[IWAR] INTERNET AOL insecurity

From: 7Pillars Partners (partnersat_private)
Date: Fri Feb 06 1998 - 09:53:50 PST


    I hesitate to even lump AOL into the net. --MW
    AOL's insecurity complex 
     BY DAVID CASSEL | You've probably heard about the
     "other" Timothy McVeigh -- the sailor who found
     himself the target of Navy discharge proceedings for
     violating its "don't ask, don't tell" policy, after America
     Online divulged the real-life name behind his online
     At this point, only a district judge has prevented the
     Navy from completing the discharge. After a firestorm
     of press coverage, AOL CEO Steve Case issued a
     special "Community Update" to try to mollify anger.
     "We have always recognized that privacy was an
     absolutely central building block for this medium," Case
     argued, "so from day one we've taken steps to build a
     secure environment that our members can trust." 
     But Case's words rang hollow. The McVeigh affair
     wasn't an isolated incident. In the ensuing coverage,
     other subscribers also came forward with stories about
     AOL's loose lips. And only days after that controversy
     arose came the latest in a long sequence of disturbing
     AOL security breaches, undermining AOL's claim that it
     provides a "secure environment." 
     Around midnight Jan. 26, I received a mysterious e-mail
     message: "Before you miss the whole thing, you should
     really try and check out keyword: TA." 
     Since I edit a mailing list about AOL, I sometimes
     receive tips about hacked content. So I dutifully visited
     AOL's "Traveler's Advantage" area, which normally
     promotes innocuous travel-related services. ("Win a
     romantic Getaway for Two OR $5,000 CASH!") 
     It was different that Monday. As with many previous
     acts of high-tech vandalism, the title of the window had
     been changed in the middle of the night. Instead of
     "Welcome to AOL Travelers Advantage!" the page
     read, "Lithium Node was here." (This wasn't the first
     time AOL had heard from "Lithium Node": Last June,
     the same group converted AOL's "Academic Assistance
     Center" into a kind of hacker resource center, complete
     with manifesto.) 
     But this attack offered a new twist: Below the substitute
     title lay a menu linked to dozens of AOL staff bulletin
     boards. Following the links led to private boards
     reserved for conversations among AOL's online staff --
     including staffers of "The Rosie O'Donnell Show" and
     AOL's own army of volunteers. Ironically, one area
     included an essay on the word "confidentiality," saying
     users should observe confidentiality policies, and "we
     should take pride in our ability to do so, and set an
     example for other staffs." 
     Though the material was apparently meant to be
     off-limits to the public, it wasn't. A week later, one of
     the boards sported an announcement outlining a pending
     policy change. Staffers were told that "Beginning
     February 4, 1998, Keyword TCB will be viewruled." In
     other words, AOL was going to restrict access to "The
     Community Building," a gathering place for AOL's
     online staff. This tactic was "becoming increasingly
     important," the memo stated, to assure that an area "is
     limited to its intended audience, and not available for
     viewing by others." 
     The bulletin boards linked from the giant index that had
     appeared the week before were soon to be roped off.
     But the obvious question -- why this no-brainer
     protection wasn't already in place -- went unaddressed.
     The announcement stated hopes that the board "remains
     a safe and secure area." 
     I can't say I was surprised by any of this; AOL has a
     long history of security and privacy problems. In 1995
     hackers accessed the e-mail of CEO Case and other
     executives. One message -- describing AOL's meeting
     with the FBI to crack down on hackers -- was even
     posted to Usenet newsgroups. The hacks continued
     over the years, and grew more sophisticated. Last April
     my mailing list uncovered a trick that allowed access to
     any subscriber's credit card number if they'd revealed
     their password. AOL had stated this wasn't possible. 
     While there's no information on how many subscribers
     were affected, an omnipresent population of ill-wishers
     compounds any AOL security breach. In September
     1996 the Washington Post reported that AOL canceled
     370,000 accounts in one three-month period for "credit
     card fraud, hacking, etc." I once counted over 300
     troublemakers massing in chat rooms for an en masse
     demonstration of dissatisfaction.
    What's making users uneasy is the realization that
     hackers aren't the only threat to privacy. Last August a
     parody of AOL's CEO appeared in Mad magazine,
     addressing concerns about high-tech burglar Kevin
     Mitnick: "My subscribers' card numbers are accessible
     to someone far more dangerous than him!" Case's
     parody doppelgänger commented. "ME!!" 
     In a scramble for profits, AOL itself has resorted to
     varying degrees of invasiveness. In July, for instance,
     AOL faced controversy over plans to sell subscribers'
     home phone numbers to telemarketers. AOL's
     compromise solution wasn't as well publicized: Users
     will still receive unsolicited calls, but only from AOL's
     own stable of telemarketers. In addition, when
     customers now phone for technical support, staffers try
     to transfer them to outside telemarketing firms at the
     end of the call. 
     AOL has faced questions about its privacy policies since
     1994, when Rep. Ed Markey, D-Mass., expressed
     concerns about AOL's plan to sell information about
     customers to marketers. Three years later, privacy
     advocates at the Electronic Privacy Information Center
     remain concerned. AOL recently acknowledged that its
     current marketing plan includes gathering aggregate
     information about customers' movement through the
     service, and then using the information to sell more
     targeted advertisements. The existence of such a
     database troubles privacy advocates, whether or not the
     information is attached to a user's identity. And since a
     recent industry report calculates that nearly 60 percent
     of the time Americans spend online is spent on AOL,
     the company is in a unique position to compile records
     on how that time is spent. 
     In the McVeigh incident, AOL originally stated it was
     confident that its policies had been followed. Later,
     Case's "Community Update" conceded that "this should
     not have happened, and we deeply regret it." He closed
     by telling members that "AOL's commitment to
     protecting the privacy of our members is stronger than
     ever." Ironically, Case's apology appeared above an icon
     reading "Click Here to Keep Your Resolutions." It often
     seems that AOL is more interested in appearing to honor
     privacy and security than in actually providing it. 
     In the last 10 months, at least 28 areas of AOL have
     been altered by hackers. Most fell to human error --
     someone with "publishing rights" divulged their
     password. But AOL's performance in the face of these
     problems hasn't inspired confidence. Content partners
     say a memo distributed in October acknowledged that
     one of AOL's own employees had lost control of a
     privileged account. Seven areas were modified that
     night, including Reebok, AOL's Jewish Community
     Area and even Case's Community Update. (Its second
     page was retitled "Hey there, Sexy.") 
     The attacks are getting more sophisticated. After
     vandals left a manifesto criticizing AOL's NetNoir area,
     its producer dispensed a carefully crafted response to
     reporters. But the graffiti artists got a second chance --
     weeks later they returned on another purloined account
     and posted a rebuttal. 
     AOL has a ways to go before it regains my trust. By the
     morning after I received that mysterious e-mail message,
     keyword "TA" had been restored to its original travel
     pitches. But for nine days afterward, most of the staff
     areas remained accessible to anyone who'd added them
     to their bookmark file. 
     Case needs to work a little harder on his resolutions.
     SALON | Feb. 6, 1998 
     David Cassel edits the AOL List. He has also written for the Wall
     Street Journal Interactive Edition, MSNBC and Wired News.
