Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
America Online

Password Thief Ransacks AOL 149

NoWhere Man writes "Just surfed into Wired and read an article about a theif using email to get AOL passwords. Using OperaMail and a program similar to those used to hack ICQ, the sender can get the password to anyone's account on AOL; all the user has to do is open the email. " You've Got A Password! (Done in sing-song voice).
This discussion has been archived. No new comments can be posted.

Password Thief Ransacks AOL

Comments Filter:
  • PORNO SPAM!!!! Once the average 14 year-old cracker gets a new ISP so that (s)he can gain some sort of status with funky ASCII characters instead of letters, they realize that real ISPs BLOCK Spam (or try thier darnedest). Unwilling to socially interact and find a real significant other, they need access to the latest greatest porno spam, fueled by a desire for more "creative" uses of the word cum instead of come. The solution? Gain access to the greatest repository for porno links in the world . . . AOL accounts!

    Not to sound bitter or anything. I rarely leave the house myself ;-) But certain things I've grown out of . . .
  • I don't know what the brouhaha is all about. People have been doing this for *years* now, using hotmail and juno and the like. And everytime aol upgrades or patches to stop these "pass word stealers" someone vb programmer finds a way around it, and immediatly hundreds of people have access to it. By the very nature of it, you have to give people the file for it to work. Then anybody can simply hex their email address in place of the original. I guess someone finally noticed.
  • Why? It's just users opening attachments from people they don't know. Nothing spectacular...

  • I agree - this is not an issue. The same thing can happen with any other Windows user, regardless of whether he/she is using AOL or another ISP. Countless non-AOL users have accidentally installed Back Orifice on themselves, which leaves them open to anybody getting their ISP password.

    I don't see why this is a Slashdot story - it's happened many times before and it's not anything particularly restricted to AOL.

    On top of that, the slashdot story is just plain wrong. The user does not just have to open his email. He must open it, download the executable, and run the executable. Big difference.
  • you can only do javascript if you use a lame mail reader that supports HTML mail!
  • I used to run the internal systems for one of their web sites. And while I was pretty suspicious then the tech support guys in Virginia said "If you get e-mail with an attachment from someone you don't know, don't open it -- delete it immediately," I've seen people get their passwords stolen just by reading AOL mail.

    ---
    Consult, v. t. To seek another's approval of a course already decided on.
  • This thread is already a day old (slashdot effect #2: discussions die in 24 hours), but what the hell.

    Trick wrote:

    >Unfortunately, with AOL, this is not true (and >I'm not just talking out of my ass here --

    Maybe not, but you're definitely wrong.

    There is no scripting capability in AOL mail. It doesn't support VBScript, JavaScript, ActiveX, anything. It's pure text, with a small bit of pseudo-HTML mixed in for fonting.


    There's no way to get a virus/trojan without actually downloading the attachment - and, as mentioned, we put up a big splash screen before you download telling you all about the nasty things people will try to send you.

    As for passwords, as of 4.0 (July 1998), we don't store them in the clear, nor do we transmit them in the clear. The vast majority of users are now on 4.0. However, I believe most of the modern trojans will capture live keystrokes straight out of the keyboard driver.

    And then there are the "click here for our new NetMail web page that requires you to enter your password" scams...

    Jay Levitt
    Chief Architect, Mail Systems
    AOL
  • Well, Jay -- you might want to pass that on to the people answering the phones for support in Vienna. I've asked them, very directly, if such a thing could happen -- and I've received a very definite "yes."

    ---
    Consult, v. t. To seek another's approval of a course already decided on.
  • Well, I never said government intervention either, did I? I think it is an error to assume that "Big Brother" like tactics are only applicable to government agencies. I believe that it is just as a horrible idea to have a community belief that results in Big Brother like monitoring by other community members, whether they are government officials or not.

    I don't believe it is in the best interest of society to hold ISP's responsible for the actions of their customers. Sure, if the Internet self-regulating community makes an ISP aware of abuse by one of it's customers then it should take immediate action, although allowing for a rebuttal to prevent against actions against innocent victims of falsely reported misconduct. I think almost everyone agrees with this. I don't think that anyone expects ISP's to have a "hands off" policy even when they are notified and shown "evidence" from the community that someone is using their service unethically and in contradiction to their policies. I believe that ISP's should even cooperate with investigators if it is shown that the acts of one of their customers is or could be illegal. Certainly they should comply with any court orders demanding the turnover of any logs or records of the customer's actions.

    This, however, is MUCH different than saying that ISP's should monitor each and every transaction that it's members have on-line, and that failure to do so is unethical. That would mean that ISP's would have to install monitoring equipment to check each and every email, web post, and usenet message sent by all of their customers for specific things. Someone would have to review the flagged messages and make a decision whether to turn over the "evidence" to authorities, terminate the users contract, or let it pass. How else are ISP's supposed to be "ethical" by making sure their customers are not using their free services for unethical and immoral things (such as child pornagraphy), which according to you is their moral and ethical obligation. Yes, ISP's can install software or design their system so that use of "free" services is easily trackable to someone who actually pays the phone bills -- much like HotMail records the IP address of users who send mail, which should be trackable by the ISP as to who was assigned that IP address at a particular date and time. Having these tracking mechanisms in place is not the same as saying that ISP's are ethically responsible to ensure that their customers are acting in an ethical and moral manner. I support, and I would guess that most others support, the "tracking" of messages like this. Unfortunately, I may differ in that I don't support the "release" of this information unless sufficient evidence is provided to indicate that the person being tracked has committed an illegal act or an act that is against the use policy for the ISP.

    So, may be our views are more similar thay you think. I disagree in your terminology, however, that ISP's are acting "unethical" or "immoral" if they provide for free services that they don't monitor to assure compliance with the law, their fair use policy, or common decency. I think it is enough to "cover their but" legally, morally, and ethically, to ensure that proper tracking mechanisms are in place so that people who break the law, their fair use contract, or common decency can be tracked.

    I don't want to live in a police state whether enforced by actual government authorities or by my fellow citizens. I sincerely doubt that you do either, so there has to be some misunderstanding...




