Slashdot Mirror


AOL's Merlin Compromised?

Neophytus writes "The Inquirer reports that AOL's central customer database, Merlin, may have been compromised by crackers. This, even though it required 'a user ID, two passwords, and a specialized ID code' to gain access to. That's 35 million users' names, addresses, emails and credit card details - a goldmine for spammers and fraudsters alike. As they put it, 'AOL can now add another accomplishment to its list: Biggest security disaster in ISP history.' The Register is also running a story explaining why this is not particularly likely, though." Here's the original Wired story.

14 of 239 comments

  1. hmmm... by jeffy124 · · Score: 5, Interesting

    From the Wired article:

    The hack involves tricking an AOL employee into accepting a file using Instant Messenger or uploading a Trojan horse to an AOL file library.

    Sounds like AOL needs to read Mitnick's book - The Art of Deception.

    --
    The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
  2. Re:you won't see me crying by Anonymous Coward · · Score: 5, Interesting

    Nobody "DESERVES" to be defrauded when doing business with a legitimate company. That 70-year-old couple who just gets on long enough to send email to their grandchildren, who got AOL simply because they got the installation CD in the mail, they deserve a few hundred dollars of fraudulent charges?

    AOL markets almost exclusively to the technophobes who either don't know or don't care enough about computing to spend significant time shopping for an ISP. To them, the computer is an appliance; AOL is effective at distributing their product for that appliance.

    Get off it. AOL sucks for us slashdot people because it's not a product designed for us. Until MSN or Earthlink or the myriad of other "simple/easy" ISPs start unloading millions of CDs on an ignorant population, it will continue to be the dominant choice.

  3. Re:wait a minute... by \\ · · Score: 4, Interesting

    the way AOL counts users has always bugged me. if i'm not mistaken, the number includes everyone to *ever* sign up with aol. users who cancel and then re-signup are counted twice, etc.

    i hope i'm wrong here, but i remember reading this a long, long time ago.

  4. Credit Cards doomed to failure by 0x0d0a · · Score: 4, Interesting

    It's a given that at some point, given the potentially *massive* financial benefits inherent in compromising CC databases, that CCs must go away. They're totally inappropriate for today's society.

    The only question is how much money CC providers and companies are going to lose before moving to smartcards that authorize payments on a per-transaction basis.

  5. Re:I work for aol. by SimplexO · · Score: 3, Interesting

    As it turns out, the crackers used social engineering. Among their many exploits was sending trojaned files to support workers.

    Let's hope you don't let that happen.

    You should also read the above link so you don't get duped.

  6. Re:the specialized id code is is securid by bleh-of-the-huns · · Score: 2, Interesting

    It is currently still like this; SecurID is used for everything, from my AIM logon (and to debunk other people's theories, AIM file transfers and direct connects only work internally to corp machines, no external network machines can use the file transfer service, so no trojan could have been installed... email is another story though)... to email.

    --
    I came, I conquered, I coredumped
  7. What merlin looks like by seeksoft · · Score: 5, Interesting

    Here, i copied this html for a friend a few days ago. Merlin @ opsec

    1. Re:What merlin looks like by evilviper · · Score: 2, Interesting

      Checking out the parent webpage: http://members.aol.com/eeyore10289/ I find all sorts of imitation AOL pages asking the user to enter credit card numbers, usernames, passwords, etc.

      So, how long have you been ripping off AOL customers?

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  8. Secure both from outside and within by Xipe66 · · Score: 3, Interesting

    I work for a _large_ games and betting company, somewhere in Europe. Apart from having firewalls in front and behind the Internet-servers, we also have firewalls that separate the employees' network from the databases. I.e. we have three layers of security, and the only way to get through to the databases (where we have even more protection, just like AOL) would be to get access to an internet server and then try to get through three layers of passwords just to be able to _read specific_ user accounts.

    More or less impossible. And I can't imagine that AOL (stupid as their users may be) don't have something like this as well... WHY ON EARTH would the internal network go straight to their extremely valuable databases?

    Most companies keep "mock up" systems for development, the actual production systems aren't accessible to anyone, basically...

    --
    Civilization is the process of setting man free from men.
  9. Re:I'm doubting they got into Merlin with this met by Anonymous Coward · · Score: 1, Interesting

    One thing that hasn't been mentioned is that the SecurID system also requires a PIN to log in, and employees are strongly trained not to give that to anyone.

    The SID system requires that you enter a 6 digit code that changes every 60 seconds. Employees might be trained, but when you pay peanuts, you get monkeys. They give out their SIDs and passwords for the dumbest scams.

    Also, Merlin requires a special client, that would be a bit hard for someone using a man-in-the-middle attack to enter information into and/or see the results of.

    Yes, Merlin does require a special client. However, this client has been leaked long ago. Check out http://www.fdo-files.com. Also, Merlin would not be absolutely required. The CRIS system, which was used prior to merlin is still active, and does not require a special client.

    However, to use CRIS and Merlin, you need to be on the AOL intranet. Once again, as the article mentions, employees more than willingly download TCP redirector trojans with the proper excuse.

    As for the social-engineering aspect, people have been doing that all over the world, for centuries. Only a few of them are called hackers. The rest are called journalists.

    Agreed.

  10. I wrote the Wired story and, yes, I've seen proof by ccnull · · Score: 5, Interesting

    I'm glad this story is getting picked up in so many places, but I do want to clarify a few things for those who either don't believe this attack is possible, who think I simply wrote it based on a few script kiddies' comments, or who simply don't understand how journalism works.

    Yes, I was given substantial proof of the attacks. But my job as a journalist is not necessarily to PROVE that anything happened (that is what lawyers do) -- you'll note perhaps that Woodward & Bernstein's takedown of Nixon was initially based entirely on one man's tip in a Beltway parking garage. It all has to start somewhere.

    So I merely collect evidence and present what I have. It was completely credible in this case. In fact, I called AOL five times to get their side of the story. They refused to call me back. But YES, the proof does exist. In fact, observers.net posted some of it here. You can dig around to find their full story on the subject, which goes into greater depth than I had the luxury for at Wired -- which is a general tech news site, not a how-to site for hackers and wannabes. In any event, you will notice that AOL has not refuted the claims in any forum. I honestly have no doubt about the authenticity of these claims after seeing the information provided to me. It's now AOL's turn to either come clean about the attacks or say they didn't happen. Since AOL is afraid of negative publicity, they are trying to keep things quiet. This is not apparently working...

    Originally I had hoped to interview the unnamed 14-year-old hacker for my story (which was intended to be mostly about the Merlin break-in) but he balked out of fear of prosecution (he was later interviewed for Observers.net and privately apologized to me for not doing the interview). Hence I focused on the myriad other recent hacks (Japan Webmail, the mumble method, screen name thefts) that AOL has been hit with as well.

    Regarding the breaking of SecurID -- if a hacker can call up a rep on the phone and get him to reveal his name and password, it seems pretty plausible that you could get the SecurID code as well. Disgruntled insiders also provide this information readily to their pals on the outside. Of course that's all in the story...

    Anyway, if any AOL users are convinced their data is secure I'll be happy to pass along your screen name to the people in question...

    Cheers.

  11. Re:the specialized id code is is securid by Anonymous Coward · · Score: 2, Interesting

    If you can get about 10 of the sequence you can crack a SecurID. I did it with my dad's SecurID about 4-5 years ago, just watched it change and wrote it down. Could figure out the algorithm in about 10 pops. I was motivated, oddly enough, by the desire to MUD over his corp inet connection...

    Once you have the mostly universal changing sequence (based off the previous) you just need to know which one it started with and the approx time and you can nail a SecurID system. A glimpse of the card over 10 minutes is enough to break that system if you're smart about it.

    It's still pretty tough to do tho, so I agree with you on it being unlikely.

  12. Re:the specialized id code is is securid by aloisis · · Score: 4, Interesting

    SecurID is notorious for its clock getting out of sync with the cheap clock in its SecurID cards. To make sure the server clock and the clock in the SecurID card stay in sync, they sometimes set up the server so that the same SecurID number can be used for several minutes, whatever the sysadmin requests, to allow for the drift of the clocks. The SecurID number is in plain text, so someone with a sniffer-type device could sniff a SecurID number and use it for access. To demonstrate how the SecurID card's clock can drift, just place one within the vicinity of a microwave oven (2-3 feet will do) and watch the clock accelerate.
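Comments 9 and 12 together describe the mechanics that matter for a defender: a PIN plus a 6-digit code that changes every 60 seconds, a server-side drift tolerance of several steps, and a code that travels in plain text. The following is an added example, not code from this thread, from AOL or from RSA: it assumes an HMAC-based time-step code (the RFC 4226/6238 construction) as a stand-in for the proprietary SecurID algorithm, which the thread does not describe, and uses a constructed demo seed and PIN. It shows the check a server should add when it widens the drift window: remember the highest time step already consumed per user, so a sniffed code cannot be replayed inside the tolerance window.

```python
import hashlib
import hmac
import struct

# Constructed demo seed; a real token seed is provisioned per device and never shared.
DEMO_SEED = b"constructed-demo-seed-not-a-real-token"
STEP_SECONDS = 60   # the thread says the displayed code changes every 60 seconds
DIGITS = 6          # and that it is a 6-digit code


def token_code(seed: bytes, step_counter: int) -> str:
    """One-time code for a given time step: HMAC-SHA1 truncated to DIGITS digits.
    This is the RFC 4226/6238 construction, assumed here as a stand-in for the
    proprietary SecurID algorithm (not described in the thread)."""
    digest = hmac.new(seed, struct.pack(">Q", step_counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** DIGITS)).zfill(DIGITS)


class TokenVerifier:
    """Server-side check of PIN + time code with a clock-drift tolerance.

    drift_steps: how many 60-second steps either side of 'now' are accepted.
    enforce_one_time: when True, remember the highest step already consumed per
    user so a code sniffed in plaintext cannot be replayed inside the window.
    """

    def __init__(self, seed: bytes, pins: dict, drift_steps: int,
                 enforce_one_time: bool = True):
        self.seed = seed
        self.pins = pins                    # user -> PIN (constructed demo data)
        self.drift_steps = drift_steps
        self.enforce_one_time = enforce_one_time
        self.last_step_used = {}            # user -> last accepted step counter

    def verify(self, user: str, pin: str, code: str, now: float) -> bool:
        expected_pin = self.pins.get(user)
        if expected_pin is None or not hmac.compare_digest(expected_pin, pin):
            return False
        step = int(now // STEP_SECONDS)
        # Walk the whole tolerance window; every step in it is a valid code.
        for candidate in range(step - self.drift_steps, step + self.drift_steps + 1):
            if not hmac.compare_digest(token_code(self.seed, candidate), code):
                continue
            if self.enforce_one_time and candidate <= self.last_step_used.get(user, -1):
                return False   # this step (or an older one) was already consumed: replay
            self.last_step_used[user] = candidate
            return True
        return False


def replay_demo() -> dict:
    """Constructed scenario: one legitimate login, then the same sniffed code
    submitted 90 s later, against a verifier with and without one-time enforcement."""
    pins = {"rep1": "4821"}
    now = 1_000_000.0
    code = token_code(DEMO_SEED, int(now // STEP_SECONDS))
    strict = TokenVerifier(DEMO_SEED, pins, drift_steps=3)
    loose = TokenVerifier(DEMO_SEED, pins, drift_steps=3, enforce_one_time=False)
    return {
        "strict_first": strict.verify("rep1", "4821", code, now),
        "strict_replay": strict.verify("rep1", "4821", code, now + 90),
        "loose_first": loose.verify("rep1", "4821", code, now),
        "loose_replay": loose.verify("rep1", "4821", code, now + 90),
        "strict_after_window": strict.verify("rep1", "4821", code, now + 600),
        # With drift_steps=3 the same code stays valid for (2*3+1) steps = 7 minutes.
        "window_seconds": (2 * 3 + 1) * STEP_SECONDS,
    }


if __name__ == "__main__":
    print(replay_demo())
```

The point of the two verifiers is that a drift tolerance of three steps already gives a sniffed code a seven-minute life; the loose verifier accepts the replay, the strict one rejects it because the step counter was recorded at first use. The same bookkeeping also closes the gap if the tolerance is widened further for a badly drifting card.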

  13. Merlin doesn't exist by fafalone · · Score: 5, Interesting

    According to the last AOL support rep I talked to on the phone. According to them, AOL has never had an exploit resulting in compromising member information. Incidentally, I was calling to report an open exploit that resulted in my information being compromised. They told me it was impossible. I explained to them, in detail, how the exploit worked. Nope, apparently it was still impossible. So I asked to be put through to operations security (opssec). I was told it didn't exist. I even pointed out a page on their website that mentioned it. Nope, doesn't exist. Quite fed up with this robotic imbecile, I asked to speak to a supervisor. The supervisor (this is in the fraud department, by the way) explained that they were trained to deny that AOL had any flaws. Interesting. After realizing the supervisor also had no idea what they were talking about, I requested to be put through to opssec. Well, the supervisor at least acknowledged its existence, but refused to put me through, despite the fact that I had very important network security information. In so many words, I was told they didn't care that my information was compromised.
    Soon after this, I cancelled my account. Not only did they charge me for 2 more months, but they charged me the dialup rate (I was BYOA). So I called them up, quite pissed off, and asked for the charges to be reversed. I was then told my account was still active. At this point, I explained to the incompetent billing employee how to use Merlin to pull the fraud record of the account termination. The charges were subsequently reversed.
    My experience gives new meaning to the phrase "AOL sucks".