|
Who's Online? |
There are currently, 43 guest(s) and 0 member(s) that are online.
You are Anonymous user. You can register for free by clicking here |
|
|
Quotable Quotes™ |
"I'm so fucking gay" --a2n3d7y |
|
|
|
AOL Security Defeated by 14 Year-old |
Posted on Wednesday, March 26 @ 19:53:33 GMT by just_dave
|
>http://www.geocities.com/sunsetstrip/palms/7416/kill_aol.jpg
It turns out anyone with a telephone and some clever voice acting can access anyone's AOL account.
Taken from
Using a combination of trade tricks and clever programming, hackers have thoroughly compromised security at America Online, potentially exposing the personal information of AOL's 35 million users.
The most recent exploit, launched last week, gave a hacker full access to Merlin, AOL's latest customer database application. As a security measure, Merlin runs only on AOL's internal network, but savvy hackers have found a way to break in.
The hack involves tricking an AOL employee into accepting a file using Instant Messenger or uploading a Trojan horse to an AOL file library. When the file is executed, the Trojan horse connects the user who launched it to an Internet relay chat server, which the hacker can use to issue commands on the targeted machine. This allows the hacker to enter the internal AOL network and the Merlin application.
Merlin requires a user ID, two passwords and a SecurID code, all of which hackers obtain by spamming the AOL employee database with phony security updates, through online password trades, or by "social engineering" attacks over IM or the telephone.
The hacker who first used this exploit is said to be a 14-year-old boy. (He could not be reached for comment.)
Another recent exploit reportedly allowed anyone to log in to any account with a password, using a hole in AOL's Japanese Webmail portal. That flaw has since been repaired.
Yet another hole has allowed hackers to steal AOL Instant Messenger screen names, even those of AOL staff members and executives.
Most at risk are screen names that hackers covet, like Graffiti, or single-word names like Steve. Also at risk are internal AOL accounts like TOSGeneral, which is used to monitor abuse reports.
While many of these hacks utilize programming bugs, most hackers are finding it far easier and quicker to get access or information simply by calling the company on the phone.
These so-called social engineering tactics involve calling AOL customer support centers and simply asking to have a given user's password reset. Logging in with the new password gives the intruder full access to the account.
In a telephone interview, two hackers using the handles Dan and Cam0 explained that security measures (such as verifying the last four digits of a credit card number) can be bypassed by mumbling.
A third hacker, using the name hakrobatik, confirmed the mumbling method.
"I kept calling and pretending I just had jaw surgery and mumbling gibberish," hakrobatik said. "At first I had no info except the screen name, then I called and got the first name and last name by saying, 'Could you repeat what I just said?' Then each time that I got information I called back making the real information understandable, and everything else I just mumbled."
In the end, hakrobatik said, service reps he talked to got so frustrated having to ask him to repeat information that they'd give up and reset the password. Hakrobatik later proved he could compromise any AOL account armed only with its screen name.
Typically, hackers target reps at offshore call centers in India or Mexico, who they claim are less savvy and have far less training than American service agents.
"You can basically get any account information from AOL by just calling and pestering," hakrobatik said.
At least one rep was susceptible to the proverbial oldest trick in the book. Cam0 said he masqueraded as "a teenage girl" to win favors from a smitten AOL employee after engaging in flirtatious chat sessions and sending phony photographs. Some hackers also pose as internal AOL Operations Security staff to wheedle information. And hackers claim disgruntled AOL employees freely provide account information and favors to friends on the outside.
Of the latest AOL attacks, Adrian Lamo, renowned hacker and founder of disbanded watchdog site Inside-AOL, said: "It's unprecedented in the history of AOL. AOL employee education is centered around fake online communication. There's very little effort to guard against voice scams."
Why hasn't AOL let users know about the site's rampant security problems? "Every now and then something flashy happens, but AOL keeps it quiet pretty effectively," Lamo said.
The reason, Lamo said, is that AOL rarely prosecutes hackers.
"They tend to employ technical countermeasures and otherwise ignore intruders," he said. "There's an oft-stated perception that no one has ever been busted for hacking an AOL account."
AOL did not return repeated calls requesting comment for this story.
"You see all those commercials saying AOL 8.0 is so secure," said Dan. "If people knew how insecure their data was they probably wouldn't use it."
|
|
| |
| |
|
Article Rating |
Average Score: 0
Votes: 5
|
|
|
| "Login" | Login/Create an Account | 8 comments |
|
| | The comments are owned by the poster. We aren't responsible for their content. |
|
|
[ No Comments Allowed for Anonymous, please register ]
shelley (Score: 1)
by vacheron on Wednesday, October 13 @ 10:16:07 BST
(User Info | Send a Message) | | nd diamonds paved dial while the other featuring black sapphires on its bezel These two versions are available on a black rubber leather strap and gluchant strap replica watches adorned with precious stones ugg boots breitling watches Even though the designers from Rolex have aimed at recreating the fanciest design possible wholesale replica rolex one of the strong points of this nicely looking Rolex Datejust Royal Black Watch is represented by its technical performance The mechanism equipping this watch was COSC certified and goes by the name of Rolex Calibre gmt master ii being a self-winding movement able to offer hours of power reserve along with meters water resistance Apart from the traditional funct |
[ No Comments Allowed for Anonymous, please register ]
[ No Comments Allowed for Anonymous, please register ]
[ No Comments Allowed for Anonymous, please register ]
bell (Score: 1)
by vacheron on Monday, November 01 @ 22:18:24 GMT
(User Info | Send a Message) | | s publishes the luxury watch review site aBlogtoRead Jaeger LeCoultre is presenting this Grande Reverso Duodate as a classic use of the Reverso case On one side of the JLC is guilloche engraved silvered dial with the time subsidiary seconds dial replica omega watches and a large open date display not a fan of these panoramic open date windows and look forward to this trend ending soon replics cartier Overall new Tag sea dweller replica watches this side of the watch is attractive but nothing special Reverse the case with a flip as is iconic of this line and you get another watch face in black wit |
[ No Comments Allowed for Anonymous, please register ]
[ No Comments Allowed for Anonymous, please register ]
[ No Comments Allowed for Anonymous, please register ]
Re: AOL Security Defeated by 14 Year-old (Score: 1)
by tina on Thursday, September 22 @ 04:43:40 BST
(User Info | Send a Message) | There are so many different kinds of bags in Longchamp. Longchamp bags - The women's fashion bags on longchamp outlet. This is where to look for your style, and spread one's individuality. In particular,Longchamp le pliage is very popular with yong ladies. It is designed by Mario Sorrenti. If you want to own unqie one, please contact us. Thanks!
|
[ No Comments Allowed for Anonymous, please register ]
|