  • by jflynn ( 61543 ) on Tuesday October 12, 1999 @04:21AM (#1621558)
    If I read the article right, the problem is that AOL users are opening an executable attachment to an e-mail. Sorry, but there is no way in the world to protect against this. People often say it doesn't matter on a Linux system since only user files can be affected, but this is little comfort to me. I can easily re-install a broken system. Protecting the user data I've created since last backup is far more important to me.

    Users seem to be requesting that AOL identify all possible malicious attachments and install virus checking software that will identify them. AOL is quite right in saying this is hopeless. The only solution presently is for AOL users to grow a brain (after the appropriate education) and refuse to open attachments they did not solicit.

    It would be nice if attachments could run/open on a VMWare virtual machine or something like it created specifically for the purpose, with monitors for suspicious activity. If the virtual machine gets destroyed, no biggee. Delete it and create it again. I doubt this is practical at the consumer level now however.

    No, I have to agree with AOL that this problem is between keyboard and chair.

    There have been far more serious security problems in the Microsoft world of late that would destroy a system on merely opening a mail or viewing a web page. These are real holes that need fixing, or better, making impossible.

    I have never used HTML mail, and I wish no one would. Almost all of it I get is spam anyway. The internet was designed around text for a good reason, and even though HTML is text, any language that can embed executables is still dangerous. Limiting mail HTML to a formatting subset like Slashdot's would be an acceptable compromise.


  • Wouldn't it be good if people made things like this but when the email was opened the program actually done some good for you, like point out that you were a bit silly opening this without knowing who it were from, or suggesting some tips to make your system run a bit better.

    Of course, some people would argue that deleting people's windows installation is a good thing..
  • Agreed! The article is vague on how the attachment gets executed. Info, anyone?

    While a lot of /. rips AOL, they're the #1 ISP, and the place for computer illiterate people. I can't stand using it, but I realize that AOL has it's place online. How many of your relatives or friends of your family use AOL? I know mine do, and to be honest it's easier to support than the typical Win9x dialup/IE/Outlook combo.
  • We use Outlook 97 here at work, and the default email "reader" was Word97, instead of the internal reader of Outlook. I would imagine it would be possible in this instance to embed one of those silly macro viruses. Of course, it would only affect those using Word as their mail reader, but still, I think that would be quite a lot of people. The previous posts also mentioned embedded Javascript, which could affect lots more.

    But, yes, the email itself cannot contain viruses. If you were to, say, read your email using pine or elm or something, then simply reading the message won't hurt. But all these fancy new mail clients that use Word or process HTML could be damaging.
  • by synchromesh ( 39735 ) on Tuesday October 12, 1999 @04:26AM (#1621562)
    highHorse.ClimbOn();

    If you came back to your car and some kind soul had left a free bottle of "engine performance enhancer" on your bonnet, with a note saying "Just pour into your fuel tank for an incredible performance boost," would you:

    1. think "it's my lucky day," and pour it in;
    2. ring up an engine-knowledgable friend and check first;
    3. throw it away as a reflex action, as soon as you read "Just ..."

    My point being, you don't have to know much about engines to treat such things with due caution. You just need a little sense.

    There's some witty paraphrase of the "million monkeys with typewriters" line I could make here, but what's the point?

    "I ache therefore I am. Or in my case, I am, therefore I ache." -- Marvin

  • I hope not! One of my favorite kitchen physics experiments involves putting a CD in the microwave for, or say 3 or 4 seconds. Just until the current in the foil reached the point where the entire foil disc pops! It makes a really cool fractal-like pattern! They make great suncatchers, too.

    --
  • The problem with this 'hack,' as with most of the popular worms & trojans of late, is right between the keyboard and the chair. Part of the blame should be placed on user stupidity. AOL repeatedly warns not to open attachments from people you don't know or trust. They also tell you not to go and give out your password to anyone. While AOL and ICQ do have a responsibility to keep their systems secure, the users also have a responsibility to protect their own account information. If a user opens a file that extracts their password, despite the fact that AOL (and that little voice in the back of their head called common sense) tells them not to open strange files, then it's partly their problem. Although on the other hand, it seems now that the way AOL stores user passwords on their hard disks is somewhat insecure, and AOL has a responsibility to modify their software and distribute a patch so that this doesn't happen again.
  • Yeah, I found it downright spooky that they painted it that way. What exactly is Opera supposed to do differently? Clue in the AOL users for AOL?

    Another scary thing is that they seem to be ignoring the fact that people are continuing to open attachments without considering the ramifications.

    "Malicious" E-mailer: Open the enclosed attachment. Trust me.

    AOL User: OK.

    "Malicious" RL Criminal: Open the front door to your house and look the other way for awhile. Trust me.

    AOL User: OK.

    I also found the following phrase interesting: "...the company repeatedly educates AOL users to beware the techniques of the wily password-stealer." It seems more apparent than ever that AOL's greatest enemy is an educated user.
  • Unfortunately, I don't think it's possible. When the Luser sees something flashy, they want it, period. If they get a mail entitled "Check this thing out, it's Soooooo cool'" then guess what happens. It doesn't matter the mail client either-they see something that sounds like the next 'frog-in-a-blender' and they'll open it. Yes, and hopefully they'll learn that they had better pay attention to the warnings that most (all?) ISP's provide about opening email. Then comes the formatting of hard-disks, and gnashing of teeth.
  • They are big and bloated enough =) >All the user would have to do is to open the email. Gee..I don't know if many people subscribed to AOL use their email services..hehe I'd like to see how quickly AOL replies with a patch. The media would keep a close eye on this - about as close as Hotmail has received in recent months.
  • by Suydam ( 881 )
    Well...there is one possible good that can come from this. I'm not saying that it's a good thing people's passwords are floating around, but at least the major systems out there are being forced to clean up their act a bit. I would be surprised if this hole lasts for long...and as long as they close it, that's a good thing.

    Now if they'd just open source some of their stuff, we could actually HELP them patch the holes. OH well.

