VICUG-L Archives

Visually Impaired Computer Users' Group List

VICUG-L@LISTSERV.ICORS.ORG

From: Chris McMillan
Date: Tue, 23 Oct 2001 20:36:12 -0400
For Your Information!!

Sincerely,

Chris McMillan


AOL Security Compromised After Upgrade
October 23rd, 2001, 2:56 AM ET
By: David Worthington, BetaNews
Story URL: http://www.betanews.com/article.php3?sid=1003820211

Less than one week after it rolled out version 7.0 of its flagship
software amid pomp and circumstance, America Online experienced an
embarrassing lapse in security. Through relatively simple means hackers
managed to obtain access to 'Rainman', a major content server for the
online service. Rainman granted the hackers an all-access pass to create
and edit content to their own liking, which in turn was featured at
three unique AOL keywords for nearly 12 hours, according to reports
received from the alleged hackers.

The defaced pages remained accessible to over 30 million subscribers for
a prolonged period of time in place of what would ordinarily be
considered universally trusted subject matter. The breakdown of its
security measures left AOL Time Warner vulnerable to being unwitting
participants in the subversion of information at a time when world
events dictate the need for reliable media resources.

BetaNews obtained word of the incident late last night when anonymous
sources provided screenshots of the keywords: EIU, JOC, and ECONOMIST.
Shortly thereafter, BetaNews confirmed that each had been vandalized.
Keywords are shortcuts that take AOL users to online content hosted on
the company's own servers.

Further investigation revealed postings to online bulletin boards
regarding the incident. According to WhiteHat Security CEO and founder
Jeremiah Grossman, 'site' hackers often accumulate cracked accounts. One
such account obtained by the hackers had Rainman overhead -- meaning it
had the ability to edit associated content. Once logged in, all that was
needed for editing rights was a group ID and password. Group IDs are
exposed in a URL when an attempt is made to access Rainman, making the
password the only roadblock to unfettered access.

Apparently, when a hacker was signed into the compromised account, an
AOL employee sent an instant message mistaking the individual for a
co-worker. With sleight of hand and some misdirection, the AOL employee
offered up the password to Rainman, as well as the password to his
wife's account. In each instance, the login for the AOL account itself
was identical to the Rainman password.

The alleged hacker summed up the experience in a bulletin board posting.
"I hopped on it the other day and got a message from a coworker telling
me about how he uploaded the new version of the economist and found out
that he also used 'my' account. To make a long story short...I told him
I was locked out of my account and he gave up the password. The next day
I figured I could extort the rainman password out of him and I later
found out...He also gave me the rainman password for his wifes account
who also has rights to those keywords. It turned out that her logon
password was also the same as here Rainman password but was bound to a
Securid key." (sic)

Reports indicate that a brute force style program dubbed "Rainstorm" may
have been used in the attack as well. However, all indications BetaNews
has received point to human error as being a principal and deciding
factor.

According to Grossman, "AOL and its staff require increased enforcement
of security guidelines and policies when it comes to user account
security. Whether it be an internal AOL account or a user account. These
types of employee disclosure incidents should be allowed to take place.
If employee accounts can be compromised through such modest means, what
assurances do normal users have that they won't be targeted next?"

He continued on, "Apparently, AOL account passwords, whether belonging
to employees and/or users, need stricter requirements. Requirements such
as password length and sophistication have been implemented in security
for quite some time. It's clear AOL has a big job and should be doing a
better job in protecting accounts from this style of attack," said
Grossman.

Despite repeated attempts to notify AOL and obtain comment, AOL did not
respond by press time.


VICUG-L is the Visually Impaired Computer User Group List.
To join or leave the list, send a message to
[log in to unmask]  In the body of the message, simply type
"subscribe vicug-l" or "unsubscribe vicug-l" without the quotations.
 VICUG-L is archived on the World Wide Web at
http://maelstrom.stjohns.edu/archives/vicug-l.html

