InternetNews – Hackers Again Strike AOL – June 19, 2000

America Online, Inc. is the latest Net crime victim to have the privacy of some of its 23 million members violated.

While the extent of the weekend damage is unknown, knowledge of how to access security holes in America Online’s network is spreading quickly through Internet channels.

While AOL members are assured at every point of contact that their information is secure from potential maliciousness, a hacker with the handle “Retired” shared information with security watchdog Observer.net about some of his exploits at the expense of AOL’s security.

According to the Observer.net report, the chasm of the security breach is at AOL’s Customer Relations Information System. CRIS is the user interface to the main AOL database that manages all member accounts, information and other related data.

AOL employees who need to access information use CRIS to determine a member’s last login date, type of software used on the last login, account status, account type, pricing and contact information. The database also reveals a member’s full name, address, phone number, and all screen names and passwords connected with the account.

While the level of database access granted to customer care consultants and support technicians varies, AOL limits full access to CRIS to only a few hundred employees.

After AOL’s network security was compromised in 1995, the largest online service provider in the nation implemented a new policy designed to limit access to CRIS. Only employees accessing the database from inside its campus could be logged onto the internal office network; remote access was banished.

“Retired” managed to access the supposedly secure customer database by creating a redirect program through the Transmission Control Protocol.

AOL’s firewalls naturally block incoming TCP connection attempts, but hackers can readily send a “trojan” program to an internal AOL server. Like the mythical “Trojan Horse,” the program conceals the hacker’s external access by acting like a client that is connecting to a local host server.

By editing a TCP.CCL file to connect to the localhost, the port identifying the hacker’s computer is sent to an internal AOL “trojaned” computer, which appears to be a completely legitimate internal connection to AOL operations and the CRIS database.

The hacking method only works over a cable modem. After a TCP.CCL is edited, it can connect and send commands through the cable modem, just like AOL would send commands internally through a workstation. In order to complete the access, AOL staffers must unwittingly download the fixed files onto local computers inside the network.

Observers.net contends that AOL could readily scan and disable both “trojan” and viral attempts to access its networks. Observers.net further condemned AOL, because it has had ample time to get a security fix built-in to its networks.
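The article’s point is that the “trojaned” internal machine only looks like a legitimate internal connection from the inside; at the perimeter it is still an internal host opening an outbound session to an external address the staff have no business reaching. The following is an added illustration of that egress check, not code from the article or from AOL: it parses constructed connection-log lines (all addresses, ranges and ports are hypothetical) and reports internal hosts whose outbound TCP sessions fall outside an allowlist.

```python
import ipaddress
from collections import defaultdict

# Hypothetical internal address space (not from the article).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Hypothetical egress allowlist: (destination network, port) pairs that
# internal workstations are expected to reach. Anything else is reported.
EGRESS_ALLOW = [
    (ipaddress.ip_network("0.0.0.0/0"), 80),
    (ipaddress.ip_network("0.0.0.0/0"), 443),
    (ipaddress.ip_network("198.51.100.0/24"), 25),  # constructed mail relay
]

# Constructed sample log: one TCP session per line seen at the perimeter,
# formatted as "timestamp source destination destination-port".
SAMPLE_LOG = """\
2000-06-17T02:14:05 10.20.3.17 203.0.113.9 80
2000-06-17T02:14:09 10.20.3.17 203.0.113.9 443
2000-06-17T02:15:41 10.20.3.44 198.51.100.7 25
2000-06-17T02:16:02 10.20.3.17 192.0.2.55 31337
2000-06-17T02:16:03 10.20.3.17 192.0.2.55 31337
2000-06-17T02:17:10 10.20.3.91 10.20.7.2 1433
"""

def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)

def allowed(dst, port):
    return any(dst in net and port == p for net, p in EGRESS_ALLOW)

def find_unexpected_egress(log_text):
    """Return {(src, dst, port): count} for internal hosts that opened
    outbound TCP sessions to external addresses outside the allowlist."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, port = line.split()
        src, dst, port = ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)
        # Only sessions that cross the perimeter from the inside out matter here;
        # internal-to-internal traffic is left to host-level monitoring.
        if not is_internal(src) or is_internal(dst):
            continue
        if not allowed(dst, port):
            hits[(str(src), str(dst), port)] += 1
    return dict(hits)

if __name__ == "__main__":
    for (src, dst, port), n in find_unexpected_egress(SAMPLE_LOG).items():
        print(f"unexpected outbound session {src} -> {dst}:{port} ({n}x)")
```

On the sample, only the two sessions from 10.20.3.17 to 192.0.2.55 on port 31337 are reported; the web, mail-relay and internal database sessions pass.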

Last year, AOL had Jay Satiro arrested for using a “trojan” hacking program to prove to the online giant how easy it was to access its networks.

At the time AOL informed its members that privacy and account security is of utmost importance to the firm and that its billing information is stored on a different computer, separated from servers that operate its online access connections.

From its base operations in Colorado, YTCracker Labs makes a point of defacing public, private, and institutional networks that don’t lift a finger to keep violators out of their systems.

Orchestrated by a 17-year-old benevolent hacker, “YTCracker” has a court date looming in his near future for defacing the City of Colorado Springs Web site in December 1999 when he publicized its security flaws.

YTCracker, who wrote the Observers.net bulletin, said AOL’s latest network compromise is a huge security lapse that the company could quickly remedy.

“This is really big because the guy gained access to development libraries and access to a lot of things,” he said. “AOL’s thinking that their firewall is impenetrable. Network operations and security needs to look at it a little more objectively to see how they can manage internal security and not just worry about external issues.”

YTCracker added that companies and institutions can take action to stop the security breaches in their tracks, but few seem to take security seriously.

“This idea is not only restricted to AOL, but to any corporate Intranet or government network,” he said. “Their systems are also at risk through similar programs, using like methodology.

“Intrusion detection systems are able to pick this up to stop complete access behind a firewall. If a company is set up right, it’s not a problem,” he added. “I think AOL has gotten cocky about their security.”

Consistent with past security breaches, AOL has not commented on the latest violation while the Web crime is under investigation.


1 Comment

  1. -shed

    I miss the golden days

    hit me up fb.com/causemichiphop