  • And is AOL really to blame. I mean is AOL's problem have anything to do with their methods, or is just there sheer size? Most ISP's have holes I am sure, but if there isn't enough exposure for them then they wouldn't have to worry, and their certainly wouldn't be any news articles posted. Keeping this in mind is there really any reason for users to be unhappy with their service from AOL? And I am sure AOL has the proper disclaimers in place......Besides getting free hours on AOL isn't real hard, and who wants to read my email anyways??
  • Just think.. If all these people are so worried about and getting easily screwed over by crackers and script kiddies , just imagine if more actual hackers were lame enough to devote most of their time cracking .. Of course, knowing the media, upon the arrival of people with actual intelligence on the 'hacking' scene, the 'lesser' 'hackers' would still be called hackers, and the 'elite' 'hackers' would probably finally be called crackers.. and thus, completely reverse the meanings of the two words in their own minds. =P

  • Its been said a million times before but i'm going to say it again. Security is 90% common sense. Don't be an idiot and open exe's from people you don't know. Although... what should we expect from aol users.
  • nah.. that's just an email-addy the pwd gets sent to. On a sidenote.. check out myownemail for a really insecure system. it runs on cold fusion under windows. 'Nuff said

    //rdj
  • Seems to me the real problem is the AOL password is stored in the clear on every client's machine. (That's the only way a trojan horse could e-mail it out, right?)
  • I've seen a lot of comments about "AOL should beef up their security", "People shouldn't open attachments", etc,etc...
    Yes, these are all valid points. AOL should stay on top of things, and there HAS to be some way to get it through to end users that opening attachments, especially from unknown origins, could be potentally damaging. (I'm speaking from a general perspective, not just this latest exploit).
    However, remember that AOL is one of the largest ISP's in the country. New users are constantly joining, and seasoned users leave to find a more "streamlined" provider. To stay with the up and up, AOL has to continue to provide new services and features to attract more users. AOL admins probably have a heck of a time keeping up, I would imagine. Also, when you have such a large user base, mostly of "newbies", that represents a pretty nice target for crackers. And really, no matter how much you try to secure a system, no system will EVER be 100% foolproof. Yes, most of the attacks we hear about are actually pretty basic, social engineering methods. But when you look at it, those kinds of exploits are often times the most effective.
    Basically what I'm saying is, because of AOL's very large user base, it presents itself as a very big target with lots of opportunity for crackers. The best thing to do is to continue to patch holes as they are found (being a little bit proactive wouldn't hurt, either) and continue to educate users.
  • How can they close the hole? The hole is, in my opinion, the cluelessness of lusers just opening about any attachment that gets sent to them. And, last time I checked, there hadn't been invented a cure for stupidity and, given human track record, I don't think there ever will be.

    Just look at the number of AOLers that fell for this Trojan: some 10.000 already. And I'm sure this isn't the first Trojan targeted at AOL. Will they ever learn? I think not.

    Form a Dutch point of view, however, that would prove them not to be asses: "Een ezel stoot zich in 't gemeen geen tweemaal aan dezelfde steen." "An ass is not prone to stumble twice on the same stone." (Dutch proverb, transalation provided by yours truly. :-)
    --
    Beware of geeks baring GIFs.

  • well.. if the passwords are that easy to get, they're probably not encrypted . . .
  • The cite is wrong... The AOL member needs to do a lot more than just open the email. He has to open it, download the executable, either attached, or often to a remote link on some free website like fortunecity or angelfire. Then he has to run the executable. It's not quite as easy as it's implied to be. Not only that, but we toss up a warning window on suspiciously suffixed files telling the member what it might be, and asking a yes/no if they really want to download it.

    (Darn... now I can't moderate this topic =)
  • Uh. I terminate people's accounts all the time for spamming and the like. What does the size of the service have to do with ease of finding exploits?
  • by jd ( 1658 ) <(imipak) (at) (yahoo.com)> on Tuesday October 12, 1999 @05:01AM (#1621584) Homepage Journal
    It =IS= possible to get a virus, simply by reading e-mail under VMS 5.5 - Dec Mail permitted you to insert script commands into the subject line, which would be executed on display. Action by the user was not necessary.

    Buffer overflows in early versions of Sendmail allowed people to break into the root account, again without any action on the part of users.

    Buffer overflows in e-mail readers are a potential source of chaos, too. It may be possible to exploit such bugs to inject code into a system without the user needing to actively execute an attachment.

    The general advice "you can't get a virus from e-mail" is ONLY true in general, across all systems and across all e-mail software. Special cases and exceptions DO exist for significant subsets of cases. Within those subsets, you would be advised to be aware of what exploits exist.

  • Has anyone thought that half the problem comes from the phrase "open the mail", not necessarily the mail itself?
    I treat it as indicative that people want, and are given, flashy features such as (for example) javascript-enabled mail clients (netscape), which then prove to have problems.

    If we were to give up on the verb "open", and actually *read* mail instead - insert "hey everyone let's use mutt [mutt.org]" rant here - then would we have the same problem? I think not.

    Now, how do we persuade people to use simple mail clients that actually do just what they need with *NO* fancy features?
    "Look! PigMail has new security plugin! Complete with rm /var/spool/mail/$USER technology!"

    ;]
  • You mean a painless experience using the computer?

    GUI users can also click off the checkbox next to
    "JavaScript in mail/newsgroups," and WALA, no more
    problems.

    It's amazing how someone who obviously feels
    incredibly smart is pinning his hopes on the PAST.
    In case you hadn't noticed, text-based UI's are
    not exactly the stuff of futuristic books and
    movies -- FOR A REASON.

    -WW
  • AOL is going to make OperaMail look like the bad guy in this, when it's their hole that let the whole thing happen. Couldn't the thief use just about any other free email client to do this, or was their something special about OperaMail?
  • We use Outlook 97 here at work, and the default email "reader" was Word97

    That is just so very stupid, I don't know where to start. Use the most virus-prone app on your entire computer as the primary email reader? Whoever made that decision (and any IT person who didn't object to it) should be flipping burgers.

