Slashdot Mirror

← Back to Stories (view on slashdot.org)

AOL's Merlin Compromised?

Posted by CmdrTaco on from the that-would-suck dept.

Neophytus writes "The Inquirer reports that AOL's central customer database, Merlin, may have been been compromised by crackers. This, even though it required 'a user ID, two passwords, and a specialized ID code' to gain access to. That's 35 million user's names, addresses, emails and credit card details - a goldmine for spammers and fraudsters alike. As they they put it, 'AOL can now add another accomplishment to its list: Biggest security disaster in ISP history.' The Register is also running a story explaining why this is not particularly likly, though." Here's the original Wired story.

22 of 239 comments (clear)

  1. Welcome! by Anonymous Coward · · Score: 5, Funny


    You've got problems!

  2. Also in the news ... by BabyDave · · Score: 5, Funny

    Guinevere compromised. Faulty key mechanism in chastitybelt.dll blamed.

    1. Re:Also in the news ... by mickwd · · Score: 5, Funny

      Did someone find a backdoor ?

    2. Re:Also in the news ... by jaeson · · Score: 5, Funny

      No they used a Trojan.

  3. hmmm... by jeffy124 · · Score: 5, Interesting

    From the Wired article:

    The hack involves tricking an AOL employee into accepting a file using Instant Messenger or uploading a Trojan horse to an AOL file library.

    Sounds like AOL needs to read Mitnick's book - The Art of Deception.

    --
    The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
  4. the specialized id code is is securid by Anonymous Coward · · Score: 5, Informative

    The securid makes it unlikely that anyone was
    able to hack it, at least without physically
    stealing one of AOL's securid cards and the
    pin for that card.

    For others that don't know how they work, the code
    changes every 60 seconds (and is different
    on every card made), and the old code
    is no longer good when the code changes, it
    makes it really hard to bypass without having
    an actual securid card that is valid for
    the system that is being broken into, and the
    proper username and pin for that card.

    1. Re:the specialized id code is is securid by PeteEMT · · Score: 5, Informative

      SecurID is a physical token. it's not something stored in the computer.

      http://www.rsasecurity.com/products/securid/tokens .html

      They come in two forms (at least the AOL ones did when I was a contractor there) A Key chain Fob and one that looks like a Credit Card Calculator.
      If I remember right, the system also automatically marks the login code invalid once a successful login is achieved. So someone can't use a Key Sniffer to steal your code. If you logged in and got disconnected for some reason, you needed to wait for your SecurID to rollover to the next code.

      --
      Pete
    2. Re:the specialized id code is is securid by Grax · · Score: 5, Insightful

      I understand how SecurID works. My point is that if you have remote control of a machine that is logged in and not disconnected then it doesn't matter how secure SecurID is. It is much the same principle as logging into a machine with your SecurID and then going for coffee.

      I am not claiming at all that the article is actually accurate as it offers no proof and no reliable sources. But, it is theoretically possible to take over a machine where the SecurID has already been entered and cause havoc.

      --
      Coding Blog
  5. Re:you won't see me crying by Anonymous Coward · · Score: 5, Interesting

    Nobody "DESERVES" to be defrauded when doing business with a legitament company. That 70-year-old couple who just gets on long enough to send email to their grandchildren, who got AOL simply because they got the installation CD in the mail, they deserve a few hundred dollars of fraudulent charges?

    AOL markets almost exclusively to the technophobes who either don't know or don't care enough about computing to spend significant time shopping for an ISP. To them, the computer is an appliance; AOL is effective at distributing their product for that appliance.

    Get off it. AOL sucks for us slashdot people because it's not a product designed for us. Until MSN or Earthlink or the myriad of other "simple/easy" ISPs start unloading millions of CDs on an ignorant population, it will continue to be the dominate choice.

