Telecom and Logistics Associates 


Publication: Christian ALT


TLAnews: Security News Service

19.6.2000 Security: AOL security breach exposes personal info
America Online has confirmed that hackers have illegally compromised an undisclosed number of its member accounts by targeting key company employees with an email virus.

French version (translated): AOL security breach exposes personal data
America Online has confirmed that hackers illegally compromised an undisclosed number of its members' accounts by sending a virus by email to key company employees.

English version
AOL spokesman Rich D'Amato said the perpetrators gained access to the accounts when unsuspecting AOL staff downloaded virus-infected email attachments. But he declined to comment on how many accounts were affected or what kind of information was accessed by the perpetrators. The attacks targeted employees authorized to review and edit account data, including credit card information and passwords.

The break-ins were first discovered by two AOL insider Web sites, Observers.net and Inside AOL.

The online service has begun investigating the attacks; it plans to hand its findings to law enforcement agencies.

According to the publications, the perpetrators targeted AOL customer service representatives who have access to the company's main member database, dubbed CRIS (Customer Relations Information System). The targeted employees have the authority to bump people off their accounts and reset their passwords. The employees also had access to personal and billing information.

The perpetrators sent emails containing a malicious attachment known as a Trojan horse.

Summary (translated from the French)
AOL spokesman Rich D'Amato said that hackers gained access to personal information when AOL staff opened files received by email. However, he gave no information on the number of accounts compromised or on the type of information obtained. The targets of these attacks were employees authorized to enter and modify the personal data of AOL customers, such as passwords and credit card numbers.

It was a Trojan technique: when the malicious file was opened, the employee's computer established a direct connection to the attacker's, which gave the attacker direct access to CRIS (Customer Relations Information System).

Following this incident, AOL took additional security measures. This incident illustrates how ingenious penetrations succeed despite the presence of a firewall and anti-virus software.

In many companies we observe very good security measures with firewalls and anti-virus software, but very weak protection measures for internal systems and for remote access once it has been authorized into the internal network.

This case should give more than one IT and security manager pause for thought.

English version (continued)
When a victim opens the email and downloads the attachment, it automatically establishes a connection between the employee's computer and the sender's. Once the sender is connected, he or she can access areas within AOL such as CRIS that are normally restricted to authorized employees.

AOL customarily warns employees and members never to download attachments from strangers, and scans incoming email for possible viruses.

AOL, the largest Internet service provider with 23 million paid subscribers, is targeted frequently by crackers. In some cases they have gained unauthorized access to accounts by convincing AOL employees to provide restricted information.

How it happened (extract from http://www.observers.net)

Between about three people with access to the internal network, 500 screen names were CRIS'd. Is this a crime? No. The faults in the network and the methods used for breaching were not put in place by any destructive means. What scares me, however, is the ease with which it was done. Quite ingenious, actually.

As many know, since 1995 access to CRIS has been restricted to those behind the AOL LAN firewall. The revered ability to hack CRIS was dismissed as a myth. Many technologies like SecureID and Defender Key were implemented to make any breach of AOL seemingly impossible.

One of my mottos has always been "As long as there are people behind the keyboard, computers will never be secure." The majority of these inexperienced teens working for minimum wage in AOL's call centers probably aren't the most equipped to deal with e-mails containing attachments that harbor crafty programs. AOL assumes it is secure from attacks because of features listed in the previous paragraph and therefore pays no attention to the caliber of employees they are hiring.

AOL sacrificed a great deal of security for convenience. On the internal network, SecureID challenges are not in place. By being on the internal network, the SecureID challenge is ignored, allowing anyone with remote access to the intranet to sign on to bound accounts with no questions asked.

If I had to count the amount of "starrpw" and "siterep" accounts I've come across in my AOL experiences, I'd need an IRS adding machine. These accounts are useless to any casual aohax0r and consequently are given away as vanity accounts so the recipients can say, (sic) "Yea, I got a sid int dawg what u bout." In the hands of someone with internal access, it is a dangerous weapon of CRIS proportions.

The technical aspects of this exploit were revealed to inside-aol.com and Observers.net staff or affiliated acquaintances. This technology has been implemented before and simply not explained in great detail. I'll explain it in layman's terms.

AOL utilizes various departments to handle their workload. These departments are staffed by simple people just doing a job answering calls and negotiating users. The accounts used in these departments are special. For instance, members of the Community Action Team (CAT) have the ability to reset passwords and bump users offline. To do this, they use the Customer Relations Information System (CRIS).

After about an hour of social engineering one of these accounts (called "in-house"), you pass them a carefully crafted trojan horse, saying it is a picture of your car that you're selling. They view it and the fun begins.

Because the firewall restricts inbound TCP/UDP access, the trojan needs to connect (outbound) to a machine. This can either be a relay server acting as an intermediary proxy, negotiating the connection for you, or your own PC. The other trick is to bind the trojan to port 5192 on AOL's logon address (americaonline.aol.com) so as to not interfere with the employee's connection.

Once the connection is made, you simply log on through yourself or a relay as you would AOL by altering the tcp.ccl/csl file in the AOL directory on your local machine to connect to your target.

Point AOL toward keyword CRIS. Click "I Accept" and watch the fireworks.

How AOL reacted to its employees

Important: SecurID Update
We are taking additional steps to add security! This coming Tuesday, 6/20, we are changing our SecurID policy. As of Tuesday morning (6/20), all call center employee accounts will be "bound on-campus." This means you'll need your SecurID to access your account not only at home, but also at work.

Please be sure you have your SecurID with you when you arrive at work Tuesday morning. You do not need to take any action to bind your SecurID on campus; we are using an automated process to ensure your screen is bound on-campus and off.

Note: A SecurID is attached to your internal account and secures ALL screen names on that account. Remember, AOL policy states that only you can use screen names on your internal account. If you currently allow family members to use a screen name on your internal account, you must immediately create a new screen name (on another account.)
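The access-control gap the extract describes (the SecurID challenge skipped for any session that appears to come from the internal network) and the memo's "bound on-campus" fix, modelled as two authorization rules. This is an added illustration, not AOL's code nor code from Observers.net; the account names, the Session fields and both policy functions are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """One logon attempt as the authorization layer sees it (constructed model)."""
    account: str
    password_ok: bool
    token_ok: bool   # was a valid SecurID one-time code presented?
    origin: str      # "internal" = arrived via the AOL LAN, "external" = remote


# Constructed account table: which internal accounts have a SecurID bound to
# them and which belong to call-center staff. Names are placeholders.
ACCOUNTS = {
    "cat-agent-01": {"bound": True, "call_center": True},
    "cat-agent-02": {"bound": False, "call_center": True},  # never bound
    "analyst-07": {"bound": True, "call_center": False},
}


def weak_policy(s: Session) -> bool:
    """Pre-incident rule from the extract: the SecurID challenge is applied
    only to sessions that do NOT arrive from the internal network."""
    if not s.password_ok or s.account not in ACCOUNTS:
        return False
    if s.origin == "internal":
        return True                      # challenge skipped on the LAN
    if ACCOUNTS[s.account]["bound"]:
        return s.token_ok
    return True


def bound_on_campus_policy(s: Session) -> bool:
    """Post-incident rule from the memo: every call-center account is bound,
    and a bound account must present its token on and off campus."""
    if not s.password_ok or s.account not in ACCOUNTS:
        return False
    acct = ACCOUNTS[s.account]
    if acct["bound"] or acct["call_center"]:
        return s.token_ok                # network origin is not a trust signal
    return True


def compare(s: Session) -> dict:
    """Evaluate one session under both policies for side-by-side review."""
    return {"weak": weak_policy(s), "bound_on_campus": bound_on_campus_policy(s)}


# A logon relayed through a compromised employee workstation: right password,
# no token, and, from the LAN's point of view, an internal origin.
RELAYED = Session("cat-agent-02", password_ok=True, token_ok=False, origin="internal")
```

Running `compare(RELAYED)` shows the weak rule admitting the relayed session on the password alone, while the bound-on-campus rule refuses it.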

Additional information may be found at: http://www.observers.net/securecris.html
Copyright © [Telecom and Logistics Associates Sàrl]. All rights reserved.
Revised: June 26, 2000.

All information provided is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the facts of the particular situation.