    This sort of tightly integrated package, the world definitely does not need. IMO, another data point in favor of breaking up M$.

    p.s. Wired didn't mention it, but I presume the attached file was a Win/DOS executable, and couldn't affect other platforms. A good reason organizations should avoid domination by a single OS.

  • The program probably just reads a registry key. Easy as pie. Obviously, this is being done to educate AOL and get their users riled about the fact that their passwords are so easily comprimised. I woldn't be surprised if a Microsoft employee is responsible for this.
  • Redundant? I beg your pardon ?

    Not that i feel sad or anything... :-)

  • Hmm I doubt it, I'll look more this week at this. Emails in ascii won't have the embedded macros, nore will HTML formatted mail. Word formatted mail isn't a complete word document, so it will strip all macros out.

    Whats more silly perhaps is that MS allow people to set HTML email to be in the "trusted zone". This means all javascript will be ran. Of course you can't get really nasty with javascript, but it's possible to do DOS attacks and to do the popping up porno window.

    Barry

  • I miss the days when AOL would mail out the floppy disks. All you had to do was reformat them and you had another spare blank disk handy.

    I those days the company I was working for stop providing them and required that I work such hours that there were no stores open when I was not working. I appreciated AOL maling to me blank disks for free.
  • I agree 110%. I was blown away when I saw what they did. And, for the longest time, we were unable to alter the Outlook settings (well, we could, but as soon as you closed Outlook, your changes were wacked). So, every morning I had turn off the "Use Word as your Email Editor" option (fortunately, M$ did make this pretty easy). Only after a macro virus spread throughout the company did they FINALLY come to their senses and change the default to use the internal editor (which, is almost every bit as bad as Word).

    Yet, this company lives and dies by M$ apps. You know the worst part about it? I get friggn ripped' whenever a NT server crashes or whatever, and I casually say "Heh, that's NT for ya. Guess you don't always get what you pay for.". Everyone's like "Oh PLEASE. Your Linux and FreeBSD stuff wouldn't be any better..yada..yada..yada.."
    It sucks, I tell ya.
  • Ooooh the irony.

    Grammar errors by this AC:

    Leading capitals missed on all sentences.
    "moderator's" used instead of plural form "moderator"
    Third sentence is not correctly formed.

  • Now, how do we persuade people to use simple mail clients that actually do just what they need with *NO* fancy features?

    Unfortunately, I don't think it's possible. When the Luser sees something flashy, they want it, period. If they get a mail entitled "Check this thing out, it's Soooooo cool'" then guess what happens. It doesn't matter the mail client either-they see something that sounds like the next 'frog-in-a-blender' and they'll open it. Nothing you or I can do to stop it either. I know OE>4 gives warnings about posting to Usenet in HTML excessive quoting, etc...why don't they put automatic warnings in about running programs that come as attachments?

  • It ain't stored in the clear on ANY of my three machines; I type it.

    Your point's well taken, however. A sufficiently adept and motivated cracker could probably find a way to retrieve this off a client machine. Worse, I've heard (dunno if true) that AOHell can intercept a lot of behind-the-scenes stuff at the server end; if somebody's logging off one screen name and onto another, I wonder if they'd be vulnerable.

  • AOL is going to make OperaMail look like the bad guy in this, when it's their hole that let the whole thing happen.

    What "hole" are you referring to? If you mean their target audience of inexperienced users, you're right. If you mean some particular flaw in AOL, I think not. Any ISP connection tool that saves your password to a file in a known location can be compromised. The user open an executable from a stranger, the trojan finds the file and emails it back, done.

    Someone with way too much free time could send me an AppleScript that would find the FreePPP prefs file on my home computer, pass it to Eudora, and send it -- if I was dumb enough to open their attachment. The same would hold true for any known combination of an OS and an internet service with a saved password.

    Even an encrypted password wouldn't help. Since all copies of AOL would use the same key, it would eventually be solved.

  • Damn, there go my skeet targets. Back to spending $$ for clay pigeons.

  • Woo woo. Look at me! I can fight a meaningless little battle so mommy doesn't dare call anyone less elite than me a "hacker." After all, who would want to be deprived of their deity-given right to have a REALLY ph3ersome moniker with which to label themselves?

    Those with real knowledge don't concern themselves with labels. They know they're good, so they go and do what they need to do, media be damned.
  • Q. WHY THE HELL do you want AOL passwords?

    A. They were pissed off 'cause their hundred free hours cd arrived with a scratch in it.

    :D



  • Where I work we use outlook and I agreee that was the most moronic decision. All curtasy of our IT group. so far the melissa virus has shut down company e-mail three times. the same virus. This is all do to MSCE certified idiots, Who went to your one year tech school because he got regected from tractor training school.
  • While a lot of /. rips AOL,....

    I've noticed from time to time that this extends to AOLers on /. as well. Back when we had the flap over "ni**er.com" and the NAACP, I got into a side discussion with a software engineer of African ancestry who pointed out that I could now understand how other's perceptions of oneself could be predjudiced by some relatively shallow cues.

    Pls excuse the off-topic "waaaah."

  • >Unfortunately, with AOL, this is not true (and >I'm not just talking out of my ass here -- >another unfortunate thing is that I worked for >AOL as a systems administrator for a few years). >They've got some built-in scripting

    No, they have no built in scripting. Load up a copy of aol and try it. They have limited html, but that's all. Aol mail cannot give you a virus from opening an email. Read the article, it's stated there.

    Eric

  • what we woudl need is the source code to the human brain. locate the bit that makes people want to open executable attachments, and #ifdef it out, or replace it with a call to suddently_feel_like_going_to_take_a_dump() or something.

    seriously, the problem is with the user, not with the software. you can't blame the sw for making things easy; you could blame it for not warning enough, but people will ignore warnings (esp. after seeing the same warning when their friend last sent them a new screensaver, clicking on 'yes', and nothing wrong happening).

    no matter whether it's linux, windows or openbsd, people need to learn the difference between data (safe to view) and executables (unsafe to run). and the fact is that they won't.

