[iwar] [fc:Presidential.adviser.calls.for.cyberspace.defense]

From: Fred Cohen (fc@all.net)
Date: 2002-03-01 08:00:26


Return-Path: <sentto-279987-4548-1014998403-fc=all.net@returns.groups.yahoo.com>
Delivered-To: fc@all.net
Received: from 204.181.12.215 [204.181.12.215] by localhost with POP3 (fetchmail-5.7.4) for fc@localhost (single-drop); Fri, 01 Mar 2002 08:01:08 -0800 (PST)
Received: (qmail 3547 invoked by uid 510); 1 Mar 2002 15:59:55 -0000
Received: from n13.groups.yahoo.com (216.115.96.63) by all.net with SMTP; 1 Mar 2002 15:59:55 -0000
X-eGroups-Return: sentto-279987-4548-1014998403-fc=all.net@returns.groups.yahoo.com
Received: from [216.115.97.165] by n13.groups.yahoo.com with NNFMP; 01 Mar 2002 15:40:20 -0000
X-Sender: fc@red.all.net
X-Apparently-To: iwar@onelist.com
Received: (EGP: unknown); 1 Mar 2002 16:00:03 -0000
Received: (qmail 90136 invoked from network); 1 Mar 2002 16:00:03 -0000
Received: from unknown (216.115.97.172) by m11.grp.snv.yahoo.com with QMQP; 1 Mar 2002 16:00:03 -0000
Received: from unknown (HELO red.all.net) (12.232.72.152) by mta2.grp.snv.yahoo.com with SMTP; 1 Mar 2002 16:00:03 -0000
Received: (from fc@localhost) by red.all.net (8.11.2/8.11.2) id g21G0QN01015 for iwar@onelist.com; Fri, 1 Mar 2002 08:00:26 -0800
Message-Id: <200203011600.g21G0QN01015@red.all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Organization: I'm not allowed to say
X-Mailer: don't even ask
X-Mailer: ELM [version 2.5 PL3]
From: Fred Cohen <fc@all.net>
X-Yahoo-Profile: fcallnet
Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com
Delivered-To: mailing list iwar@yahoogroups.com
Precedence: bulk
List-Unsubscribe: <mailto:iwar-unsubscribe@yahoogroups.com>
Date: Fri, 1 Mar 2002 08:00:26 -0800 (PST)
Subject: [iwar] [fc:Presidential.adviser.calls.for.cyberspace.defense]
Reply-To: iwar@yahoogroups.com
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

Presidential adviser calls for cyberspace defense

By Michelle Delio, IT World.com, 2/28/02
http://www.wired.com/news/business/0,1367,50697,00.html

America Online users, you have unwanted packages -- due either to the
activities of malicious hackers, aggressive pop-up ads or a sudden
widespread epidemic of shopping amnesia.

AOL has billed thousands of its users for products presented in pop-up
ads after users clicked a "no thanks" button to refuse the offer,
according to a lawsuit filed last week in U.S. District Court in San
Francisco. The charges were made public late Monday.

AOL steadfastly maintains there are no glitches in its shopping system
that could have resulted in the erroneous charges and shipments. Users
insist that they did not mistakenly click "Yes" when they meant to click
"No." So who made the purchases?

A group of hackers who focus on finding security holes in AOL's systems
contend the most likely culprits are a bunch of bored kids who hacked
into AOL accounts, perhaps with the assistance of disgruntled AOL
employees.

Members of this group recently reported two major security holes in
AOL's Instant Messenger program.

Although it's far from certain that kid-crackers are to blame for the
shopping sprees cited in the lawsuit, it's possible that once a cracker
has a user's screen name and password, he can log on as the account user
and order merchandise through AOL's shopping service.  Products ordered
through the service are automatically charged to the account holder's
credit or debit card.

These hackers say AOL passwords are remarkably easy to come by, claiming
that they sometimes gain access to accounts with the aid of AOL
employees who provide information in exchange for a share of the spoils.

"One guy in AOL's Operations Security told me if I used a hacked account
to get his girlfriend a $700 necklace from Barneys Online he would get
me access to six more accounts," a hacker known as Flyman said. "What it
comes down to is that AOL's biggest security risk is corrupt employees
who will straight up give away info for a price."

But the easiest way to crack an account is by using a password generator
that matches a password to an AOL screen name, hackers say.

"If a password is an actual word, not a healthy mixture of upper and
lower case characters with numbers and even some symbols, it's trivial
to figure out the password using one of the hundreds of AOL password
crackers and password stealers lurking around on the Internet," said a
white-hat hacker known as Mancow.

"AOL doesn't want to burden their users by making their password system
too complicated for John Q. Public, but by refusing to force users to
use strong passwords they have left an important aspect of security
solely in the hands of a possibly clueless consumer," Mancow added. "If
AOL wants to allow users to use simple passwords, the service should
then find some way to verify a user's identity before allowing products
to be charged to the credit card associated with the account."
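The two quotes above describe the weakness (a password that is a plain dictionary word, possibly with a few digits tacked on) and the fix the hackers say AOL declined to impose (a mandatory complexity check at password-set time). The following is an added illustration, not code from the article or from AOL, of what such a server-side policy check looks like. The wordlist, the minimum length and the function names are constructed for this example; a real deployment would load a full blocklist of leaked and dictionary passwords.

```python
import re
import string

# Constructed sample of dictionary words for the example; a real check would
# load a large blocklist (one lowercase word per line is assumed).
SAMPLE_DICTIONARY = {"password", "letmein", "sunshine", "dragon", "necklace", "welcome"}

MIN_LENGTH = 8  # constructed policy value for the example


def password_weaknesses(password, dictionary=SAMPLE_DICTIONARY, min_length=MIN_LENGTH):
    """Return the list of policy rules the password fails (empty list = acceptable).

    Mirrors the advice in the article: reject an actual word, and require a
    mixture of upper and lower case letters, digits and symbols.
    """
    reasons = []

    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")

    # Strip digits and symbols before the dictionary lookup so that the common
    # "word + a few digits + !" padding pattern is still recognised as a word;
    # that padding is among the first things a rule-based guesser tries.
    core = re.sub(r"[^A-Za-z]", "", password).lower()
    if core in dictionary:
        reasons.append("based on a dictionary word")

    if not any(c.islower() for c in password):
        reasons.append("no lowercase letters")
    if not any(c.isupper() for c in password):
        reasons.append("no uppercase letters")
    if not any(c.isdigit() for c in password):
        reasons.append("no digits")
    if not any(c in string.punctuation for c in password):
        reasons.append("no symbols")

    return reasons


def is_strong(password, **policy):
    """True when the password passes every rule in password_weaknesses()."""
    return not password_weaknesses(password, **policy)


if __name__ == "__main__":
    # Constructed sample passwords: the kind the article calls trivial, a
    # padded dictionary word, and one that passes the policy.
    for candidate in ("necklace", "Dragon99!", "xK4#qv9!Lp2"):
        verdict = password_weaknesses(candidate)
        print(f"{candidate!r}: {'OK' if not verdict else ', '.join(verdict)}")
```

The check runs where the password is set, so the burden the second quote complains about moves from the consumer to the service. Composition rules of this kind reflect the 2002 advice quoted here; current guidance (NIST SP 800-63B) puts more weight on length and on rejecting passwords that appear in breach and dictionary lists than on mandatory character classes, which the dictionary lookup above already covers in miniature.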

AOL spokesman Nicholas Graham declined to comment on any specific
allegations, but agreed it was possible that unauthorized charges for
merchandise could be the work of malicious hackers. AOL will investigate
the possibility, Graham said.

Meanwhile, Graham suggested that AOL users visit the service's
Neighborhood Watch section for security tips.

"Our members have the responsibility to make sure that their passwords
and accounts are secure," Graham said.

"It certainly seems logical that the problem is more likely to have been
caused by hackers, or confused AOL users who perhaps pushed 'Yes,
please' instead of 'No, thanks,' than by a glitch in AOL's shopping
system," said Nathan Cohen, an attorney who specializes in Internet law.
"AOL has about 30 million users now. If there was a glitch, it should
have affected more than the 'thousands' of users that the court case
cites. A glitch should have affected millions of people."

"I can't help but think this is the 2002 version of the old stunt of
sending a dozen pizzas to someone who pissed you off," Cohen added.

AOL hackers admit their more malicious brethren crack accounts because
they are angry at the owner of the account. Once they have access to the
account they typically change the password, "muck around with e-mail and
order stuff," Flyman said.

Sometimes the cracks are random: People with short or "cool" screen
names are also prime targets, according to the hackers.

"Ninety percent of the account hacks that some people do is because they
see a cool screen name and they want to use it," said Solitude, another
hacker.

The warning signs of account intrusion include e-mail that has been
marked as read or deleted that users know they haven't seen, as well as
a sudden spike in account activity, say the hackers.

They also advise users to disable any unused sub-accounts. AOL members
can have six screen names per account, and hackers say seldom-used
screen names are ripe for exploitation.

Cohen said AOL would not likely be held responsible for the types of
security breaches outlined by the hackers.

"AOL is following the practices that are standard in the industry,"
Cohen said. "I don't know of any commercial service that forces users to
use secure passwords. While you could rightfully argue that the policies
should be changed, I don't see any evidence of negligence."

But should the court find AOL responsible for the fraudulent billing,
the company would be "in a world of trouble," criminal attorney Frank
Anderson said.

"I expect that they'd much rather find out that hackers are rampaging
through their system than to face charges that a bug in their software
is spontaneously billing customers for things they did not order,"
Anderson said. "But the best outcome of all for AOL would be to discover
that they have a bunch of amnesiac shopaholic users."


------------------
http://all.net/ 




This archive was generated by hypermail 2.1.2 : 2002-12-31 02:15:04 PST