Slashdot Mirror
AOL's Merlin Compromised?
Neophytus writes "The Inquirer reports that AOL's central customer database, Merlin, may have been been compromised by crackers. This, even though it required 'a user ID, two passwords, and a specialized ID code' to gain access to. That's 35 million user's names, addresses, emails and credit card details - a goldmine for spammers and fraudsters alike. As they they put it, 'AOL can now add another accomplishment to its list: Biggest security disaster in ISP history.' The Register is also running a story explaining why this is not particularly likly, though."
Here's the
original Wired story.
You've got problems!
Wow thats insane..i just closed merlin to go on break (free pizza weekend)..and i this popped on on slashdot. Insane!
"Comedy's a dead art form. Now tragedy, that's funny."
Guinevere compromised. Faulty key mechanism in chastitybelt.dll blamed.
From the Wired article:
The hack involves tricking an AOL employee into accepting a file using Instant Messenger or uploading a Trojan horse to an AOL file library.
Sounds like AOL needs to read Mitnick's book - The Art of Deception.
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
35 million user's names
They have ~35 million users, and yet can't make a profit?
Let's see... ~35,000,000 * $22.99 = ~$804,650,000
They get that much money each month, and still posted a loss how?
Work sucked, until it became unemployment, when it became slightly more tolerable. -Tet
The securid makes it unlikely that anyone was
able to hack it, at least without physically
stealing one of AOL's securid cards and the
pin for that card.
For others that don't know how they work, the code
changes every 60 seconds (and is different
on every card made), and the old code
is no longer good when the code changes, it
makes it really hard to bypass without having
an actual securid card that is valid for
the system that is being broken into, and the
proper username and pin for that card.
We have 'private' networks. Hackers etc. can't get into a network that isn't connected to the outside world. Yes, it's a little simplistic, but if you're going to have sensitive information used by internal processes (ie: billing), then why do these servers need to have any kind of exposure at all? Keep the web servers in the DMZ, everything else out.
Nobody "DESERVES" to be defrauded when doing business with a legitament company. That 70-year-old couple who just gets on long enough to send email to their grandchildren, who got AOL simply because they got the installation CD in the mail, they deserve a few hundred dollars of fraudulent charges?
AOL markets almost exclusively to the technophobes who either don't know or don't care enough about computing to spend significant time shopping for an ISP. To them, the computer is an appliance; AOL is effective at distributing their product for that appliance.
Get off it. AOL sucks for us slashdot people because it's not a product designed for us. Until MSN or Earthlink or the myriad of other "simple/easy" ISPs start unloading millions of CDs on an ignorant population, it will continue to be the dominate choice.
While many of these hacks utilize programming bugs, most hackers are finding it far easier and quicker to get access or information simply by calling the company on the phone. These so-called social engineering tactics involve calling AOL customer support centers and simply asking to have a given user's password reset. Logging in with the new password gives the intruder full access to the account. In a telephone interview, two hackers using the handles Dan and Cam0 explained that security measures (such as verifying the last four digits of a credit card number) can be bypassed by mumbling. A third hacker, using the name hakrobatik, confirmed the mumbling method.
This article is more about social engineering than about the AOL break in. This is odd, if this were true, I would expect a much different type of artcle to be on the lead edge of the breaking news like this. I don't know if this is true or not, but the Wired article does not really have a whole lot of meat with it.
-Pete
Soccer Goal Plans
It's a given that at some point, given the potentially *massive* financial benefits inherent in compromising CC databases, that CCs must go away. They're totally inappropriate for today's society.
The only question is how much money CC providers and companies are going to lose before moving to smartcards that authorize payments on a per-transaction basis.
May we never see th
Merlin is AOL's internal tool for keeping track of customer records. It only operates from the AOL LAN. However, this is defeated with a simple TCP/IP redirector. The security code is a SecurID code. It changes every 60 seconds, but its pretty useless if you social engineer someone into giving you the code. Same deal with passwords. The real hole here isn't any technical measures, but the complete fucking stupidity of AOL employees.