  • Unfortunately, with AOL, this is not true (and I'm not just talking out of my ass here -- another unfortunate thing is that I worked for AOL as a systems administrator for a few years). They've got some built-in scripting (a la VBScript in MS Outlook) that *can* be executed if a user does not open the attachment. The attachment is just there so the script has a file to install when it gets triggered.
    Completely untrue. Exactly what kind of systems were you administrating at AOL?
  • I don't see what the big deal is? Back in my AOL days (3 years ago) I use to do this all the time from other webmail accounts. Sometimes you didn't even have to attach a PWS and could just talk eloquently from a Juno account and they'd hand it right over.
  • ..what in the hell are you babbling about?

  • Becouse you can BUY things and have the products automagically charged to your AOL users account..
  • I can't help but feel that the point of your post is that free services are "bad" and that they are somehow unethical because some people use them for unethical purposes. What else is one to assume from your post? Why do we need "methods of verification?" Do we really want Big Brother watching over our every move to ensure we don't hurt ourselves? The answer is not to restrict free or "anonymous" access to the net. Rather, it is for grown adults to take responsibility for their actions and not try to push the responsibility onto another entity. For children and other minors, it's the parents responsability to protect them and nurture them. Handing off the sresponsibility to another person or entity is as neglectful and act as any.

    When people learn to take responsibility for their actions our current "problems" will cease to exist, or at least be reduced to a level that our law enforcement authorities can deal with effectively.


  • Does anyone remember the cracks done by Hex with AOMaster? Those always made life more interesting until there was no challenge in it anymore. AOL is almost to the point where I would sign back up just to give me something to fuck around with on the other end of the phone line... :)

    OK, AOL, is K-Rad ph0r d4 SkrIpt KiDDi3z and all. For anything even remotely more serious you will be forced to sign up with an ISP. I still remember when AOL would scare people away from ISPs by saying [when you tried to leave the service] "Do you have a working knowledge of how to setup IP addresses, POP accounts, IMAP, FTP, HTTPD, Gopher, and Newgroups?" and would go on in this manner until you either hung up ( and didn't get your service cancelled ) said "Yes." ( and didn't get your service cancelled ) or cursed at them ( and didn't get your service cancelled). AOL, go figure.
  • by E-Rock ( 84950 )
    Have you ever written or used a word macro? I don't think you have or you'd know how stupid your post is. When you use word as your mail editor, it just shoves the raw text into word. You'd have to be stupid enough to open the word document attached to the original e-mail to activate a macro.
    Sorry for that, just ingorant posts annoy the shit out of me. If you've made it this far, the blame sits on your IT departments shoulders as well as the users. My organization had no ill effects from melissa, because i've trained my users enough not to open strange .exes and i took it upon myself to disable macros.
    MS makes a handy dandy patch for 97 that lets you password protect the normal.dot file & office 2000 comes with macros disabled by default.

    BTW i do agree that an MCSE is way too easy to get. The paper puppys scare me shitless, i had one that was a full msce and couldn't set up TCP/IP for a DHCP server.
  • You cannot get a virus simply by reading email. It's a saying that's been repeated to newbies since who-knows-when, and I'm surprised that /. missed it.

    This was true when e-mail was ASCII only, but now that Web-based e-mail sites, Outlook Express and other mail software support HTML, ActiveX controls, and even scripting languages like JavaScript, it's possible to get a virus simply by reading e-mail. All it takes is an Internet Explorer security hole -- lord knows there are plenty of those -- and a malicious programmer with a little free time.

    Your statement should be amended: If you only read mail as plain text, you cannot get an email virus simply by reading e-mail.

  • How exactly is this any safer than using a POP mail reader? When I get a message with a malicious attachment in MS Outlook, I too laugh my ass off. Or at least ignore it. Outlook doesn't run attachments automatically when you read a message; I can't imagine that any mail reader does.

    If you're thinking about Javascript, rather than executable attachments like the example that you gave, then that's a slightly different story... Javascript should be safe, but like any software, the interpreters can have bugs. However, a lot of webmail services support Javascript now anyway, and I'm sure eventually they all will.

    (I know most /. readers can think of a bunch of security holes that would let you bypass the security in Outlook, at least older versions of it... but those are bugs. We're talking about design flaws here.)
  • These people are lucky that the only bad thing that happened to them is that their passwords got stolen. Sheesh...
  • For most of my online discourse, etc, I use my deja-news email address, check it about once a wekk to delete all the spam and answer the occasional real letter, etc. If I were a windows/AOl user it would have saved my ass on at least one occassion. Like when I opened a message and saw text looking roughly like;

    Begin Happy99.exe---------------
    oiuDHFlisdhfoi(&#*OHQI#RFIfnlkH*@
    #YR*OWHFNKJSF83ulleoirjeoirjerpte
    3-2uirposd;foksd;gotj;osgpd[sepdj


    Needless to say I about laughed my ass off, then emailed the sender back to run a virus checker on his system. The Deja account also does not render HTML, so there is no chance of a java bomb waiting in my inbox.

    Perhaps AOL and a few other of the big boy ISPs could get a clue here and strongly push this option to new users. Maybe they could even offer two email addresses, one for pop retreival on the client's machine and one web-based one that the world gets to see whenever they post somewhere or chat or do whatever they do on AOL. May cost a little up front, but would definately minimize the effect of this sort of thing...

  • Anyone too stupid to open the attatchment and use aol in the first place deserves it.

    I want an AOL shell so i cna be leet' =]

    But WHO THE HELL WOULD WANT AOL ACCOUNTS? (other than to go into sex chat's under the persons name hehe)
  • This sounds lame, but I've decompiled a couple of those out of curriosity. It seems they just send a wm_gettext() type of WinAPI command to the "AOL_EDIT" control, or something along those lines. (It's been a while).

    Also, I looked at a log of all system messages trapped by Spy++ (comes with ms visual c++ 5) and aol & that free isp both send the password as plain text.

    And, as has been pointed out, they have to download and execute the trojan to get it. Not just from reading the mail.

