AOL Security Compromised by Teenager
Freaky_Friday wrote with a link to an InfoWorld article about a teenage kid accessing customer information at AOL. The alleged criminal trespass began late last year, and extended up through early April. According to the article, the guy used some 'off-the-shelf' hacking software he downloaded online to gain access to, and then transmit information from, AOL's systems. "The complaint states that Nieves admitted to investigators that he committed the alleged acts because AOL took away his accounts. 'I accessed their internal accounts and their network and used it to try to get my accounts back,' the defendant is quoted as saying in the complaint. He also admitted to posting photos of his exploits in a photo Web site, according to the complaint ... If the defendant was honest about his motivation in his reported confession, it's safe to assume that he wasn't interested in stealing data for financial gain, [Managing director of technology at FTI Consulting Mark] Rasch said. Still, it'll be interesting to find out what steps AOL is taking if customer data was in fact compromised, he said."
Well, there have always been tools out there to hack AOL; some of the more notorious were AOHell and WAAS (We are all sinners), and LOFT even had a whole series of tools for AOL. Most of them just contained a lot of script kiddy stuff, but there were some others that gave you shell access to the network. About 10 years ago or so, AOL was really like a pretty face over a custom IRC-type network. You could drop down out of the pretty face and get to the raw shell, which was really only protected by the fact that the pretty face was there and most AOL users were too dumb to realize that there was something going on under the AOL screen. You could peek around, but then once you got yourself an overhead account you really could run through the system at will. While I imagine it has improved over the years, I am guessing a lot of the base code and concepts of the network are still there.
I recall sitting in the nerve center chat with the likes of VARST, UTRST, JXRST, etc. and having the occasional moron walk in trying to phish in the chat. They didn't generally last long, but I also have seen a VARST operator type his password into the chat. It's sad how easily some (high-level) employees can be socially engineered. That's what you get when you hire Joe Regular into an enterprise position and you don't give him adequate training.
Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
First we documented all of the tokens with just invokes, yes; but from there we went on to writing our own windows and modifying the behavior of existing windows, working with every part of the FDO stream, not just the token invokes. If I remember correctly, the invoke menu command was only for invoking mF tokens anyway. That's all people could do before my time, when learning how to use all the other FDO commands was made possible by internal documentation of the entire FDO language, a large manual covered in "CONFIDENTIAL" and "INTERNAL USE ONLY" stamps. Just invoking an mF token for a form would display the graphics and such, but if you really wanted to do something worthwhile, invoking that token was only the start of a stream. FDO has hundreds of commands besides invoke; we figured out how to do entire streams using all the commands, atoms, etc. Too bad I'm traveling with my laptop right now; I have hundreds of custom FDO scripts and documentation in my storage archives back at home. But anyway, FDO was an entire language, and invoke was just one command; once one knew the entire language, a whole new world of possibilities opened up that you could never accomplish with a simple invoke. I'll share another OpsSec story. My account got terminated for no good reason, so I called up the support line (CAT, I think) and asked to be transferred to OpsSec. I was told no such department exists. I asked to speak to a supervisor, since granted a low-level support peon might not know about it. The supervisor also told me it didn't exist. I explained in great detail why I knew it existed, and was then told "well, you're not speaking to them" and got hung up on. So I started digging around all the internal documents we had, and in a couple of hours came up with a phone number for OpsSec. I called them up, and right after I said hello, they called me by my handle, told me my account was killed for hacking, and told me to knock off the token scanning and stop harassing tech support.
That was the first time I ever talked to someone who worked for AOL who actually seemed like an intelligent person who knew what was going on, and it was how I found out the highest levels of the company were actually worried about what we could now do with FDO.
How dare you misspell the name of one of the greatest organizations ever. It's L0pht.
0x09F911029D74E35BD84156C5635688C0