Oh yeah, this has been going on repeatedly since at least 2000. However it gets media attention very infrequently, but the problem was always there, and always exploited.
If this is true. Well--that's bad. If it isn't then that's even worse. I read the register piece before I followed the link to wired. I know nothing about the possible security measures and exploits that could have been involved in this. And that is exactly the point. From what I read all information that wired really had, was the claims of some self-declared hackers and the statement of some security expert.
If that is enough to get an article like that one published--then why bother to actually try to hack/social engineer/whatever into the AOL database. Just claim something and watch the bad press hit AOL. I never used any of their products (well apart from iChat that kinda ties into their IM-network), but they are in enough trouble as it is. In this case there is such a thing as bad publicity. I am appalled by an article that consists of a whole lot of nothing and ends with "You see all those commercials saying AOL 8.0 is so secure," said Dan. "If people knew how insecure their data was they probably wouldn't use it."
Hank! White!
I'll finally have a complete killfile for usenet!
These boys need to get laid.
If AOL would subsidize this, they would see their security problems disappear overnight.
also - I think Dick Tracy foreshadowed the cracking method used by these kids years ago with its "Mumbles" character.
So by using that as an indicator, we should next look for people wearing bright colors and having odd facial features to be part of the next crack.
There are some odd things afoot now, in the Villa Straylight.
In the sanctimonious screed posing as reporting over at The Inquirer we find these completely unsubstantiated assertions:
...customers will vanish if they feel AOL can't protect their data...
...You won't find many AOL members running firewall software...
>>
Nah. Most will stay because the cost and hassle of leaving AOL outweigh the risk they perceive from this alleged breach.
No, and people who use computers ought not to have to fuss about with building their own firewalls in order to have a modicum of security. Firewalls and other security-related code ought to be buried deep inside any consumer OS marketed for use on the Internet and their configuration ought to be done at a level of abstraction that requires no techncal knowledge.
-- Slashdot: When Public Access TV Says "No"
Some of you may recall this interview from a while back - I used to be an AOL nerd back in the day and I know a few of the kids mentioned in the articles (and I think cam0 is 15 now?) - anyway.. from what I can recall alot of the 'hackers' (script kiddies, whatever) would simply use extreme social engineering tactics, as these articles explain, to get whatever they wanted. As the amount actual bugs of the systems would dry up (your basic token bugs, invokes, problems with the systems themselves) alot of the 'hackers' would have to figure out other ways to get in.
Getting past sID - this is not that big of a deal, while it's not that easy to do as long as you con the right person and you get lucky with the timing your all set. Once you have complete access to their internal system you will have no problems getting them to toss you their current number..
the only non-realistic part of the articles I read were regarding how many attackers utilize programming bugs - there are far fewer now then there used to be..
mix_master_mike
vafrous
Neither the Inquirer article nor the Wired article shows any evidence that an actual break-in occurred. Of course an occasional account may have been compromised... big hairy deal. But nobody provided any proof that even a noticeable percentage of the 35 million (active or inactive, whatever) accounts has been touched.
The Wired article quotes sounded like a bunch of script kiddies, probably with their own AOL accounts, were making things up to sound important. (What? Online sources telling lies to seem cool? No way!) No evidence was provided in either article, and given the obvious safeguards (of which SecurID is a good one) it sounded like so much bull.
This all sounds like a standard "AOL sux!!!" kind of posting, elevated to seeming respectability by badly-researched articles in the almost-mainstream media.
disclaimer: I worked at AOL for 5 years... i'm pretty familiar with the system under discussion.
One thing that hasn't beem mentioned is that the SecurID system also requires a pin number to log in, and employees are strongly trained not to give that to anyone.
Also, Merlin requires a special client, that would be a bit hard for someone using a man-in-the-middle attack to enter information into and/or see the results of.
As for the social-engineering aspect, people have been doing that all over the world, for centuries. Only a few of them are called hackers. The rest are called journalists.
Please note that all the sources in the article are "hackers." Yet Wired reports it as _fact_ when they have no official confirmation or hard evidence. I guess a publication like Wired doesn't have very strict journalistic standards about news, but still... this is an instance where you use words like "alleged" and "claim."