    E


  • Yep -- And the guy doing it doesent sound like a genius, so after any experience whatsoever with AOL, you would probably find that the passwords are stored in the registry, or a lightly or non encrypted file.

    i would like to see the message received at the operamail end of it. I dont know if maybe the program sends the data to the operamail account and the 'hacker' further decrypts it from there or if its actually parsed at the client side..

    somehow, just based on the nature of the 'attack', the guy in charge aint the biggest genius the world has ever seen. (something about wanting mad aol passwords just dont make me think 'genius'), so i would assume its something relatively simple. i am thinking he programmed it in Visual Basic 6.0 Pro he stole off a Top50 whoreboy warez site =]
    he went out and bought a vb book for dummies and it took him 40 days and 40 nights to finish his program. all at the same time being quiet about it because his mom is in the next room!!!!
  • I love people who actually read the article before responding ...

    IMHO, anyone who opens an executable attachment should be glad it didn't format their hard drive ... which is much simpler than stealing passwords when you've got dolts who run the program at the recipient's end.
  • It's the hurry-up syndrome; Ventures are in such a hurry to get on the web that they offer free services to boost membership, methods of verification simply don't exist; They'd rather grow, at the cost of other users of the net.
    Some time ago, I found out my ISP was offering internet access "calling cards". For X dollers (5, 20, 100) you get X minutes of PPP via a 1-800 number. Apparently designed for traveling users.

    What I saw it as was a "license to spam". For $5 you get unfiltered access to the ISP's mail gateway. You slam your message traffic through, then punch out. What? Your account gets shut down? No problem. Run the the Quickimart, slap down a $5 bill, and you've got another license.

    Of course, I don't think this ever became an issue. At least, my friends at the ISP never mentioned it. Either spammers don't know about it... or there's much cheaper ways to pull off the same thing. Right now, I'd put my money on "cheaper ways".

  • No - this is not how it is.

    To get a trojan horse you have to download an attachment. Then you have to execute the attachment; just like getting a virus. This isn't like outlook where attachments automatically download, and macros automatically execute. You have to do this to yourself, despite warnings.

    Wired really misrepresents the situation, probably because none of them have every used aol, just HOTMAIL where it really is insecure. Everytime you get a letter with an attachment in aol it pops up a window that fills the screen that says, "WARNING YOU PUNK - DOWNLOADING SHIT CAN FSCK YOUR SYSTEM" - only in kinder red letters. After that, you have to click, "Yes, i still want to download this". Next ... after choosing a name and location like in all SaveAs dialog's, you have to then EXECUTE the file!

    No versin of aol has the ability or CODE to execute ATTACHMENTS.

    This really disturbs me.

  • Uh, I don't know where you got such an assumption from my post.

    I never suggested government intervention; I did suggest that the producers of free services were perhaps being unethical because they weren't monitoring their services. You said "it is for grown adults to take responsibility for their actions". Correct, and this includes running a service that is relatively free of abuse.

    If an internet firm cannot control what goes on on their services, they should configure themselves accordingly, rather than exerting the costs of their services (i.e., spam, etc.) on the user.

    I wasn't pushing to restrict free access, at least not by legislative means, and I'm not sure where you got that assumption. However, it is the responsibility of the provider to control what resides, and what comes from his/her own system. Thus, yes, a firm should require some sort of verification, to assure that their users -- and thus themselves -- are not putting a burden on the internet at large.

    The reason we don't/shouldn't need government intervention on the internet is because it should be able to police itself. The government shouldn't be involved, but I daresay the idea of individuals completely monitoring themselves is somewhat idealistic. If someone refuses to adhere to the net-ethic, then it is the responsibility of the firm through whom they have the services, to deal with it accordingly. To suggest that a firm doesn't, or shouldn't have any responsibility or liability towards the internet community, regarding the actions of its users, is ludicrious.

    In any basic economics class, you'll learn that once someone owns property, as opposed to renting/leasing it, it tends to keep its value longer, because it is not abused. Free services are likely to be abused for just this reason, and thus since the likelihood is greater that users will abuse, the responsibility falls on the owner to halt the abuse -- else, as we've seen -- the burden falls on the internet as a whole.

    Free services aren't bad; I never said that, and don't think such is the case. But the fact remains that many of the free services out there, in their frenzy to create a net-presence, neglect to maintain their service according to its usage, neglect netiquette, and thus neglect the internet itself.

    If a free service is offered, the service should offer the same level of protection to the 'outside world' of the internet, as it assures to its customers; abuse should be stopped in either direction.
  • No - this is not how it is.

    To get a trojan horse you have to download an attachment. Then you have to execute the attachment; just like getting a virus. This isn't like outlook where attachments automatically download, and macros automatically execute. You have to do this to yourself, despite warnings.

    Wired really misrepresents the situation, probably because none of them have every used aol, just HOTMAIL where it really is insecure. Everytime you get a letter with an attachment in aol it pops up a window that fills the screen that says, "WARNING YOU PUNK - DOWNLOADING SHIT CAN FSCK YOUR SYSTEM" - only in kinder red letters. After that, you have to click, "Yes, i still want to download this". Next ... after choosing a name and location like in all SaveAs dialog's, you have to then EXECUTE the file!

    No versin of aol has the ability or CODE to execute ATTACHMENTS.

    This really disturbs me. :-) and yes i posted this on a different thread.

  • Actually, Microsoft has already disproven the million monkeys theory. (either that or they are the exception to prove the rule.)
  • I distinctly believe I said 'exploit'..not virus. They are two very different things.
    Plus, like everyone else has been mentioning, you can use javascript to do the same thing, which automatically get launched in some cases.

    True that wasn't the case here, but the line also caught your eye and forced you to read the article. It may have been a bit deceptive, but it peaked your interest
  • Yes folks, it true!
    Reading email is just the sport for nosy company system admin (Bastard Opertor from Hell), You
    too can take please in reading random email from people all over the world.
    Just sign up for a free email service and watch for exploits.

    BTW anyone have a webpage with archived bastard operator from hell episodes-storys?
  • I'd rather have the computer illiterate use simple 'my first computer' devices like WebTV than a full blown $1500 system. The customer-base is, from whom I've met, people very uninterested in learning anything about PCs than the proper way to double-click.

