AOL's Merlin Compromised?
Neophytus writes "The Inquirer reports that AOL's central customer database, Merlin, may have been compromised by crackers. This, even though it required 'a user ID, two passwords, and a specialized ID code' to gain access to. That's 35 million users' names, addresses, emails and credit card details - a goldmine for spammers and fraudsters alike. As they put it, 'AOL can now add another accomplishment to its list: Biggest security disaster in ISP history.' The Register is also running a story explaining why this is not particularly likly, though."
Here's the original Wired story.
You've got problems!
Gandalf wouldn't have gotten whooped so easily. Time to upgrade.
I've never heard of this Inquirer group before. Who are they? I take it from the penguin they are not the same as the National Enquirer, you know, the one that reported angels were seen from the window of the space station. Are they reputable?
The Inquirer's status does not throw the story into question, as it is being reported by other sources as well, but I am curious.
aol still sucks...
and this will raise the price of usage again, I'm sure...
"an eye for an eye only makes the whole world blind"
Wow, that's insane... I just closed Merlin to go on break (free pizza weekend)... and this popped up on Slashdot. Insane!
"Comedy's a dead art form. Now tragedy, that's funny."
Guinevere compromised. Faulty key mechanism in chastitybelt.dll blamed.
I must admit... it's a pretty clever little piece of social engineering... however, the rest of the claims seemed rather... implausible.
From the Wired article:
The hack involves tricking an AOL employee into accepting a file using Instant Messenger or uploading a Trojan horse to an AOL file library.
Sounds like AOL needs to read Mitnick's book - The Art of Deception.
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
And they're giving away free pizza? Why not just give away free Mercedes, too.
35 million users' names
They have ~35 million users, and yet can't make a profit?
Let's see... ~35,000,000 * $22.99 = ~$804,650,000
They get that much money each month, and still posted a loss how?
Work sucked, until it became unemployment, when it became slightly more tolerable. -Tet
The SecurID makes it unlikely that anyone was able to hack it, at least without physically stealing one of AOL's SecurID cards and the PIN for that card.
For others that don't know how they work, the code changes every 60 seconds (and is different on every card made), and the old code is no longer good when the code changes. It makes it really hard to bypass without having an actual SecurID card that is valid for the system that is being broken into, and the proper username and PIN for that card.
Maybe these crackers were simply looking for D&D data files.
We have 'private' networks. Hackers etc. can't get into a network that isn't connected to the outside world. Yes, it's a little simplistic, but if you're going to have sensitive information used by internal processes (i.e. billing), then why do these servers need to have any kind of exposure at all? Keep the web servers in the DMZ, everything else out.
And as always the really weak link is the human one...
:-)
But then again getting the password of a single user reset may be a big thing for that user, but in the overall scheme of things, it's not much.
As for Merlin; well, just downloading the 35mil credit card numbers could take a while.
TC - My Photos..
Nobody "DESERVES" to be defrauded when doing business with a legitimate company. That 70-year-old couple who just gets on long enough to send email to their grandchildren, who got AOL simply because they got the installation CD in the mail, they deserve a few hundred dollars of fraudulent charges?
AOL markets almost exclusively to the technophobes who either don't know or don't care enough about computing to spend significant time shopping for an ISP. To them, the computer is an appliance; AOL is effective at distributing their product for that appliance.
Get off it. AOL sucks for us Slashdot people because it's not a product designed for us. Until MSN or Earthlink or the myriad of other "simple/easy" ISPs start unloading millions of CDs on an ignorant population, it will continue to be the dominant choice.
While many of these hacks utilize programming bugs, most hackers are finding it far easier and quicker to get access or information simply by calling the company on the phone. These so-called social engineering tactics involve calling AOL customer support centers and simply asking to have a given user's password reset. Logging in with the new password gives the intruder full access to the account. In a telephone interview, two hackers using the handles Dan and Cam0 explained that security measures (such as verifying the last four digits of a credit card number) can be bypassed by mumbling. A third hacker, using the name hakrobatik, confirmed the mumbling method.
This article is more about social engineering than about the AOL break-in. This is odd; if this were true, I would expect a much different type of article to be on the leading edge of breaking news like this. I don't know if this is true or not, but the Wired article does not really have a whole lot of meat to it.
-Pete
Soccer Goal Plans
It's a given that at some point, given the potentially *massive* financial benefits inherent in compromising CC databases, that CCs must go away. They're totally inappropriate for today's society.
The only question is how much money CC providers and companies are going to lose before moving to smartcards that authorize payments on a per-transaction basis.
May we never see th
When a customer's account has been compromised:
(AOL voice) "Hackers got your mail"
using System.Awesome;
Merlin is AOL's internal tool for keeping track of customer records. It only operates from the AOL LAN. However, this is defeated with a simple TCP/IP redirector. The security code is a SecurID code. It changes every 60 seconds, but it's pretty useless if you social engineer someone into giving you the code. Same deal with passwords. The real hole here isn't any technical measures, but the complete fucking stupidity of AOL employees.
Oh yeah, this has been going on repeatedly since at least 2000. However it gets media attention very infrequently, but the problem was always there, and always exploited.
If this is true. Well--that's bad. If it isn't then that's even worse. I read the register piece before I followed the link to wired. I know nothing about the possible security measures and exploits that could have been involved in this. And that is exactly the point. From what I read all information that wired really had, was the claims of some self-declared hackers and the statement of some security expert.
If that is enough to get an article like that one published--then why bother to actually try to hack/social engineer/whatever into the AOL database. Just claim something and watch the bad press hit AOL. I never used any of their products (well apart from iChat that kinda ties into their IM-network), but they are in enough trouble as it is. In this case there is such a thing as bad publicity. I am appalled by an article that consists of a whole lot of nothing and ends with "You see all those commercials saying AOL 8.0 is so secure," said Dan. "If people knew how insecure their data was they probably wouldn't use it."
Hank! White!
This doesn't surprise me at all. For years I have not been surprised at all the many ways AOL (and even AOL Canada yet) have been screwing up. Everything from AIM security flaws to the ill-fated AOL/Time Warner deal, all the horror stories you hear about AOL over the years regarding accounts, etc., and now this.
:)
I think "Merlin" better get some more potent magic potion at MagicMart.
You must master your joystick like a fisherman masters bait! - Gimpy
I'll finally have a complete killfile for usenet!
These boys need to get laid.
If AOL would subsidize this, they would see their security problems disappear overnight.
also - I think Dick Tracy foreshadowed the cracking method used by these kids years ago with its "Mumbles" character.
So by using that as an indicator, we should next look for people wearing bright colors and having odd facial features to be part of the next crack.
There are some odd things afoot now, in the Villa Straylight.
In the sanctimonious screed posing as reporting over at The Inquirer we find these completely unsubstantiated assertions:
...customers will vanish if they feel AOL can't protect their data...
...You won't find many AOL members running firewall software...
Nah. Most will stay because the cost and hassle of leaving AOL outweigh the risk they perceive from this alleged breach.
No, and people who use computers ought not to have to fuss about with building their own firewalls in order to have a modicum of security. Firewalls and other security-related code ought to be buried deep inside any consumer OS marketed for use on the Internet, and their configuration ought to be done at a level of abstraction that requires no technical knowledge.
-- Slashdot: When Public Access TV Says "No"
I wasn't using AOL myself... (Flame retardant defence: Not of my own free will)
I mod down anyone who says "I will be modded down for this", regardless of the rest of their comment
This was posted 4 DAYS ago on Wired. This is OLD news!
frankly, i don't think vetoing the treaty will help much. politics is far too slow, they won't be in time.
he should just violate whatever terms the treaty stipulated and attack unilaterally. if they survive, he'll be a hero, if they die, nobody will take him to court.
with the majority of the population killed off, the "treaty" (with whom? or is it a bill?) probably doesn't matter much. congress isn't around anymore. more than likely communications will have broken down, and each troop division would probably be acting independently to stop the invasion/attack/whatever.
your story sucks.
Some of you may recall this interview from a while back - I used to be an AOL nerd back in the day and I know a few of the kids mentioned in the articles (and I think cam0 is 15 now?) - anyway.. from what I can recall a lot of the 'hackers' (script kiddies, whatever) would simply use extreme social engineering tactics, as these articles explain, to get whatever they wanted. As the amount of actual bugs in the systems would dry up (your basic token bugs, invokes, problems with the systems themselves) a lot of the 'hackers' would have to figure out other ways to get in.
Getting past sID - this is not that big of a deal; while it's not that easy to do, as long as you con the right person and you get lucky with the timing you're all set. Once you have complete access to their internal system you will have no problems getting them to toss you their current number..
The only non-realistic part of the articles I read was regarding how many attackers utilize programming bugs - there are far fewer now than there used to be..
mix_master_mike
vafrous
how cute- the script kiddies are angry at each other while some steal all the glory.. awwww
mix_master_mike
vafrous
Neither the Inquirer article nor the Wired article shows any evidence that an actual break-in occurred. Of course an occasional account may have been compromised... big hairy deal. But nobody provided any proof that even a noticeable percentage of the 35 million (active or inactive, whatever) accounts has been touched.
The Wired article quotes sounded like a bunch of script kiddies, probably with their own AOL accounts, were making things up to sound important. (What? Online sources telling lies to seem cool? No way!) No evidence was provided in either article, and given the obvious safeguards (of which SecurID is a good one) it sounded like so much bull.
This all sounds like a standard "AOL sux!!!" kind of posting, elevated to seeming respectability by badly-researched articles in the almost-mainstream media.
So the question is, if it is an insider, do they have the sophistication to detect where it came from and prosecute the guilty parties to the full extent of the law?
I have mod points and I am not afraid to use them
alright we all had our fun back in the day messing with the weak minds of the AOL employees - is this all really that much fun anymore? go read some book on the TCP/IP stack and learn something
You got to teach employees to check the screen more carefully when it says "You've got MAL!"
disclaimer: I worked at AOL for 5 years... i'm pretty familiar with the system under discussion.
One thing that hasn't been mentioned is that the SecurID system also requires a PIN to log in, and employees are strongly trained not to give that to anyone.
Also, Merlin requires a special client, that would be a bit hard for someone using a man-in-the-middle attack to enter information into and/or see the results of.
As for the social-engineering aspect, people have been doing that all over the world, for centuries. Only a few of them are called hackers. The rest are called journalists.
Please note that all the sources in the article are "hackers." Yet Wired reports it as _fact_ when they have no official confirmation or hard evidence. I guess a publication like Wired doesn't have very strict journalistic standards about news, but still... this is an instance where you use words like "alleged" and "claim."
Karma: T-rexcellent.
I agree that it sounds implausible. I'd think first, as The Register states, that getting the hardware-generated key would not be possible by the means outlined and second, that AOL would have a firewall on their internal network capable of blocking most trojans. Also, you'd think that AOL would monitor port use by programs so as to know if someone was having a little too much fun online.
I do security
no, cam0 just needs to put on his party dress. Do you want to know why people hack AOL? Simple. You can sell AOL Instant Messenger names on eBay. Who wouldn't pay $30 to have the name 'Chris' or 'Mark'? Another reason is spamming. You can get thousands of AOL accounts by sending in a simple form such as this. To replicate webmail.aol.com Fool me not. That little website will get you 1000+ screen names and passwords in under an hour if you send it to about 10 thousand people. That's how dumb AOLers are. Need credit cards? You can trade them on IRC for just about anything. Not only that, you can wire the money through Western Union, PayPal or eBay's system. Full information credit cards are valuable. Any AOLer will fall for it. Get anything down from Social Security #, maiden name, and the 3 digit number on the back and you can do whatever you want. And like he said in the article, it's not like AOL prosecutes anybody. Most of us have been doing this since 91. It's nothing new.
You, sir, are a scholar and a gentleman, and I salute you.
"AOL's central customer database, Merlin, may have been compromised"
What a stupid comment. In other news...
"Aliens MAY have invaded Italy..."
"Saddam Hussein MAY have a gay lover..."
"I MAY have sex with Liv Tyler tonight..."
"You cannot find out which view is the right one by science in the ordinary sense." - C.S. Lewis on Intelligent Design
Here, I copied this HTML for a friend a few days ago. Merlin @ opsec
Sure I'm losing money on every customer, but I'm making it up on volume.
As I understand it that's the actual business plan of Amazon.
KFG
Hi,
You all wanted proof that the hack was done. We're carrying that proof on Observers.net. Check out the first story and that will give you all the proof you need that the hack was done.
The other news places (The Register, The Inquirer, and Wired) were not able to provide the proof that we have.
Jacob
Observers.net
A reminder about security in general. No matter how many precautions you take, there's always a chance that somebody is going to get into a system. By taking advantage of human weaknesses or lapses in judgement, for instance.
:)
So it's always prudent to diversify and isolate systems to minimize disaster upon intrusion into one system. And always invest in a good damage control plan.
# This is an important part of every .procmailrc
# file
:0:
* ^From.*aol\.com
/dev/null
Do you really see no possible way around this?
I'll leave it as an exercise.
How small a thought it takes to fill a whole life
See Food Lion vs. ABC
KFG
Let's say I am a salesman, and I want to give you X amount of product in return for your money, or a dinner date with you, or to take you golfing, etc. Then I give you the information you requested, and you turn around and kill my fellow customers or steal from them- that is a crime.
If you crack my system and steal credit cards and the like, that's illegal too, but now you are talking about two different crimes.
I suggest you read Slashdot
I saw a communications company do something similar. They were in the middle of merger talks and part of the merger agreement was that the company needed to have at least 800,000 subscribers for it to be worth the investors effort. It was close but to make sure that it was there a special "cancellation group" was created.
For a period of about 30 days people calling to close their accounts were transferred to cancellation specialists who then zeroed out the billing for the account to be cancelled out in 30 days (after the merger). The only problem was - no one kept track of these accounts, and because of the nature of the reporting tools it was almost impossible to report zero-pay customers. Add to that the fact that local salesmen had been adding zero-pay accounts for years (customer satisfaction, friends, family, etc.).
There were huge problems resulting from this behavior. First and foremost was the fact that we paid Skytel 400,000 per month on equipment that we had no idea where it was or who was using it. Add to that the fact that the AR department only checked certain bills on certain months. For example Skytel might bill us in January and we'd pay sight unseen, then February we do the same, then March someone actually looks over the bill. Not really an audit, someone just reads the bill.
My department and managers just above me attempted to correct these problems but got no buy in from the corporate types (CEO,CFO etc.). Eventually they lost all of their good employees shortly after getting bought out. Later the company that purchased them ran into financial problems (who would've thought), went bankrupt, and sold most assets to another communications company.
Credit Cards in their current incarnation should have gone away in the seventies.
Where I live, almost nobody has credit cards like this anyway. All outlets are online (even cabs and other mobile stuff) and the amount is charged directly to your account.
The only use you have for something like Visa or Mastercard is if you are going to order something in the mail, or from abroad. When you order something to your door, the courier comes with an online terminal.
Oh, and using the credit part of the cards, like using money you don't have, is reserved for trailer trash or yuppies. All stores have better credit offerings than Visa and Mastercard anyway.
How small a thought it takes to fill a whole life
Good evening, AOL Tech Support. How may I help you?
mumbling screen name is Fogey
Can you confirm your first and last name please.
mumbling and more mumbling.
Sorry Sir, we have nobody by the name of Mumbling Mumbles. Call back when you have a few new tricks you skr1p7 k1dd13!
I work for a _large_ games and betting company, somewhere in Europe. Apart from having firewalls in front of and behind the Internet servers, we also have firewalls that separate the employees' network from the databases. I.e. we have three layers of security, and the only way to get through to the databases (where we have even more protection, just like AOL) would be to get access to an internet server and then try to get through three layers of passwords just to be able to _read specific_ user accounts.
More or less impossible. And I can't imagine that AOL (stupid as their users may be) doesn't have something like this as well... WHY ON EARTH would the internal network go straight to their extremely valuable databases?
Most companies keep "mock up" systems for development, the actual production systems aren't accessible to anyone, basically...
Civilization is the process of setting man free from men.
Here's how to hack any AOL account, for educational purposes only.
Ha! I found the fatal flaw in Merlin... It's not Y2K compliant! Look at the parent's GIF: CC EXP. DATE: 1004 ;)
The Register is also running a story explaining why this is not particularly likly, though
Of course not, it's not Microsoft.
I work at AOL also, no major "attacks" and this article is typical small media "Gloom and Doom."
AOL really needs to be ported to Linux. Then all y'all can see how easy and fun it is to use the Internet.
- Security problems at Micro$oft...what else is new?
- Security problems at AOL...what the...?
What's going on these days? Aren't the morons that work at these high-profile corporations better educated in social engineering avoidance techniques and the old-fashioned trojan horse? Sheesh! (Apologies to the people who work for M$ and AOL who post on
$DEITY bless $NATION
Shouldn't that be "Welcome, we've got problems."?
Let's see... AOL has a reported security breach in the news... those are a dime a dozen thanks to Microsoft (and them not using MySQL) so everyone will forget about that in a week. In the meantime, somebody has your email and name at least. I think you've got the bigger problems.
"Linux is for geeks, beos is for nobody, Mac OS is for actors, XP is for people" - Anonymous Coward
FBI agents recovering evidence from the 15 year old cracker's "apartment" in his parents' basement found a copy of The Art of Deception by Kevin Mitnick, who was promptly returned to solitary confinement while authorities make up a reason for his arrest.
I wonder if AOL or Wired received any communication like so...
To AOLz, | h4v3 0wn3d y0u. uR 53cUr17y 5y573ms 4r3 5h17! 1 0wNz0r 73h w0r1dz.
1337pHr34K |30y Yep sounds like a good source for a Wired story...
-------
"In times of universal deceit, telling the truth becomes a revolutionary act."
-- George Orwell
One thing that hasn't been mentioned is that the SecurID system also requires a PIN to log in, and employees are strongly trained not to give that to anyone.
The SID system requires that you enter a 6 digit code that changes every 60 seconds. Employees might be trained, but when you pay peanuts, you get monkeys. They give out their SIDs and passwords for the dumbest scams.
Also, Merlin requires a special client, that would be a bit hard for someone using a man-in-the-middle attack to enter information into and/or see the results of.
Yes, Merlin does require a special client. However, this client was leaked long ago. Check out http://www.fdo-files.com. Also, Merlin would not be absolutely required. The CRIS system, which was used prior to Merlin, is still active, and does not require a special client.
However, to use CRIS and Merlin, you need to be on the AOL intranet. Once again, as the article mentions, employees more than willingly download TCP redirector trojans with the proper excuse.
As for the social-engineering aspect, people have been doing that all over the world, for centuries. Only a few of them are called hackers. The rest are called journalists.
Agreed.
Kevin's only been online ONE FRIGGING MONTH. Jeez man, lay off already. We know yer good.
Blearf. Blearf, I say.
Historically, only a few database applications have been flawless. I don't know how old Merlin is, but according to your comment it's older than 5 years. That's extremely old in the world of computing, and the protocol couldn't have changed much, I guess.
I'm glad this story is getting picked up in so many places, but I do want to clarify a few things for those who either don't believe this attack is possible, who think I simply wrote it based on a few script kiddies' comments, or who simply don't understand how journalism works.
Yes, I was given substantial proof of the attacks. But my job as a journalist is not necessarily to PROVE that anything happened (that is what lawyers do) -- you'll note perhaps that Woodward & Bernstein's takedown of Nixon was initially based entirely on one man's tip in a Beltway parking garage. It all has to start somewhere.
So I merely collect evidence and present what I have. It was completely credible in this case. In fact, I called AOL five times to get their side of the story. They refused to call me back. But YES, the proof does exist. In fact, observers.net posted some of it here. You can dig around to find their full story on the subject, which goes into greater depth than I had the luxury for at Wired -- which is a general tech news site, not a how-to site for hackers and wannabes. In any event, you will notice that AOL has not refuted the claims in any forum. I honestly have no doubt about the authenticity of these claims after seeing the information provided to me. It's now AOL's turn to either come clean about the attacks or say they didn't happen. Since AOL is afraid of negative publicity, they are trying to keep things quiet. This is not apparently working...
Originally I had hoped to interview the unnamed 14-year-old hacker for my story (which was intended to be mostly about the Merlin break-in) but he balked out of fear of prosecution (he was later interviewed for Observers.net and privately apologized to me for not doing the interview). Hence I focused on the myriad other recent hacks (Japan Webmail, the mumble method, screen name thefts) that AOL has been hit with as well.
Regarding the breaking of SecurID -- if a hacker can call up a rep on the phone and get him to reveal his name and password, it seems pretty plausible that you could get the SecurID code as well. Disgruntled insiders also provide this information readily to their pals on the outside. Of course that's all in the story...
Anyway, if any AOL users are convinced their data is secure I'll be happy to pass along your screen name to the people in question...
Cheers.
filmcritic.com - Movie reviews on Internet time
A user id/Specialised ID code/Lame couple of passwords?!!?!
"you'll note perhaps that Woodward & Bernstein's takedown of Nixon was initially based entirely on one man's tip in a Beltway parking garage. "
INCORRECT. They used Deep Throat as confirmation of others' information.
You'd be surprised at how much a kid can get away with. It's gotten less since the golden days of the 80's/early 90's when I was pulling shit like this (at least I hope it's less), but it's still surprising what a child can pry out of an adult.
Even assuming they did not actually get a SecurID algorithm/PIN and a start point (or card/PIN), remember SecurID primarily protects against brute force attacks (and does this insanely well).
Custom software means about nothing. If you're running any system and have read access to that custom program it can be reverse engineered. Screen cap/PC Anywhere-esque backdoors also usurp this. Run a Windows system and there are enough escalation of privileges bugs in SOMETHING that's enabled (or that some security tech forgot to disable) that all you really need to do is pop a trojan on them and chances are you can run stuff at a higher level than they are.
3DES encryption can be decrypted in real time; chances are it's not a plain text connection, but chances are as well that it's not using modern encryption either (it's impregnable, remember?).
Lots of possibilities on how the system COULD be cracked... I still doubt it was, though. Anyway, just remember that any piece of security is only as strong as its weakest point, and I guarantee you that with the wealth of stupidity in this world, the weakest point is AOL's employees.
Cause these weren't taken by an AOL employee
He said initially. Geez people, get some basic reading comprehension.
Ummm, that was Cowboy Neal who posted that, not the buck toothed beard.
According to the last AOL support rep I talked to on the phone, AOL has never had an exploit resulting in compromising member information. Incidentally, I was calling to report an open exploit that resulted in my information being compromised. They told me it was impossible. I explained to them, in detail, how the exploit worked. Nope, apparently it was still impossible. So I asked to be put through to operations security (opssec). I was told it didn't exist. I even pointed out a page on their website that mentioned it. Nope, doesn't exist. Quite fed up with this robotic imbecile, I asked to speak to a supervisor. The supervisor (this is in the fraud department, by the way) explained that they were trained to deny that AOL had any flaws. Interesting. After realizing the supervisor also had no idea what they were talking about, I requested to be put through to opssec. Well, the supervisor at least acknowledged its existence, but refused to put me through, despite the fact that I had very important network security information. In so many words, I was told they didn't care that my information was compromised.
Soon after this, I cancelled my account. Not only did they charge me for 2 more months, but they charged me the dialup rate (I was BYOA). So I called them up, quite pissed off, and asked for the charges to be reversed. I was then told my account was still active. At this point, I explained to the incompetent billing employee how to use Merlin to pull the fraud record of the account termination. The charges were subsequently reversed.
My experience gives new meaning to the phrase "AOL sucks"
He said "initially"...
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
As for the social-engineering aspect, people have been doing that all over the world, for centuries. Only a few of them are called hackers. The rest are called con-men and common thieves...
speaking of reading comprehension: he did say, "initially," along with, "entirely," and he was wrong when he said it; but it was awfully nice of him to give us a further lesson in journalism.
their interest/lead in the story may have started from the single tip. that's neither the story nor the "takedown." those needed evidence.
Thank you. As much as I hate and despise end users, they do not deserve to be defrauded. I don't know much about cars, does that mean that people have the right to break into my car and steal my stereo? To me the car is just a tool to get me where I need to go.
boy's only been on the internet, what a week or two at the most, and already up to no good! :) j/k
For Christ's sake
It's spelt LIKELY
OK, as a Slashdot member who admits to using aol, I realize that I have no credibility whatsoever. But for what it's worth... About a month ago ALL of my 7 aol screen names were compromised, including several that were never used. Suddenly I was getting spam sent to all my addresses at aol, where previously I had been getting almost no spam (I guard my addresses well). The unused accounts have never had so much as a single email from anyone, up until now. The spammers used information that could only have come from aol, since I never used those addresses, never sent anything or received anything, just created the account. And yes, I am confident that my computer has never been compromised. So how did spammers get my unused addresses? Easy, someone hacked into the merlin database just like the article said, milking aol for all the addresses they could find and then selling some or all of them to spammers.
I had suspected something like this must have happened, and the article confirms it. I am now VERY dissatisfied with aol.
Yeah I know, I know... I got what I deserved for using AOhell... But for almost 2 years up until this point I had no problems and was actually satisfied. Guess that was just luck...
Yup, that's the way my company's VPN works. So not only do I need my SecurID token of the minute, but I also have to enter a password. This, combined with my login id authenticates me to the system. Before this, you also need the password that protects your key file. Then you need to log in again, once on the network, to access any resources. I imagine the AOL scheme is similar, or even better.
They count AIM and ICQ users as users. Let's see them put out a number of subscribers for once. That's the whole purpose behind making AIM and ICQ free.
In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
A SecurID number is only good for 180 seconds at most. Yes, you could get in, but every time you want to get in again, you need a new number.
The hackers have to socially engineer every time they want in?
Yes, the hackers could keep a session open, but once AOL found out, all they have to do is terminate all connections and make everyone log in again. Everyone with a legit SecurID card will be able to log in again, no problem, but the hackers will have to make a phone call again.
All of this doesn't mean they were or weren't hacked, but it means their exploits are limited.
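The point made in the comment above (a one-time code buys the attacker one login, and a forced re-login costs them another round of social engineering) is easier to see with a time-based one-time-password check in front of you. The block below is an added example written for this page, not code from the thread, from AOL, or from RSA: it implements standard RFC 6238 TOTP over RFC 4226 HOTP, which is a stand-in for the proprietary SecurID token, not its algorithm. The seed, the 60-second step and the timestamps are constructed for the demo. It also goes one step further than the comment by having the server remember the last step it accepted, so a phished code cannot even be replayed inside its own validity window.

```python
import hmac
import hashlib
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

def totp(secret: bytes, at: int, step: int = 60, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, int(at) // step, digits)

class TokenValidator:
    """Server-side check: the code must match the current time step, and each
    step's code is accepted at most once, so a captured code cannot be replayed."""

    def __init__(self, secret: bytes, step: int = 60, digits: int = 6):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.last_counter_used = -1   # highest time step already consumed

    def check(self, code: str, now: int) -> bool:
        counter = int(now) // self.step
        if counter <= self.last_counter_used:
            return False              # replay inside an already-used window
        if not hmac.compare_digest(hotp(self.secret, counter, self.digits), code):
            return False              # wrong or expired code
        self.last_counter_used = counter
        return True

def demo() -> dict:
    """Walk through the scenario from the thread with constructed values."""
    secret = b"constructed-demo-seed-not-a-real-token"   # hypothetical seed
    t0 = 1_000_000                                       # hypothetical epoch seconds
    server = TokenValidator(secret, step=60)

    phished = totp(secret, t0)       # the code the insider read out over IM
    results = {}
    # Attacker uses the phished code right away: it is valid, so they get in.
    results["attacker_first_login"] = server.check(phished, t0 + 5)
    # Admins kill all sessions 30s later; attacker tries the same code again.
    results["attacker_replay_same_window"] = server.check(phished, t0 + 30)
    # Two windows later the old code no longer matches the current step.
    results["attacker_replay_later"] = server.check(phished, t0 + 120)
    # The legitimate user reads a fresh code off the token and logs back in.
    results["legit_user_relogin"] = server.check(totp(secret, t0 + 120), t0 + 120)
    return results

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The `last_counter_used` bookkeeping is the piece a plain TOTP check lacks: without it, a code phished at second 5 of a window still works at second 30 of the same window. Real deployments usually also tolerate one step of clock skew; that is left out here so the replay behaviour is unambiguous.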
And screenshots are definitive proof of... having screenshots? Perhaps an ex-AOL employee took a couple screen captures before leaving and later posted them online. And as for the further "proof", all I see is a bunch of HTML pages which someone could have done in Notepad.
If you really want to show proof, how about listing Steve Case's information? Or why not ask someone to supply an AOL ID and you can post the complete account details the next day? Chances are, you're not able to do that because this is just stupid script kiddie posturing with no substance.
It charges you twice as much as an average local ISP (bullshit; ever since I tried to quit I've gotten it for FREE), only to give you such "added value" as spamming you with 5000 ad banners every time you log on (bullshit; a couple of ads when I log on), forcing you to use a horrendously bloated application just to use the internet (bullshit; I can use any browser I want), selling your information to spammers (bullshit; I don't use my AOL mail for anything so any mail is due to AOL and I get one mail per week on my AOL MAIL), and a long track record of security issues, just to name a few.
Oh, and I still resent it for having led the legions of fucking morons onto the internet. There was once a day when chances were decent that any random netizen would have an IQ larger than his/her shoe size (yeah, now it's full of bullshit artists like you).
I welcome this news - anyone that can keep AOL users busy calling credit card companies, phone companies and AOL themselves is a hero in my book.
This from MSNBC: 'The database admin gave out his passwords when "asked by a supposed AOL Admin" over Instant Messenger for the information, after repeatedly being told that AOL employees will not ever ask for your password information.'
Over the weekend there was an exploit posted to bugtraq about being able to access files on an XP machine with a Win2k recovery disk. But you had to have physical access. Most people replied that if you had physical access to the machine then all bets are off. There is no security at that point.
Now, it seems to me that these people you are talking about essentially had physical access. They had someone logged into a machine on the inside who fed them information and did whatever they were asked. You say a friend, a disgruntled employee, gave them a code. Well at that point it's simply a case of an individual with a lack of morals doing something wrong. Just because you are upset at your employer doesn't give you the right to screw over 35+ million people.
This is not a hack, it's simply an individual making a poor decision. I would like to think that AOL had all sorts of firewall/proxy/logging going on and could easily identify where a problem was coming from, but I have no knowledge of the system other than what I've read. So I'm not going to argue that it couldn't be done. I'm just going to say it's not AOL's fault. AOL should be diligent in their security measures, but what can you do when someone in the NOC is out to get you?
An analogy for you. You go to a restaurant and order food. You pay with a credit card that you give to the waiter. The waiter copies the card number, the expiration date and even your signature from the receipt. That waiter runs up a bill on your card. Now, do you immediately blame the restaurant? I don't think so; at a certain point, you have to trust people to be honest. Unfortunately a certain few of them will choose to screw you over.
AOL may have problems and should probably pay more attention to personnel in critical positions; however, I'm not sure how much anyone can do if the door is unlocked from the inside.
you're all figments of my deranged imagination
One of the reasons the current model--storing credit card numbers and charging them every month--is so popular is that it makes it more likely for people to remain customers. When a customer has to authorize a payment every month, she's more likely to cancel because she has to think about the expense every time. That's why we'll continue to see merchants storing credit card numbers for a long time.
Gates' Law: Every 18 months, the speed of software halves.
One of the biggest sensations in internet related journalism is to get the scoop on some break-down of security (and therefore break-in and theft) regarding personal material. It's a backlash against Orwellian fears, and is cried out much louder than warranted to carry the kind of attention the *journalist* wants to give it.
I highly doubt this came from one of Wired's top staff, probably someone who wanted to scoop the next CC theft by the million. Nothing to see here, move along!
Any spoon would be too big.
I am sorry, but I cannot get too upset with the thought of thousands of AOL subscribers being bombarded with spam. At least 50% of mine originates from AOL addresses... ;-)
DIF
So they can change your password, but they didn't steal credit card numbers, only the last four digits, which are easy to get. Which is why most companies started using the three-digit validator on the back of the card now, which is near impossible to get unless you have the card.
Or a very dumb person, heh.
Brakes are on/off, and within my experience most people have a pretty good handle on the concept. Perhaps a better analogy would be building a car where the user doesn't have to be concerned with the timing and slippage thresholds of his ABS system--oh, wait--they already do that!
This might be the appropriate moment for a rant about the generally crappy state of software design (complete with quotes of developers whining about how it'd be too hard to make something that works), but I have actual work to do....
Every security system is as strong as its weakest link. When the hacker placed a trojan on an insider's machine, he had the machine for himself. Maybe once the user on the machine typed his password, plus the other password and the token, it gave the access rights to the hacker. It could be a lucky shot that he convinced the right guy, maybe even unknowingly, to run the trojan. Once the access is open from that machine, the system will probably not request any more authorization, so the hacker had it for the day.
[]'s Victor Bogado da Silva Lins
^[:wq
Man, I wish I had mod points now instead of last week. I'd give them all to this post. Right on the money!
IMHO, this is a better joke than the Gandalf one.:)
Is this a sigs-optional kind of place? 'Cause I am totally down with that if you know what I mean.