AOL's Merlin Compromised?
Neophytus writes "The Inquirer reports that AOL's central customer database, Merlin, may have been compromised by crackers. This, even though it required 'a user ID, two passwords, and a specialized ID code' to gain access to. That's 35 million users' names, addresses, emails and credit card details - a goldmine for spammers and fraudsters alike. As they put it, 'AOL can now add another accomplishment to its list: Biggest security disaster in ISP history.' The Register is also running a story explaining why this is not particularly likely, though."
Here's the original Wired story.
You've got problems!
Guinevere compromised. Faulty key mechanism in chastitybelt.dll blamed.
From the Wired article:
The hack involves tricking an AOL employee into accepting a file using Instant Messenger or uploading a Trojan horse to an AOL file library.
Sounds like AOL needs to read Mitnick's book - The Art of Deception.
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
The SecurID makes it unlikely that anyone was able to hack it, at least without physically stealing one of AOL's SecurID cards and the PIN for that card.

For others that don't know how they work: the code changes every 60 seconds (and is different on every card made), and the old code is no longer good when the code changes. It makes it really hard to bypass without having an actual SecurID card that is valid for the system that is being broken into, and the proper username and PIN for that card.
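The time-based token check described in the comment above, as an added example that is not code from the original thread or from RSA: a TOTP-style construction (HMAC over a 60-second window counter, as in RFC 6238) with constructed per-card seeds and PINs, used only to model the properties the poster lists (per-card codes, rollover every 60 seconds, PIN required). SecurID's real algorithm is proprietary and is not reproduced here.

```python
import hmac
import hashlib
import struct

# Constructed card seeds: each token has its own secret, so codes differ per card.
CARD_SEEDS = {
    "card-0001": b"constructed-seed-one",
    "card-0002": b"constructed-seed-two",
}
# Constructed PIN table (hypothetical); a real system would store a PIN hash.
CARD_PINS = {"card-0001": "4321", "card-0002": "9876"}
STEP = 60  # the code rolls over every 60 seconds


def token_code(seed: bytes, now: int, step: int = STEP) -> str:
    """Derive the 6-digit code for the time window containing `now`.

    TOTP-style: HMAC-SHA1 over the window counter, dynamic truncation,
    then reduce to six digits. This models the behaviour described in
    the post; it is not RSA's SecurID algorithm.
    """
    counter = now // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    val = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{val % 1_000_000:06d}"


def verify(card_id: str, pin: str, code: str, now: int) -> bool:
    """Accept only the correct PIN plus the current window's code for that card.

    A code from a previous window, from another card, or presented with the
    wrong PIN is rejected. Comparisons are constant-time.
    """
    seed = CARD_SEEDS.get(card_id)
    if seed is None:
        return False
    if not hmac.compare_digest(pin, CARD_PINS[card_id]):
        return False
    return hmac.compare_digest(code, token_code(seed, now))
```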
Nobody "DESERVES" to be defrauded when doing business with a legitimate company. That 70-year-old couple who just gets on long enough to send email to their grandchildren, who got AOL simply because they got the installation CD in the mail, they deserve a few hundred dollars of fraudulent charges?
AOL markets almost exclusively to the technophobes who either don't know or don't care enough about computing to spend significant time shopping for an ISP. To them, the computer is an appliance; AOL is effective at distributing their product for that appliance.
Get off it. AOL sucks for us slashdot people because it's not a product designed for us. Until MSN or Earthlink or the myriad of other "simple/easy" ISPs start unloading millions of CDs on an ignorant population, it will continue to be the dominant choice.
Posting a loss does not mean that they did not make a profit. It just means that they have good accountants. ;)
While many of these hacks utilize programming bugs, most hackers are finding it far easier and quicker to get access or information simply by calling the company on the phone. These so-called social engineering tactics involve calling AOL customer support centers and simply asking to have a given user's password reset. Logging in with the new password gives the intruder full access to the account. In a telephone interview, two hackers using the handles Dan and Cam0 explained that security measures (such as verifying the last four digits of a credit card number) can be bypassed by mumbling. A third hacker, using the name hakrobatik, confirmed the mumbling method.
This article is more about social engineering than about the AOL break-in. This is odd; if this were true, I would expect a much different type of article to be on the lead edge of breaking news like this. I don't know if this is true or not, but the Wired article does not really have a whole lot of meat with it.
-Pete
Soccer Goal Plans
The way AOL counts users has always bugged me. If I'm not mistaken, the number includes everyone to *ever* sign up with AOL. Users who cancel and then re-signup are counted twice, etc.
I hope I'm wrong here, but I remember reading this a long, long time ago.
A large number of those users are using the free trial periods, or are existing users getting free service (AOL offers that if you try to cancel - it's actually possible to get AOL for free indefinitely).
It's a given that at some point, given the potentially *massive* financial benefits inherent in compromising CC databases, that CCs must go away. They're totally inappropriate for today's society.
The only question is how much money CC providers and companies are going to lose before moving to smartcards that authorize payments on a per-transaction basis.
May we never see th
If this is true. Well--that's bad. If it isn't then that's even worse. I read the register piece before I followed the link to wired. I know nothing about the possible security measures and exploits that could have been involved in this. And that is exactly the point. From what I read all information that wired really had, was the claims of some self-declared hackers and the statement of some security expert.
If that is enough to get an article like that one published--then why bother to actually try to hack/social engineer/whatever into the AOL database. Just claim something and watch the bad press hit AOL. I never used any of their products (well apart from iChat that kinda ties into their IM-network), but they are in enough trouble as it is. In this case there is such a thing as bad publicity. I am appalled by an article that consists of a whole lot of nothing and ends with "You see all those commercials saying AOL 8.0 is so secure," said Dan. "If people knew how insecure their data was they probably wouldn't use it."
Hank! White!
I'll finally have a complete killfile for usenet!
In the sanctimonious screed posing as reporting over at The Inquirer we find these completely unsubstantiated assertions:
...customers will vanish if they feel AOL can't protect their data...
...You won't find many AOL members running firewall software...
Nah. Most will stay because the cost and hassle of leaving AOL outweigh the risk they perceive from this alleged breach.
No, and people who use computers ought not to have to fuss about with building their own firewalls in order to have a modicum of security. Firewalls and other security-related code ought to be buried deep inside any consumer OS marketed for use on the Internet, and their configuration ought to be done at a level of abstraction that requires no technical knowledge.
-- Slashdot: When Public Access TV Says "No"
Some of you may recall this interview from a while back - I used to be an AOL nerd back in the day and I know a few of the kids mentioned in the articles (and I think cam0 is 15 now?) - anyway.. from what I can recall a lot of the 'hackers' (script kiddies, whatever) would simply use extreme social engineering tactics, as these articles explain, to get whatever they wanted. As the amount of actual bugs in the systems would dry up (your basic token bugs, invokes, problems with the systems themselves) a lot of the 'hackers' would have to figure out other ways to get in.
Getting past sID - this is not that big of a deal; while it's not that easy to do, as long as you con the right person and you get lucky with the timing you're all set. Once you have complete access to their internal system you will have no problems getting them to toss you their current number..
The only non-realistic part of the articles I read was regarding how many attackers utilize programming bugs - there are far fewer now than there used to be..
mix_master_mike
vafrous
Neither the Inquirer article nor the Wired article shows any evidence that an actual break-in occurred. Of course an occasional account may have been compromised... big hairy deal. But nobody provided any proof that even a noticeable percentage of the 35 million (active or inactive, whatever) accounts has been touched.
The Wired article quotes sounded like a bunch of script kiddies, probably with their own AOL accounts, were making things up to sound important. (What? Online sources telling lies to seem cool? No way!) No evidence was provided in either article, and given the obvious safeguards (of which SecurID is a good one) it sounded like so much bull.
This all sounds like a standard "AOL sux!!!" kind of posting, elevated to seeming respectability by badly-researched articles in the almost-mainstream media.
Disclaimer: I worked at AOL for 5 years... I'm pretty familiar with the system under discussion.
One thing that hasn't been mentioned is that the SecurID system also requires a PIN number to log in, and employees are strongly trained not to give that to anyone.
Also, Merlin requires a special client, that would be a bit hard for someone using a man-in-the-middle attack to enter information into and/or see the results of.
As for the social-engineering aspect, people have been doing that all over the world, for centuries. Only a few of them are called hackers. The rest are called journalists.
Please note that all the sources in the article are "hackers." Yet Wired reports it as _fact_ when they have no official confirmation or hard evidence. I guess a publication like Wired doesn't have very strict journalistic standards about news, but still... this is an instance where you use words like "alleged" and "claim."
Karma: T-rexcellent.
"AOL's central customer database, Merlin, may have been been compromised"
What a stupid comment. In other news...
"Aliens MAY have invaded Italy..."
"Saddam Hussein MAY have a gay lover..."
"I MAY have sex with Liv Tyler tonight..."
"You cannot find out which view is the right one by science in the ordinary sense." - C.S. Lewis on Intelligent Design
Here, I copied this HTML for a friend a few days ago. Merlin @ opsec
Hi,
You all wanted proof that the hack was done. We're carrying that proof on Observers.net. Check out the first story and that will give you all the proof you need that the hack was done.
The other news places (The Register, The Inquirer, and Wired) were not able to provide the proof that we have.
Jacob
Observers.net
Divide by 7 because you can get 7 usernames for one account. Also keep in mind that many people just coast on the '3 months free' service and then at the end, call to cancel it, and then take another free month when it's offered (so that they don't cancel.) The phone reps get a cash bonus for getting a person to stay with AOL like this.
Lather, rinse, repeat. Free AOL access for life.
I'm glad this story is getting picked up in so many places, but I do want to clarify a few things for those who either don't believe this attack is possible, who think I simply wrote it based on a few script kiddies' comments, or who simply don't understand how journalism works.
Yes, I was given substantial proof of the attacks. But my job as a journalist is not necessarily to PROVE that anything happened (that is what lawyers do) -- you'll note perhaps that Woodward & Bernstein's takedown of Nixon was initially based entirely on one man's tip in a Beltway parking garage. It all has to start somewhere.
So I merely collect evidence and present what I have. It was completely credible in this case. In fact, I called AOL five times to get their side of the story. They refused to call me back. But YES, the proof does exist. In fact, observers.net posted some of it here. You can dig around to find their full story on the subject, which goes into greater depth than I had the luxury for at Wired -- which is a general tech news site, not a how-to site for hackers and wannabes. In any event, you will notice that AOL has not refuted the claims in any forum. I honestly have no doubt about the authenticity of these claims after seeing the information provided to me. It's now AOL's turn to either come clean about the attacks or say they didn't happen. Since AOL is afraid of negative publicity, they are trying to keep things quiet. This is not apparently working...
Originally I had hoped to interview the unnamed 14-year-old hacker for my story (which was intended to be mostly about the Merlin break-in) but he balked out of fear of prosecution (he was later interviewed for Observers.net and privately apologized to me for not doing the interview). Hence I focused on the myriad other recent hacks (Japan Webmail, the mumble method, screen name thefts) that AOL has been hit with as well.
Regarding the breaking of SecurID -- if a hacker can call up a rep on the phone and get him to reveal his name and password, it seems pretty plausible that you could get the SecurID code as well. Disgruntled insiders also provide this information readily to their pals on the outside. Of course that's all in the story...
Anyway, if any AOL users are convinced their data is secure I'll be happy to pass along your screen name to the people in question...
Cheers.
filmcritic.com - Movie reviews on Internet time
According to the last AOL support rep I talked to on the phone, AOL has never had an exploit resulting in compromising member information. Incidentally, I was calling to report an open exploit that resulted in my information being compromised. They told me it was impossible. I explained to them, in detail, how the exploit worked. Nope, apparently it was still impossible. So I asked to be put through to operations security (opssec). I was told it didn't exist. I even pointed out a page on their website that mentioned it. Nope, doesn't exist. Quite fed up with this robotic imbecile, I asked to speak to a supervisor. The supervisor (this is in the fraud department, by the way) explained that they were trained to deny that AOL had any flaws. Interesting. After realizing the supervisor also had no idea what they were talking about, I requested to be put through to opssec. Well, the supervisor at least acknowledged its existence, but refused to put me through, despite the fact that I had very important network security information. In so many words, I was told they didn't care that my information was compromised.
Soon after this, I cancelled my account. Not only did they charge me for 2 more months, but they charged me the dialup rate (I was BYOA). So I called them up, quite pissed off, and asked for the charges to be reversed. I was then told my account was still active. At this point, I explained to the incompetent billing employee how to use Merlin to pull the fraud record of the account termination. The charges were subsequently reversed.
My experience gives new meaning to the phrase "AOL sucks"