[ISN] Are Crackers Behind AOL Spree?

From: InfoSec News (isnat_private)
Date: Wed Feb 27 2002 - 23:23:50 PST

    By Michelle Delio
    2:00 a.m. Feb. 27, 2002 PST

    America Online users, you have unwanted packages -- due either to the
    activities of malicious hackers, aggressive pop-up ads or a sudden
    widespread epidemic of shopping amnesia.

    AOL has billed thousands of its users for products presented in pop-up
    ads after users clicked a "no thanks" button to refuse the offer,
    according to a lawsuit filed last week in U.S. District Court in San
    Francisco. The charges were made public late Monday.

    AOL steadfastly maintains there are no glitches in its shopping system
    that could have resulted in the erroneous charges and shipments. Users
    insist that they did not mistakenly click "Yes" when they meant to
    click "No." So who made the purchases?

    A group of hackers who focus on finding security holes in AOL's
    systems contend the most likely culprits are a bunch of bored kids who
    hacked into AOL accounts, perhaps with the assistance of disgruntled
    AOL employees.

    Members of this group recently reported two major security holes in
    AOL's Instant Messenger program.

    Although it's far from certain that kid-crackers are to blame for the
    shopping sprees cited in the lawsuit, it's possible that once a
    cracker has a user's screen name and password, he can log on as the
    account user and order merchandise through AOL's shopping service.
    Products ordered through the service are automatically charged to the
    account holder's credit or debit card.

    These hackers say AOL passwords are remarkably easy to come by,
    claiming that they sometimes gain access to accounts with the aid of
    AOL employees who provide information in exchange for a share of the

    "One guy in AOL's Operations Security told me if I used a hacked
    account to get his girlfriend a $700 necklace from Barneys Online he
    would get me access to six more accounts," a hacker known as Flyman
    said. "What it comes down to is that AOL's biggest security risk is
    corrupt employees who will straight up give away info for a price."

    But the easiest way to crack an account is by using a password
    generator that matches a password to an AOL screen name, hackers say.

    "If a password is an actual word, not a healthy mixture of upper and
    lower case characters with numbers and even some symbols, it's trivial
    to figure out the password using one of the hundreds of AOL password
    crackers and password stealers lurking around on the Internet," said a
    white-hat hacker known as Mancow.
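    The weakness Mancow describes above (a password that is an "actual
    word", possibly dressed up with a few digits) is exactly what a
    service-side password policy is meant to reject at sign-up or
    password-change time. The following is an added example, not code from
    the article, from AOL, or from the hackers quoted; it assumes a small
    constructed word list where a real deployment would load a full
    dictionary and a list of known-breached passwords. It undoes the cheap
    variations a cracker's wordlist already covers (case, "leet"
    substitutions, trailing digits and symbols) before comparing against
    the dictionary, and checks the character-class mix and length the quote
    calls for.

```python
import math
import string

# Constructed stand-in for a dictionary / breached-password list (assumption:
# a real policy engine would load a large word list, not this handful).
COMMON_WORDS = {"password", "letmein", "welcome", "dragon",
                "sunshine", "monkey", "football", "qwerty"}

# Substitutions that password crackers apply automatically, so they add
# essentially nothing to a password's strength.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

# Approximate pool sizes per character class, used for a rough search-space estimate.
POOL_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def normalize(password):
    """Reduce a password to the dictionary word a cracker would try first:
    lower-case it, strip trailing digits/punctuation, then undo leet spelling."""
    base = password.lower().rstrip(string.digits + string.punctuation)
    return base.translate(LEET)


def char_classes(password):
    """Return the set of character classes present (lower, upper, digit, symbol)."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def estimate_bits(password):
    """Rough upper bound on brute-force search space in bits: len * log2(pool).
    A dictionary-based password is far weaker than this number suggests,
    which is why the dictionary check below is the one that matters most."""
    pool = sum(POOL_SIZES[c] for c in char_classes(password))
    return round(len(password) * math.log2(pool)) if pool else 0


def weaknesses(password, min_length=12, min_classes=3, words=COMMON_WORDS):
    """Return a list of human-readable policy violations; empty means acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append(f"too short ({len(password)} < {min_length})")
    classes = char_classes(password)
    if len(classes) < min_classes:
        problems.append(f"only {len(classes)} character class(es), need {min_classes}")
    base = normalize(password)
    if base in words:
        problems.append(f"based on a dictionary word ({base})")
    return problems


def is_strong(password):
    """True when the password passes every check in weaknesses()."""
    return not weaknesses(password)


if __name__ == "__main__":
    for candidate in ["Dragon2002!", "P4ssw0rd!!2002", "Tr0ub4dor&3x!Kq"]:
        print(candidate, estimate_bits(candidate), "bits", weaknesses(candidate) or "OK")
```

    Note that "P4ssw0rd!!2002" looks mixed-case and has all four character
    classes, yet normalizes straight back to "password"; the dictionary
    check, not the character-class count, is what catches it. The
    estimate_bits() figure is deliberately described as an upper bound, since
    a word-based password falls to a wordlist long before brute force matters.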
    "AOL doesn't want to burden their users by making their password
    system too complicated for John Q. Public, but by refusing to force
    users to use strong passwords they have left an important aspect of
    security solely in the hands of a possibly clueless consumer," Mancow
    added. "If AOL wants to allow users to use simple passwords, the
    service should then find some way to verify a user's identity before
    allowing products to be charged to the credit card associated with the

    AOL spokesman Nicholas Graham declined to comment on any specific
    allegations, but agreed it was possible that unauthorized charges for
    merchandise could be the work of malicious hackers. AOL will
    investigate the possibility, Graham said.

    Meanwhile, Graham suggested that AOL users visit the service's
    Neighborhood Watch section for security tips.

    "Our members have the responsibility to make sure that their passwords
    and accounts are secure," Graham said.

    "It certainly seems logical that the problem is more likely to have
    been caused by hackers, or confused AOL users who perhaps pushed 'Yes,
    please' instead of 'No, thanks,' than by a glitch in AOL's shopping
    system," said Nathan Cohen, an attorney who specializes in Internet
    law. "AOL has about 30 million users now. If there was a glitch, it
    should have affected more than the 'thousands' of users that the court
    case cites. A glitch should have affected millions of people."

    "I can't help but think this is the 2002 version of the old stunt of
    sending a dozen pizzas to someone who pissed you off," Cohen added.

    AOL hackers admit their more malicious brethren crack accounts because
    they are angry at the owner of the account. Once they have access to
    the account they typically change the password, "muck around with
    e-mail and order stuff," Flyman said.

    Sometimes the cracks are random: People with short or "cool" screen
    names are also prime targets, according to the hackers.

    "Ninety percent of the account hacks that some people do is because
    they see a cool screen name and they want to use it," said Solitude,
    another hacker.

    The warning signs of account intrusion include e-mail that has been
    marked as read or deleted that users know they haven't seen, as well
    as a sudden spike in account activity, say the hackers.

    They also advise users to disable any unused sub-accounts. AOL members
    can have six screen names per account, and hackers say seldom-used
    screen names are ripe for exploitation.
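    Two of the warning signs above (a sudden spike in account activity, and
    a password change followed by "order stuff") are the kind of thing a
    service can detect from its own activity log rather than leaving it to
    the member. The following is an added example, not the article's or
    AOL's code; it runs over a constructed activity log for two screen names
    (the log format, the event names and the thresholds are all assumptions)
    and flags an account whose purchases on its latest active day far exceed
    its earlier daily baseline, or whose purchases follow a password change
    within 24 hours.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample activity log (not real AOL data).
# Format per line: "<ISO-8601 timestamp> <screen_name> <event>"
SAMPLE_LOG = """\
2002-02-20T09:12:00 jsmith login
2002-02-20T09:15:00 jsmith purchase
2002-02-21T18:40:00 jsmith login
2002-02-22T19:02:00 jsmith login
2002-02-24T21:00:00 jsmith login
2002-02-25T02:13:00 jsmith login
2002-02-25T02:14:00 jsmith password_change
2002-02-25T02:20:00 jsmith purchase
2002-02-25T02:31:00 jsmith purchase
2002-02-25T02:45:00 jsmith purchase
2002-02-25T03:10:00 jsmith purchase
2002-02-20T08:00:00 cool login
2002-02-25T08:00:00 cool login
2002-02-25T08:05:00 cool purchase
"""


def parse_log(text):
    """Parse log lines into (timestamp, screen_name, event) tuples, oldest first."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, name, event = line.split()
        records.append((datetime.fromisoformat(stamp), name, event))
    return sorted(records)


def detect_takeover_signs(records, spike_factor=3, min_purchases=3,
                          window=timedelta(hours=24)):
    """Return {screen_name: [reasons]} for accounts showing intrusion warning signs.

    Rule 1 (spike): purchases on the account's most recent active day are at
            least min_purchases and more than spike_factor times the per-day
            average over the earlier days on which the account was seen.
    Rule 2 (password change then purchase): any purchase within `window`
            after a password_change event.
    Thresholds are assumptions chosen for illustration."""
    by_user = defaultdict(list)
    for rec in records:
        by_user[rec[1]].append(rec)

    alerts = {}
    for name, recs in by_user.items():
        reasons = []
        days = sorted({ts.date() for ts, _, _ in recs})
        last_day, earlier_days = days[-1], days[:-1]
        recent = sum(1 for ts, _, ev in recs if ev == "purchase" and ts.date() == last_day)
        earlier = sum(1 for ts, _, ev in recs if ev == "purchase" and ts.date() != last_day)
        baseline = earlier / len(earlier_days) if earlier_days else 0.0
        if recent >= min_purchases and recent > spike_factor * baseline:
            reasons.append(f"purchase spike: {recent} on {last_day} vs {baseline:.2f}/day before")

        for change, _, ev in recs:
            if ev != "password_change":
                continue
            after = [ts for ts, _, e in recs
                     if e == "purchase" and change <= ts <= change + window]
            if after:
                reasons.append(f"{len(after)} purchase(s) within 24h of password change "
                               f"at {change.isoformat()}")
                break  # one report per account is enough

        if reasons:
            alerts[name] = reasons
    return alerts


if __name__ == "__main__":
    for user, why in detect_takeover_signs(parse_log(SAMPLE_LOG)).items():
        print(user)
        for reason in why:
            print("  -", reason)
```

    In the sample, "jsmith" trips both rules (four purchases in one early-
    morning session right after a password change, against a quarter of a
    purchase per day before), while "cool" makes a single purchase and is
    left alone. A real deployment would tune the baseline window and factor
    per account and route the alert to a step-up verification before the
    charge goes through, which is the identity check Mancow argues for.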
    Cohen said AOL would not likely be held responsible for the types of
    security breaches outlined by the hackers.

    "AOL is following the practices that are standard in the industry,"
    Cohen said. "I don't know of any commercial service that forces users
    to use secure passwords. While you could rightfully argue that the
    policies should be changed, I don't see any evidence of negligence."

    But should the court find AOL responsible for the fraudulent billing,
    the company would be "in a world of trouble," criminal attorney Frank
    Anderson said.

    "I expect that they'd much rather find out that hackers are rampaging
    through their system than to face charges that a bug in their software
    is spontaneously billing customers for things they did not order,"
    Anderson said. "But the best outcome of all for AOL would be to
    discover that they have a bunch of amnesiac shopaholic users."

    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Thu Feb 28 2002 - 02:05:21 PST