Slashdot Mirror
Password Thief Ransacks AOL
NoWhere Man writes "Just surfed into Wired and read an article about a theif using email to get AOL passwords. Using OperaMail and a program similar to those used to hack ICQ, the sender can get the password to anyone's account on AOL; all the user has to do is open the email. " You've Got A Password! (Done in sing-song voice).
If I read the article right, the problem is that AOL users are opening an executable attachment to an e-mail. Sorry, but there is no way in the world to protect against this. People often say it doesn't matter on a Linux system since only user files can be affected, but this is little comfort to me. I can easily re-install a broken system. Protecting the user data I've created since last backup is far more important to me.
Users seem to be requesting that AOL identify all possible malicious attachments and install virus checking software that will identify them. AOL is quite right in saying this is hopeless. The only solution presently is for AOL users to grow a brain (after the appropriate education) and refuse to open attachments they did not solicit.
It would be nice if attachments could run/open on a VMWare virtual machine or something like it created specifically for the purpose, with monitors for suspicious activity. If the virtual machine gets destroyed, no biggee. Delete it and create it again. I doubt this is practical at the consumer level now however.
No, I have to agree with AOL that this problem is between keyboard and chair.
There have been far more serious security problems in the Microsoft world of late that would destroy a system on merely opening a mail or viewing a web page. These are real holes that need fixing, or better, making impossible.
I have never used HTML mail, and I wish no one would. Almost all of it I get is spam anyway. The internet was designed around text for a good reason, and even though HTML is text, any language that can embed executables is still dangerous. Limiting mail HTML to a formatting subset like Slashdot's would be an acceptable compromise.
If you came back to your car and some kind soul had left a free bottle of "engine performance enhancer" on your bonnet, with a note saying "Just pour into your fuel tank for an incredible performance boost," would you:
My point being, you don't have to know much about engines to treat such things with due caution. You just need a little sense.
There's some witty paraphrase of the "million monkeys with typewriters" line I could make here, but what's the point?
"I ache therefore I am. Or in my case, I am, therefore I ache." -- Marvin
Buffer overflows in early versions of Sendmail allowed people to break into the root account, again without any action on the part of users.
Buffer overflows in e-mail readers are a potential source of chaos, too. It may be possible to exploit such bugs to inject code into a system without the user needing to actively execute an attachment.
The general advice "you can't get a virus from e-mail" is ONLY true in general, across all systems and across all e-mail software. Special cases and exceptions DO exist for significant subsets of cases. Within those subsets, you would be advised to be aware of what exploits exist.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
:"I'm closing down these accounts everyday.
:I can't stop them," said Opera sales manager
:Christian Dysthe.
Is it just me, or is this nothing new, something that every new 'free' service runs into? If it's not a security exploit, it's a dropbox for stolen passwords, or a website to peddle porn... I can't think offhand of a site offering 'free' services that hasn't been used in such a way.
It's the hurry-up syndrome; Ventures are in such a hurry to get on the web that they offer free services to boost membership, methods of verification simply don't exist; They'd rather grow, at the cost of other users of the net.
Of course, commenting about net-ethos anymore is a rather moot point
This 'blurb' incorrectly states that all you have to do is open the email. Untrue.
In fact, all this kiddie is doing is mass-mailing an AOL grabbing trojan to AOL users. If they open the attached executable file (bypassing the warnings that AOL gives), then it gets the users stored AOL password and sends it back to a specific email address.
While I'm not an AOL fan or user, I have to say that this no more cracks AOL than BO2K cracks my windoze machine. As long as I don't run any unknown exe, its fine. However, If I'm dumb enough to do so, then the OS won't help me out with security. Same with AOL, don't be stupid, but if you are, then be aware that AOL stores your password on your machine in an easily accessable way.
This is not new. There've been lots of AOL password grabber trojans. Shouldn't AOL take the hint and possibly NOT store the password in this way? Not that I care too much about AOL.
Although it is tempting to immediately slam AOL on the technical merits of this particular hack and further lambast AOL's users as neophytes, it is important to consider what AOL actually provides.
;-)
For new internet users and those completely unfamiliar with computers, AOL is by far the most user friendly environment in which to begin to use email and the internet. Don't get me wrong. I don't use the service. But for my grandparents and my parents who aren't comfortable with computers in the first place, the service hits the spot.
Certainly AOL should take steps to secure passwords on the users systems. Regardless, the key is educating their users. I know enough not to open attachments from people I don't know. I even know enough not to open an attachment if I have no clue of its contents. Unfortunately most new users (particularly the kind that sign on to AOL) don't. Don't dismiss AOL. They provide a valuable service for folks for whom the internet and email are daunting. At least they're a step above "WebTV"