  6. Re:wait a minute... by Anonymous Coward · · Score: 5, Funny

    Posting a loss does not mean that they did not make a profit. It just means that they have good accountants. ;)

  7. Social Engineering more than hacking by peterdaly · · Score: 5, Insightful

    While many of these hacks utilize programming bugs, most hackers are finding it far easier and quicker to get access or information simply by calling the company on the phone. These so-called social engineering tactics involve calling AOL customer support centers and simply asking to have a given user's password reset. Logging in with the new password gives the intruder full access to the account. In a telephone interview, two hackers using the handles Dan and Cam0 explained that security measures (such as verifying the last four digits of a credit card number) can be bypassed by mumbling. A third hacker, using the name hakrobatik, confirmed the mumbling method.

    This article is more about social engineering than about the AOL break in. This is odd, if this were true, I would expect a much different type of artcle to be on the lead edge of the breaking news like this. I don't know if this is true or not, but the Wired article does not really have a whole lot of meat with it.

    -Pete

    --
    Soccer Goal Plans
  8. Re:wait a minute... by ceejayoz · · Score: 5, Informative

    A large number of those users are using the free trial periods, or are existing users getting free service (AOL offers that if you try to cancel - it's actually possible to get AOL for free indefinitely).

  9. Can I get that e-mail list? by Cyclone66 · · Score: 5, Funny

    I'll finally have a complete killfile for usenet!

    1. Re:Can I get that e-mail list? by russx2 · · Score: 5, Funny

      Yeah, it's *@aol.com

  10. this happens all the time by mix_master_mike · · Score: 5, Insightful

    Some of you may recall this interview from a while back - I used to be an AOL nerd back in the day and I know a few of the kids mentioned in the articles (and I think cam0 is 15 now?) - anyway.. from what I can recall alot of the 'hackers' (script kiddies, whatever) would simply use extreme social engineering tactics, as these articles explain, to get whatever they wanted. As the amount actual bugs of the systems would dry up (your basic token bugs, invokes, problems with the systems themselves) alot of the 'hackers' would have to figure out other ways to get in.

    Getting past sID - this is not that big of a deal, while it's not that easy to do as long as you con the right person and you get lucky with the timing your all set. Once you have complete access to their internal system you will have no problems getting them to toss you their current number..

    the only non-realistic part of the articles I read were regarding how many attackers utilize programming bugs - there are far fewer now then there used to be..

    --

    mix_master_mike
    vafrous

  11. Not too likely by island_earth · · Score: 5, Insightful

    Neither the Inquirer article nor the Wired article shows any evidence that an actual break-in occurred. Of course an occasional account may have been compromised... big hairy deal. But nobody provided any proof that even a noticeable percentage of the 35 million (active or inactive, whatever) accounts has been touched.

    The Wired article quotes sounded like a bunch of script kiddies, probably with their own AOL accounts, were making things up to sound important. (What? Online sources telling lies to seem cool? No way!) No evidence was provided in either article, and given the obvious safeguards (of which SecurID is a good one) it sounded like so much bull.

    This all sounds like a standard "AOL sux!!!" kind of posting, elevated to seeming respectability by badly-researched articles in the almost-mainstream media.

  12. I'm doubting they got into Merlin with this method by scrain · · Score: 5, Informative

    disclaimer: I worked at AOL for 5 years... i'm pretty familiar with the system under discussion.

    One thing that hasn't beem mentioned is that the SecurID system also requires a pin number to log in, and employees are strongly trained not to give that to anyone.

    Also, Merlin requires a special client, that would be a bit hard for someone using a man-in-the-middle attack to enter information into and/or see the results of.

    As for the social-engineering aspect, people have been doing that all over the world, for centuries. Only a few of them are called hackers. The rest are called journalists.

  13. Oh, wired... by Ravagin · · Score: 5, Insightful

    Please note that all the sources in the article are "hackers." Yet Wired reports it as _fact_ when they have no official confirmation or hard evidence. I guess a publication like Wired doesn't have very strict journalistic standards about news, but still... this is an instance where you use words like "alleged" and "claim."