    How many trojans are there for webtv? Go ahead and try to format my cablebox. I'm willing to bet that 80% of computers sold today are entertainmnt boxes running only some form of internet client and videogames for the kids. It's a lot like buying a Ferrari to drive to church once a week. Too much power and too much specialized knowledge. Yeah I said specialized knowledge, to the lowest common denominator having a decent understanding of windows requires more time than they're trying to put in. Most of the internet revolution is people wandering out of their trailer homes and buying the Compaq AOL machine, but thats an argument for another day.

    I don't see the 'they will learn in time' argument going anywhere. Its like expecting a car-owner to magically become a mechanic after a few years, heh, there are people out there who have no idea how to change a tire and this is OLD technology. So instead of knocking webtv, we should be encouraging them to purchase no-brainers like WebTV or the new Dreamcast, for their own good and for the sanity of tech support.

  • I realise this has all sorts of privacy and security issues related to it, and i am sure the moderators will probably consider it as Flame but it has to be said

    WHY THE HELL do you want AOL passwords?

    come on guys [and girls], why dont you use your energy for something usefull

  • But surely that doesn't make any business sense.....you can't make money from an open source model, haven't you read all of the articles on /. :-) uh, or something........
  • all the user has to do is open the email.

    As an AOL user (not for much longer, though, for varying reasons), I panicked when i read that line. Then logic took over.

    You cannot get a virus simply by reading email. It's a saying that's been repeated to newbies since who-knows-when, and I'm surprised that /. missed it.

    It even says in the article, and I quote:

    If the user opens the attached file -- an action AOL claims to repeatedly warn users against -- it launches a small program that obtains the user's password off the hard disk and sends it back to the hacker's OperaMail address.

    AOL does repeatedly warn it's users about opening attachments from people you don't know... doesn't mean that people always heed these warnings.

    Just by opening the email, eh Hemos?

  • My question is -- how is this caused? The article from Wired is skimpy on the issue. Which is it?

    1. A buffer overflow in AOL's software
    2. Insufficient protection of the password on the local machine, perhaps by API or by trivial encoding
    3. The most nefarious: allowing executable content to be run without the user's permission

    If it's any of these, it's bad design and needs to be corrected and rolled out ASAP. If AOL does anything less, they're negligent.

  • Could this possibly prompt more people to be seriously concerned about their security?

    There are security holes in every software product shipped. Well, not every one, but you know what I mean. That a company as big as AOL can succumb to such a huge exploit boogles the mind. Don't they have their own security people?

    On the other hand, what would you do with someones AOL password? Go chat with another user's ID?
  • by cswiii ( 11061 ) on Tuesday October 12, 1999 @03:57AM (#1621642)

    :"I'm closing down these accounts everyday.
    :I can't stop them," said Opera sales manager
    :Christian Dysthe.


    Is it just me, or is this nothing new, something that every new 'free' service runs into? If it's not a security exploit, it's a dropbox for stolen passwords, or a website to peddle porn... I can't think offhand of a site offering 'free' services that hasn't been used in such a way.

    It's the hurry-up syndrome; Ventures are in such a hurry to get on the web that they offer free services to boost membership, methods of verification simply don't exist; They'd rather grow, at the cost of other users of the net.

    Of course, commenting about net-ethos anymore is a rather moot point :(
  • From what I got from the article, you have to execute a file attached to the email for it to work. Now you can't put the blame totally on the person sending the email, aol warns people all the time about that shit.
  • by jsm2 ( 89962 )
    hmmmm indeed ... I can just see the /. crowd running to "peer review" this one the moment it gets open sourced. You'd never live it down:

    "Hey d00d, r u l33t?"

    "Yeah, I've got code in the last three kernels, how about you?"

    "Well, as it happens, I fixed a security hole in AOL's email system! "First patch", too! Pretty cool, huh?"

    {laughter}

    jsm
  • .. for the media in a case like this; "Hacker", "Cracker", and "Malicious".
  • Why is AOL storing the password on the user's hard drive? It seems like this is asking for trouble, since there are so many published ways of getting files and such off of people's Windows computers. There must be a better way of maintaining a session without repeatedly sending the password.
  • Wow a voice of sanity among all the other noise!

    Facts to go along with this:
    1. AOL users can't get a virus or trojan horse by simply opening email, they have to proactively click DOWNLOAD NOW. Then they have to click "Yes I understand that this file contains executable content and I don't know who it's from" on the little warning screen that AOL puts up for file attachments.

    2. They have to double click the EXE file after downloading it to start the trouble.

    3. These trojan horses almost all use a keyboard capture routine to actually get the password AS THE USER TYPES IT. How do you design software to defend against that?

    4. The AOL password is not stored on the HD unless the user has "stored" the password so they don't type it in to sign on.

    5. AOL works with Network Associates to create a special version for detecting Password capture trojans. (They come out with a new "extra.drv" file every so often with new virus and trojan horse definitions in it)

    6. AOL is the biggest online community with a consistent interface, which makes it a large target. In other words, hackers see 15 million people all using the same interface and can write one trojan-horse hackware piece of copy and pasted code to try to get passwords for all those AOL members. Why do they do it? Why do 12 year olds do anything malicious? They need chores to do! LOL
  • Which of course means that you will once again be unable to escape the cavalcade of disks with your name on it.

    Muhuhahaha
  • Sure, that works just fine for netscape. (of course, any number of things can futz with your prefs and turn it back on.)

    SO, how the fsck does one go about turning off javascript in IE?
  • It would be nice if attachments could run/open on a VMWare virtual machine or something like it created specifically for the purpose, with monitors for suspicious activity. If the virtual machine gets destroyed, no biggee. Delete it and create it again. I doubt this is practical at the consumer level now however.

    Even running helper apps and plugins inside of a chroot would help loads, and that's pretty straightforward. Well, except for the fact that only root can chroot()...

  • I've seen a few comments from people who read the thing about being able to have this thing infect your system simply by opening mail. I've seen some of those same people decide this must be misinformation, that surely the executable needs to be run after opening the mail for it to do damage.

