[IWAR] INTERNET AOL under attack by hackers

From: 7Pillars Partners (partnersat_private)
Date: Thu Jan 29 1998 - 12:24:51 PST

  • Next message: 7Pillars Partners: "[IWAR] OPEN SOURCE articles of interest"

    Thursday January 29 12:45 PM EST 
       
    America Online under attack from hackers
    
       By Michael Stutz
       
       SAN FRANCISCO (Wired) - America Online, the world's largest Internet
       service provider and home of a behemoth, proprietary system for unique
       content and services, has been -- surprise -- under constant deluge from
       hackers bent on finding ways to exploit the system and steal user
       information.
       
       The first records of AOL hacks go back to March 1995, when it was
       discovered that staff-only areas could be accessed just by knowing the
       secret links to them.
       
       That was only the beginning, as stories on the defacing of AOL content
       areas, password crackers, and other miscreants causing mayhem on the
       system became an AOL staple. David Cassell, mastermind behind the AOL
       Watch (http://www.aolwatch.org), confirmed 28 such hacks in the past few
       years, most recently with AOL's NetNoir area aimed at African Americans
       who use the Web -- where content was vandalized by crackers late last
       month for the second time.
       
       "We are concerned about security breaches, so we have taken extra
       measures in terms of password security and updated procedures," said
       NetNoir co-founder Malcolm Casselle.
       
       The majority of these security problems, said Tatiana Gau, the company's
       security czar, are caused by end users having their password compromised
       - usually because they were duped by a malicious user.
       
       "With the partners, we've been engaging in education, communicating with
       our partners through account executives and other things, just reminding
       them of the need to protect their passwords," Gau said. "In addition to
       that, there are also safety tips that are offered to them; different
       guidelines as to safe practices."
       
       Part of the plague are "phishers," hackers who use programs or social
       engineering techniques to get member's password and account information.
       
       In its simplest form, phishers use AOL's Instant Messenger feature --
       which allows messages to be sent from the Web or from AOL to the screen
       of a currently online AOL user -- to trick users by posing as an AOL
       employee.
       
       While Gau said that incidents involving socially engineered password
       grabs have been reduced now that the feature contains a warning stating
       that AOL employees will never ask a user for this kind of information,
       this technique still works for some.
       
       "It is very easy for anyone on AOL to obtain a program that 'phishes'
       for member's account information," said Dr. Beetlejuice, an individual
       who has written about AOL security issues for e-pubs like Inside AOL,
       but claimed he isn't an AOL hacker himself.
       
       "It's not hard to phish, and being as how some members forget that the
       'AOL will never ask you for your password' warning is there right on the
       screen, it makes it very easy for the phishers to obtain any members'
       passwords."
       
       And it doesn't help that so many passwords are easy to guess. R. M.
       Stratus, a one-time remote AOL operator for some of its content areas,
       said that the recent NetNoir hack was easy to accomplish - the password
       to the area was allegedly the same as its keyword.
       
       "That's actually pretty frequent," he said.
       
       Depending on the account type that is hacked, hackers may be able to
       vandalize areas, as in the case of Overhead accounts -- which are
       legitimately used for those who publish content on the system, said Dave
       Huddle, a software consultant who has worked extensively with AOL's
       publishing mechanisms.
       
       "It's basically a free account -- you are not charged and have unlimited
       use," he said.
       
       Internal accounts -- the crown jewel -- are for AOL employees, said
       Huddle. While these accounts do many of the same things as Overhead
       accounts, with some Internal accounts, you can also access restricted
       and internal AOL company areas -- such as, in some cases, its intranet
       -- as well as kick people off the service. Getting one of these accounts
       is the stuff of AOL cracker dreams.
       
       "With AOL's internal network, people toss around each other's passwords
       like they're balls," said Stratus. "So if you get one Internal, you read
       the mailbox and you have a ton of passwords. They trust each other - and
       they have every right to - but not when some else gets on their
       account."
       
       Internal also allows access to CRIS, AOL's member database search
       engine. "You can search for members by credit card number, phone number,
       name and address," said Stratus.
       
       ---
       
       But the most often mentioned term in the jargon of AOL cracker culture
       these days is RAINMAN -- the Remote Automated Information Manager --
       which is the name for both the computer language and the publishing
       mechanism that allows remote change of content areas.
       
       It even gives the power to change the boxes, backgrounds, and usually
       the icons on the AOL screens.
       
       Its use requires a RAINMAN-flagged account, but this does not
       necessitate that it be an Overhead account. A 74-K zipped file
       containing the RAINMAN command set, a FAQ and tutorial, is widely
       circulated among AOL crackers.
       
       "RAINMAN is the heart and soul of the world's largest online service,"
       said Huddle. "AOL's RAINMAN is an arcane publishing mechanism, to say
       the least. Anyone you would speak to would tell you that, upfront."
       
       "As far as security holes go," said Stratus, "the RAINMAN tools are
       pretty porous."
       
       With a system as large as AOL's network, devious crackers are not likely
       to run out of exploits - and most of them, being high-schoolers, have
       plenty of time on their hands.
       
       "A lot of the old AOL hackers have settled down - it comes to a point
       when the fun's over," Stratus confided. "When I turn 18, I'm probably
       going to go into software development."
       
       (Reuters/Wired)
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:03:34 PDT