[ISN] AOL security lapse opens accounts

From: mea culpa (jerichoat_private)
Date: Fri May 29 1998 - 21:25:57 PDT

  • Next message: mea culpa: "[ISN] Firms Pass on Security"

    Forwarded From: Aleph One <aleph1at_private>
    
    http://www.news.com/News/Item/0,4,22512,00.html?st.ne.ni.lh
    
       AOL security lapse opens accounts
       By Jim Hu
       Staff Writer, CNET NEWS.COM
       May 28, 1998, 4:00 a.m. PT
       
       Hackers have discovered an apparent security lapse in America
       Online that has on some occasions yielded them access to subscriber
       and AOL staff accounts, giving them free reign to alter or deface
       company pages or subscriber profiles.
       
       The lapse may explain a series of vandalized company and organization
       pages featured on the proprietary online service, including last
       week's attack on the American Civil Liberties Union AOL site.
       
       And it comes just
         months after AOL
       said it would redouble its efforts to protect private information. An
       AOL spokeswoman said that the lapse was an exception and the firm is
       investigating the matter. A spokesman for the ACLU said he does not
       blame AOL for the problem.
       
       But others worry that the incident may not have been exceptional.
       
       An AOL insider who asked to remain anonymous said that more than one
       would-be vandal has been able to call up AOL support lines armed with
       user information such as screen name, real name, and address and
       convince some customer service representatives to reset the
       unsuspecting user's password. The hackers, then armed with a new
       password, are given exclusive access to the account.
       
       The process is a "social engineering" hack, so called because it
       involves a hacker convincing or tricking someone into willingly
       handing over information.
       
       In this type of case, the culprit apparently convinces a customer
       service representative that he or she is the account owner without
       disclosing billing information. Hackers can obtain other member
       information by looking at member profiles, which are self-descriptions
       in the AOL community.
       
       Sometimes members include their home addresses and telephone numbers
       in their profiles, which hackers then can use to take over accounts.
       Hackers also can use more obvious means of getting information such as
       addresses--by looking in public phone directories, for instance.
       
       AOL has emphasized that company policy prohibits service
       representatives from disclosing information without asking for proper
       proof, which usually comes in the form of a credit card or checking
       account number.
       
       But in these instances, the source said the hacker, who he said goes
       by the screen name "PhatEndo," convinced an AOL representative that he
       was the remote staff member who had publishing privileges in the
       ACLU's AOL site.
       
       "[Endo] got the account by calling AOL, pretending to be the account
       owner, and having the password reset," said the source, who has been
       in communication with the ACLU hacker for a few months. "He didn't
       even give the account owner's name."
       
       Someone using the screen name PhatEndo claimed credit for the hack in
       online interviews using AOL's Instant Messenger client. But he would
       not comment on how he did it. He did ask, however, that his cohort be
       credited.
       
       The customer service representative who compromised the ACLU password
       has since been identified and terminated, AOL said.
       
       "We are appalled by these acts of deliberate vandalism," said AOL
       spokeswoman Ann Brackbill. "If this is the same person who compromised
       the ACLU site as he claims, he apparently has violated federal and
       state computer fraud and trespassing laws. We are investigating
       further, working with law enforcement, and will take every action
       possible to stop this activity."
       
       But it is unclear how often these hacks occur. The source suggested
       testing out the lapse.
       
       "Got any friends on AOL?" the source asked. "Try it (with permission
       of course): Call AOL, pretend to be your friend, give them their
       screen name, say you forgot your password. The rep might ask for your
       name and address, or they might not."
       
       A CNET NEWS.COM reporter decided to call AOL support and see if he
       could reset his own password without giving credit card information.
       Six of seven requests for the data without credit card information
       failed. But in one call, the AOL representative reset the password
       after the reporter provided his screen name, full name, street
       address, and city of residence--but not his credit card information.
       
       In addition, both the AOL insider and the person who claimed to be the
       hacker PhatEndo have claimed that AOL technical support volunteer
       accounts had also been taken over in previous instances. In an online
       interview with PhatEndo, he said he had been on "Members Helping
       Members Services" (MHMS) staff accounts. MHMS volunteers are remote
       AOL members who volunteer to help users with general questions about
       the service.
       
       Anyone with access to MHMS could pose as a volunteer and lead users
       astray.
       
       "It would be fun to be able to be the staff that helps you...and
       [mess] with people," PhatEndo wrote in an AOL instant message.
       
       The presence of an apparent security breach follows just months after
       the online giant came under fire for revealing the real identity
       of an AOL member who typed "gay" under "Marital Status" in his profile
       to Navy investigators. The Navy ordered the discharge of officer
       Timothy McVeigh of Hawaii (no relation to the Timothy McVeigh
       convicted of bombing the federal building in Oklahoma) after an AOL
       employee disclosed his real identity without asking the naval
       investigator to identify himself. McVeigh has since been reinstated.
       
       "In the wake of that, AOL gave all its subscribers strong assurances
       that they would redouble their training for people answering phones,"
       said David Sobel, legal counsel for the Electronic Privacy
       Information Center, referring to the McVeigh incident. "I guess this
       raises questions about how effective those initiatives are after the
       McVeigh incident was disclosed."
       
       After the incident gained considerable attention, AOL admitted to
       the privacy lapse and blamed the incident on "human error under very
       unusual circumstances."
       
       Nonetheless, the ACLU remains confident of AOL's commitment to
       increasing security. Although the ACLU considered last week's break-in
       an inconvenience, the organization maintains that a company the size
       of AOL is bound to have a weak link.
       
       "I don't blame AOL in any way for having lax security or lax
       procedures," said ACLU spokesman Phil Gutis. "I know they consider
       [security] one of their highest priorities and are working to improve
       this all the time. I'm sure anybody else that has had this situation
       happen doesn't blame AOL."
       
    
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:54:34 PDT