Slashdot Mirror


AOL's Merlin Compromised?

Neophytus writes "The Inquirer reports that AOL's central customer database, Merlin, may have been compromised by crackers. This, even though it required 'a user ID, two passwords, and a specialized ID code' to gain access to. That's 35 million users' names, addresses, emails and credit card details - a goldmine for spammers and fraudsters alike. As they put it, 'AOL can now add another accomplishment to its list: Biggest security disaster in ISP history.' The Register is also running a story explaining why this is not particularly likely, though." Here's the original Wired story.

21 of 239 comments

  1. still... by pixitha · Score: 0, Insightful

    aol still sucks...

    and this will raise the price of usage again I'm sure...

    --
    "an eye for an eye only makes the whole world blind"
  2. wait a minute... by trmj · Score: 3, Insightful

    35 million users' names

    They have ~35 million users, and yet can't make a profit?

    Let's see... ~35,000,000 * $22.99 = ~$804,650,000
    They get that much money each month, and still posted a loss how?

    --
    Work sucked, until it became unemployment, when it became slightly more tolerable. -Tet
  3. This is why.... by marshac · Score: 2, Insightful

    We have 'private' networks. Hackers etc. can't get into a network that isn't connected to the outside world. Yes, it's a little simplistic, but if you're going to have sensitive information used by internal processes (i.e. billing), then why do these servers need to have any kind of exposure at all? Keep the web servers in the DMZ, everything else out.

  4. Social Engineering more than hacking by peterdaly · Score: 5, Insightful

    While many of these hacks utilize programming bugs, most hackers are finding it far easier and quicker to get access or information simply by calling the company on the phone. These so-called social engineering tactics involve calling AOL customer support centers and simply asking to have a given user's password reset. Logging in with the new password gives the intruder full access to the account. In a telephone interview, two hackers using the handles Dan and Cam0 explained that security measures (such as verifying the last four digits of a credit card number) can be bypassed by mumbling. A third hacker, using the name hakrobatik, confirmed the mumbling method.

    This article is more about social engineering than about the AOL break-in. This is odd; if this were true, I would expect a much different type of article to be on the lead edge of breaking news like this. I don't know if this is true or not, but the Wired article does not really have a whole lot of meat to it.

    -Pete

  5. Lose-Lose by sebi · Score: 4, Insightful

    If this is true, well, that's bad. If it isn't, then that's even worse. I read the Register piece before I followed the link to Wired. I know nothing about the possible security measures and exploits that could have been involved in this. And that is exactly the point. From what I read, all the information that Wired really had was the claims of some self-declared hackers and the statement of some security expert.


    If that is enough to get an article like that one published, then why bother to actually try to hack/social engineer/whatever into the AOL database? Just claim something and watch the bad press hit AOL. I never used any of their products (well, apart from iChat, which kinda ties into their IM network), but they are in enough trouble as it is. In this case there is such a thing as bad publicity. I am appalled by an article that consists of a whole lot of nothing and ends with "You see all those commercials saying AOL 8.0 is so secure," said Dan. "If people knew how insecure their data was they probably wouldn't use it."

  6. Re:the specialized id code is securid by Grax · Score: 2, Insightful
    That much is true but if
    • they were able to trick the AOL rep into installing some type of remote control software
    • and AOL allows the reps' computers to make random outgoing connections
    then they might be able to remotely control a machine that already had all the necessary passwords entered.
  7. Sanctimonious Tech Bigotry at Inquirer by reallocate · Score: 4, Insightful

    In the sanctimonious screed posing as reporting over at The Inquirer we find these completely unsubstantiated assertions:

    >> ...customers will vanish if they feel AOL can't protect their data...

    Nah. Most will stay because the cost and hassle of leaving AOL outweigh the risk they perceive from this alleged breach.

    >> ...You won't find many AOL members running firewall software...

    No, and people who use computers ought not to have to fuss about with building their own firewalls in order to have a modicum of security. Firewalls and other security-related code ought to be buried deep inside any consumer OS marketed for use on the Internet, and their configuration ought to be done at a level of abstraction that requires no technical knowledge.

    --
    Slashdot: When Public Access TV Says "No"
  8. This would be *SO* much funnier if... by shish · Score: 1, Insightful

    I weren't using AOL myself... (Flame retardant defence: Not of my own free will)

    --
    I mod down anyone who says "I will be modded down for this", regardless of the rest of their comment
  9. this happens all the time by mix_master_mike · Score: 5, Insightful

    Some of you may recall this interview from a while back - I used to be an AOL nerd back in the day and I know a few of the kids mentioned in the articles (and I think cam0 is 15 now?) - anyway.. from what I can recall a lot of the 'hackers' (script kiddies, whatever) would simply use extreme social engineering tactics, as these articles explain, to get whatever they wanted. As the number of actual bugs in the systems would dry up (your basic token bugs, invokes, problems with the systems themselves) a lot of the 'hackers' would have to figure out other ways to get in.

    Getting past sID - this is not that big of a deal; while it's not that easy to do, as long as you con the right person and you get lucky with the timing you're all set. Once you have complete access to their internal system you will have no problems getting them to toss you their current number..

    the only non-realistic part of the articles I read was regarding how many attackers utilize programming bugs - there are far fewer now than there used to be..

    --

    mix_master_mike
    vafrous

  10. Not too likely by island_earth · Score: 5, Insightful

    Neither the Inquirer article nor the Wired article shows any evidence that an actual break-in occurred. Of course an occasional account may have been compromised... big hairy deal. But nobody provided any proof that even a noticeable percentage of the 35 million (active or inactive, whatever) accounts has been touched.

    The Wired article quotes sounded like a bunch of script kiddies, probably with their own AOL accounts, were making things up to sound important. (What? Online sources telling lies to seem cool? No way!) No evidence was provided in either article, and given the obvious safeguards (of which SecurID is a good one) it sounded like so much bull.

    This all sounds like a standard "AOL sux!!!" kind of posting, elevated to seeming respectability by badly-researched articles in the almost-mainstream media.

  11. Oh, wired... by Ravagin · Score: 5, Insightful

    Please note that all the sources in the article are "hackers." Yet Wired reports it as _fact_ when they have no official confirmation or hard evidence. I guess a publication like Wired doesn't have very strict journalistic standards about news, but still... this is an instance where you use words like "alleged" and "claim."

    --

    Karma: T-rexcellent.

  12. Implausible by Gyorg_Lavode · Score: 3, Insightful

    I agree that it sounds implausible. I'd think first, as the Register states, that getting the hardware-generated key would not be possible by the means outlined, and second, that AOL would have a firewall on their internal network capable of blocking most trojans. Also, you'd think that AOL would monitor port use by programs so as to know if someone was having a little too much fun online.

    --
    I do security
  13. Re:the specialized id code is securid by Anonymous Coward · Score: 1, Insightful

    It doesn't matter that it's not stored by the computer; once an employee logs in, the trojan need only keep the activity going so that the network doesn't log them off...

  14. Re:the specialized id code is securid by Grax · Score: 5, Insightful

    I understand how SecurID works. My point is that if you have remote control of a machine that is logged in and not disconnected then it doesn't matter how secure SecurID is. It is much the same principle as logging into a machine with your SecurID and then going for coffee.

    I am not claiming at all that the article is actually accurate as it offers no proof and no reliable sources. But, it is theoretically possible to take over a machine where the SecurID has already been entered and cause havoc.
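
    The scenario in comments 13 and 14 (a trojan keeping a logged-in session alive so the already-entered one-time code never has to be re-entered) as an added toy model, not AOL's system and not code from anyone in this thread. The time-stepped HOTP-style code, the timeouts, the record store and the account number are all constructed assumptions for the demonstration; the point it makes is that an idle timeout is defeated by synthetic activity, while an absolute session lifetime and a per-lookup step-up prompt still limit what the hijacked session can do.

```python
# Added illustration (not AOL's system, not code from the thread): a toy
# customer-lookup session showing why remote control of a workstation that
# is already logged in makes the one-time token irrelevant, and which
# controls still limit the damage. Everything below is a constructed assumption.
import hashlib
import hmac
import struct
from typing import Optional

# ASSUMPTION: a HOTP-style time-stepped code (RFC 4226 truncation) stands in
# for the hardware token; the seed is made up, not a real token seed.
TOKEN_SEED = b"demo-seed-not-a-real-securid"
TOKEN_STEP = 60                   # seconds per code
IDLE_TIMEOUT = 15 * 60            # defeated by synthetic keepalive traffic
ABSOLUTE_LIFETIME = 8 * 60 * 60   # not defeated by keepalive
STEP_UP_WINDOW = 5 * 60           # record lookups need a fresh code after this

# Constructed sample data standing in for the customer database.
RECORDS = {"acct-1001": {"name": "J. Doe", "card_last4": "4242"}}


def token_code(now: int) -> str:
    """Six-digit code for the time step containing `now` (simulated clock)."""
    counter = struct.pack(">Q", now // TOKEN_STEP)
    digest = hmac.new(TOKEN_SEED, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


class Session:
    def __init__(self, user: str, now: int):
        self.user = user
        self.created = now
        self.last_activity = now
        self.last_token_at = now  # when a one-time code was last verified

    def touch(self, now: int) -> None:
        """Any traffic on the session, real or a trojan's keepalive."""
        self.last_activity = now

    def is_alive(self, now: int) -> bool:
        return (now - self.last_activity < IDLE_TIMEOUT
                and now - self.created < ABSOLUTE_LIFETIME)


def login(user: str, code: str, now: int) -> Session:
    """The code is checked once, at login; after that the token is not consulted."""
    if not hmac.compare_digest(code, token_code(now)):
        raise PermissionError("bad one-time code")
    return Session(user, now)


def lookup_customer(session: Session, account: str, now: int,
                    fresh_code: Optional[str] = None) -> dict:
    """Sensitive read: re-prompts for the token once STEP_UP_WINDOW has elapsed."""
    if not session.is_alive(now):
        raise PermissionError("session expired")
    if now - session.last_token_at > STEP_UP_WINDOW:
        if fresh_code is None or not hmac.compare_digest(fresh_code, token_code(now)):
            raise PermissionError("step-up required")
        session.last_token_at = now
    session.touch(now)
    return RECORDS[account]


def simulate_hijack(t0: int = 1_000_000) -> dict:
    """Attacker remote-controls the rep's desktop after the rep has logged in."""
    outcome = {}
    # A code captured two steps ago does not get the attacker in the front door.
    try:
        login("rep01", token_code(t0 - 2 * TOKEN_STEP), t0)
        outcome["stale_login"] = "accepted"
    except PermissionError:
        outcome["stale_login"] = "rejected"
    # The rep logs in legitimately; the attacker now rides that session.
    rep = login("rep01", token_code(t0), t0)
    # Inside the step-up window the hijacked session reads records freely.
    outcome["early_lookup"] = lookup_customer(rep, "acct-1001", t0 + 60)["card_last4"]
    # A keepalive every 10 minutes stops the idle timeout from ever firing.
    now = t0
    while now < t0 + 60 * 60:
        now += 10 * 60
        rep.touch(now)
    outcome["alive_after_keepalive"] = rep.is_alive(now)
    # But the next lookup wants a fresh code, and the token is in the rep's pocket.
    try:
        lookup_customer(rep, "acct-1001", now)
        outcome["late_lookup"] = "allowed"
    except PermissionError as exc:
        outcome["late_lookup"] = str(exc)
    # Keepalive continued all day still cannot outlive the absolute lifetime.
    while now < t0 + ABSOLUTE_LIFETIME:
        now += 10 * 60
        rep.touch(now)
    outcome["alive_after_absolute"] = rep.is_alive(now + 1)
    return outcome


if __name__ == "__main__":
    for key, value in simulate_hijack().items():
        print(f"{key}: {value}")
```

    The design choice worth noting is that `touch()` is the only thing a remote-control trojan can drive, and it only moves `last_activity`; `created` and `last_token_at` can only be moved by presenting a code, which the attacker cannot do without the physical token.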

  15. Expect the worst, have damage control ready by bigberk · Score: 2, Insightful

    A reminder about security in general. No matter how many precautions you take, there's always a chance that somebody is going to get into a system. By taking advantage of human weaknesses or lapses in judgement, for instance.

    So it's always prudent to diversify and isolate systems to minimize disaster upon intrusion into one system. And always invest in a good damage control plan :)

  16. Don't confuse fraud with cracking by Hao+Wu · Score: 2, Insightful

    Let's say I am a salesman, and I want to give you X amount of product in return for your money, or a dinner date with you, or to take you golfing, etc. Then I give you the information you requested, and you turn around and kill my fellow customers or steal from them- that is a crime.

    If you crack my system and steal credit cards and the like, that's illegal too, but now you are talking about two different crimes.

    --
    I suggest you read Slashdot
  17. Re:the specialized id code is securid by MikeFM · Score: 2, Insightful

    The social engineering portion of this I can easily believe. I've worked at a lot of different places as an employee or contractor and none of them were very good about security. They might have balls-to-the-wall security devices in place but you could bypass them just by holding up a toolcase or some cables and saying you're from support, and someone would let you in. You can get into practically any place that way.

    As for dongles and keys they are pretty easy to lay hands on. A little skill as a social engineer and a pick pocket and you can have one. You do have to be physically there though. You can't pick a pocket remotely.

    --
    At what price learning? At what cost wisdom? The price is a man's peace of mind, and the cost is his life.
  18. Re:why is this even accessible by Anonymous Coward · Score: 1, Insightful

    it didn't need to be exploitable from the outside. They instigated the attack from the "inside" of their LAN by compromising a machine on the LAN from the inside.

    This really makes me sick... with all these excellent security tools and appliances out there, that people just don't know how to set them up or use them. They just spend $45,000 for some type of PIX Firewall, then leave it turned off or disabled when it tries to react to an attack.

  19. Why don't you provide proof then? by Anonymous Coward · Score: 3, Insightful

    And screenshots are definitive proof of... having screenshots? Perhaps an ex-AOL employee took a couple screen captures before leaving and later posted them online. And as for the further "proof", all I see is a bunch of HTML pages which someone could have done in Notepad.

    If you really want to show proof, how about listing Steve Case's information? Or why not ask someone to supply an AOL ID and you can post the complete account details the next day? Chances are, you're not able to do that because this is just stupid script kiddie posturing with no substance.

  20. Re:I wrote the Wired story and, yes, I've seen pro by hetairoi · Score: 2, Insightful

    Over the weekend there was an exploit posted to bugtraq about being able to access files on an XP machine with a Win2k recovery disk. But you had to have physical access. Most people replied that if you had physical access to the machine then all bets are off. There is no security at that point.

    Now, it seems to me that these people you are talking about essentially had physical access. They had someone logged into a machine on the inside who fed them information and did whatever they were asked. You say a friend, a disgruntled employee, gave them a code. Well, at that point it's simply a case of an individual with a lack of morals doing something wrong. Just because you are upset at your employer doesn't give you the right to screw over 35+ million people.

    This is not a hack, it's simply an individual making a poor decision. I would like to think that AOL had all sorts of firewall/proxy/logging going on and could easily identify where a problem was coming from, but I have no knowledge of the system other than what I've read. So I'm not going to argue that it couldn't be done. I'm just going to say it's not AOL's fault. AOL should be diligent in their security measures, but what can you do when someone in the NOC is out to get you?

    An analogy for you. You go to a restaurant and order food. You pay with a credit card that you give to the waiter. The waiter copies the card number, the expiry date and even your signature from the receipt. That waiter runs up a bill on your card. Now, do you immediately blame the restaurant? I don't think so; at a certain point, you have to trust people to be honest. Unfortunately a certain few of them will choose to screw you over.

    AOL may have problems and should probably pay more attention to personnel in critical positions; however, I'm not sure how much anyone can do if the door is unlocked from the inside.

    --
    you're all figments of my deranged imagination
  21. Re:Merlin doesn't exist by Reziac · Score: 3, Insightful

    This is from a usenet post of just last week, so take that for what it's worth, but the poster is normally a reliable enough sort ... anyway, this is a complete quote of his post:

    ************
    I used to work for AOL tech support as one of their trained monkeys for a while. There are a few things to keep in mind when dealing with them:

    Most of them (the techs) are NOT idiots. However, most of them think that the AOL customer base ARE idiots.

    The mission statement for AOL tech support is : Free AOL tech support - You get what you pay for - Call us, we will give you a fish... (you have to understand the old saying about giving a man a fish/teaching a man how to fish story)

    They use a case-based software called Sherlock which is notoriously lacking in options. Most questions that they handle are so well known that the tech can handle them without Sherlock; however, this sabotages the Sherlock program. The whole setup is designed to fail spectacularly while being held together by a few knowledgeable floating expert individuals.

    These same floating experts double as whip wielding task masters, along with the supervisors, and other narcs, who wander around the phone floor enforcing the use of sherlock and the 3 minute time limit.

    AOL tech support does not have solving the customer's problem as its goal. Please understand that solving your problem when you call has absolutely NO VALUE.

    The IDEAL revenue call is a call that is handled in exactly 3 minutes, which results in a positive step in Sherlock giving ONE of many options - then results in a negative experience for the customer - prompting a return call in about 10 minutes - to another tech, who then gives the NEXT solution via Sherlock - which ideally will fail - on and on until either Sherlock runs out of options (prompting one of the floating experts to actually solve a problem, or shifting blame onto either a virus, the manufacturer of the hardware, drivers, etc...) or a final solution (usually a reinstall) and a grateful customer being transferred to another revenue partner, like a rent-a-car agency, or a cable modem installer...

    The ONLY value that any call has is that it is handled in an average of 3 minutes. This is known on the floor as Dumping... You give them one possible solution, then ask them to try it and call back if it doesn't work - you then cross your fingers and hope that YOU don't get them back. All while attempting to sell the illusion that you are an expert and are not merely reading a dialog off a computer screen. As I said above, it's trained monkey work.

    With that in mind, you can see why AOL tech support likes people with a minimum of knowledge working on the phones. People with actual extensive computer experience suffer from the "fix it" syndrome. Especially when Sherlock cannot give you another option to Dump the customer with.

    The very worst thing that a tech can do, is attempt, with his own knowledge and experience, to actually explain why and how and fix your problem, especially because usually the problem is directly related to the stupidity of the customer. It is not unusual for the customer to reveal that they have 30 - 50 tray icons running!!

    People with a minimum of knowledge can accept the illusion that Sherlock is actually giving good advice and can sell it convincingly as tech support. An actual trained computer tech/software repairman/programmer usually cannot, if he is honest.
    ***********
    [end quote]

    The sad thing is, it's not just AOL ... this is the future of tech support everywhere. :(

    --
    ~REZ~ #43301. Who'd fake being me anyway?