AOL Security Compromised After Upgrade
Less than one week after it rolled out version 7.0 of its flagship software amid pomp and circumstance, America Online experienced an embarrassing lapse in security. Through relatively simple means, hackers managed to obtain access to 'Rainman', a major content server for the online service. Rainman granted the hackers an all-access pass to create and edit content to their own liking, which in turn was featured at three unique AOL keywords for nearly 12 hours, according to reports received from the alleged hackers.
The defaced pages remained accessible to over 30 million subscribers for a prolonged period of time in place of what would ordinarily be considered universally trusted subject matter. The breakdown of its security measures left AOL Time Warner vulnerable to being an unwitting participant in the subversion of information at a time when world events dictate the need for reliable media resources.
BetaNews obtained word of the incident late last night when anonymous sources provided screenshots of the keywords: EIU, JOC, and ECONOMIST. Shortly thereafter, BetaNews confirmed that each had been vandalized. Keywords are shortcuts that take AOL users to online content hosted on the company’s own servers.
Further investigation revealed postings to online bulletin boards regarding the incident. According to WhiteHat Security CEO and founder Jeremiah Grossman, 'site' hackers often accumulate cracked accounts. One such account obtained by the hackers had Rainman overhead -- meaning it had the ability to edit associated content. Once logged in, all that was needed for editing rights was a group ID and password. Group IDs are exposed in a URL when an attempt is made to access Rainman, making the password the only roadblock to unfettered access.
Apparently, when a hacker was signed into the compromised account, an AOL employee sent an instant message mistaking the individual for a co-worker. With sleight of hand and some misdirection, the AOL employee offered up the password to Rainman, as well as the password to his wife's account. In each instance, the login for the AOL account itself was identical to the Rainman password.
The alleged hacker summed up the experience in a bulletin board posting. "I hopped on it the other day and got a message from a coworker telling me about how he uploaded the new version of the economist and found out that he also used 'my' account. To make a long story short...I told him I was locked out of my account and he gave up the password. The next day I figured I could extort the rainman password out of him and I later found out...He also gave me the rainman password for his wifes account who also has rights to those keywords. It turned out that her logon password was also the same as here Rainman password but was bound to a Securid key." (sic)
Reports indicate that a brute-force-style program dubbed "Rainstorm" may have been used in the attack as well. However, all indications BetaNews has received point to human error as the principal and deciding factor.
According to Grossman, "AOL and its staff require increased enforcement of security guidelines and policies when it comes to user account security. Whether it be an internal AOL account or a user account. These types of employee disclosure incidents should be allowed to take place. If employee accounts can be compromised through such modest means, what assurances do normal users have that they won't be targeted next?"
He continued, "Apparently, AOL account passwords, whether belonging to employees and/or users need stricter requirements. Requirements such as password length and sophistication have been implemented in security for quite some time. It's clear AOL has a big job and should be doing a better job in protecting accounts from this style of attack," said Grossman.
Despite repeated attempts to notify AOL and obtain comment, AOL did not respond by press time.