Thursday January 29 12:45 PM EST

America Online under attack from hackers

By Michael Stutz

SAN FRANCISCO (Wired) - America Online, the world's largest Internet service provider and home of a behemoth, proprietary system for unique content and services, has been -- surprise -- under constant deluge from hackers bent on finding ways to exploit the system and steal user information.

The first records of AOL hacks go back to March 1995, when it was discovered that staff-only areas could be accessed just by knowing the secret links to them. That was only the beginning, as stories on the defacing of AOL content areas, password crackers, and other miscreants causing mayhem on the system became an AOL staple.

David Cassell, mastermind behind the AOL Watch (http://www.aolwatch.org), confirmed 28 such hacks in the past few years, most recently with AOL's NetNoir area aimed at African Americans who use the Web -- where content was vandalized by crackers late last month for the second time.

"We are concerned about security breaches, so we have taken extra measures in terms of password security and updated procedures," said NetNoir co-founder Malcolm Casselle.

The majority of these security problems, said Tatiana Gau, the company's security czar, are caused by end users having their password compromised - usually because they were duped by a malicious user.

"With the partners, we've been engaging in education, communicating with our partners through account executives and other things, just reminding them of the need to protect their passwords," Gau said. "In addition to that, there are also safety tips that are offered to them; different guidelines as to safe practices."

Part of the plague are "phishers," hackers who use programs or social engineering techniques to get members' password and account information.

In its simplest form, phishers use AOL's Instant Messenger feature -- which allows messages to be sent from the Web or from AOL to the screen of a currently online AOL user -- to trick users by posing as an AOL employee.

While Gau said that incidents involving socially engineered password grabs have been reduced now that the feature contains a warning stating that AOL employees will never ask a user for this kind of information, this technique still works for some.

"It is very easy for anyone on AOL to obtain a program that 'phishes' for members' account information," said Dr. Beetlejuice, an individual who has written about AOL security issues for e-pubs like Inside AOL, but claimed he isn't an AOL hacker himself.

"It's not hard to phish, and being as how some members forget that the 'AOL will never ask you for your password' warning is there right on the screen, it makes it very easy for the phishers to obtain any members' passwords."

And it doesn't help that so many passwords are easy to guess. R. M. Stratus, a one-time remote AOL operator for some of its content areas, said that the recent NetNoir hack was easy to accomplish - the password to the area was allegedly the same as its keyword.

"That's actually pretty frequent," he said.

Depending on the account type that is hacked, hackers may be able to vandalize areas, as in the case of Overhead accounts -- which are legitimately used for those who publish content on the system, said Dave Huddle, a software consultant who has worked extensively with AOL's publishing mechanisms.

"It's basically a free account -- you are not charged and have unlimited use," he said.

Internal accounts -- the crown jewel -- are for AOL employees, said Huddle. While these accounts do many of the same things as Overhead accounts, with some Internal accounts, you can also access restricted and internal AOL company areas -- such as, in some cases, its intranet -- as well as kick people off the service.

Getting one of these accounts is the stuff of AOL cracker dreams.

"With AOL's internal network, people toss around each other's passwords like they're balls," said Stratus. "So if you get one Internal, you read the mailbox and you have a ton of passwords. They trust each other - and they have every right to - but not when someone else gets on their account."

Internal also allows access to CRIS, AOL's member database search engine.

"You can search for members by credit card number, phone number, name and address," said Stratus.

---

But the most often mentioned term in the jargon of AOL cracker culture these days is RAINMAN -- the Remote Automated Information Manager -- which is the name for both the computer language and the publishing mechanism that allows remote change of content areas. It even gives the power to change the boxes, backgrounds, and usually the icons on the AOL screens.

Its use requires a RAINMAN-flagged account, but this does not necessitate that it be an Overhead account. A 74-K zipped file containing the RAINMAN command set, a FAQ and tutorial, is widely circulated among AOL crackers.

"RAINMAN is the heart and soul of the world's largest online service," said Huddle. "AOL's RAINMAN is an arcane publishing mechanism, to say the least. Anyone you would speak to would tell you that, upfront."

"As far as security holes go," said Stratus, "the RAINMAN tools are pretty porous."

With a system as large as AOL's network, devious crackers are not likely to run out of exploits - and most of them, being high-schoolers, have plenty of time on their hands.

"A lot of the old AOL hackers have settled down - it comes to a point when the fun's over," Stratus confided. "When I turn 18, I'm probably going to go into software development."

(Reuters/Wired)