Security America Online

AOL's Merlin Compromised?

Neophytus writes "The Inquirer reports that AOL's central customer database, Merlin, may have been compromised by crackers. This, even though it required 'a user ID, two passwords, and a specialized ID code' to gain access to. That's 35 million users' names, addresses, emails and credit card details - a goldmine for spammers and fraudsters alike. As they put it, 'AOL can now add another accomplishment to its list: Biggest security disaster in ISP history.' The Register is also running a story explaining why this is not particularly likely, though." Here's the original Wired story.
  • Welcome! (Score:5, Funny)

    by Anonymous Coward on Sunday February 23, 2003 @01:41PM (#5365518)

    You've got problems!
  • Merlin? (Score:1, Funny)

    by Anonymous Coward
    Gandalf wouldn't have gotten whooped so easily. Time to upgrade.
  • Wow, that's insane. I just closed Merlin to go on break (free pizza weekend), and then this popped up on Slashdot. Insane!
    • by Anonymous Coward
      free pizza weekend

      When is this free pizza weekend? And how much is it gonna cost?

    • Re:I work for aol. (Score:3, Interesting)

      by SimplexO ( 537908 )
      As it turns out, the crackers used social engineering. Among their many exploits [neowin.net] was sending trojaned files to support workers.

      Let's hope you don't let that happen.

      You should also read the above link [neowin.net] so you don't get duped.
  • by BabyDave ( 575083 ) on Sunday February 23, 2003 @01:45PM (#5365548)

    Guinevere compromised. Faulty key mechanism in chastitybelt.dll blamed.

  • hmmm... (Score:5, Interesting)

    by jeffy124 ( 453342 ) on Sunday February 23, 2003 @01:46PM (#5365554) Homepage Journal
    From the Wired article:

    The hack involves tricking an AOL employee into accepting a file using Instant Messenger or uploading a Trojan horse to an AOL file library.

    Sounds like AOL needs to read Mitnick's book - The Art of Deception.
  • wait a minute... (Score:3, Insightful)

    by trmj ( 579410 ) on Sunday February 23, 2003 @01:49PM (#5365571) Journal
    35 million user's names

    They have ~35 million users, and yet can't make a profit?

    Let's see... ~35,000,000 * $22.99 = ~$804,650,000
    They get that much money each month, and still posted a loss how?
  • by Anonymous Coward on Sunday February 23, 2003 @01:50PM (#5365576)
    The SecurID makes it unlikely that anyone was able to hack it, at least without physically stealing one of AOL's SecurID cards and the PIN for that card.

    For others that don't know how they work, the code changes every 60 seconds (and is different on every card made), and the old code is no longer good when the code changes. It makes it really hard to bypass without having an actual SecurID card that is valid for the system that is being broken into, and the proper username and PIN for that card.
    • That much is true but if
      • they were able to trick the AOL rep into installing some type of remote control software
      • and AOL allows the rep's computers to make random outgoing connections
      then they might be able to remotely control a machine that already had all the necessary passwords entered.
      • by PeteEMT ( 92003 ) on Sunday February 23, 2003 @02:11PM (#5365696)
        SecurID is a physical token. it's not something stored in the computer.

        http://www.rsasecurity.com/products/securid/tokens.html

        They come in two forms (at least the AOL ones did when I was a contractor there): a key chain fob and one that looks like a credit card calculator.
        If I remember right, the system also automatically marks the login code invalid once a successful login is achieved. So someone can't use a Key Sniffer to steal your code. If you logged in and got disconnected for some reason, you needed to wait for your SecurID to rollover to the next code.
        • It is currently still like this; SecurID is used for everything, from my AIM logon (and to debunk other people's theories, AIM file transfers and direct connects only work internally to corp machines; no external network machines can use the file transfer service, so no trojan could have been installed... email is another story though)... to email.
        • by Grax ( 529699 ) on Sunday February 23, 2003 @02:34PM (#5365796) Homepage
          I understand how SecurID works. My point is that if you have remote control of a machine that is logged in and not disconnected then it doesn't matter how secure SecurID is. It is much the same principle as logging into a machine with your SecurID and then going for coffee.

          I am not claiming at all that the article is actually accurate as it offers no proof and no reliable sources. But, it is theoretically possible to take over a machine where the SecurID has already been entered and cause havoc.
          • I understand how SecurID works. My point is that if you have remote control of a machine that is logged in and not disconnected then it doesn't matter how secure SecurID is. It is much the same principle as logging into a machine with your SecurID and then going for coffee.

            My company uses SecurID, and when my connection is active (we use it for VPN), I can't connect to any other machines on my subnet, and it blocks off most ports. I'm pretty sure that what you stated is possible, but not trivial by any means.

        • Still, if you take over the user's session after the user has authenticated, OR pop up a trojan dialog asking the user to type in his PIN, the fact that a nice fancy hardware token has been used doesn't matter anymore.

          Token authentication is used to try and clean up all kinds of security problems that it doesn't address well-- problems with the client computer being owned, or using unencrypted transport (which is vulnerable to sequence prediction or sniffing to hijack the session, even if the password itself is not replayable).
        • Actually SecurID comes in both hardware and software tokens. The first is what most people are familiar with (credit card shaped or keychain version). The other is also known as a SoftID, which is software that is installed on a PC or on a PDA (Palm and Pocket PC). The hardware token is tough to beat; however, the SoftID ones are easier. Besides usually lasting longer than 1 minute, there have been issues with people being able to advance the clock into the future to acquire future passcodes. If someone stole a PDA with a SecurID SoftID program installed, and they had the person's PIN (probably stored in a note on the PDA along with other passwords), then they could get in using SecurID. This is the reason why hardware tokens are the preferred method. Most large corporations I've seen do use both (probably not all corporations though); however, the majority are hardware, and software tokens are usually only issued out to specific people or applications.
    • The social engineering portion of this I can easily believe. I've worked at a lot of different places as an employee or contractor and none of them were very good about security. They might have balls to the wall security devices in place but you could bypass them just by holding up a toolcase or some cables and saying you're from support and someone would let you in. You can get into practically any place that way.

      As for dongles and keys they are pretty easy to lay hands on. A little skill as a social engineer and a pick pocket and you can have one. You do have to be physically there though. You can't pick a pocket remotely.
    • by Anonymous Coward
      If you can get about 10 of the sequence you can crack a SecurID. I did it with my dad's SecurID about 4-5 years ago, just watched it change and wrote it down. Could figure out the algorithm in about 10 pops. I was motivated, oddly enough, by the desire to MUD over his corp inet connection...

      Once you have the mostly universal changing sequence (based off the previous) you just need to know which one it started with and the approx time and you can nail a secureID system. A glimpse of the card over 10 minutes is enough to break that system if you're smart about it.

      It's still pretty tough to do tho, so I agree with you on it being unlikely.
    • by aloisis ( 652895 ) on Sunday February 23, 2003 @05:36PM (#5366784)
      SecurID is notorious for its clock getting out of sync with the cheap clock in its SecurID cards. To make sure the server clock and the clock in the SecurID card stay in sync, they sometimes set up the server so that the same SecurID number can be used for several minutes, whatever the sysadmin requests, to allow for the drift of the clocks. The SecurID number is in plain text, so that someone with a sniffer-type device could sniff a SecurID number and use it for access. To demonstrate how the SecurID card's clock can drift, just place one within the vicinity of a microwave oven (2-3 feet will do) and watch the clock accelerate.

      • The SecureID number is in plain text so that someone with a sniffer-type device could sniff a SecureID number and use it for access.

        SecurID numbers can only be used once for access. Replay attacks will not work because of this. From RSA's [rsasecurity.com] web site:

        A distributed lock manager tracks user authentication between replicated servers and blocks redundant requests in order to prevent replay attacks against servers or agents.
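The two server-side properties argued over in the SecurID subthread above (a clock-drift window that accepts a code for more than one time slot, and single-use enforcement that rejects a replayed code) modelled in Python as an added example. This is not AOL's or RSA's code: the HMAC-over-time-counter scheme, the seed, the PIN and the timestamps are constructed stand-ins for the proprietary algorithm.

```python
"""Teaching model of time-based one-time-code validation.

Constructed example: an HMAC over a 60-second time counter stands in for
RSA's proprietary SecurID algorithm; seed, PIN and timestamps are made up.
"""
import hashlib
import hmac
import struct

STEP = 60  # seconds per code, as the posts above describe


def token_code(seed: bytes, t: int, step: int = STEP) -> str:
    """Six-digit code for the time slot containing unix time t."""
    counter = t // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha256).digest()
    return "%06d" % (int.from_bytes(mac[:4], "big") % 1_000_000)


class TokenServer:
    """Validates PIN + code, tolerating clock drift, but never twice per slot."""

    def __init__(self, seed: bytes, pin: str, drift_slots: int = 1):
        self.seed = seed
        self.pin = pin
        self.drift_slots = drift_slots   # how many slots either side are accepted
        self.used_slots = set()          # slots whose code already authenticated

    def authenticate(self, pin: str, code: str, now: int) -> str:
        if not hmac.compare_digest(pin, self.pin):
            return "bad pin"
        base = now // STEP
        # Drift window: the same code stays valid for neighbouring slots.
        for offset in range(-self.drift_slots, self.drift_slots + 1):
            slot = base + offset
            if hmac.compare_digest(token_code(self.seed, slot * STEP), code):
                # Single-use rule: a sniffed code cannot be replayed after
                # it has been used, even while it is still inside the window.
                if slot in self.used_slots:
                    return "replay rejected"
                self.used_slots.add(slot)
                return "ok"
        return "bad code"


def demo() -> dict:
    """Runs the scenarios from the thread and returns each outcome."""
    seed = b"constructed-token-seed"   # per-token secret (constructed)
    srv = TokenServer(seed, pin="4821", drift_slots=1)
    now = 1_046_000_000                # arbitrary constructed unix time
    code = token_code(seed, now)
    results = {}
    results["login"] = srv.authenticate("4821", code, now)
    # Same code sniffed off the wire and presented 20 s later.
    results["replay"] = srv.authenticate("4821", code, now + 20)
    # Right code, wrong PIN: the token alone is not enough.
    results["wrong_pin"] = srv.authenticate("0000", token_code(seed, now + STEP), now + STEP)
    # Code from the previous slot presented one slot late: within drift window.
    results["late_code"] = srv.authenticate("4821", token_code(seed, now + STEP), now + 2 * STEP)
    # Code from five slots ago: outside the window, rejected outright.
    results["stale_code"] = srv.authenticate("4821", token_code(seed, now), now + 5 * STEP)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:>10}: {outcome}")
```

Widening `drift_slots` to cover "several minutes", as the post above describes, lengthens the time a sniffed but unused code stays valid; the single-use set is what stops the replay of a code that already logged someone in.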

  • This is why.... (Score:2, Insightful)

    by marshac ( 580242 )
    We have 'private' networks. Hackers etc. can't get into a network that isn't connected to the outside world. Yes, it's a little simplistic, but if you're going to have sensitive information used by internal processes (i.e. billing), then why do these servers need to have any kind of exposure at all? Keep the web servers in the DMZ, everything else out.
    • Re:This is why.... (Score:3, Informative)

      by kryptkpr ( 180196 )
      Did you read the article?

      They tricked/convinced/conspired with AOL employees (those hooked to internal and external networks at once) into accepting and running a trojan that would act as a gateway between AOL's systems and the outside world while idling on IRC..

      This is how most DDOS bots work, I guess they just took it one step further.

      Disclaimer: I could be wrong, IANAAH (I Am Not An AOL Hacker), this is just what I got out of reading the article.
      • if AOL has computers that are connected to both the Internet and their internal private network, it negates the benefits of having an internal private network. You want to give your employees AIM? Set up a TOC proxy or something. Even NAT is too much to give a client computer. Dumbasses.
      • Your parent's post suggested that if the computers in question had no internet connection then they couldn't be remoted. Information for internal use such as billing shouldn't have a physical connection to the internet. Info used for their website such as usernames and login passwords should be on a physically separate network. This means no checking your account online, though. In return, physical access to the site is necessary to crack your billing info.
    • Hackers etc. can't get into a network that isn't connected to the outside world.

      Neither can customers.

      why do these servers need to have any kind of exposure at all?

      To create accounts, authenticate user log-ins for e-mail and RADIUS, allow users to update billing information, etc.

      There are many ways to make it incredibly difficult to access a server or group of servers, but you really can't cut off access completely, unless you have some sort of rarely used information which can be accessed, updated and verified manually.
      • Okay, I agree with every part of your post. But let's realize, it is AOL. This is a company that panders to the lowest form of internet users (outside of spammers I would say). I have talked with many people who have worked for them, none of whom were exactly mensa members. Even if their security is pristine, and even if someone did not crack it this round, someone will. All of a sudden, the whole world knows what a juicy bit of goodies this customer database is. Besides, it doesn't matter how good the firewalls are configured, or how many levels of internal private networks you have. Most companies I have done security for you could walk out of the datacenter with the whole friggin' server with little more than a smile and a fake name. I'm sure AOL is not much better.
  • And as always the really weak link is the human one...

    But then again getting the password of a single user reset may be a big thing for that user, but in the overall scheme of things, it's not much.

    As for Merlin; well, just downloading the 35mil Credit Card numbers, could take a while :-)
  • by peterdaly ( 123554 ) <.moc.mocten.xi. .ta. .yladetep.> on Sunday February 23, 2003 @01:54PM (#5365611)
    While many of these hacks utilize programming bugs, most hackers are finding it far easier and quicker to get access or information simply by calling the company on the phone. These so-called social engineering tactics involve calling AOL customer support centers and simply asking to have a given user's password reset. Logging in with the new password gives the intruder full access to the account. In a telephone interview, two hackers using the handles Dan and Cam0 explained that security measures (such as verifying the last four digits of a credit card number) can be bypassed by mumbling. A third hacker, using the name hakrobatik, confirmed the mumbling method.

    This article is more about social engineering than about the AOL break-in. This is odd; if this were true, I would expect a much different type of article to be on the lead edge of breaking news like this. I don't know if this is true or not, but the Wired article does not really have a whole lot of meat to it.

    • Yeah, the social engineering exploit seems pretty interesting. Blame it on poorly trained help-desk personnel, and probably some pretty lax guidelines as well. 400 calls in the queue, I'm supposed to average a call every two minutes... screw it, this is probably the right guy.

      I imagine you could work the same exploit with a really thick foreign accent. Or a cell phone that kept having mysterious problems.

    • Not sure if this is freaky coincidence or the editors having fun, but the fortune at the bottom of the page (while I'm posting, anyway) says:

      If in doubt, mumble.

  • by 0x0d0a ( 568518 ) on Sunday February 23, 2003 @01:59PM (#5365637) Journal
    It's a given that at some point, given the potentially *massive* financial benefits inherent in compromising CC databases, that CCs must go away. They're totally inappropriate for today's society.

    The only question is how much money CC providers and companies are going to lose before moving to smartcards that authorize payments on a per-transaction basis.
    • hey maybe we should blow up all the credit card company's buildings so we reset the debt to zero. it'll create complete chaos.

      The world I see -- you're stalking elk through the damp canyon forests around the ruins of Rockefeller Center. You wear leather clothes that will last you the rest of your life. You climb the wrist-thick vines that wrap the Sears Tower. You see tiny figures pounding corn and laying strips of venison on the empty car pool lane of the ruins of a superhighway. *cough*fight club*cough*

    • American Express and VISA already allow you to generate a single-use number. It's only good for a single transaction at a single point in time.

      But a per-transaction scheme can't, by definition, handle recurring payments.
      • American Express and VISA already allow you to generate a single-use number. It's only good for a single transaction at a single point in time.

        Yes, but the CC number space isn't large enough to allow this to be a universal solution. (That's ignoring the fact that it's all divided up and whatnot).

        I guess you could try to set up some cyclic reuse thing...

        But a per-transaction scheme can't, by definition, handle recurring payments.

        [shrug] Same system could pretty easily be used to authorize recurring payments.

        Frankly, though, I'm not entirely sure that I wouldn't just like my CC company to just send me a bill with *requested* recurring payments, which then get authorized on a per-transaction basis so that I know where my money is going, and I have absolute control over who gets it.

    • One of the reasons the current model--storing credit card numbers and charging them every month--is so popular is that it makes it more likely for people to remain customers. When a customer has to authorize a payment every month, she's more likely to cancel because she has to think about the expense every time. That's why we'll continue to see merchants storing credit card numbers for a long time.
  • by Anonymous Coward on Sunday February 23, 2003 @02:00PM (#5365640)
    Merlin is AOL's internal tool for keeping track of customer records. It only operates from the AOL LAN. However, this is defeated with a simple TCP/IP redirector. The security code is a SecurID code. It changes every 60 seconds, but its pretty useless if you social engineer someone into giving you the code. Same deal with passwords. The real hole here isn't any technical measures, but the complete fucking stupidity of AOL employees.

    Oh yeah, this has been going on repeatedly since at least 2000. However it gets media attention very infrequently, but the problem was always there, and always exploited.
  • Lose-Lose (Score:5, Insightful)

    by sebi ( 152185 ) on Sunday February 23, 2003 @02:00PM (#5365641)

    If this is true. Well--that's bad. If it isn't then that's even worse. I read the register piece before I followed the link to wired. I know nothing about the possible security measures and exploits that could have been involved in this. And that is exactly the point. From what I read all information that wired really had, was the claims of some self-declared hackers and the statement of some security expert.

    If that is enough to get an article like that one published--then why bother to actually try to hack/social engineer/whatever into the AOL database. Just claim something and watch the bad press hit AOL. I never used any of their products (well apart from iChat that kinda ties into their IM-network), but they are in enough trouble as it is. In this case there is such a thing as bad publicity. I am appalled by an article that consists of a whole lot of nothing and ends with "You see all those commercials saying AOL 8.0 is so secure," said Dan. "If people knew how insecure their data was they probably wouldn't use it."

  • by Cyclone66 ( 217347 ) on Sunday February 23, 2003 @02:02PM (#5365653) Homepage Journal
    I'll finally have a complete killfile for usenet!
  • These boys need to get laid.

    If AOL would subsidize this, they would see their security problems disappear overnight.

    also - I think Dick Tracy foreshadowed the cracking method used by these kids years ago with its "Mumbles" character.
    So by using that as an indicator, we should next look for people wearing bright colors and having odd facial features to be part of the next crack.
  • by reallocate ( 142797 ) on Sunday February 23, 2003 @02:03PM (#5365661)
    In the sanctimonious screed posing as reporting over at The Inquirer we find these completely unsubstantiated assertions:

    >> ...customers will vanish if they feel AOL can't protect their data...

    Nah. Most will stay because the cost and hassle of leaving AOL outweigh the risk they perceive from this alleged breach. ...You won't find many AOL members running firewall software...

    No, and people who use computers ought not to have to fuss about with building their own firewalls in order to have a modicum of security. Firewalls and other security-related code ought to be buried deep inside any consumer OS marketed for use on the Internet and their configuration ought to be done at a level of abstraction that requires no technical knowledge.
    • "No, and people who use computers ought not to have to fuss about with building their own firewalls in order to have a modicum of security. Firewalls and other security-related code ought to be buried deep inside any consumer OS marketed for use on the Internet and their configuration ought to be done at a level of abstraction that requires no technical knowledge."

      You're talking about making a completely idiofied operating system, far beyond that which was Mac OS 9. To make an analogy, you're talking about building a car where the user never has to use the brakes, because "no one should have to fuss with doing anything any time there's an immediate need to decelerate." I think we can expect a little more from companies like Microsoft in terms of security, but I also think we can expect a lot more from consumers. I may not need to know exactly how the fuel combustion chamber in my car allows me to move forward, but I for damn sure know that I have to shift to drive to go forward, shift to reverse to go backwards, and press the brakes to stop. How many computer users, if they drove their car like they use their computer, would end up in the hospital once a day with a totaled car?

      While I can't provide a simple answer for solving the problem, I really don't think that building an OS that does all but completely remove user interaction is the answer. A certain level of security should be expected, but if a person can't even install Zone Alarm, or install a router, then perhaps they ought not be using a computer in the first place. Perhaps we should license computer use like we license car use. As much as I'd hate to have to muck around with a DIT (Dept of Info Tech) counterpart to the DMV, I think this would solve a whole lot of problems. Granted, however, this is not a likely or entirely feasible solution, but you have to admire how quickly we'd clean up tech support/virus/worm/security issues.

      • >> You're talking about making a completely idiofied operating system...

        That's an example of tech bigotry. Ease of use doesn't mean loss of capability. In fact, it should mean just the opposite: enabling more people to do more computing, more often.

        I'd imagine that even you are using a keyboard and a monitor, rather than pushing buttons and watching LEDs.
      • To make an analogy, you're talking about building a car where the user never has to use the brakes

        Brakes are on/off, and within my experience most people have a pretty good handle on the concept. Perhaps a better analogy would be building a car where the user doesn't have to be concerned with the timing and slippage thresholds of his ABS system--oh, wait--they already do that!

        This might be the appropriate moment for a rant about the generally crappy state of software design (complete with quotes of developers whining about how it'd be too hard to make something that works), but I have actual work to do....

  • by mix_master_mike ( 540678 ) on Sunday February 23, 2003 @02:10PM (#5365693) Homepage

    Some of you may recall this interview [slashdot.org] from a while back - I used to be an AOL nerd back in the day and I know a few of the kids mentioned in the articles (and I think cam0 is 15 now?) - anyway.. from what I can recall a lot of the 'hackers' (script kiddies, whatever) would simply use extreme social engineering tactics, as these articles explain, to get whatever they wanted. As the number of actual bugs in the systems dried up (your basic token bugs, invokes, problems with the systems themselves) a lot of the 'hackers' would have to figure out other ways to get in.

    Getting past sID - this is not that big of a deal; while it's not that easy to do, as long as you con the right person and you get lucky with the timing you're all set. Once you have complete access to their internal system you will have no problems getting them to toss you their current number..

    The only non-realistic part of the articles I read was regarding how many attackers utilize programming bugs - there are far fewer now than there used to be..

  • Not too likely (Score:5, Insightful)

    by island_earth ( 468577 ) on Sunday February 23, 2003 @02:14PM (#5365719)

    Neither the Inquirer article nor the Wired article shows any evidence that an actual break-in occurred. Of course an occasional account may have been compromised... big hairy deal. But nobody provided any proof that even a noticeable percentage of the 35 million (active or inactive, whatever) accounts has been touched.

    The Wired article quotes sounded like a bunch of script kiddies, probably with their own AOL accounts, were making things up to sound important. (What? Online sources telling lies to seem cool? No way!) No evidence was provided in either article, and given the obvious safeguards (of which SecurID is a good one) it sounded like so much bull.

    This all sounds like a standard "AOL sux!!!" kind of posting, elevated to seeming respectability by badly-researched articles in the almost-mainstream media.

    • One of the biggest sensations in internet related journalism is to get the scoop on some break-down of security (and therefore break-in and theft) regarding personal material. It's a backlash against Orwellian fears, and is cried out much louder than warranted to carry the kind of attention the *journalist* wants to give it.

      I highly doubt this came from one of Wired's top staff, probably someone who wanted to scoop the next CC theft by the million. Nothing to see here, move along!
  • by scrain ( 43626 ) on Sunday February 23, 2003 @02:19PM (#5365731)
    disclaimer: I worked at AOL for 5 years... i'm pretty familiar with the system under discussion.

    One thing that hasn't been mentioned is that the SecurID system also requires a PIN to log in, and employees are strongly trained not to give that to anyone.

    Also, Merlin requires a special client, that would be a bit hard for someone using a man-in-the-middle attack to enter information into and/or see the results of.

    As for the social-engineering aspect, people have been doing that all over the world, for centuries. Only a few of them are called hackers. The rest are called journalists.
  • Oh, wired... (Score:5, Insightful)

    by Ravagin ( 100668 ) on Sunday February 23, 2003 @02:20PM (#5365739)

    Please note that all the sources in the article are "hackers." Yet Wired reports it as _fact_ when they have no official confirmation or hard evidence. I guess a publication like Wired doesn't have very strict journalistic standards about news, but still... this is an instance where you use words like "alleged" and "claim."

  • Implausible (Score:4, Insightful)

    by Gyorg_Lavode ( 520114 ) on Sunday February 23, 2003 @02:23PM (#5365745)
    I agree that it sounds implausible. I'd think first, as the Register states, that getting the hardware generated key would not be possible by the means outlined and second, that AOL would have a firewall on their internal network capable of blocking most trojans. Also, you'd think that AOL would monitor port use by programs so as to know if someone was having a little too much fun online.
  • by microTodd ( 240390 ) on Sunday February 23, 2003 @02:30PM (#5365783) Homepage Journal
    "AOL's central customer database, Merlin, may have been compromised"

    What a stupid comment. In other news...

    "Aliens MAY have invaded Italy..."

    "Saddam Hussein MAY have a gay lover..."

    "I MAY have sex with Liv Tyler tonight..."
  • by seeksoft ( 579626 ) on Sunday February 23, 2003 @02:32PM (#5365789)
    Here, I copied this html for a friend a few days ago. Merlin @ opsec [aol.com]
    • Checking out the parent webpage: http://members.aol.com/eeyore10289/ I find all sorts of imitation AOL pages asking the user to enter credit card numbers, usernames, passwords, etc.

      So, how long have you been ripping off AOL customers?
      • Yup, and it looks like the nice friendly AOL folks just nuked everything in Mr. Eeyore's home directory there. I'm sure he'll have some nice friendly men in black suits showing up at his door in a few hours, and then he'll have some explainin' to do to his mommy and daddy.
  • You Asked for proof (Score:5, Informative)

    by JacobD ( 454288 ) on Sunday February 23, 2003 @02:39PM (#5365817) Homepage

    You all wanted proof that the hack was done. We're carrying that proof on Observers.net [observers.net]. Check out the first story and that will give you all the proof you need that the hack was done.

    The other news places (The Register, The Inquirer, and Wired) were not able to provide the proof that we have.

    • There is no proof in that story past unsubstantiated claims.

      Further, that story does not address the SecurID issue.
    • by Anonymous Coward
      And screenshots are definitive proof of... having screenshots? Perhaps an ex-AOL employee took a couple screen captures before leaving and later posted them online. And as for the further "proof", all I see is a bunch of HTML pages which someone could have done in Notepad.

      If you really want to show proof, how about listing Steve Case's information? Or why not ask someone to supply an AOL ID and you can post the complete account details the next day? Chances are, you're not able to do that because this is just stupid script kiddie posturing with no substance.
  • by bigberk ( 547360 ) <bigberk@users.pc9.org> on Sunday February 23, 2003 @02:39PM (#5365818)
    A reminder about security in general. No matter how many precautions you take, there's always a chance that somebody is going to get into a system. By taking advantage of human weaknesses or lapses in judgement, for instance.

    So it's always prudent to diversify and isolate systems to minimize disaster upon intrusion into one system. And always invest in a good damage control plan :)
  • Let's say I am a salesman, and I want to give you X amount of product in return for your money, or a dinner date with you, or to take you golfing, etc. Then I give you the information you requested, and you turn around and kill my fellow customers or steal from them- that is a crime.

    If you crack my system and steal credit cards and the like, that's illegal too, but now you are talking about two different crimes.
  • by Xipe66 ( 587528 ) on Sunday February 23, 2003 @02:57PM (#5365897) Homepage Journal
    I work for a _large_ games and betting company, somewhere in Europe. Apart from having firewalls in front of and behind the Internet servers, we also have firewalls that separate the employees' network from the databases. I.e. we have three layers of security, and the only way to get through to the databases (where we have even more protection, just like AOL) would be to get access to an internet server and then try to get through three layers of passwords just to be able to _read specific_ user accounts.

    More or less impossible. And I can't imagine that AOL (stupid as their users may be) don't have something like this as well... WHY ON EARTH would the internal network go straight to their extremely valuable databases?

    Most companies keep "mock up" systems for development, the actual production systems aren't accessible to anyone, basically...
    • They don't really. Clients on the internal network talk to processes which can interface with the databases. Even IF Merlin was compromised, you would have to crawl through looking up random accounts/names and extracting billing data from those. Only people who have specific need to modify billing data can see it at all, so you'd have to compromise the right PERSON as well.

      You have to have access to the DB servers themselves, in order to run queries against them. AOL's setup is really much like the one you describe here. It's as secure as it can be, while still being useful how it needs to be.
  • Here's how to hack any AOL account [usgs.gov], for educational purposes only.
  • by mackman ( 19286 ) on Sunday February 23, 2003 @03:30PM (#5366113)
    FBI agents recovering evidence from the 15 year old cracker's "apartment" in his parents' basement, found a copy of The Art of Deception by Kevin Mitnick, who was promptly returned to solitary confinement while authorities make up a reason for his arrest.
  • Kevin [slashdot.org]'s only been online ONE FRIGGING MONTH. Jeez man, lay off already. We know yer good.
  • by ccnull ( 607939 ) <null@@@filmcritic...com> on Sunday February 23, 2003 @04:14PM (#5366312) Homepage
    I'm glad this story is getting picked up in so many places, but I do want to clarify a few things for those who either don't believe this attack is possible, who think I simply wrote it based on a few script kiddies' comments, or who simply don't understand how journalism works.

    Yes, I was given substantial proof of the attacks. But my job as a journalist is not necessarily to PROVE that anything happened (that is what lawyers do) -- you'll note perhaps that Woodward & Bernstein's takedown of Nixon was initially based entirely on one man's tip in a Beltway parking garage. It all has to start somewhere.

    So I merely collect evidence and present what I have. It was completely credible in this case. In fact, I called AOL five times to get their side of the story. They refused to call me back. But YES, the proof does exist. In fact, observers.net posted some of it here [observers.net]. You can dig around to find their full story on the subject, which goes into greater depth than I had the luxury for at Wired -- which is a general tech news site, not a how-to site for hackers and wannabes. In any event, you will notice that AOL has not refuted the claims in any forum. I honestly have no doubt about the authenticity of these claims after seeing the information provided to me. It's now AOL's turn to either come clean about the attacks or say they didn't happen. Since AOL is afraid of negative publicity, they are trying to keep things quiet. This is not apparently working...

    Originally I had hoped to interview the unnamed 14-year-old hacker for my story (which was intended to be mostly about the Merlin break-in) but he balked out of fear of prosecution (he was later interviewed for Observers.net and privately apologized to me for not doing the interview). Hence I focused on the myriad other recent hacks (Japan Webmail, the mumble method, screen name thefts) that AOL has been hit with as well.

    Regarding the breaking of SecurID -- if a hacker can call up a rep on the phone and get him to reveal his name and password, it seems pretty plausible that you could get the SecurID code as well. Disgruntled insiders also provide this information readily to their pals on the outside. Of course that's all in the story...

    Anyway, if any AOL users are convinced their data is secure I'll be happy to pass along your screen name to the people in question...

    • Over the weekend there was an exploit posted to bugtraq about being able to access files on an XP machine with a win2k recovery disk. But you had to have physical access. Most people replied that if you had physical access to the machine then all bets are off. There is no security at that point.

      Now, it seems to me that these people you are talking about essentially had physical access. They had someone logged into a machine on the inside who fed them information and did whatever they were asked. You say a friend, a disgruntled employee, gave them a code. Well at that point it's simply a case of an individual with a lack of morals doing something wrong. Just because you are upset at your employer doesn't give you the right to screw over 35+ million people.

      This is not a hack, it's simply an individual making a poor decision. I would like to think that AOL had all sorts of firewall/proxy/logging going on and could easily identify where a problem was coming from, but I have no knowledge of the system other than what I've read. So I'm not going to argue that it couldn't be done. I'm just going to say it's not AOL's fault. AOL should be diligent in their security measures, but what can you do when someone in the NOC is out to get you?

      An analogy for you. You go to a restaurant and order food. You pay with a credit card that you give to the waiter. The waiter copies the card #, the exp date and even your sig from the receipt. That waiter runs up a bill on your card. Now, do you immediately blame the restaurant? I don't think so, at a certain point, you have to trust people to be honest. Unfortunately a certain few of them will choose to screw you over.

      AOL may have problems and should probably pay more attention to personnel in critical positions, however, I'm not sure how much anyone can do if the door is unlocked from the inside.

  • A/S/L?!? (Score:3, Funny)

    by Munra ( 580414 ) <`slashdot' `at' `jonathanlove.co.uk'> on Sunday February 23, 2003 @04:18PM (#5366344) Homepage
    A user id/Specialised ID code/Lame couple of passwords?!!?!
  • Merlin doesn't exist (Score:5, Interesting)

    by fafalone ( 633739 ) on Sunday February 23, 2003 @06:11PM (#5366976)
    According to the last AOL support rep I talked to on the phone. According to them, AOL has never had an exploit resulting in compromising member information. Incidentally, I was calling to report an open exploit that resulted in my information being compromised. They told me it was impossible. I explained to them, in detail, how the exploit worked. Nope, apparently it was still impossible. So I asked to be put through to operations security (opssec). I was told it didn't exist. I even pointed out a page on their website that mentioned it. Nope, doesn't exist. Quite fed up with this robotic imbecile, I asked to speak to a supervisor. The supervisor (this is in the fraud department, by the way) explained that they were trained to deny that AOL had any flaws. Interesting. After realizing the supervisor also had no idea what they were talking about, I requested to be put through to opssec. Well, the supervisor at least acknowledged its existence, but refused to put me through, despite the fact that I had very important network security information. In so many words, I was told they didn't care that my information was compromised.
    Soon after this, I cancelled my account. Not only did they charge me for 2 more months, but they charged me the dialup rate (I was BYOA). So I called them up, quite pissed off, and asked for the charges to be reversed. I was then told my account was still active. At this point, I explained to the incompetent billing employee how to use Merlin to pull the fraud record of the account termination. The charges were subsequently reversed.
    My experience gives new meaning to the phrase "AOL sucks".
    • by Reziac ( 43301 ) on Monday February 24, 2003 @10:52AM (#5370498) Homepage Journal
      This is from a usenet post of just last week, so take that for what it's worth, but the poster is normally a reliable enough sort ... anyway, this is a complete quote of his post:

      I used to work for AOL tech support as one of their trained monkeys for a while. There are a few things to keep in mind when dealing with them:

      Most of them (the techs) are NOT idiots. However, most of them think that the AOL customer base ARE idiots.

      The mission statement for AOL tech support is : Free AOL tech support - You get what you pay for - Call us, we will give you a fish... (you have to understand the old saying about giving a man a fish/teaching a man how to fish story)

      They use a case-based software called Sherlock which is notoriously lacking in options. Most questions that they handle are so well known that the tech can handle it without Sherlock, however, this sabotages the Sherlock program. The whole setup is designed to fail spectacularly while being held together by a few knowledgeable floating expert individuals.

      These same floating experts double as whip wielding task masters, along with the supervisors, and other narcs, who wander around the phone floor enforcing the use of sherlock and the 3 minute time limit.

      AOL tech support does not have solving the customer's problem as its goal. Please understand that solving your problem when you call has absolutely NO VALUE.

      The IDEAL revenue call is a call that is handled in exactly 3 minutes, which results in a positive step in Sherlock giving ONE of many options - then results in a negative experience for the customer - prompting a return call in about 10 minutes - to another tech, who then gives the NEXT solution via Sherlock - which ideally will fail - on and on until either Sherlock runs out of options, (prompting for one of the floating experts to actually solve a problem, or shifting blame onto either a virus, the manufacturer of the hardware, drivers, etc...) or a final solution (usually a reinstall) and a grateful customer being transferred to another revenue partner, like a rent a car agency, or a cable modem installer...

      The ONLY value that any call has is that it is handled in an average of 3 minutes. This is known on the floor as Dumping... You give them one possible solution, then ask them to try it and call back if it doesn't work - you then cross your fingers and hope that YOU don't get them back. All while attempting to sell the illusion that you are an expert and are not merely reading a dialog off a computer screen. As I said above, it's trained monkey work.

      With that in mind, you can see why AOL tech support likes people with a minimum of knowledge working on the phones. People with actual extensive computer experience suffer from the "fix it" syndrome. Especially when sherlock cannot give you another option to Dump the customer with.

      The very worst thing that a tech can do, is attempt, with his own knowledge and experience, to actually explain why and how and fix your problem, especially because usually the problem is directly related to the stupidity of the customer. It is not unusual for the customer to reveal that they have 30 - 50 tray icons running!!

      People with a minimum of knowledge can accept the illusion that sherlock is actually giving good advice and can sell it convincingly as tech support. An actual trained computer tech/software repairman/programmer - usually cannot if he is honest.
      [end quote]

      The sad thing is, it's not just AOL ... this is the future of tech support everywhere. :(

  • Every security system is as strong as its weakest link. When the hacker placed a trojan on an insider's machine he had the machine for himself. Maybe once the user on the machine typed his password, plus the other pass and the token, it gave the access rights to the hacker. It could be a lucky shot that he convinced the right guy, maybe even unknowing, to run the trojan. Once the access is open from that machine, the system will probably not request any more authorization, so that hacker had it for the day.
