[ISN] Old 'New' hack on AOL security.

From: William Knowles (erehwonat_private)
Date: Thu May 28 1998 - 11:38:03 PDT


    AOL security lapse opens accounts
    By Jim Hu
    Staff Writer, CNET NEWS.COM
    May 28, 1998, 4 a.m. PT
    URL: http://www.news.com/News/Item/0,4,22512,00.html
     
    Hackers have discovered an apparent security lapse in America Online
    that has on some occasions yielded them access to subscriber and AOL
    staff accounts, giving them free rein to alter or deface company
    pages or subscriber profiles.
     
    The lapse may explain a series of vandalized company and organization
    pages featured on the proprietary online service, including last
    week's attack on the American Civil Liberties Union AOL site.
     
    And it comes just months after AOL said it would redouble its efforts
    to protect private information. An AOL spokeswoman said that the lapse
    was an exception and the firm is investigating the matter. A spokesman 
    for the ACLU said he does not blame AOL for the problem.
    
    But others worry that the incident may not have been exceptional.
    
    An AOL insider who asked to remain anonymous said that more than one 
    would-be vandal has been able to call up AOL support lines armed with 
    user information such as screen name, real name, and address and
    convince some customer service representatives to reset the 
    unsuspecting user's password. The hackers, then armed with a new
    password, are given exclusive access to the account.
     
    The process is a "social engineering" hack, so called because it
    involves a hacker convincing or tricking someone into willingly
    handing over information.
    
    In this type of case, the culprit apparently convinces a customer
    service representative that he or she is the account owner without
    disclosing billing information. Hackers can obtain other member
    information by looking at member profiles, which are self-descriptions
    in the AOL community.
    
    Sometimes members include their home addresses and telephone numbers
    in their profiles, which hackers then can use to take over accounts.
    Hackers also can use more obvious means of getting information such as
    addresses--by looking in public phone directories, for instance.
    
    AOL has emphasized that company policy prohibits service
    representatives from disclosing information without asking for proper
    proof, which usually comes in the form of a credit card or checking
    account number.
    
    But in these instances, the source said the hacker, who he said goes
    by the screen name "PhatEndo," convinced an AOL representative that he
    was the remote staff member who had publishing privileges in the
    ACLU's AOL site.
    
    "[Endo] got the account by calling AOL, pretending to be the account
    owner, and having the password reset," said the source, who has been
    in communication with the ACLU hacker for a few months. "He didn't
    even give the account owner's name."
    
    Someone using the screen name PhatEndo claimed credit for the hack in
    online interviews using AOL's Instant Messenger client. But he would
    not comment on how he did it. He did ask, however, that his cohort be
    credited.
    
    The customer service representative who compromised the ACLU password
    has since been identified and terminated, AOL said.
    
    "We are appalled by these acts of deliberate vandalism," said AOL
    spokeswoman Ann Brackbill. "If this is the same person who compromised
    the ACLU site as he claims, he apparently has violated federal and
    state computer fraud and trespassing laws. We are investigating
    further, working with law enforcement, and will take every action
    possible to stop this activity."
    
    But it is unclear how often these hacks occur. The source suggested
    testing out the lapse.
    
    "Got any friends on AOL?" the source asked. "Try it (with permission
    of course): Call AOL, pretend to be your friend, give them their
    screen name, say you forgot your password. The rep might ask for your
    name and address, or they might not."
    
    A CNET NEWS.COM reporter decided to call AOL support and see if he
    could reset his own password without giving credit card information.
    Six of seven requests for the data without credit card information
    failed. But in one call, the AOL representative reset the password
    after the reporter provided his screen name, full name, street
    address, and city of residence--but not his credit card information.
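    The policy gap the reporter's calls exposed (public profile data accepted in place of billing proof) can be expressed as a reset-authorization gate plus an audit check over the help-desk log. This is an added example, not AOL's code; the factor names, the record layout and the seven sample calls are constructed for illustration.

```python
from collections import Counter

# Identifiers a caller can learn from a member profile or a phone book.
# The article's point: these should never by themselves authorize a reset.
PUBLIC_FACTORS = {"screen_name", "real_name", "street_address", "city", "phone"}
# Proof AOL policy says a representative must obtain before a reset.
BILLING_FACTORS = {"credit_card", "checking_account"}


def reset_authorized(presented, on_file):
    """Return True only if at least one billing factor matches the record.

    `presented` is what the caller supplied, `on_file` the account record;
    both map factor name -> value. Matching public factors, however many,
    never authorize the reset on their own.
    """
    for factor in BILLING_FACTORS:
        if factor in presented and presented[factor] == on_file.get(factor):
            return True
    return False


def resets_without_billing_proof(audit_log):
    """Count, per representative, resets granted with no billing factor verified.

    Each log entry is a dict with "rep", "granted" (bool) and "verified"
    (set of factor names the rep checked). A non-zero count for a rep is the
    pattern the reporter's one successful call produced.
    """
    flagged = Counter()
    for entry in audit_log:
        if entry["granted"] and not (entry["verified"] & BILLING_FACTORS):
            flagged[entry["rep"]] += 1
    return flagged


# Constructed help-desk log: six refusals, one reset granted on public data only,
# and one legitimate reset backed by a checking account number.
SAMPLE_LOG = [
    {"rep": "rep01", "granted": False, "verified": {"screen_name", "real_name"}},
    {"rep": "rep02", "granted": False, "verified": {"screen_name"}},
    {"rep": "rep03", "granted": False, "verified": {"screen_name", "street_address"}},
    {"rep": "rep04", "granted": False, "verified": {"screen_name", "real_name", "city"}},
    {"rep": "rep05", "granted": False, "verified": {"screen_name", "phone"}},
    {"rep": "rep06", "granted": False, "verified": {"screen_name", "real_name"}},
    {"rep": "rep07", "granted": True,
     "verified": {"screen_name", "real_name", "street_address", "city"}},
    {"rep": "rep02", "granted": True, "verified": {"screen_name", "checking_account"}},
]
```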
    
    In addition, both the AOL insider and the person who claimed to be the
    hacker PhatEndo have claimed that AOL technical support volunteer
    accounts had also been taken over in previous instances. In an online
    interview with PhatEndo, he said he had been on "Members Helping
    Members Services" (MHMS) staff accounts. MHMS volunteers are remote
    AOL members who volunteer to help users with general questions about
    the service.
    
    Anyone with access to MHMS could pose as a volunteer and lead users
    astray.
    
    "It would be fun to be able to be the staff that helps you...and
    [mess] with people," PhatEndo wrote in an AOL instant message.
    
    The presence of an apparent security breach follows just months after
    the online giant came under fire for revealing the real identity of an
    AOL member who typed "gay" under "Marital Status" in his profile to
    Navy investigators. The Navy ordered the discharge of officer Timothy
    McVeigh of Hawaii (no relation to the Timothy McVeigh convicted of
    bombing the federal building in Oklahoma) after an AOL employee
    disclosed his real identity without asking the naval investigator to
    identify himself. McVeigh has since been reinstated.
    
    "In the wake of that, AOL gave all its subscribers strong assurances
    that they would redouble their training for people answering phones,"
    said David Sobel, legal counsel for the Electronic Privacy Information
    Center, referring to the McVeigh incident. "I guess this raises
    questions about how effective those initiatives are after the McVeigh
    incident was disclosed."
    
    After the incident gained considerable attention, AOL admitted to the
    privacy lapse and blamed the incident on "human error under very
    unusual circumstances."
    
    Nonetheless, the ACLU remains confident of AOL's commitment to
    increasing security. Although the ACLU considered last week's break-in
    an inconvenience, the organization maintains that a company the size
    of AOL is bound to have a weak link.
    
    "I don't blame AOL in any way for having lax security or lax
    procedures," said ACLU spokesman Phil Gutis. "I know they consider
    [security] one of their highest priorities and are working to improve
    this all the time. I'm sure anybody else that has had this situation
    happen doesn't blame AOL."
    
    
    == 
    There's a compelling reason to master information & news.
    Clearly there will be better job and financial opportunities.
    Other high stakes will be missed by people if they don't
    master and connect information.  --  Everette Dennis
    ==
    http://www.dis.org/erehwon/
    
    
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
    