Forwarded From: Aleph One <aleph1at_private> http://www.news.com/News/Item/0,4,22512,00.html?st.ne.ni.lh AOL security lapse opens accounts By Jim Hu Staff Writer, CNET NEWS.COM May 28, 1998, 4:00 a.m. PT Hackers have discovered an apparent security lapse in America Online that has on some occasions yielded them access to subscriber and AOL staff accounts, giving them free reign to alter or deface company pages or subscriber profiles. The lapse may explain a series of vandalized company and organization pages featured on the proprietary online service, including last week's attack on the American Civil Liberties Union AOL site. And it comes just months after AOL said it would redouble its efforts to protect private information. An AOL spokeswoman said that the lapse was an exception and the firm is investigating the matter. A spokesman for the ACLU said he does not blame AOL for the problem. But others worry that the incident may not have been exceptional. An AOL insider who asked to remain anonymous said that more than one would-be vandal has been able to call up AOL support lines armed with user information such as screen name, real name, and address and convince some customer service representatives to reset the unsuspecting user's password. The hackers, then armed with a new password, are given exclusive access to the account. The process is a "social engineering" hack, so called because it involves a hacker convincing or tricking someone into willingly handing over information. In this type of case, the culprit apparently convinces a customer service representative that he or she is the account owner without disclosing billing information. Hackers can obtain other member information by looking at member profiles, which are self-descriptions in the AOL community. Sometimes members include their home addresses and telephone numbers in their profiles, which hackers then can use to take over accounts. Hackers also can use more obvious means of getting information such as addresses--by looking in public phone directories, for instance. AOL has emphasized that company policy prohibits service representatives from disclosing information without asking for proper proof, which usually comes in the form of a credit card or checking account number. But in these instances, the source said the hacker, who he said goes by the screen name "PhatEndo," convinced an AOL representative that he was the remote staff member who had publishing privileges in the ACLU's AOL site. "[Endo] got the account by calling AOL, pretending to be the account owner, and having the password reset," said the source, who has been in communication with the ACLU hacker for a few months. "He didn't even give the account owner's name." Someone using the screen name PhatEndo claimed credit for the hack in online interviews using AOL's Instant Messenger client. But he would not comment on how he did it. He did ask, however, that his cohort be credited. The customer service representative who compromised the ACLU password has since been identified and terminated, AOL said. "We are appalled by these acts of deliberate vandalism," said AOL spokeswoman Ann Brackbill. "If this is the same person who compromised the ACLU site as he claims, he apparently has violated federal and state computer fraud and trespassing laws. We are investigating further, working with law enforcement, and will take every action possible to stop this activity." But it is unclear how often these hacks occur. The source suggested testing out the lapse. "Got any friends on AOL?" the source asked. "Try it (with permission of course): Call AOL, pretend to be your friend, give them their screen name, say you forgot your password. The rep might ask for your name and address, or they might not." A CNET NEWS.COM reporter decided to call AOL support and see if he could reset his own password without giving credit card information. Six of seven requests for the data without credit card information failed. But in one call, the AOL representative reset the password after the reporter provided his screen name, full name, street address, and city of residence--but not his credit card information. In addition, both the AOL insider and the person who claimed to be the hacker PhatEndo have claimed that AOL technical support volunteer accounts had also been taken over in previous instances. In an online interview with PhatEndo, he said he had been on "Members Helping Members Services" (MHMS) staff accounts. MHMS volunteers are remote AOL members who volunteer to help users with general questions about the service. Anyone with access to MHMS could pose as a volunteer and lead users astray. "It would be fun to be able to be the staff that helps you...and [mess] with people," PhatEndo wrote in an AOL instant message. The presence of an apparent security breach follows just months after the online giant came under fire for revealing the real identity of an AOL member who typed "gay" under "Marital Status" in his profile to Navy investigators. The Navy ordered the discharge of officer Timothy McVeigh of Hawaii (no relation to the Timothy McVeigh convicted of bombing the federal building in Oklahoma) after an AOL employee disclosed his real identity without asking the naval investigator to identify himself. McVeigh has since been reinstated. "In the wake of that, AOL gave all its subscribers strong assurances that they would redouble their training for people answering phones," said David Sobel, legal counsel for the Electronic Privacy Information Center, referring to the McVeigh incident. "I guess this raises questions about how effective those initiatives are after the McVeigh incident was disclosed." After the incident gained considerable attention, AOL admitted to the privacy lapse and blamed the incident on "human error under very unusual circumstances." Nonetheless, the ACLU remains confident of AOL's commitment to increasing security. Although the ACLU considered last week's break-in an inconvenience, the organization maintains that a company the size of AOL is bound to have a weak link. "I don't blame AOL in any way for having lax security or lax procedures," said ACLU spokesman Phil Gutis. "I know they consider [security] one of their highest priorities and are working to improve this all the time. I'm sure anybody else that has had this situation happen doesn't blame AOL." -o- Subscribe: mail majordomoat_private with "subscribe isn". Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:54:34 PDT