Password Thief Ransacks AOL
NoWhere Man writes "Just surfed into Wired and read an article about a thief using email to get AOL passwords. Using OperaMail and a program similar to those used to hack ICQ, the sender can get the password to anyone's account on AOL; all the user has to do is open the email. " You've Got A Password! (Done in sing-song voice).
PORNO SPAM!!!! Once the average 14 year-old cracker gets a new ISP so that (s)he can gain some sort of status with funky ASCII characters instead of letters, they realize that real ISPs BLOCK Spam (or try their darnedest). Unwilling to socially interact and find a real significant other, they need access to the latest greatest porno spam, fueled by a desire for more "creative" uses of the word cum instead of come. The solution? Gain access to the greatest repository for porno links in the world . . . AOL accounts!
;-) But certain things I've grown out of . . .
Not to sound bitter or anything. I rarely leave the house myself
Bad things often happen to good people,
It is up to them to see that they remain good.
I don't know what the brouhaha is all about. People have been doing this for *years* now, using hotmail and juno and the like. And every time aol upgrades or patches to stop these "password stealers" some VB programmer finds a way around it, and immediately hundreds of people have access to it. By the very nature of it, you have to give people the file for it to work. Then anybody can simply hex their email address in place of the original. I guess someone finally noticed.
Why? It's just users opening attachments from people they don't know. Nothing spectacular...
I agree - this is not an issue. The same thing can happen with any other Windows user, regardless of whether he/she is using AOL or another ISP. Countless non-AOL users have accidentally installed Back Orifice on themselves, which leaves them open to anybody getting their ISP password.
I don't see why this is a Slashdot story - it's happened many times before and it's not anything particularly restricted to AOL.
On top of that, the slashdot story is just plain wrong. The user does not just have to open his email. He must open it, download the executable, and run the executable. Big difference.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
Don't go by the movies and (fiction) books man. I mean, look, HAL never got invented (and no computer exists like it). 99% of futuristic stuff in movies/books never happens. Really. Of course, it's that 1% that scares me.
Anyways, tell me how a gui is easier than:
minty$ pine
i
to read mail?
or
c
to compose mail?
Everyone using computers usually keeps their hands in the upright and locked position (on the keyboard) when not in use. So.... i is closer than:
Move over to mouse.
Move mouse to position.
Click.
Wait 15 seconds for slow GUI to draw "You have mail!" window.
:-)
As soon as the Prison from Fortress exists, I'll take all of this back! I promise!
AOL password stealers in the past have been trojan horse programs that either spoofed the signon screen or read the password box using VB programs. Passwords get mailed to an address using the standard mail program. This sounds like the same AOL has faced for years. More disturbing is the story that floats around that passwords can be stolen through an instant message, simply by replying to it. Most likely the stuff of AOLegend but it's difficult to disprove something.
The password is typed at login. Logins can be spoofed on any system. Someone did that on the Sun stations at school, his/her .logout file spoofed the login screen, stored the user/pass, then exited. OOPS I must've typed my password wrong, gotta login again. Oddly enough storing your password can protect you against some of these trojans.
you can only do javascript if you use a lame mail reader that supports HTML mail!
*L* i suck ass
i dunno, i got marked down a whole buncha times by some fascist(s) and haven't been able to get a score of more than 0..oh fsckin WELL!
"There is no spoon" - Neo, The Matrix
I used to run the internal systems for one of their web sites. And while I was pretty suspicious when the tech support guys in Virginia said "If you get e-mail with an attachment from someone you don't know, don't open it -- delete it immediately," I've seen people get their passwords stolen just by reading AOL mail.
---
Consult, v. t. To seek another's approval of a course already decided on.
This thread is already a day old (slashdot effect #2: discussions die in 24 hours), but what the hell.
Trick wrote:
>Unfortunately, with AOL, this is not true (and >I'm not just talking out of my ass here --
Maybe not, but you're definitely wrong.
There is no scripting capability in AOL mail. It doesn't support VBScript, JavaScript, ActiveX, anything. It's pure text, with a small bit of pseudo-HTML mixed in for fonting.
There's no way to get a virus/trojan without actually downloading the attachment - and, as mentioned, we put up a big splash screen before you download telling you all about the nasty things people will try to send you.
As for passwords, as of 4.0 (July 1998), we don't store them in the clear, nor do we transmit them in the clear. The vast majority of users are now on 4.0. However, I believe most of the modern trojans will capture live keystrokes straight out of the keyboard driver.
And then there are the "click here for our new NetMail web page that requires you to enter your password" scams...
Jay Levitt
Chief Architect, Mail Systems
AOL
Well, Jay -- you might want to pass that on to the people answering the phones for support in Vienna. I've asked them, very directly, if such a thing could happen -- and I've received a very definite "yes."
---
Consult, v. t. To seek another's approval of a course already decided on.
Well, I never said government intervention either, did I? I think it is an error to assume that "Big Brother" like tactics are only applicable to government agencies. I believe that it is just as horrible an idea to have a community belief that results in Big Brother like monitoring by other community members, whether they are government officials or not.
I don't believe it is in the best interest of society to hold ISPs responsible for the actions of their customers. Sure, if the Internet self-regulating community makes an ISP aware of abuse by one of its customers then it should take immediate action, although allowing for a rebuttal to guard against actions against innocent victims of falsely reported misconduct. I think almost everyone agrees with this. I don't think that anyone expects ISPs to have a "hands off" policy even when they are notified and shown "evidence" from the community that someone is using their service unethically and in contradiction to their policies. I believe that ISPs should even cooperate with investigators if it is shown that the acts of one of their customers are or could be illegal. Certainly they should comply with any court orders demanding the turnover of any logs or records of the customer's actions.
This, however, is MUCH different than saying that ISPs should monitor each and every transaction that their members have on-line, and that failure to do so is unethical. That would mean that ISPs would have to install monitoring equipment to check each and every email, web post, and usenet message sent by all of their customers for specific things. Someone would have to review the flagged messages and make a decision whether to turn over the "evidence" to authorities, terminate the user's contract, or let it pass. How else are ISPs supposed to be "ethical" by making sure their customers are not using their free services for unethical and immoral things (such as child pornography), which according to you is their moral and ethical obligation? Yes, ISPs can install software or design their system so that use of "free" services is easily trackable to someone who actually pays the phone bills -- much like HotMail records the IP address of users who send mail, which should be trackable by the ISP as to who was assigned that IP address at a particular date and time. Having these tracking mechanisms in place is not the same as saying that ISPs are ethically responsible to ensure that their customers are acting in an ethical and moral manner. I support, and I would guess that most others support, the "tracking" of messages like this. Unfortunately, I may differ in that I don't support the "release" of this information unless sufficient evidence is provided to indicate that the person being tracked has committed an illegal act or an act that is against the use policy for the ISP.
So, maybe our views are more similar than you think. I disagree with your terminology, however, that ISPs are acting "unethical" or "immoral" if they provide free services that they don't monitor to assure compliance with the law, their fair use policy, or common decency. I think it is enough to "cover their butt" legally, morally, and ethically, to ensure that proper tracking mechanisms are in place so that people who break the law, their fair use contract, or common decency can be tracked.
I don't want to live in a police state whether enforced by actual government authorities or by my fellow citizens. I sincerely doubt that you do either, so there has to be some misunderstanding...
GUI users get what they deserve I guess.
If I read the article right, the problem is that AOL users are opening an executable attachment to an e-mail. Sorry, but there is no way in the world to protect against this. People often say it doesn't matter on a Linux system since only user files can be affected, but this is little comfort to me. I can easily re-install a broken system. Protecting the user data I've created since last backup is far more important to me.
Users seem to be requesting that AOL identify all possible malicious attachments and install virus checking software that will identify them. AOL is quite right in saying this is hopeless. The only solution presently is for AOL users to grow a brain (after the appropriate education) and refuse to open attachments they did not solicit.
It would be nice if attachments could run/open on a VMWare virtual machine or something like it created specifically for the purpose, with monitors for suspicious activity. If the virtual machine gets destroyed, no biggee. Delete it and create it again. I doubt this is practical at the consumer level now however.
No, I have to agree with AOL that this problem is between keyboard and chair.
There have been far more serious security problems in the Microsoft world of late that would destroy a system on merely opening a mail or viewing a web page. These are real holes that need fixing, or better, making impossible.
I have never used HTML mail, and I wish no one would. Almost all of it I get is spam anyway. The internet was designed around text for a good reason, and even though HTML is text, any language that can embed executables is still dangerous. Limiting mail HTML to a formatting subset like Slashdot's would be an acceptable compromise.
Wouldn't it be good if people made things like this but when the email was opened the program actually did some good for you, like pointing out that you were a bit silly opening this without knowing who it was from, or suggesting some tips to make your system run a bit better.
Of course, some people would argue that deleting people's windows installation is a good thing..
Agreed! The article is vague on how the attachment gets executed. Info, anyone?
While a lot of /. rips AOL, they're the #1 ISP, and the place for computer illiterate people. I can't stand using it, but I realize that AOL has its place online. How many of your relatives or friends of your family use AOL? I know mine do, and to be honest it's easier to support than the typical Win9x dialup/IE/Outlook combo.
We use Outlook 97 here at work, and the default email "reader" was Word97, instead of the internal reader of Outlook. I would imagine it would be possible in this instance to embed one of those silly macro viruses. Of course, it would only affect those using Word as their mail reader, but still, I think that would be quite a lot of people. The previous posts also mentioned embedded Javascript, which could affect lots more.
But, yes, the email itself cannot contain viruses. If you were to, say, read your email using pine or elm or something, then simply reading the message won't hurt. But all these fancy new mail clients that use Word or process HTML could be damaging.
If you came back to your car and some kind soul had left a free bottle of "engine performance enhancer" on your bonnet, with a note saying "Just pour into your fuel tank for an incredible performance boost," would you:
My point being, you don't have to know much about engines to treat such things with due caution. You just need a little sense.
There's some witty paraphrase of the "million monkeys with typewriters" line I could make here, but what's the point?
"I ache therefore I am. Or in my case, I am, therefore I ache." -- Marvin
From the article:
... One user reported that the attached program bore the name "buddylist.exe."
Email that may be using a trojan horse-like virus
I hope not! One of my favorite kitchen physics experiments involves putting a CD in the microwave for, or say 3 or 4 seconds. Just until the current in the foil reached the point where the entire foil disc pops! It makes a really cool fractal-like pattern! They make great suncatchers, too.
--
The problem with this 'hack,' as with most of the popular worms & trojans of late, is right between the keyboard and the chair. Part of the blame should be placed on user stupidity. AOL repeatedly warns not to open attachments from people you don't know or trust. They also tell you not to go and give out your password to anyone. While AOL and ICQ do have a responsibility to keep their systems secure, the users also have a responsibility to protect their own account information. If a user opens a file that extracts their password, despite the fact that AOL (and that little voice in the back of their head called common sense) tells them not to open strange files, then it's partly their problem. Although on the other hand, it seems now that the way AOL stores user passwords on their hard disks is somewhat insecure, and AOL has a responsibility to modify their software and distribute a patch so that this doesn't happen again.
Yeah, I found it downright spooky that they painted it that way. What exactly is Opera supposed to do differently? Clue in the AOL users for AOL?
Another scary thing is that they seem to be ignoring the fact that people are continuing to open attachments without considering the ramifications.
"Malicious" E-mailer: Open the enclosed attachment. Trust me.
AOL User: OK.
"Malicious" RL Criminal: Open the front door to your house and look the other way for awhile. Trust me.
AOL User: OK.
I also found the following phrase interesting: "...the company repeatedly educates AOL users to beware the techniques of the wily password-stealer." It seems more apparent than ever that AOL's greatest enemy is an educated user.
Unfortunately, I don't think it's possible. When the Luser sees something flashy, they want it, period. If they get a mail entitled "Check this thing out, it's Soooooo cool" then guess what happens. It doesn't matter what the mail client is either; they see something that sounds like the next 'frog-in-a-blender' and they'll open it. Yes, and hopefully they'll learn that they had better pay attention to the warnings that most (all?) ISPs provide about opening email. Then comes the formatting of hard-disks, and gnashing of teeth.
---- Windows Emulator for Linux: kill -9 $RANDOM
that's hanging their head over these incidents nowadays. This is really getting disturbing.
"Security? We dont need no steenking security!"
You are the same decaying organic matter as the rest of us.
They are big and bloated enough =) >All the user would have to do is to open the email. Gee..I don't know if many people subscribed to AOL use their email services..hehe I'd like to see how quickly AOL replies with a patch. The media would keep a close eye on this - about as close as Hotmail has received in recent months.
---- Windows Emulator for Linux: kill -9 $RANDOM
Now if they'd just open source some of their stuff, we could actually HELP them patch the holes. OH well.
Werd.
And is AOL really to blame? I mean does AOL's problem have anything to do with their methods, or is it just their sheer size? Most ISPs have holes I am sure, but if there isn't enough exposure for them then they wouldn't have to worry, and there certainly wouldn't be any news articles posted. Keeping this in mind, is there really any reason for users to be unhappy with their service from AOL? And I am sure AOL has the proper disclaimers in place......Besides getting free hours on AOL isn't real hard, and who wants to read my email anyways??
Funny and I thought Perl == Paid employment recently located
Just think.. If all these people are so worried about and getting easily screwed over by crackers and script kiddies , just imagine if more actual hackers were lame enough to devote most of their time cracking .. Of course, knowing the media, upon the arrival of people with actual intelligence on the 'hacking' scene, the 'lesser' 'hackers' would still be called hackers, and the 'elite' 'hackers' would probably finally be called crackers.. and thus, completely reverse the meanings of the two words in their own minds. =P
~ Kish
It's been said a million times before but I'm going to say it again. Security is 90% common sense. Don't be an idiot and open exe's from people you don't know. Although... what should we expect from aol users.
nah.. that's just an email-addy the pwd gets sent to. On a sidenote.. check out myownemail for a really insecure system. it runs on cold fusion under windows. 'Nuff said
//rdj
No one can understand the truth until he drinks of coffee's frothy goodness.
--Sheikh Abd-Al-Kadir, 1587
Seems to me the real problem is the AOL password is stored in the clear on every client's machine. (That's the only way a trojan horse could e-mail it out, right?)
Stupid job ads, weird spam, occasional insight at
I've seen a lot of comments about "AOL should beef up their security", "People shouldn't open attachments", etc,etc...
Yes, these are all valid points. AOL should stay on top of things, and there HAS to be some way to get it through to end users that opening attachments, especially from unknown origins, could be potentially damaging. (I'm speaking from a general perspective, not just this latest exploit).
However, remember that AOL is one of the largest ISP's in the country. New users are constantly joining, and seasoned users leave to find a more "streamlined" provider. To stay with the up and up, AOL has to continue to provide new services and features to attract more users. AOL admins probably have a heck of a time keeping up, I would imagine. Also, when you have such a large user base, mostly of "newbies", that represents a pretty nice target for crackers. And really, no matter how much you try to secure a system, no system will EVER be 100% foolproof. Yes, most of the attacks we hear about are actually pretty basic, social engineering methods. But when you look at it, those kinds of exploits are often times the most effective.
Basically what I'm saying is, because of AOL's very large user base, it presents itself as a very big target with lots of opportunity for crackers. The best thing to do is to continue to patch holes as they are found (being a little bit proactive wouldn't hurt, either) and continue to educate users.
The cite is wrong... The AOL member needs to do a lot more than just open the email. He has to open it, download the executable, either attached, or often to a remote link on some free website like fortunecity or angelfire. Then he has to run the executable. It's not quite as easy as it's implied to be. Not only that, but we toss up a warning window on suspiciously suffixed files telling the member what it might be, and asking a yes/no if they really want to download it.
(Darn... now I can't moderate this topic =)
This is just further proof of a magazine trying to sell itself by putting a lot of hype behind a story, if anyone has ever used aol (not to mention worked for them as I have) you might note that these trojans have been around for -years- it just simply helps reinforce the fact; If you don't know what it is, don't download it, how hard is that?
Buffer overflows in early versions of Sendmail allowed people to break into the root account, again without any action on the part of users.
Buffer overflows in e-mail readers are a potential source of chaos, too. It may be possible to exploit such bugs to inject code into a system without the user needing to actively execute an attachment.
The general advice "you can't get a virus from e-mail" is ONLY true in general, across all systems and across all e-mail software. Special cases and exceptions DO exist for significant subsets of cases. Within those subsets, you would be advised to be aware of what exploits exist.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
You mean a painless experience using the computer?
GUI users can also click off the checkbox next to "JavaScript in mail/newsgroups," and voilà, no more problems.
It's amazing how someone who obviously feels incredibly smart is pinning his hopes on the PAST. In case you hadn't noticed, text-based UI's are not exactly the stuff of futuristic books and movies -- FOR A REASON.
-WW
The program probably just reads a registry key. Easy as pie. Obviously, this is being done to educate AOL and get their users riled about the fact that their passwords are so easily compromised. I wouldn't be surprised if a Microsoft employee is responsible for this.
Redundant? I beg your pardon ?
:-)
Not that i feel sad or anything...
You are the same decaying organic matter as the rest of us.
I miss the days when AOL would mail out the floppy disks. All you had to do was reformat them and you had another spare blank disk handy.
In those days the company I was working for stopped providing them and required that I work such hours that there were no stores open when I was not working. I appreciated AOL mailing me blank disks for free.
I agree 110%. I was blown away when I saw what they did. And, for the longest time, we were unable to alter the Outlook settings (well, we could, but as soon as you closed Outlook, your changes were whacked). So, every morning I had to turn off the "Use Word as your Email Editor" option (fortunately, M$ did make this pretty easy). Only after a macro virus spread throughout the company did they FINALLY come to their senses and change the default to use the internal editor (which, is almost every bit as bad as Word).
Yet, this company lives and dies by M$ apps. You know the worst part about it? I get friggn ripped' whenever an NT server crashes or whatever, and I casually say "Heh, that's NT for ya. Guess you don't always get what you pay for.". Everyone's like "Oh PLEASE. Your Linux and FreeBSD stuff wouldn't be any better..yada..yada..yada.."
It sucks, I tell ya.
Ooooh the irony.
Grammar errors by this AC:
Leading capitals missed on all sentences.
"moderator's" used instead of plural form "moderator"
Third sentence is not correctly formed.
free experimental electronic music netlabel at www.viablehybrid.com
What "hole" are you referring to? If you mean their target audience of inexperienced users, you're right. If you mean some particular flaw in AOL, I think not. Any ISP connection tool that saves your password to a file in a known location can be compromised. The user opens an executable from a stranger, the trojan finds the file and emails it back, done.
Someone with way too much free time could send me an AppleScript that would find the FreePPP prefs file on my home computer, pass it to Eudora, and send it -- if I was dumb enough to open their attachment. The same would hold true for any known combination of an OS and an internet service with a saved password.
Even an encrypted password wouldn't help. Since all copies of AOL would use the same key, it would eventually be solved.
While it is shocking to see that AOL has these security holes, and while it is shocking to see how dumb some of AOL's users are for opening unknown attachments (even when AOL warns them not to), it is comforting to know that the people who are doing this are not using the accounts maliciously. While, ideally, people should not be able to get passwords so easily in the first place, isn't abusing (as much as they could), and yet is prompting AOL to fix such a leak. It is like that one hacker group who shows that they can hack into corporations running Microsoft products to show MS how shoddy their products are. Anyway, that's just an opinion of an Anonymous Coward.
Damn, there go my skeet targets. Back to spending $$ for clay pigeons.
"How many light bulbs does it take to change a person?" --BMcC-->
Woo woo. Look at me! I can fight a meaningless little battle so mommy doesn't dare call anyone less elite than me a "hacker." After all, who would want to be deprived of their deity-given right to have a REALLY ph3ersome moniker with which to label themselves?
Those with real knowledge don't concern themselves with labels. They know they're good, so they go and do what they need to do, media be damned.
" Ooooh the irony. Grammar errors by this AC: Leading capitals missed on all sentences. "moderator's" used instead of plural form "moderator" Third sentence is not correctly formed. " Sentence fragments abound here Not that I care much Just thought I would point that out
Q. WHY THE HELL do you want AOL passwords?
:D
A. They were pissed off 'cause their hundred free hours cd arrived with a scratch in it.
While a lot of /. rips AOL,....
I've noticed from time to time that this extends to AOLers on /. as well. Back when we had the flap over "ni**er.com" and the NAACP, I got into a side discussion with a software engineer of African ancestry who pointed out that I could now understand how others' perceptions of oneself could be prejudiced by some relatively shallow cues.
Pls excuse the off-topic "waaaah."
"How many light bulbs does it take to change a person?" --BMcC-->
>Unfortunately, with AOL, this is not true (and >I'm not just talking out of my ass here -- >another unfortunate thing is that I worked for >AOL as a systems administrator for a few years). >They've got some built-in scripting
No, they have no built in scripting. Load up a copy of aol and try it. They have limited html, but that's all. Aol mail cannot give you a virus from opening an email. Read the article, it's stated there.
Eric
The louder he talked of his honour, the faster we counted our spoons. -- Ralph Waldo Emerson
seriously, the problem is with the user, not with the software. you can't blame the sw for making things easy; you could blame it for not warning enough, but people will ignore warnings (esp. after seeing the same warning when their friend last sent them a new screensaver, clicking on 'yes', and nothing wrong happening).
no matter whether it's linux, windows or openbsd, people need to learn the difference between data (safe to view) and executables (unsafe to run). and the fact is that they won't.
I don't see what the big deal is? Back in my AOL days (3 years ago) I used to do this all the time from other webmail accounts. Sometimes you didn't even have to attach a PWS and could just talk eloquently from a Juno account and they'd hand it right over.
..what in the hell are you babbling about?
~ Kish
Because you can BUY things and have the products automagically charged to your AOL user's account..
-- I'm the root of all that's evil, but you can call me cookie..
I can't help but feel that the point of your post is that free services are "bad" and that they are somehow unethical because some people use them for unethical purposes. What else is one to assume from your post? Why do we need "methods of verification?" Do we really want Big Brother watching over our every move to ensure we don't hurt ourselves? The answer is not to restrict free or "anonymous" access to the net. Rather, it is for grown adults to take responsibility for their actions and not try to push the responsibility onto another entity. For children and other minors, it's the parents' responsibility to protect them and nurture them. Handing off the responsibility to another person or entity is as neglectful an act as any.
When people learn to take responsibility for their actions our current "problems" will cease to exist, or at least be reduced to a level that our law enforcement authorities can deal with effectively.
Does anyone remember the cracks done by Hex with AOMaster? Those always made life more interesting until there was no challenge in it anymore. AOL is almost to the point where I would sign back up just to give me something to fuck around with on the other end of the phone line... :)
OK, AOL is K-Rad ph0r d4 SkrIpt KiDDi3z and all. For anything even remotely more serious you will be forced to sign up with an ISP. I still remember when AOL would scare people away from ISPs by saying [when you tried to leave the service] "Do you have a working knowledge of how to set up IP addresses, POP accounts, IMAP, FTP, HTTPD, Gopher, and Newsgroups?" and would go on in this manner until you either hung up (and didn't get your service cancelled), said "Yes." (and didn't get your service cancelled), or cursed at them (and didn't get your service cancelled). AOL, go figure.
Have you ever written or used a Word macro? I don't think you have or you'd know how stupid your post is. When you use Word as your mail editor, it just shoves the raw text into Word. You'd have to be stupid enough to open the Word document attached to the original e-mail to activate a macro.
Sorry for that, just ignorant posts annoy the shit out of me. If you've made it this far, the blame sits on your IT department's shoulders as well as the users'. My organization had no ill effects from Melissa, because I've trained my users enough not to open strange .exes, and I took it upon myself to disable macros.
MS makes a handy dandy patch for 97 that lets you password protect the normal.dot file & office 2000 comes with macros disabled by default.
BTW I do agree that an MCSE is way too easy to get. The paper puppies scare me shitless, I had one that was a full MCSE and couldn't set up TCP/IP for a DHCP server.
You cannot get a virus simply by reading email. It's a saying that's been repeated to newbies since who-knows-when, and I'm surprised that /. missed it.
This was true when e-mail was ASCII only, but now that Web-based e-mail sites, Outlook Express and other mail software support HTML, ActiveX controls, and even scripting languages like JavaScript, it's possible to get a virus simply by reading e-mail. All it takes is an Internet Explorer security hole -- lord knows there are plenty of those -- and a malicious programmer with a little free time.
Your statement should be amended: If you only read mail as plain text, you cannot get an email virus simply by reading e-mail.
Rogers Cadenhead (Web: http://www.cadenhead.org/workbench)
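Two of the defensive measures argued for in this thread, the warning on "suspiciously suffixed" attachments that the AOL poster above describes and the plain-text-only reading Rogers recommends, as an added example in Python's standard email module. This is my own illustration, not AOL's code, Opera's, or anything from the Wired article; the suffix list, the sample messages (including the "buddylist.exe" name taken from the article) and the `.invalid` addresses are constructed for the demonstration.

```python
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Suffixes this example treats as executable. Constructed list, not AOL's own.
EXECUTABLE_SUFFIXES = {"exe", "com", "bat", "cmd", "pif", "scr", "vbs", "js", "hta"}


def final_suffix(filename):
    """Lower-cased text after the last dot, or '' when there is no dot."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def is_executable_name(filename):
    """Windows runs a file by its last extension, so that is what decides."""
    return final_suffix(filename) in EXECUTABLE_SUFFIXES


def looks_disguised(filename):
    """'photo.jpg.scr': a harmless-looking inner extension in front of an executable one."""
    parts = filename.lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXECUTABLE_SUFFIXES


def flag_attachments(raw_message):
    """Return (filename, content_type, reason) for every attachment that deserves a warning."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    flagged = []
    for part in msg.walk():
        name = part.get_filename()
        if not name or not is_executable_name(name):
            continue
        reason = "disguised double extension" if looks_disguised(name) else "executable suffix"
        # The declared content type is not trusted; the name decides, the type is only reported.
        flagged.append((name, part.get_content_type(), reason))
    return flagged


class _TextOnly(HTMLParser):
    """Keeps character data, drops every tag and everything inside <script>/<style>."""

    def __init__(self):
        super().__init__()
        self.chunks = []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)


def plain_text_body(raw_message):
    """Prefer the text/plain alternative; otherwise reduce HTML to its visible text only."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is None:
        return ""
    text = body.get_content()
    if body.get_content_type() == "text/html":
        parser = _TextOnly()
        parser.feed(text)
        text = "".join(parser.chunks)
    return " ".join(text.split())


def build_attachment_sample():
    """Constructed message: text body plus three attachments, two of them worth a warning."""
    msg = EmailMessage()
    msg["From"] = "stranger@example.invalid"
    msg["To"] = "member@example.invalid"
    msg["Subject"] = "Check this thing out, it's Soooooo cool"
    msg.set_content("Open the enclosed attachment. Trust me.")
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                       filename="buddylist.exe")
    msg.add_attachment("nothing to see here", filename="notes.txt")
    msg.add_attachment(b"\xff\xd8\xff", maintype="image", subtype="jpeg",
                       filename="photo.jpg.scr")
    return msg.as_bytes()


def build_html_sample():
    """Constructed HTML-only message with an inline script block that must not survive."""
    msg = EmailMessage()
    msg["Subject"] = "You've got a password"
    msg.set_content("<p>Click <b>here</b> to verify.</p><script>var x = 1;</script>",
                    subtype="html")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, ctype, reason in flag_attachments(build_attachment_sample()):
        print(f"WARNING: {name} ({ctype}): {reason}")
    print(plain_text_body(build_html_sample()))
```

The name check deliberately ignores the declared Content-Type: a part labelled image/jpeg but named photo.jpg.scr is still flagged, which is the case a naive type-based filter misses. Reading through plain_text_body gives a client the same property as pine or the Deja web account mentioned later in the thread: whatever scripting the HTML carried, none of it reaches the reader.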
How exactly is this any safer than using a POP mail reader? When I get a message with a malicious attachment in MS Outlook, I too laugh my ass off. Or at least ignore it. Outlook doesn't run attachments automatically when you read a message; I can't imagine that any mail reader does.
(I know most /. readers can think of a bunch of security holes that would let you bypass the security in Outlook, at least older versions of it... but those are bugs. We're talking about design flaws here.)
If you're thinking about Javascript, rather than executable attachments like the example that you gave, then that's a slightly different story... Javascript should be safe, but like any software, the interpreters can have bugs. However, a lot of webmail services support Javascript now anyway, and I'm sure eventually they all will.
(I know most
MSK
For most of my online discourse, etc, I use my deja-news email address, check it about once a week to delete all the spam and answer the occasional real letter, etc. If I were a Windows/AOL user it would have saved my ass on at least one occasion. Like when I opened a message and saw text looking roughly like:
Begin Happy99.exe---------------
oiuDHFlisdhfoi(&#*OHQI#RFIfnlkH*@
#YR*OWHFNKJSF83ulleoirjeoirjerpte
3-2uirposd;foksd;gotj;osgpd[sepdj
Needless to say I about laughed my ass off, then emailed the sender back to run a virus checker on his system. The Deja account also does not render HTML, so there is no chance of a java bomb waiting in my inbox.
Perhaps AOL and a few other of the big boy ISPs could get a clue here and strongly push this option to new users. Maybe they could even offer two email addresses, one for POP retrieval on the client's machine and one web-based one that the world gets to see whenever they post somewhere or chat or do whatever they do on AOL. May cost a little up front, but would definitely minimize the effect of this sort of thing...
Anyone too stupid to open the attachment and use AOL in the first place deserves it.
I want an AOL shell so I can be leet' =]
But WHO THE HELL WOULD WANT AOL ACCOUNTS? (other than to go into sex chats under the person's name hehe)
This sounds lame, but I've decompiled a couple of those out of curiosity. It seems they just send a wm_gettext() type of WinAPI command to the "AOL_EDIT" control, or something along those lines. (It's been a while).
Also, I looked at a log of all system messages trapped by Spy++ (comes with ms visual c++ 5) and aol & that free isp both send the password as plain text.
And, as has been pointed out, they have to download and execute the trojan to get it. Not just from reading the mail.
E
The louder he talked of his honour, the faster we counted our spoons. -- Ralph Waldo Emerson
Yep -- And the guy doing it doesn't sound like a genius, so after any experience whatsoever with AOL, you would probably find that the passwords are stored in the registry, or a lightly or non-encrypted file.
I would like to see the message received at the OperaMail end of it. I don't know if maybe the program sends the data to the OperaMail account and the 'hacker' further decrypts it from there or if it's actually parsed at the client side..
Somehow, just based on the nature of the 'attack', the guy in charge ain't the biggest genius the world has ever seen. (Something about wanting mad AOL passwords just don't make me think 'genius'), so I would assume it's something relatively simple. I am thinking he programmed it in Visual Basic 6.0 Pro he stole off a Top50 whoreboy warez site =]
He went out and bought a VB book for dummies and it took him 40 days and 40 nights to finish his program. All at the same time being quiet about it because his mom is in the next room!!!!
What I saw it as was a "license to spam". For $5 you get unfiltered access to the ISP's mail gateway. You slam your message traffic through, then punch out. What? Your account gets shut down? No problem. Run to the Quickimart, slap down a $5 bill, and you've got another license.
Of course, I don't think this ever became an issue. At least, my friends at the ISP never mentioned it. Either spammers don't know about it... or there's much cheaper ways to pull off the same thing. Right now, I'd put my money on "cheaper ways".
The article doesn't go into how the hack works, but I would guess that it just finds where the password is stored on the computer (as 90% of people save their pass instead of typing it in each time) and then sends it back to the reader. AOL probably scrambled the pass with a fearful XOR encryption routine. While some people are saying this isn't an AOL problem because the user has to execute the program, I have to disagree. AOL markets to stupid users, and it should do its best to prevent exploits. I think this could be easily circumvented through a public key system. That is, when the user wants to store the pass on his system, the pass is encrypted with AOL's public key and then only the holder of the private key (e.g. AOL) can decrypt it. I don't see why this would not be feasible, especially considering AOL makes their OWN proprietary software; adding this in would be no problem.
To get a trojan horse you have to download an attachment. Then you have to execute the attachment; just like getting a virus. This isn't like outlook where attachments automatically download, and macros automatically execute. You have to do this to yourself, despite warnings.
Wired really misrepresents the situation, probably because none of them have ever used AOL, just HOTMAIL where it really is insecure. Every time you get a letter with an attachment in AOL it pops up a window that fills the screen that says, "WARNING YOU PUNK - DOWNLOADING SHIT CAN FSCK YOUR SYSTEM" - only in kinder red letters. After that, you have to click, "Yes, I still want to download this". Next ... after choosing a name and location like in all Save As dialogs, you have to then EXECUTE the file!
No version of AOL has the ability or CODE to execute ATTACHMENTS.
This really disturbs me. :-) And yes, I posted this on a different thread.
Read Heinlein's 1953 Revolt in 2100, now more than ever.
People sending out PWS on aol has been going on for easily 3 years now. Seems to me that some editor was lacking subject material and decided to post this after he caught his kid mass mailing in the porn rooms.
The ingredients required are as follows:
A Hotmail or a yahoo account, a hex editor, and an aol client mass mailer. Every ereet 13 yr old and their mother has access to this stuff.
I'm surprised they didn't mention the fact that most PWS nowadays are in .shs file format bundled with 4 porn jpgs in a zip attached to a mail saying "HEY LETS GET A PIC LIST GOIN REPLY TO THIS!!!". AOLers think they are high and mighty because it's so easy that they have to be #1 and know everything there is to know about the "internet".
But ohh yes mr viper77648, your mastery of chat rooms is fearable. You know everything there is to know about the internet. Just next time don't go into private room pics. Love is a really dumb password.
I distinctly believe I said 'exploit'..not virus. They are two very different things.
Plus, like everyone else has been mentioning, you can use javascript to do the same thing, which automatically gets launched in some cases.
True, that wasn't the case here, but the line also caught your eye and forced you to read the article. It may have been a bit deceptive, but it piqued your interest
"Imagination is the only weapon in the war against reality." -Jules de Gautier
Dear Slashdot User:
Thank you for using Slashdot.org! We care about our users and are committed to providing as high-quality a service as possible.
This e-mail is to inform you that a recent power outage has wiped out sector 8335 of our SQL database, the sector containing YOUR username/password data. You are required to reply to this message with your Slashdot username and password within one hour, or your Slashdot account will be deleted. This is necessary to validate your login information and restore our password database.
Please respond with your username/password immediately! If you have any questions, please mail me at 31337h4xx0r@aol.com
Thank you for using Slashdot.org!
Regards,
31337h4xx04@aol.com
Head Password Guy, Slashdot.org
p.s. This is a parody. Do not respond with your username or password.
Yes folks, it's true!
Reading email is just the sport for the nosy company system admin (Bastard Operator from Hell). You too can take pleasure in reading random email from people all over the world.
Just sign up for a free email service and watch for exploits.
BTW anyone have a webpage with archived Bastard Operator from Hell episodes/stories?
Geesh! That's the lowest karma I've ever seen.
I'm going to keep my post anonymous, but suffice it to say that I'm the Chief of Network, Host, and Data security for a company that owns multiple high-traffic websites. (No, not Andover.net.)
We've got a disproportionately frightening legal staff for a company of our size, and we regularly subpoena the hell out of Microsoft and all the other free (read: anonymous) e-mail providers. We get the content of mailboxes, weblogs of activity related to the mailboxes, etc. We've caught many people attempting to do many "bad things" (tm) to our Internet presences by forcing web-based e-mail providers to turn over their information to us.
Point being, these companies have all of the information they need to track down the guilty parties. I would guess that this 31337 kiddie thinks that since he signed up for his operamail accounts with a fake name, that somehow the weblogs showing where he's actually viewing the mailboxes from won't matter. He's very wrong, and anyone who's sufficiently pissed off and well-heeled enough to get a good lawyer will be able to teach him that lesson.
How many trojans are there for WebTV? Go ahead and try to format my cablebox. I'm willing to bet that 80% of computers sold today are entertainment boxes running only some form of internet client and videogames for the kids. It's a lot like buying a Ferrari to drive to church once a week. Too much power and too much specialized knowledge. Yeah, I said specialized knowledge; to the lowest common denominator, having a decent understanding of Windows requires more time than they're trying to put in. Most of the internet revolution is people wandering out of their trailer homes and buying the Compaq AOL machine, but that's an argument for another day.
I don't see the 'they will learn in time' argument going anywhere. It's like expecting a car-owner to magically become a mechanic after a few years, heh, there are people out there who have no idea how to change a tire and this is OLD technology. So instead of knocking WebTV, we should be encouraging them to purchase no-brainers like WebTV or the new Dreamcast, for their own good and for the sanity of tech support.
Sorry if that sounded like I was trolling, but I wanted to be short and concise in stating that AOL has very poor security and most of the people that use it (not all of course, that would be a generalization :P) have no clue that their passwords are being taken, nor do they really know anything about system security (well most DO use windoze hehe)
But like it said in the Wired article, the user has to actually RUN the program that was contained in the mail message, not just open the mail...so it's really their own fault if they do something like that...people have to be better educated
word up!
"There is no spoon" - Neo, The Matrix
I realise this has all sorts of privacy and security issues related to it, and i am sure the moderators will probably consider it as Flame but it has to be said
WHY THE HELL do you want AOL passwords?
Come on guys [and girls], why don't you use your energy for something useful
Someday, we'll look back on this, laugh nervously and change the subject.
As an AOL user (not for much longer, though, for varying reasons), I panicked when I read that line. Then logic took over.
You cannot get a virus simply by reading email. It's a saying that's been repeated to newbies since who-knows-when, and I'm surprised that /. missed it.
It even says in the article, and I quote:
AOL does repeatedly warn its users about opening attachments from people you don't know... doesn't mean that people always heed these warnings.
Just by opening the email, eh Hemos?
--
"I personal[ly] think Unix is "superior" because on LSD it tastes like Blue." -- jbarnett
My question is -- how is this caused? The article from Wired is skimpy on the issue. Which is it?
If it's any of these, it's bad design and needs to be corrected and rolled out ASAP. If AOL does anything less, they're negligent.
Could this possibly prompt more people to be seriously concerned about their security?
There are security holes in every software product shipped. Well, not every one, but you know what I mean. That a company as big as AOL can succumb to such a huge exploit boggles the mind. Don't they have their own security people?
On the other hand, what would you do with someone's AOL password? Go chat with another user's ID?
Computers can only simulate determinism. ~Hermetic.
:"I'm closing down these accounts everyday.
:I can't stop them," said Opera sales manager
:Christian Dysthe.
Is it just me, or is this nothing new, something that every new 'free' service runs into? If it's not a security exploit, it's a dropbox for stolen passwords, or a website to peddle porn... I can't think offhand of a site offering 'free' services that hasn't been used in such a way.
It's the hurry-up syndrome; Ventures are in such a hurry to get on the web that they offer free services to boost membership, methods of verification simply don't exist; They'd rather grow, at the cost of other users of the net.
Of course, commenting about net-ethos anymore is a rather moot point
From what I got from the article, you have to execute a file attached to the email for it to work. Now you can't put the blame totally on the person sending the email; AOL warns people all the time about that shit.
.. for the media in a case like this; "Hacker", "Cracker", and "Malicious".
01101100 01101001 01101110 01110101 01111000 01110010 01110101 01101100 01100101 01110011
Why is AOL storing the password on the user's hard drive? It seems like this is asking for trouble, since there are so many published ways of getting files and such off of people's Windows computers. There must be a better way of maintaining a session without repeatedly sending the password.
Which of course means that you will once again be unable to escape the cavalcade of disks with your name on it.
Muhuhahaha
"all the user has to do is open the email. "
Well it could be worse. Instead of stealing passwords it could be initiating Nth degree binary loops.
I wouldn't doubt that the trojan has a sniffing capability too -- for those who don't store their passwords.
Hypothetically, anything hypothetical is possible.
If AOL worked some kind of encryption into their software, this wouldn't happen. My conclusion: AOL just doesn't care. They're a marketing company, not a technology company.
By the way, the Wired article mentions that AOL has been hacked 34 times. Here's screenshots of all 34 attacks.
numb, you didn't tell the nice people about shs.. ;x
I've seen a few comments from people who read the thing about being able to have this thing infect your system simply by opening mail. I've seen some of those same people decide this must be misinformation, that surely the executable needs to be run after opening the mail for it to do damage.
Unfortunately, with AOL, this is not true (and I'm not just talking out of my ass here -- another unfortunate thing is that I worked for AOL as a systems administrator for a few years). They've got some built-in scripting (a la VBScript in MS Outlook) that *can* be executed if a user does not open the attachment. The attachment is just there so the script has a file to install when it gets triggered.
If you're an AOL user, don't be too sure you're safe just because you don't actually *open* the attachments. All you have to do is read the mail, and someone might get your password.
---
Consult, v. t. To seek another's approval of a course already decided on.
SO, how the fsck does one go about turning off javascript in IE?
From the "Tools" menu select "Internet Options". Click to the "Security" Tab. With "Internet" selected, click on "Custom Level". Scroll down to "Scripting" and disable everything. You may want to disable a lot of other stuff (like ActiveX) while you are in there.
One doesn't...one comes to their senses and gets Netscape. Then kicks themselves for using anything else.
"Imagination is the only weapon in the war against reality." -Jules de Gautier
so people can read other peoples spam and look at at all their porno... after all, this IS aol we are talking about...
icq:=22921393;
//Wegge
I don't think open source is the solution. Who would be interested in maintaining and supporting an AOL client? What self-respecting hacker would devote time and resources to plugging a script-kiddie hole this lame?
From what I understand, the Trojan gets the password from the user's hard drive. It does not require them to type it in again. What kind of security model is this? Is the password stored in a plain text file called password.txt, or maybe they give it a .aol extension to really throw off those bad hackers!
Examine the business model carefully. If AOL were to open up their software, it would simply invite a competitor to offer the service in a more focused way. That is, an AOL for women only or musicians only, or whatever. Who would devote time to fixing bugs and providing improvements? Not geeks.
While I agree that the software AOL uses should be secure about private information like passwords, ultimately OperaMail has to be able to decrypt the password so it can authenticate with the server. If OperaMail can do this, then a trojan can do it. There was nothing in the item that indicated to me that OperaMail is really at fault here.
Email that may be using a trojan horse-like virus -- the effects of which aren't immediately detected -- arrives at the inbox of an unsuspecting AOL user. One user reported that the attached program bore the name "buddylist.exe." If the user opens the attached file -- an action AOL claims to repeatedly warn users against -- it launches a small program that obtains the user's password off the hard disk and sends it back to the hacker's OperaMail address.
It is really not a good idea to run files that are sent to you, even if those files are sent by what you think is a friend. There have been a few viruses/trojan horses that use the method of looking through the address book of its host and sending itself out as if it's from the host user. Because of this, you just cannot trust executable content that you get in your mailbox/ICQ. In ICQ, you should at least ask the person who is sending it "What is this?". The interactive conversation about the software that is being sent will help verify if it is a real program. Similar verification can be done by mail, although it is more of a pain.
The real solution to all of this, I suppose, is to type your password in every time you start your emailer, and not use any "remember my password" features. If a program you run remembers your password, then another program run by you can find that password.
This article would have been better if, instead of trying to cut down AOL/OperaMail for something that isn't really its fault, it educated users on the dangers of running foreign programs whether or not they are named "buddylist.exe"
-no broken link
This 'blurb' incorrectly states that all you have to do is open the email. Untrue.
In fact, all this kiddie is doing is mass-mailing an AOL grabbing trojan to AOL users. If they open the attached executable file (bypassing the warnings that AOL gives), then it gets the user's stored AOL password and sends it back to a specific email address.
While I'm not an AOL fan or user, I have to say that this no more cracks AOL than BO2K cracks my windoze machine. As long as I don't run any unknown exe, it's fine. However, if I'm dumb enough to do so, then the OS won't help me out with security. Same with AOL: don't be stupid, but if you are, then be aware that AOL stores your password on your machine in an easily accessible way.
This is not new. There've been lots of AOL password grabber trojans. Shouldn't AOL take the hint and possibly NOT store the password in this way? Not that I care too much about AOL.
Free account, commit a lot of abuse, start getting AOL banned from many servers. The banning has already started.
---
Another non-functioning site was "uncertainty.microsoft.com." The purpose of that site was not known. -- MSNBC 10-26-1999 on MS crack
--
# Canmephians for a better Linux Kernel
$Stalag99{"URL"}="http://stalag99.net";
The original article says: "If the user opens the attached file -- an action AOL claims to repeatedly warn users against -- it launches a small program that obtains the user's password off the hard disk and sends it back to the hacker's OperaMail address."
Slashdot says: "Using OperaMail and a program similar to those used to hack ICQ, the sender can get the password to anyone's account on AOL; all the user has to do is open the email."
What gives? Does it really open automatically? If so then AOL is at fault. If the users are running an attached executable, then the user is at fault.
numb
Although it is tempting to immediately slam AOL on the technical merits of this particular hack and further lambast AOL's users as neophytes, it is important to consider what AOL actually provides.
;-)
For new internet users and those completely unfamiliar with computers, AOL is by far the most user friendly environment in which to begin to use email and the internet. Don't get me wrong. I don't use the service. But for my grandparents and my parents who aren't comfortable with computers in the first place, the service hits the spot.
Certainly AOL should take steps to secure passwords on the users systems. Regardless, the key is educating their users. I know enough not to open attachments from people I don't know. I even know enough not to open an attachment if I have no clue of its contents. Unfortunately most new users (particularly the kind that sign on to AOL) don't. Don't dismiss AOL. They provide a valuable service for folks for whom the internet and email are daunting. At least they're a step above "WebTV"
OK, it's the buddylist trojan deal again. We've seen this before - sometimes it's a trojan, sometimes a damaging virus, but it's almost always "buddylist.exe" or "buddylist.zip". So, they're sending from OperaMail? Big deal, it's happened before from Yahoo, Hotmail, and seemingly every other freemail service. Finally, you don't get it just by opening email - as usual, you have to open the attachment, which they've been warned a thousand times not to do.
So, where exactly is the news in this? We've got idiots sending mail to morons who open programs as attachments from people they don't know, and someone makes a federal case out of it. Crap, it's mostly Darwinized computing - maybe this'll keep the idiots off the net.
What's the big deal?
(am I being redundant?)
--
Stay tuned for some shock and awe coming right up after these messages!
While I like beating up on AOL as much as the next guy the truth is, there is no security hole in the AOL software. There is a very good rational explanation on why the AOL account password is unencrypted--it wouldn't make any difference!
I think it was mentioned in the CatB, on how ESR refused to implement encryption for the .fetchmailrc file. He stated that it would only foster a false sense of security. Anyone could decompile the program and see what the key was. They needed to have access to your account on your machine anyway to get a copy of the .fetchmailrc. He figured that if they had that kind of access any encryption he put in would be useless. KPPP also does not encrypt your ISP password for the same reason.
The same goes for the AOL client, if they encrypted your password they would have the same encryption key in every copy of the AOL client software. It could be decompiled and the key found. This would not be a significant challenge.
Also anyone who has physical access to the computer with AOL client installed could just log in as you anyway, because there is no security in the Windows 9x OS.
Oh, this same security threat can be applied to your favorite Unix clone as well, although I think there are very few people who would run an unknown bash script they received in email. If Linux "World Domination" happens though there will be a whole host of clueless users who would. How easy would it be to make a shell script that sent copies of your local passwd database (if not shadowed) and passwords in ISP/Email conf files.
1) Security through obscurity is no security at all.
2) False security is worse than no security.
-- Remember: Wherever you go, there you are!
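An added example (not code from this thread or from AOL) that contrasts the two storage designs argued over above: a password "encrypted" with a key built into every copy of the client, which the post above says protects nothing, and the public-key envelope proposed earlier in the thread. The client key, the toy RSA primes and the sample password are all constructed values, and the textbook RSA is unpadded and for illustration only.

```python
# Added example, not code from the thread or from AOL. Contrasts two ways a
# client could store a password on disk. All keys and the sample password are
# constructed values.
import hashlib

# Design 1: "encrypt" with a key baked into the client binary.
CLIENT_KEY = b"same-key-in-every-copy-of-the-client"  # constructed

def _keystream(key: bytes, length: int) -> bytes:
    # Deterministic keystream derived from the fixed key. Any program that
    # knows the key (anything that can read the client) regenerates it.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def store_fixed_key(password: str) -> bytes:
    pw = password.encode()
    return bytes(a ^ b for a, b in zip(pw, _keystream(CLIENT_KEY, len(pw))))

def recover_fixed_key(blob: bytes) -> str:
    # Identical to what the client does at sign-on; a process running as the
    # same user can call exactly this, so the stored blob yields the password.
    ks = _keystream(CLIENT_KEY, len(blob))
    return bytes(a ^ b for a, b in zip(blob, ks)).decode()

# Design 2: the public-key envelope proposed in the thread. Textbook RSA with
# fixed toy primes and no padding, for illustration only; the point is who
# holds the private exponent, not the cipher's strength.
P, Q = 2**61 - 1, 2**89 - 1          # Mersenne primes (constructed key)
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent: server only

def store_public_key(password: str) -> int:
    m = int.from_bytes(password.encode(), "big")
    if m >= N:
        raise ValueError("password too long for this toy modulus")
    return pow(m, E, N)               # the client never needs D

def server_open(blob: int) -> str:
    m = pow(blob, D, N)
    return m.to_bytes((m.bit_length() + 7) // 8, "big").decode()

def server_accepts(blob: int, expected_password: str) -> bool:
    # The server decrypts and compares; it cannot tell who sent the blob.
    return server_open(blob) == expected_password

def demo(password: str) -> dict:
    fixed_blob = store_fixed_key(password)
    pk_blob = store_public_key(password)
    return {
        # Design 1: the plaintext is one function call away for any local process.
        "fixed_key_recoverable": recover_fixed_key(fixed_blob) == password,
        # Design 2: without D the stored blob does not give back the password...
        "pk_blob_is_not_plaintext":
            pk_blob != int.from_bytes(password.encode(), "big"),
        # ...but it is exactly what the client sends at sign-on, so a copy of
        # the file is as good as the password to the server (the point made in
        # the thread: whatever the client can present, another program run by
        # the same user can present too).
        "pk_copy_of_file_accepted": server_accepts(pk_blob, password),
    }

if __name__ == "__main__":
    print(demo("s3cret-pw"))  # constructed sample password
```

Typing the password at each sign-on, as another poster suggests, is the only one of these options that leaves nothing on disk that the server would accept.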
Username: Hemos
Password: b30wo1f
Also I used to make "AOL Addons" and I have made things that can steal your AOL pw, among other things. There are two main ways to steal the pw.
1) The old way: If you choose to store your AOL password, it's stored UNENCRYPTED in the file main.idx in the idb directory.
2) Better Way: capture the text of the password box before they sign on.
And if they won't d/l a trojan you can always try to scam the person to give out their pw.
Maybe AOL should learn about encryption, that way you wouldn't have to type it in, and you wouldn't be able to extract it from main.idx.
*sigh* Last I checked, AOL does not do Java or JavaScript in its email, just some very simple HTML. So I dunno how 'just opening the email' would steal your password...esp since if you don't have it stored, where will it steal it from?
Insufficient protection of the password is definitely the reason. The user has to run the program that is sent to them, it is not run automatically.
The program then reads the password from the drive (I'm not sure if it's encrypted at all, it may be, but obviously not enough), and sends it to the OperaMail account.
Hmm. Can you say "DON'T OPEN UNKNOWN FILES!". Duh. This is even better than Worm_Explorer_zip.
I mean jeesh. None of this is real "hacking" or even "cracking", it's all social engineering. Not that that's not interesting, but it would seem that people would catch on after a while.
Fool me once, shame on you. Fool me twice, shame on me. Fool me 1000 times, I must be used to windows.
-- IANAEG - I am not an elder god.
If the user has to be using Opera Mail then it sounds like it may be a bug in Opera Mail. Since I use Netscape. Hmm, guess they will be releasing a new version soon I'd hope or losing a lot of customers. Personally I'd use something with a bit more presence than Opera Mail, like Netscape or Outlook even. There are plenty of mail programs out there for both Windows and *NIX.
Only 'flamers' flame!
does that mean AOL are going to stop bothering to send people CDs now? :)
smash
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.