[ISN] AOL Stops One Security Breach, Fails To Stop Another

From: InfoSec News (isnat_private)
Date: Wed Oct 10 2001 - 00:39:54 PDT


    http://www.newsbytes.com/news/01/170924.html
    
    By Brian Krebs, Newsbytes
    WASHINGTON, D.C., U.S.A.,
    08 Oct 2001, 4:11 PM CST
     
    America Online has fixed a security hole that for years allowed a
    cadre of cognoscenti hackers to create bogus AOL accounts and hack
    away in relative obscurity, but has yet to patch a little-known
    vulnerability that allows anyone with an AOL account to switch many
    phone customers' long-distance providers.
    
    According to information obtained by Newsbytes, the exploit allows the
    switcher to view the victim's calling and billing records all without
    ever notifying the victim or asking his or her permission.
    
    The method for creating a ghost AOL account has become something of an
    open secret among the subculture of more sophisticated AOL-hacker
    types, but the process for doing so is fairly straightforward.
    
    When new users signed up for an AOL account online, they could opt to
    pay via check or credit card, but because it is extremely difficult to
    verify checking information online, the signup process transparently
    stored the information in a buffer and flagged the account as
    "OK-to-create," leaving the user with a message to contact AOL support
    in order to verify the checking account information.
    
    But if the new users then returned to the billing page, changed the
    billing method to "credit," and entered a random credit card number
    created by any one of several credit card number-generating tools
    available on hacker sites, the users effectively evaded the next step
    in the account creation process, the address verification system
    (AVS).
    
    The exploit worked because by the time AOL's AVS system learned that
    the supplied credit card number did not match any current billing
    records, the account had already been activated.
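    The flaw described in the preceding paragraphs is an ordering bug in a
    signup state machine: the "check" path marks the session creatable
    before anything is verified, that mark survives a later switch to
    "credit," and activation happens before the AVS answer comes back.
    The following Python model is an added example, not code from the
    article, from AOL, or from Newsbytes; the class names, the simulated
    AVS allow-list, and the card numbers are all constructed for the
    illustration. It replays the sequence the article describes against a
    version that reproduces the bug and a hardened version in which any
    change of billing method discards prior verification and activation
    waits for a verified result.

```python
"""Model of the signup ordering flaw described in the article.

All names, the AVS allow-list and the card numbers are constructed for this
example; the real AVS is an asynchronous call to the card issuer.
"""
from enum import Enum, auto
from typing import Optional


class Billing(Enum):
    CHECK = auto()
    CREDIT = auto()


class State(Enum):
    PENDING = auto()     # created, billing not yet verified
    ACTIVE = auto()
    SUSPENDED = auto()


# Constructed stand-in for the issuer's address verification system: only
# this one fake card number is treated as matching a billing record.
KNOWN_GOOD_CARDS = {"4111111111111111"}


def avs_check(card_number: str) -> bool:
    """Simulated AVS lookup (constructed); returns True on a billing match."""
    return card_number in KNOWN_GOOD_CARDS


class VulnerableSignup:
    """Reproduces the flow in the article: the 'check' path flags the session
    OK-to-create, the flag survives a switch to 'credit', activation happens
    before AVS answers, and a failed AVS only produces pop-up reminders."""

    def __init__(self) -> None:
        self.billing: Optional[Billing] = None
        self.card: Optional[str] = None
        self.ok_to_create = False
        self.state = State.PENDING
        self.reminders = 0

    def choose_billing(self, method: Billing, card: Optional[str] = None) -> None:
        self.billing, self.card = method, card
        if method is Billing.CHECK:
            # Checking details cannot be verified online, so the session is
            # buffered and marked creatable; the user is told to call support.
            self.ok_to_create = True
        # Defect 1: switching to CREDIT leaves ok_to_create untouched.

    def activate(self) -> State:
        if self.ok_to_create:
            self.state = State.ACTIVE   # Defect 2: activation precedes AVS
        return self.state

    def avs_result(self, matched: bool) -> State:
        if not matched:
            self.reminders += 1         # Defect 3: invalid billing only nags
        return self.state


class HardenedSignup:
    """Same interface: activation requires verified billing, any change of
    billing method restarts verification, and a failed AVS suspends."""

    def __init__(self) -> None:
        self.billing: Optional[Billing] = None
        self.card: Optional[str] = None
        self.verified = False
        self.state = State.PENDING

    def choose_billing(self, method: Billing, card: Optional[str] = None) -> None:
        self.billing, self.card = method, card
        self.verified = False           # every change restarts verification

    def confirm_check_with_support(self) -> None:
        """Out-of-band confirmation of a checking account by support staff."""
        if self.billing is Billing.CHECK:
            self.verified = True

    def avs_result(self, matched: bool) -> State:
        if self.billing is Billing.CREDIT:
            self.verified = matched
            if not matched and self.state is State.ACTIVE:
                self.state = State.SUSPENDED
        return self.state

    def activate(self) -> State:
        if self.verified:
            self.state = State.ACTIVE
        return self.state


def run_ghost_account_attempt(session_cls) -> State:
    """Replay the sequence from the article against either implementation."""
    s = session_cls()
    s.choose_billing(Billing.CHECK)                      # buffered, unverified
    s.choose_billing(Billing.CREDIT, "0000000000000000")  # constructed bogus number
    s.activate()
    s.avs_result(avs_check(s.card))                      # AVS answers later
    return s.state


def run_legitimate_credit_signup(session_cls) -> State:
    """A genuine card in the hardened flow: AVS first, then activation."""
    s = session_cls()
    s.choose_billing(Billing.CREDIT, "4111111111111111")
    s.avs_result(avs_check(s.card))
    return s.activate()


if __name__ == "__main__":
    print("vulnerable:", run_ghost_account_attempt(VulnerableSignup).name)
    print("hardened:  ", run_ghost_account_attempt(HardenedSignup).name)
```

    The point to take from the model is the invariant the hardened class
    enforces: a session can only reach ACTIVE from a verified state, and
    every write to the billing fields clears that state, so there is no
    window in which a stale "OK-to-create" mark can be carried across a
    change of payment method.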
    
    "Previously, AOL accounts would be shut down after 72 hours if they
    didn't have valid billing," said Adrian Lamo, a freelance security
    consultant and founder of Inside-AOL.com, a site dedicated to keeping
    tabs on security lapses at AOL.
    
    "But in an effort to increase the total number of registered members,
    AOL stopped shutting down accounts with bogus billing and just let
    them live and receive daily pop-up reminders that the billing
    information was invalid," Lamo told Newsbytes in a recent interview.
    
    Roughly two months ago, Lamo became aware of another buffer problem in
    AOL's network that allows any user to exploit the company's
    relationship with online local and long-distance provider Talk America
    Holdings Inc., (http://www.talk.com).
    
    By simply entering their phone number in an online application, AOL
    users can switch their long-distance provider to Talk.com, and receive
    all of their billing and calling statements by entering keyword "LD
    Member" via the AOL dial-up home page.
    
    The problem, Lamo said, is that during signup the system automatically
    assumes the phone number entered corresponds to the user's AOL account
    billing information, when in fact neither may be accurate. In effect,
    the system never verifies whether the phone number being switched to
    Talk.com actually belongs to the subscriber.
    
    Normally when someone switches their long-distance carrier, the
    carrier assuming the service sends a letter within 30 days notifying
    the subscriber of the service change.
    
    "But with Talk.com, it's never actually seen by the subscriber - they
    never get anything in the mail," Lamo said. "So once you've switched
    over the person's carrier, you have access to all the information
    about calls they made, and they would never notice a thing. Except for
    maybe the fact that they would stop getting phone bills."
    
    Working with other subscribers who agreed to test the Talk.com hack,
    Lamo was able to verify that accounts belonging to several other AOL
    subscribers had been switched.
    
    "In fact, you could sign up a phone number in multiple different cities
    and it would sail right through," Lamo said. "If someone were
    profit-minded, they could definitely take a year or two off from work
    just by selling this information out to private investigators."
    
    Both activities raise interesting questions about the effectiveness of
    federal law enforcement's recent interest in gaining easier access to
    Internet service provider records in the wake of the Sept. 11 attacks.
    
    "Accounts with arbitrary, made-up information totally break the purpose
    of (the FBI's e-mail snooping device) Carnivore, and render the
    subpoena process useless," Lamo said. "AOL's negligence in this regard
    may have single-handedly frustrated more investigations of its
    subscribers than deliberate obstruction could in twice the time."
    
    AOL spokesman Nicholas Graham said the company was unaware of member
    reports related to either issue and "that there are no indications of
    widespread use of the techniques."
    
    "These activities are not 'hacks' - they are serious crimes. Any of
    the described scenarios, if attempted, are clear violations of federal
    and state laws governing credit card fraud, privacy and slamming
    practices," Graham said. "As has been our policy, AOL consistently
    reaches out and cooperates with efforts by law enforcement to
    prosecute individuals using the AOL service to violate such laws."
    
    Lamo said he was skeptical of AOL's non-denial denial.
    
    "If I become aware of something like this, it means that it's been
    used in the wild. AOL spends more time than it used to on internal
    security, and it's doing a better job at it, but it still seems to
    think that security and public relations are somehow interchangeable,"
    he said.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.
    



    This archive was generated by hypermail 2b30 : Wed Oct 10 2001 - 02:41:55 PDT