Karma: T-rexcellent.
I agree that it sounds implausible. I'd think first, as the register states, that getting the hardware generated key would not be possible by the means outlined and second, that AOL would have a firewall on their internal network capable of blocking most trojan's. Also, you'd think that AOl would monitor port use by programs so as to know if someone was having a little too much fun online.
I do security
"AOL's central customer database, Merlin, may have been been compromised"
What a stupid comment. In other news...
"Aliens MAY have invaded Italy..."
"Saddam Hussein MAY have a gay lover..."
"I MAY have sex with Liv Tyler tonight..."
"You cannot find out which view is the right one by science in the ordinary sense." - C.S. Lewis on Intelligent Design
Here, i copied this html for a friend a few days ago. Merlin @ opsec
Sure I'm losing money on every customer, but I'm making it up on volume.
As I understand it that's the actual business plan of Amazon.
KFG
Hi,
You all wanted proof that the hack was done. We're carrying that proof on Observers.net. Check out the first story and that will give you all the proof you need that the hack was done.
The other news places (The Register, The Inquirer, and Wired) were not able to provide the proof that we have.
Jacob
Observers.net
A reminder about security in general. No matter how many precautions you take, there's always a chance that somebody is going to get into a system. By taking advantage of human weaknesses or lapses in judgement, for instance.
:)
So it's always prudent to diversify and isolate systems to minimize disaster upon intrusion into one system. And always invest in a good damage control plan
It's an IT site run by a former editor from The Register. Neither is particularly reliable, but they both make entertaining reading, and one can often get an idea of what might really be going on after filtering out all the bullshit rumors.
Let's say I am a salesman, and I want to give you X amount of product in return for your money, or a dinner date with you, or to take you golfing, etc. Then I give you the information you requested, and you turn around and kill my fellow customers or steal from them- that is a crime.
If you crack my system and steal credit cards and the like, that's illegal too, but now you are talking about two different crimes.
I suggest you read Slashdot
I work for a _large_ games and betting company, somewhere in Europe. Apart from having firewalls in front and behind the Internet-servers, we also have firewalls that separate the employers network from the databases. I.e. we have three layers of security, and the only way to get through to the databases (where we have even more protection, just like AOL) would be to get access to a internet server and then try to get through three layers of passwords just to be able to _read specific_ user accounts.
More or less impossible. And I can't imagine that AOL (stupid as their users may be) don't have something like this aswell... WHY ON EARTH would the internal network go staight to their extremely valuable databases?
Most companies keep "mock up" systems for development, the actual production systems aren't accessible to anyone, basically...
Civilization is the process of setting man free from men.
Here's how to hack any AOL account, for educational purposes only.
FBA agents recovering evidence from the 15 year old cracker's "apartment" in his parents' basement, found a copy of The Art of Deception by Kevin Mitnick, who was prompty returned to solitary confinement while authorities make up a reason for his arrest.
I'm glad this story is getting picked up in so many places, but I do want to clarify a few things for those who either don't believe this attack is possible, who think I simply wrote it based on a few script kiddies' comments, or who simply don't understand how journalism works.
Yes, I was given substantial proof of the attacks. But my job as a journalist is not necessarily to PROVE that anything happened (that is what lawyers do) -- you'll note perhaps that Woodward & Bernstein's takedown of Nixon was initially based entirely on one man's tip in a Beltway parking garage. It all has to start somewhere.
So I merely collect evidence and present what I have. It was completely credible in this case. In fact, I called AOL five times to get their side of the story. They refused to call me back. But YES, the proof does exist. In fact, observers.net posted some of it here. You can dig around to find their full story on the subject, which goes into greater depth than I had the luxury for at Wired -- which is a general tech news site, not a how-to site for hackers and wannabes. In any event, you will notice that AOL has not refuted the claims in any forum. I honestly have no doubt about the authenticity of these claims after seeing the information provided to me. It's now AOL's turn to either come clean about the attacks or say they didn't happen. Since AOL is afraid of negative publicity, they are trying to keep things quiet. This is not apparently working...