    --

    Karma: T-rexcellent.

  14. What merlin looks like by seeksoft · · Score: 5, Interesting

    Here, i copied this html for a friend a few days ago. Merlin @ opsec

  15. You Asked for proof by JacobD · · Score: 5, Informative

    Hi,

    You all wanted proof that the hack was done. We're carrying that proof on Observers.net. Check out the first story and that will give you all the proof you need that the hack was done.

    The other news places (The Register, The Inquirer, and Wired) were not able to provide the proof that we have.

    Jacob
    Observers.net

  16. I wrote the Wired story and, yes, I've seen proof by ccnull · · Score: 5, Interesting

    I'm glad this story is getting picked up in so many places, but I do want to clarify a few things for those who either don't believe this attack is possible, who think I simply wrote it based on a few script kiddies' comments, or who simply don't understand how journalism works.

    Yes, I was given substantial proof of the attacks. But my job as a journalist is not necessarily to PROVE that anything happened (that is what lawyers do) -- you'll note perhaps that Woodward & Bernstein's takedown of Nixon was initially based entirely on one man's tip in a Beltway parking garage. It all has to start somewhere.

    So I merely collect evidence and present what I have. It was completely credible in this case. In fact, I called AOL five times to get their side of the story. They refused to call me back. But YES, the proof does exist. In fact, observers.net posted some of it here. You can dig around to find their full story on the subject, which goes into greater depth than I had the luxury for at Wired -- which is a general tech news site, not a how-to site for hackers and wannabes. In any event, you will notice that AOL has not refuted the claims in any forum. I honestly have no doubt about the authenticity of these claims after seeing the information provided to me. It's now AOL's turn to either come clean about the attacks or say they didn't happen. Since AOL is afraid of negative publicity, they are trying to keep things quiet. This is not apparently working...

    Originally I had hoped to interview the unnamed 14-year-old hacker for my story (which was intended to be mostly about the Merlin break-in) but he balked out of fear of prosecution (he was later interviewed for Observers.net and privately apologized to me for not doing the interview). Hence I focused on the myriad other recent hacks (Japan Webmail, the mumble method, screen name thefts) that AOL has been hit with as well.

    Regarding the breaking of SecurID -- if a hacker can call up a rep on the phone and get him to reveal his name and password, it seems pretty plausible that you could get the SecurID code as well. Disgruntled insiders also provide this information readily to their pals on the outside. Of course that's all in the story...

    Anyway, if any AOL users are convinced their data is secure I'll be happy to pass along your screen name to the people in question...

    Cheers.

    --
    filmcritic.com - Movie reviews on Internet time
  17. Merlin doesn't exist by fafalone · · Score: 5, Interesting

    According to the last AOL support rep I talked to on the phone. According to them, AOL has never had an exploit resulting in compromising member information. Incidently, I was calling to report an open exploit that resulted in my information being compromised. They told me it was impossible. I explained to them, in detail, how the exploit worked. Nope, apparently it was still impossible. So I asked to be put through to operations security (opssec). I was told it didn't exist. I even pointed out a page on their website that mentioned it. Nope, doesn't exist. Quite fed up with this robotic imbecile, I asked to speak to a supervisor. The supervisor (this is in the fraud department, by the way) explained that they were trained to deny that AOL had any flaws. Interesting. After realizing the supervisor also had no idea what they were talking about, I requested to be put through to opssec. Well, the supervisor at least acknowledged its existence, but refused to put me through, despite the fact that I had very important network security information. In so many words, I was told they didn't care that my information was compromised.
    Soon after this, I cancelled my account. Not only did they charge me for 2 more months, but they charged me the dialup rate (I was BYOA). So I called them up, quite pissed off, and asked for the charges to be reversed. I was then told my account was still active. At this point, I explained to the incompetent billing employee how to use Merlin to pull the fraud record of the account termination. The charges were subsequently reversed.
    My experience gives new meaning to the phrase "AOL sucks"