AOL Security Compromised by Teenager 99
Freaky_Friday wrote with a link to an InfoWorld article about a teenage kid accessing customer information at AOL. The alleged criminal trespass began late last year, and extended up through early April. According to the article, the guy used some 'off-the-shelf' hacking software he downloaded online to gain access to, and then transmit information from, AOL's systems. "The complaint states that Nieves admitted to investigators that he committed the alleged acts because AOL took away his accounts. 'I accessed their internal accounts and their network and used it to try to get my accounts back,' the defendant is quoted as saying in the complaint. He also admitted to posting photos of his exploits in a photo Web site, according to the complaint ... If the defendant was honest about his motivation in his reported confession, it's safe to assume that he wasn't interested in stealing data for financial gain, [Managing director of technology at FTI Consulting Mark] Rasch said. Still, it'll be interesting to find out what steps AOL is taking if customer data was in fact compromised, he said."
Article is Loaded with Errors (Score:4, Interesting)
To quote the article:
"AOL has had pretty good security over the years."
This is a massive error in any credibility on AOL's part. Within the past 6 months there have been countless exploits in their systems including the ability to register accounts that were 1 or 2 characters long, register accounts of names that were already in use, including over registering internal accounts and accounts such as "AOL System Msg", the ability to register accounts with vulgar and racist words in them via non-American AOL sites, and thats just to name a few off the top of my head. Currently there is still a major issue with accounts having more than one working password.
I could go on and on about the flaws of AOL, but why bother, they know that the flaws exist but instead of tying to fix them they bury them by going after the people who find them, and leaving the holes still in their systems.
Re:Some of us say why others say why not? (Score:3, Interesting)
Re:Some of us say why others say why not? (Score:3, Interesting)
Just because you can click yes all the way through installing something on Windows doesn't mean the NSA should hire you to harden the Linux or BSD kernels they use on their systems...
Re:Some of us say why others say why not? (Score:4, Interesting)
Incidentally, they were all Windows 95 boxes with some pretty bad security software on it. I found at least two ways through it - the fun one was they didn't lock down Winkey-F. Search on the program you wanted to run, and run it. Likewise, you could load an "approved" program, pull up the Open File dialog, and find the program in there and run it. The other way was Winkey-E. It would pop up a "You don't have permission to run this program" error. Hold it down and the screen filled with them very quickly. Eventually, Windows ran out of memory, Explorer crashed, and it would automatically repop without the security software there. Voila.
So, I guess I was kind of a hacker. Oh well
Re:Some of us say why others say why not? (Score:1, Interesting)
They started running Fortress but you could still open up apps like Word and get to the system information tool where you could run other applications from- similar with netscape- just configure a helper application for some odd protocol and try and go to a site with that protocol and bam your program runs.
I also discovered a loophole with their digital card catalog system (green screen terminals) that allowed me to outdial from their interlibrary connection system. I don't remember the exact mechanism, but if I had to guess, I think I let it dial the other library, then just did +++ATH0 and then dialed to wherever I wanted to dial. I think I only used it to dial up my local shell account (local call)- in theory, though, I could have called anywhere, I don't think they had it hooked to the PBX.
Anyway, I didn't count myself a hacker, but I did find a couple ways to end run their security so I could do day-to-day (for me, ~1996) things like check email that nobody else really did.
I both hated and loved high school.
Re:Some of us say why others say why not? (Score:2, Interesting)
Re:Article is Loaded with Errors (Score:1, Interesting)
Entirely incorrect. AOL teaches all its new hires about various social engineering attacks. I know, I was forced to sit through it on my first day as an employee. And they remind people about it at least as much as anywhere else I have ever worked.
Should they do even more? Maybe so. But the fact is that the people themselves get lazy, or they get access for whatever reason that they probably shouldn't have. That's one reason I ignore all attempts for developers to get access to production databases... they don't generally know squat about security. They care more about meeting their deadline, or making their own lives easier. Unfortunately, someone in Operations either screwed up themselves, or they caved into pressure to allow one of the idiots in Dev or one of the "support" teams to have production information. *sigh*
At least when dev complains on Monday that they don't have access to my database, I can point at an article when I tell them to stick their request where the sun doesn't shine.
