn’t know it could be exploited this way, and there is no known patch for it.”

The Department of Justice is understandably miffed, as the arrest of Diekman was one of its few recent successes in the fight against digital graffiti. Many high-profile hacks remain unsolved, from the defacement of the New York Times’ Web site two years ago by a group calling itself “Hacking for Girlies,” to last February’s spate of denial-of-service attacks against e-commerce goliaths such as Yahoo and E-Trade, to daily assaults against Pentagon servers.

Although Diekman’s arrest received ample press coverage, McDonald believes that his stories were hit because the Register was the only paper to go to Diekman’s neighborhood and interview his neighbors. “I received warnings that friends of his were going to retaliate,” he says.

Copyright 2001 Adam L. Penenberg (penenberg.com)