Forwarded From: Aleph One <aleph1@nationwide.net>
http://www.news.com/News/Item/0,4,22512,00.html?st.ne.ni.lh
AOL security lapse opens accounts
By Jim Hu
Staff Writer, CNET NEWS.COM
May 28, 1998, 4:00 a.m. PT
Hackers have discovered an apparent security lapse in America
Online that has on some occasions yielded them access to subscriber
and AOL staff accounts, giving them free reign to alter or deface
company pages or subscriber profiles.
The lapse may explain a series of vandalized company and organization
pages featured on the proprietary online service, including last
week's attack on the American Civil Liberties Union AOL site.
And it comes just
months after AOL
said it would redouble its efforts to protect private information. An
AOL spokeswoman said that the lapse was an exception and the firm is
investigating the matter. A spokesman for the ACLU said he does not
blame AOL for the problem.
But others worry that the incident may not have been exceptional.
An AOL insider who asked to remain anonymous said that more than one
would-be vandal has been able to call up AOL support lines armed with
user information such as screen name, real name, and address and
convince some customer service representatives to reset the
unsuspecting user's password. The hackers, then armed with a new
password, are given exclusive access to the account.
The process is a "social engineering" hack, so called because it
involves a hacker convincing or tricking someone into willingly
handing over information.
In this type of case, the culprit apparently convinces a customer
service representative that he or she is the account owner without
disclosing billing information. Hackers can obtain other member
information by looking at member profiles, which are self-descriptions
in the AOL community.
Sometimes members include their home addresses and telephone numbers
in their profiles, which hackers then can use to take over accounts.
Hackers also can use more obvious means of getting information such as
addresses--by looking in public phone directories, for instance.
AOL has emphasized that company policy prohibits service
representatives from disclosing information without asking for proper
proof, which usually comes in the form of a credit card or checking
account number.
But in these instances, the source said the hacker, who he said goes
by the screen name "PhatEndo," convinced an AOL representative that he
was the remote staff member who had publishing privileges in the
ACLU's AOL site.
"[Endo] got the account by calling AOL, pretending to be the account
owner, and having the password reset," said the source, who has been
in communication with the ACLU hacker for a few months. "He didn't
even give the account owner's name."
Someone using the screen name PhatEndo claimed credit for the hack in
online interviews using AOL's Instant Messenger client. But he would
not comment on how he did it. He did ask, however, that his cohort be
credited.
The customer service representative who compromised the ACLU password
has since been identified and terminated, AOL said.
"We are appalled by these acts of deliberate vandalism," said AOL
spokeswoman Ann Brackbill. "If this is the same person who compromised
the ACLU site as he claims, he apparently has violated federal and
state computer fraud and trespassing laws. We are investigating
further, working with law enforcement, and will take every action
possible to stop this activity."
But it is unclear how often these hacks occur. The source suggested
testing out the lapse.
"Got any friends on AOL?" the source asked. "Try it (with permission
of course): Call AOL, pretend to be your friend, give them their
screen name, say you forgot your password. The rep might ask for your
name and address, or they might not."
A CNET NEWS.COM reporter decided to call AOL support and see if he
could reset his own password without giving credit card information.
Six of seven requests for the data without credit card information
failed. But in one call, the AOL representative reset the password
after the reporter provided his screen name, full name, street
address, and city of residence--but not his credit card information.
In addition, both the AOL insider and the person who claimed to be the
hacker PhatEndo have claimed that AOL technical support volunteer
accounts had also been taken over in previous instances. In an online
interview with PhatEndo, he said he had been on "Members Helping
Members Services" (MHMS) staff accounts. MHMS volunteers are remote
AOL members who volunteer to help users with general questions about
the service.
Anyone with access to MHMS could pose as a volunteer and lead users
astray.
"It would be fun to be able to be the staff that helps you...and
[mess] with people," PhatEndo wrote in an AOL instant message.
The presence of an apparent security breach follows just months after
the online giant came under fire for revealing the real identity
of an AOL member who typed "gay" under "Marital Status" in his profile
to Navy investigators. The Navy ordered the discharge of officer
Timothy McVeigh of Hawaii (no relation to the Timothy McVeigh
convicted of bombing the federal building in Oklahoma) after an AOL
employee disclosed his real identity without asking the naval
investigator to identify himself. McVeigh has since been reinstated.
"In the wake of that, AOL gave all its subscribers strong assurances
that they would redouble their training for people answering phones,"
said David Sobel, legal counsel for the Electronic Privacy
Information Center, referring to the McVeigh incident. "I guess this
raises questions about how effective those initiatives are after the
McVeigh incident was disclosed."
After the incident gained considerable attention, AOL admitted to
the privacy lapse and blamed the incident on "human error under very
unusual circumstances."
Nonetheless, the ACLU remains confident of AOL's commitment to
increasing security. Although the ACLU considered last week's break-in
an inconvenience, the organization maintains that a company the size
of AOL is bound to have a weak link.
"I don't blame AOL in any way for having lax security or lax
procedures," said ACLU spokesman Phil Gutis. "I know they consider
[security] one of their highest priorities and are working to improve
this all the time. I'm sure anybody else that has had this situation
happen doesn't blame AOL."
-o-
Subscribe: mail majordomo@sekurity.org with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
Received on Sat May 30 13:53:32 1998