Same old same old (Score:5, Interesting)
I remember when the phishing trend started. AOL's biggest mistake at that point was creating a special People Connection lobby that overhead/internal accounts would default to. Initially, it was just a private room whose name changed occasionally (who else remembers THEBLIMPSAIDITALL, and numerous incarnations of IllIlIIlIIlllIlIIlI...?). Anyone who knew the name could get into the room with any regular account, and phish privileged accounts to their heart's content. Eventually AOL made some progress and created a viewruled lobby, which they assumed would keep the riff-raff out, but they forgot to plan for the fact that the riff-raff already had access to privileged accounts.
In the early to mid 90s, there was no such thing as phishing. If you wanted privileged access, you had to work for it, and it was a thankless (but sometimes rewarding) task. There were a handful of folks - okay, probably a few handfuls, maybe numbering in the tens - who spent their free time doing real hacking. Those of us on the Mac side were busy poring over logs from Serial of Champions, reverse engineering the client-server communications. Through trial and error, we determined that every client request would send a two-character "token" and an argument to match. For example, double-clicking a message board to open it up might send the token "mB" with the message board's ID as the argument. Using the Keyword feature would send a Kk token, that's the only one I still remember for sure.
We eventually compiled a list of the various "tokens" that made up the AOL protocol, and what they did. There was a developer's client extension that allowed for sending arbitrary token/args, and like most things inhouse, it was leaked to a few people. This gave some of us the ability to do things nobody else could. Way before AOL ever introduced "Mail Controls," for instance, we were able to reject mail from specified users. The feature had been built into the system from the beginning but had never been released to the public (IIRC, the then-system-devs didn't even know it was possible). We'd stumbled upon the feature by sending random tokens to the server.
Here's a funny story about how something went from blackhat to implemented feature. At some point I discovered a token that would refresh the client's installed list of screen names. Basically, if you had AOL installed on multiple computers, or had multiple copies of the client on one machine, the list of your available screen names would inevitably become outdated across clients: if you created a new screen name on one client, then switched to another, the new name wouldn't show as a sign-on option. Likewise, if you deleted a screen name while you were logged in from one machine, that name would still (incorrectly) display as available on another machine. There was no way to synch up the list of names, so if you created screen name FoobarMan on machine A, the only way to sign onto it from machine B was to reinstall the client.
Well, I found out that if you sent a certain token to the server, it would force a client-side refresh of the screen names on the sign-on list. Having legitimate access to publish things - did I mention I was not only a haxx0r, but also remote staff - I created a little form with a link that would send that token, thus refreshing the client's list of screen names. I passed it on to a TechLive friend who started giving it out to members who were having this (common) problem. Eventually someone inhouse got wind of it. I got reamed, my creation was removed, and a month later a shiny new feature appeared at keyword: NAMES... "Refresh Screen Name List."
Go figure.
Accessing member information is hardly anything new. AOL has a customer management system
Re:Same old same old (Score:5, Interesting)
I won't go into much more detail, but good ole star tool (as it was called, adding a menu titled * that gave any account a direct interface to the internal FDO scripting) led to countless exploits for the small group of people able to take full advantage of it (i.e. it was significantly harder to interface with AOL through FDO than the Visual Basic programs everyone with half a brain flooded the scene with). Some of the more ambitious exploits made the news; I recall one time the leak of the next version of AOL months before it was even supposed to enter early beta got a mention in a major news outlet; while it wasn't me that leaked it, I was the one who found the eB library where it resided and passed along the token to those who did make it public. OpsSec (operations security, the highest level of AOL network security staff) knew us by name, and terminated my access more than a few times. It was really cool stuff, especially for a kid. I don't know if newer AOL software still allows clients to use tokens and other FDO code, or if AOL figured out how to secure privileged resources from those who could program in it, but back in the day security was so poor that our group of 10-13 year olds walked in and out of staff resources like they were our own personal playground.
Re:Same old same old (Score:3, Interesting)
FDOs and atoms were the Windows side of things. Your mention of OpsSec brings up another anecdote. There was an internal account, "NOC Nodes," run by network ops. I once created a fake account with the screen name "N0C Nodes" (november zero charlie Nodes) and IM'd a friend with his full phone number. The poor bastard logged off and wiped his hard drive. It only became a joke years later when he forgave me.
Fun times.