Originally I had hoped to interview the unnamed 14-year-old hacker for my story (which was intended to be mostly about the Merlin break-in) but he balked out of fear of prosecution (he was later interviewed for Observers.net and privately apologized to me for not doing the interview). Hence I focused on the myriad other recent hacks (Japan Webmail, the mumble method, screen name thefts) that AOL has been hit with as well.
Regarding the breaking of SecurID -- if a hacker can call up a rep on the phone and get him to reveal his name and password, it seems pretty plausible that you could get the SecurID code as well. Disgruntled insiders also provide this information readily to their pals on the outside. Of course that's all in the story...
Anyway, if any AOL users are convinced their data is secure I'll be happy to pass along your screen name to the people in question...
Cheers.
filmcritic.com - Movie reviews on Internet time
A user id/Specialised ID code/Lame couple of passwords?!!?!
According to the last AOL support rep I talked to on the phone. According to them, AOL has never had an exploit resulting in compromising member information. Incidently, I was calling to report an open exploit that resulted in my information being compromised. They told me it was impossible. I explained to them, in detail, how the exploit worked. Nope, apparently it was still impossible. So I asked to be put through to operations security (opssec). I was told it didn't exist. I even pointed out a page on their website that mentioned it. Nope, doesn't exist. Quite fed up with this robotic imbecile, I asked to speak to a supervisor. The supervisor (this is in the fraud department, by the way) explained that they were trained to deny that AOL had any flaws. Interesting. After realizing the supervisor also had no idea what they were talking about, I requested to be put through to opssec. Well, the supervisor at least acknowledged its existence, but refused to put me through, despite the fact that I had very important network security information. In so many words, I was told they didn't care that my information was compromised.
Soon after this, I cancelled my account. Not only did they charge me for 2 more months, but they charged me the dialup rate (I was BYOA). So I called them up, quite pissed off, and asked for the charges to be reversed. I was then told my account was still active. At this point, I explained to the incompetent billing employee how to use Merlin to pull the fraud record of the account termination. The charges were subsequently reversed.
My experience gives new meaning to the phrase "AOL sucks"
And screenshots are definitive proof of... having screenshots? Perhaps an ex-AOL employee took a couple screen captures before leaving and later posted them online. And as for the further "proof", all I see is a bunch of HTML pages which someone could have done in Notepad.
If you really want to show proof, how about listing Steve Case's information? Or why not ask someone to supply an AOL ID and you can post the complete account details the next day? Chances are, you're not able to do that because this is just stupid script kiddie posturing with no substance.
Over the weekend there was an exploit posted to bugtraq about being able to access files on an xp machine with a win2k recorvery disk. But you had to have physical access. Most people replied that if you had physical access to the machine then all bets are off. There is no security at that point.
Now, it seems to me that these people you are talking about essentially had physical access. They had someone logged into a machine on the inside and fed them information and did whatever they were asked. You say a friend, a disgruntled employee, gave them a code. Well at that point its simply a case of an individual with a lack of morals doing something wrong. Just because you are upset at your employer doesn't give you the right to screw over 35+million people.
This is not a hack, it's simply an individual making a poor decision. I would like to think that aol had all sorts of firewall/proxy/logging going on and could easily identify where a problem was coming from, but I have no knowledge of the system other than what I've read. So I'm not going to argue that it couldn't be done. I'm just going to say it's not AOL's fault. AOL should be diligent in there security measure's, but what can you do when someone in the NOC is out to get you?
An analogy for you. You go to a resturaunt and order food. You pay with a credit card that you give to the waiter. The waiter copies the card#, the exp date and even your sig from the receipt. That waiter runs up a bill on your card. Now, do you immediately blame the resuraunt? I don't think so, at a certain point, you have to trust people to be honest. Unfortunetely a certain few of them will chose to screw you over.
AOL may have problems and should probably pay more attention to personel in critical positions, however, I'm not sure how much anyone can do if the door is unlocked from the inside.
you're all figments of my deranged imagination