Password Thief Ransacks AOL
NoWhere Man writes "Just surfed into Wired and read an article about a thief using email to get AOL passwords. Using OperaMail and a program similar to those used to hack ICQ, the sender can get the password to anyone's account on AOL; all the user has to do is open the email. " You've Got A Password! (Done in sing-song voice).
I agree - this is not an issue. The same thing can happen with any other Windows user, regardless of whether he/she is using AOL or another ISP. Countless non-AOL users have accidentally installed Back Orifice on themselves, which leaves them open to anybody getting their ISP password.
I don't see why this is a Slashdot story - it's happened many times before and it's not anything particularly restricted to AOL.
On top of that, the slashdot story is just plain wrong. The user does not just have to open his email. He must open it, download the executable, and run the executable. Big difference.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
This thread is already a day old (slashdot effect #2: discussions die in 24 hours), but what the hell.
Trick wrote:
>Unfortunately, with AOL, this is not true (and
>I'm not just talking out of my ass here --
Maybe not, but you're definitely wrong.
There is no scripting capability in AOL mail. It doesn't support VBScript, JavaScript, ActiveX, anything. It's pure text, with a small bit of pseudo-HTML mixed in for fonting.
There's no way to get a virus/trojan without actually downloading the attachment - and, as mentioned, we put up a big splash screen before you download telling you all about the nasty things people will try to send you.
As for passwords, as of 4.0 (July 1998), we don't store them in the clear, nor do we transmit them in the clear. The vast majority of users are now on 4.0. However, I believe most of the modern trojans will capture live keystrokes straight out of the keyboard driver.
And then there are the "click here for our new NetMail web page that requires you to enter your password" scams...
Jay Levitt
Chief Architect, Mail Systems
AOL
Well, Jay -- you might want to pass that on to the people answering the phones for support in Vienna. I've asked them, very directly, if such a thing could happen -- and I've received a very definite "yes."
---
Consult, v. t. To seek another's approval of a course already decided on.
If I read the article right, the problem is that AOL users are opening an executable attachment to an e-mail. Sorry, but there is no way in the world to protect against this. People often say it doesn't matter on a Linux system since only user files can be affected, but this is little comfort to me. I can easily re-install a broken system. Protecting the user data I've created since last backup is far more important to me.
Users seem to be requesting that AOL identify all possible malicious attachments and install virus checking software that will identify them. AOL is quite right in saying this is hopeless. The only solution presently is for AOL users to grow a brain (after the appropriate education) and refuse to open attachments they did not solicit.
It would be nice if attachments could run/open on a VMWare virtual machine or something like it created specifically for the purpose, with monitors for suspicious activity. If the virtual machine gets destroyed, no biggee. Delete it and create it again. I doubt this is practical at the consumer level now however.
No, I have to agree with AOL that this problem is between keyboard and chair.
There have been far more serious security problems in the Microsoft world of late that would destroy a system on merely opening a mail or viewing a web page. These are real holes that need fixing, or better, making impossible.
I have never used HTML mail, and I wish no one would. Almost all of it I get is spam anyway. The internet was designed around text for a good reason, and even though HTML is text, any language that can embed executables is still dangerous. Limiting mail HTML to a formatting subset like Slashdot's would be an acceptable compromise.
Wouldn't it be good if people made things like this, but when the email was opened the program actually did some good for you, like pointing out that you were a bit silly opening this without knowing who it was from, or suggesting some tips to make your system run a bit better?
Of course, some people would argue that deleting people's windows installation is a good thing..
If you came back to your car and some kind soul had left a free bottle of "engine performance enhancer" on your bonnet, with a note saying "Just pour into your fuel tank for an incredible performance boost," would you:
My point being, you don't have to know much about engines to treat such things with due caution. You just need a little sense.
There's some witty paraphrase of the "million monkeys with typewriters" line I could make here, but what's the point?
"I ache therefore I am. Or in my case, I am, therefore I ache." -- Marvin
Yeah, I found it downright spooky that they painted it that way. What exactly is Opera supposed to do differently? Clue in the AOL users for AOL?
Another scary thing is that they seem to be ignoring the fact that people are continuing to open attachments without considering the ramifications.
"Malicious" E-mailer: Open the enclosed attachment. Trust me.
AOL User: OK.
"Malicious" RL Criminal: Open the front door to your house and look the other way for awhile. Trust me.
AOL User: OK.
I also found the following phrase interesting: "...the company repeatedly educates AOL users to beware the techniques of the wily password-stealer." It seems more apparent than ever that AOL's greatest enemy is an educated user.
Now if they'd just open source some of their stuff, we could actually HELP them patch the holes. OH well.
Werd.
Just think.. If all these people are so worried about and getting easily screwed over by crackers and script kiddies, just imagine if more actual hackers were lame enough to devote most of their time to cracking.. Of course, knowing the media, upon the arrival of people with actual intelligence on the 'hacking' scene, the 'lesser' 'hackers' would still be called hackers, and the 'elite' 'hackers' would probably finally be called crackers.. and thus completely reverse the meanings of the two words in their own minds. =P
~ Kish
Buffer overflows in early versions of Sendmail allowed people to break into the root account, again without any action on the part of users.
Buffer overflows in e-mail readers are a potential source of chaos, too. It may be possible to exploit such bugs to inject code into a system without the user needing to actively execute an attachment.
The general advice "you can't get a virus from e-mail" is ONLY true in general, across all systems and across all e-mail software. Special cases and exceptions DO exist for significant subsets of cases. Within those subsets, you would be advised to be aware of what exploits exist.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
The program probably just reads a registry key. Easy as pie. Obviously, this is being done to educate AOL and get their users riled about the fact that their passwords are so easily compromised. I wouldn't be surprised if a Microsoft employee is responsible for this.
What I saw it as was a "license to spam". For $5 you get unfiltered access to the ISP's mail gateway. You slam your message traffic through, then punch out. What? Your account gets shut down? No problem. Run to the Quickimart, slap down a $5 bill, and you've got another license.
Of course, I don't think this ever became an issue. At least, my friends at the ISP never mentioned it. Either spammers don't know about it... or there's much cheaper ways to pull off the same thing. Right now, I'd put my money on "cheaper ways".
To get a trojan horse you have to download an attachment. Then you have to execute the attachment; just like getting a virus. This isn't like outlook where attachments automatically download, and macros automatically execute. You have to do this to yourself, despite warnings.
Wired really misrepresents the situation, probably because none of them have ever used AOL, just HOTMAIL where it really is insecure. Every time you get a letter with an attachment in AOL it pops up a window that fills the screen that says, "WARNING YOU PUNK - DOWNLOADING SHIT CAN FSCK YOUR SYSTEM" - only in kinder red letters. After that, you have to click, "Yes, I still want to download this". Next ... after choosing a name and location like in all SaveAs dialogs, you have to then EXECUTE the file!
No version of AOL has the ability or CODE to execute ATTACHMENTS.
This really disturbs me.
Read Heinlein's 1953 Revolt in 2100, now more than ever.
Uh, I don't know where you got such an assumption from my post.
I never suggested government intervention; I did suggest that the producers of free services were perhaps being unethical because they weren't monitoring their services. You said "it is for grown adults to take responsibility for their actions". Correct, and this includes running a service that is relatively free of abuse.
If an internet firm cannot control what goes on on their services, they should configure themselves accordingly, rather than exerting the costs of their services (i.e., spam, etc.) on the user.
I wasn't pushing to restrict free access, at least not by legislative means, and I'm not sure where you got that assumption. However, it is the responsibility of the provider to control what resides, and what comes from his/her own system. Thus, yes, a firm should require some sort of verification, to assure that their users -- and thus themselves -- are not putting a burden on the internet at large.
The reason we don't/shouldn't need government intervention on the internet is because it should be able to police itself. The government shouldn't be involved, but I daresay the idea of individuals completely monitoring themselves is somewhat idealistic. If someone refuses to adhere to the net-ethic, then it is the responsibility of the firm through whom they have the services to deal with it accordingly. To suggest that a firm doesn't, or shouldn't, have any responsibility or liability towards the internet community regarding the actions of its users is ludicrous.
In any basic economics class, you'll learn that once someone owns property, as opposed to renting/leasing it, it tends to keep its value longer, because it is not abused. Free services are likely to be abused for just this reason, and thus since the likelihood is greater that users will abuse, the responsibility falls on the owner to halt the abuse -- else, as we've seen -- the burden falls on the internet as a whole.
Free services aren't bad; I never said that, and don't think such is the case. But the fact remains that many of the free services out there, in their frenzy to create a net-presence, neglect to maintain their service according to its usage, neglect netiquette, and thus neglect the internet itself.
If a free service is offered, the service should offer the same level of protection to the 'outside world' of the internet, as it assures to its customers; abuse should be stopped in either direction.
To get a trojan horse you have to download an attachment. Then you have to execute the attachment; just like getting a virus. This isn't like outlook where attachments automatically download, and macros automatically execute. You have to do this to yourself, despite warnings.
Wired really misrepresents the situation, probably because none of them have ever used AOL, just HOTMAIL where it really is insecure. Every time you get a letter with an attachment in AOL it pops up a window that fills the screen that says, "WARNING YOU PUNK - DOWNLOADING SHIT CAN FSCK YOUR SYSTEM" - only in kinder red letters. After that, you have to click, "Yes, I still want to download this". Next ... after choosing a name and location like in all SaveAs dialogs, you have to then EXECUTE the file!
No version of AOL has the ability or CODE to execute ATTACHMENTS.
This really disturbs me. :-) And yes, I posted this on a different thread.
Read Heinlein's 1953 Revolt in 2100, now more than ever.
:"I'm closing down these accounts everyday.
:I can't stop them," said Opera sales manager
:Christian Dysthe.
Is it just me, or is this nothing new, something that every new 'free' service runs into? If it's not a security exploit, it's a dropbox for stolen passwords, or a website to peddle porn... I can't think offhand of a site offering 'free' services that hasn't been used in such a way.
It's the hurry-up syndrome: ventures are in such a hurry to get on the web that they offer free services to boost membership, and methods of verification simply don't exist; they'd rather grow, at the cost of other users of the net.
Of course, commenting about net-ethos anymore is a rather moot point.
I've seen a few comments from people who read the thing about being able to have this thing infect your system simply by opening mail. I've seen some of those same people decide this must be misinformation, that surely the executable needs to be run after opening the mail for it to do damage.
Unfortunately, with AOL, this is not true (and I'm not just talking out of my ass here -- another unfortunate thing is that I worked for AOL as a systems administrator for a few years). They've got some built-in scripting (a la VBScript in MS Outlook) that *can* be executed if a user does not open the attachment. The attachment is just there so the script has a file to install when it gets triggered.
If you're an AOL user, don't be too sure you're safe just because you don't actually *open* the attachments. All you have to do is read the mail, and someone might get your password.
---
Consult, v. t. To seek another's approval of a course already decided on.
//Wegge
I don't think open source is the solution. Who would be interested in maintaining and supporting an AOL client? What self-respecting hacker would devote time and resources to plugging a script-kiddie hole this lame?
From what I understand, the Trojan gets the password from the user's hard drive. It does not require them to type it in again. What kind of security model is this? Is the password stored in a plain text file called password.txt, or maybe they give it a .aol extension to really throw off those bad hackers!
Examine the business model carefully. If AOL were to open up their software, it would simply invite a competitor to offer the service in a more focused way. That is, an AOL for women only or musicians only, or whatever. Who would devote time to fixing bugs and providing improvements? Not geeks.
While I agree that the software AOL uses should be secure about private information like passwords, ultimately OperaMail has to be able to decrypt the password so it can authenticate with the server. If OperaMail can do this, then a trojan can do it. There was nothing in the item that indicated to me that OperaMail is really at fault here.
Email that may be using a trojan horse-like virus -- the effects of which aren't immediately detected -- arrives at the inbox of an unsuspecting AOL user. One user reported that the attached program bore the name "buddylist.exe." If the user opens the attached file -- an action AOL claims to repeatedly warn users against -- it launches a small program that obtains the user's password off the hard disk and sends it back to the hacker's OperaMail address.
It is really not a good idea to run files that are sent to you, even if those files are sent by what you think is a friend. There have been a few viruses/trojan horses that use the method of looking through the address book of their host and sending themselves out as if they're from the host user. Because of this, you just cannot trust executable content that you get in your mailbox/ICQ. In ICQ, you should at least ask the person who is sending it "What is this?". The interactive conversation about the software that is being sent will help verify if it is a real program. Similar verification can be done by mail, although it is more of a pain.
The real solution to all of this, I suppose, is to type your password in every time you start your emailer, and not use any "remember my password" features. If a program you run remembers your password, then another program run by you can find that password.
This article would have been better if, instead of trying to cut down AOL/OperaMail for something that isn't really its fault, it educated users on the dangers of running foreign programs whether or not they are named "buddylist.exe"
-no broken link
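As an added illustration of the warn-before-download step several posters describe (this is example code, not from the thread, AOL or OperaMail), here is a small attachment screener that flags executables by extension or by the "MZ" file header; the sample message, including the "buddylist.exe" name, is constructed here.

```python
"""Flag executable e-mail attachments before a user downloads them.

Added example, not the thread's or AOL's code. It parses a raw message with
the standard library, inspects each attachment, and returns one warning per
attachment that is executable by name or by file content.
"""
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows runs directly on double-click (assumed, illustrative list).
EXEC_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}


def looks_executable(name: str, payload: bytes) -> bool:
    """True if the attachment is executable by extension or by header bytes."""
    lowered = (name or "").lower()
    # Suffix check also catches double extensions such as "photo.jpg.scr".
    if any(lowered.endswith(ext) for ext in EXEC_EXTENSIONS):
        return True
    # A DOS/Windows PE executable starts with "MZ" whatever it is called.
    return payload[:2] == b"MZ"


def scan_message(raw: bytes) -> list[str]:
    """Return warnings for every suspicious attachment in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    warnings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if not name and part.get_content_disposition() != "attachment":
            continue  # ordinary message body, nothing to download
        if looks_executable(name, part.get_payload(decode=True) or b""):
            warnings.append(
                f"{name or '<unnamed>'}: executable attachment; running it can "
                "expose credentials stored on this machine. Do not open it "
                "unless you asked the sender for it."
            )
    return warnings


def build_sample() -> bytes:
    """Constructed sample: a real .exe, a renamed executable, and a harmless note."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"  # constructed address
    msg["To"] = "user@example.com"
    msg["Subject"] = "new buddy list"
    msg.set_content("Open the enclosed attachment. Trust me.")
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60  # constructed stand-in for a PE file
    msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream",
                       filename="buddylist.exe")
    msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream",
                       filename="readme.txt")  # executable hiding behind .txt
    msg.add_attachment("just notes", filename="notes.txt")
    return bytes(msg)


if __name__ == "__main__":
    for line in scan_message(build_sample()):
        print("WARNING:", line)
```

The name check alone would miss the renamed file; the header check is what catches it, which is why both are applied to every attachment.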
This 'blurb' incorrectly states that all you have to do is open the email. Untrue.
In fact, all this kiddie is doing is mass-mailing an AOL password-grabbing trojan to AOL users. If they open the attached executable file (bypassing the warnings that AOL gives), then it gets the user's stored AOL password and sends it back to a specific email address.
While I'm not an AOL fan or user, I have to say that this no more cracks AOL than BO2K cracks my windoze machine. As long as I don't run any unknown exe, it's fine. However, if I'm dumb enough to do so, then the OS won't help me out with security. Same with AOL: don't be stupid, but if you are, then be aware that AOL stores your password on your machine in an easily accessible way.
This is not new. There've been lots of AOL password grabber trojans. Shouldn't AOL take the hint and possibly NOT store the password in this way? Not that I care too much about AOL.
Although it is tempting to immediately slam AOL on the technical merits of this particular hack and further lambast AOL's users as neophytes, it is important to consider what AOL actually provides.
;-)
For new internet users and those completely unfamiliar with computers, AOL is by far the most user friendly environment in which to begin to use email and the internet. Don't get me wrong. I don't use the service. But for my grandparents and my parents who aren't comfortable with computers in the first place, the service hits the spot.
Certainly AOL should take steps to secure passwords on the users systems. Regardless, the key is educating their users. I know enough not to open attachments from people I don't know. I even know enough not to open an attachment if I have no clue of its contents. Unfortunately most new users (particularly the kind that sign on to AOL) don't. Don't dismiss AOL. They provide a valuable service for folks for whom the internet and email are daunting. At least they're a step above "WebTV"
You cannot get a virus simply by reading email
That used to be true. Now, thanks to HTML-enabled java-enabled mailreaders and trusted ActiveX documents, you can. (Those aren't just buzzwords)
I'm safe with pine, though.
Oh, wait, pine had a problem handling MIME headers at one point not TOO long ago... See the message on security focus.
MS Outlook had problems with a buffer overflow in MIME headers.
Everybody back to mailx!
--- Where's my X.400 protocol decoder?
First off, anyone care to explain to me how that was flamebait? I imagine it's because someone thought they'd moderate down anyone who's remotely on AOL's side, but then, I'm just paranoid.
Anywho, I should clear something up. You're right -- with scripting and HTML features in mail readers, you can get a virus or at least some troublesome annoyances just from reading email.
With the AOL mail reader, however, you can't. They barely even support HTML, in fact. The only possible way an AOL user could get a virus through their AOL email account is if they downloaded and ran an attachment.
--
"I personal[ly] think Unix is "superior" because on LSD it tastes like Blue." -- jbarnett
Insufficient protection of the password is definitely the reason. The user has to run the program that is sent to them; it is not run automatically.
The program then reads the password from the drive (I'm not sure if it's encrypted at all, it may be, but obviously not enough), and sends it to the OperaMail account.
There are a lot of things you can do just from opening mail... because usually you can launch a javascript. From Javascript you can sometimes get to cookies (which store passwords) or worse. I'm not sure how this exploit works, but I wouldn't be surprised if this were the case.
Dangers from just reading email are still mostly a hoax, but it's not a totally safe activity anymore.
-- Virtual Windows Project