    Unfortunately, with AOL, this is not true (and I'm not just talking out of my ass here -- another unfortunate thing is that I worked for AOL as a systems administrator for a few years). They've got some built-in scripting (a la VBScript in MS Outlook) that *can* be executed if a user does not open the attachment. The attachment is just there so the script has a file to install when it gets triggered.

    If you're an AOL user, don't be too sure you're safe just because you don't actually *open* the attachments. All you have to do is read the mail, and someone might get your password.


    ---
    Consult, v. t. To seek another's approval of a course already decided on.
  • That's not true. AOL users (because of AOL's mail scripting) *can* get viruses simply by reading mail. They do *not* necessarily have to double-click the attachment.

    It's scary, but it's true.

    ---
    Consult, v. t. To seek another's approval of a course already decided on.
  • Am I the only one to think that the first few paragraphs of the article seem to imply that OperaMail is the bad guy? I don't think that this is what Wired intends, but even by accident, this article presents a different spin on matters, to the people who (like me) only reads the first few paragraphs, unless it looks really interesting.

  • I don't think open source is the solution. Who would be interested in maintaining and supporting an AOL client? What self-respecting hacker would devote time and resources to plugging a script-kiddie hole this lame?

    From what I understand, the Trojan gets the password from the user's hard drive. It does not require them to type it in again. What kind of security model is this? Is the passwrod stored in a plain text file called password.txt, or maybe they give it a .aol extension to really throw off those bad hackers!

    Exam the business model carefully. If AOL were to open up their software, it would simply invite a competitor to offer the service in a more focused way. That is, an AOL for women only or musicians only, or whatever. Who would devote time to fixing bugs and providing improvements? Not geeks.
  • While I agree that the software the AOL uses should be a secure about private information like passwords, ultimately OperaMail has to be able to decrypt the password so it can authenticate with the server. If OperaMail can do this, then a trojan can do it. There was nothing in the item that indictated to me that OperaMail is really at fault here.

    Email that may be using a trojan horse-like virus -- the effects of which aren't immediately detected -- arrives at the inbox of an unsuspecting AOL user. One user reported that the attached program bore the name "buddylist.exe." If the user opens the attached file -- an action AOL claims to repeatedly warn users against -- it launches a small program that obtains the user's password off the hard disk and sends it back to the hacker's OperaMail address.

    It is really not a good idea to run files that are sent to you, even if those files are sent by what you think is a friend. There have been a few viruses/trojan horses that use the method of looking through the address book of its host and sending itself out as it its from the host user. Because of thise, you just cannot rust executable content that you get in your mailbox/ICQ. In ICQ, you should at least ask the person who is sending it "What is this?". The interactive conversation about the software that is being sent will help verify if it is a real program. Similar verification can be done by mail, although it is more of a pain.

    The real solution to all of this, I suppose, is to type your password in everytime you start your emailer, and not use any "remember my password" features. If a program you run remembers your password, then another program run by you can find that password.

    This article would have been better if, instead of trying to cut down AOL/OperaMail for something that isn't really its fault, it educated users on the dangers of running foreign programs whether or not they are named "buddylist.exe"

  • by Rift ( 3915 ) on Tuesday October 12, 1999 @04:03AM (#1621670)
    This 'blurb' incorrectly states that all you have to do is open the email. Untrue.

    In fact, all this kiddie is doing is mass-mailing an AOL grabbing trojan to AOL users. If they open the attached executable file (bypassing the warnings that AOL gives), then it gets the users stored AOL password and sends it back to a specific email address.

    While I'm not an AOL fan or user, I have to say that this no more cracks AOL than BO2K cracks my windoze machine. As long as I don't run any unknown exe, its fine. However, If I'm dumb enough to do so, then the OS won't help me out with security. Same with AOL, don't be stupid, but if you are, then be aware that AOL stores your password on your machine in an easily accessable way.

    This is not new. There've been lots of AOL password grabber trojans. Shouldn't AOL take the hint and possibly NOT store the password in this way? Not that I care too much about AOL.
  • by dgb2n ( 85206 ) <dgb2n.comcast@net> on Tuesday October 12, 1999 @04:04AM (#1621673)
    Although it is tempting to immediately slam AOL on the technical merits of this particular hack and further lambast AOL's users as neophytes, it is important to consider what AOL actually provides.

    For new internet users and those completely unfamiliar with computers, AOL is by far the most user friendly environment in which to begin to use email and the internet. Don't get me wrong. I don't use the service. But for my grandparents and my parents who aren't comfortable with computers in the first place, the service hits the spot.

    Certainly AOL should take steps to secure passwords on the users systems. Regardless, the key is educating their users. I know enough not to open attachments from people I don't know. I even know enough not to open an attachment if I have no clue of its contents. Unfortunately most new users (particularly the kind that sign on to AOL) don't. Don't dismiss AOL. They provide a valuable service for folks for whom the internet and email are daunting. At least they're a step above "WebTV" ;-)

  • You cannot get a virus simply by reading email

    That used to be true. Now, thanks to HTML-enabled java-enabled mailreaders and trusted ActiveX documents, you can. (Those aren't just buzzwords)

    I'm safe with pine, though.

    Oh, wait, pine had a problem handling MIME headers at one point not TOO long ago... See the message on security focus [securityfocus.com].

    MS Outlook had problems with a buffer overflow in MIME headers.

    Everybody back to mailx!
  • First off, anyone care to explain to me how that was flamebait? I imagine it's because someone thought they'd moderate down anyone who's remotely on AOL's side, but then, I'm just paranoid.

    Anywho, I should clear something up. You're right -- with scripting and HTML features in mail readers, you can get a virus or at least some troublesome annoyances just from reading email.

    With the AOL mail reader, however, you can't. They barely even support HTML, in fact. The only possible way an AOL user could get a virus through their AOL email account is if they downloaded and ran an attachment.
  • Insufficient proteciton of the password is definately the reason. The user has to run the program that is sent to them, it is not run automatically.

    The program then reads the password from the drive (I'm not sure if it's encrypted at all, it may be, but obviously not enough), and sends it to the opermail account.
  • There are a lot of things you can do just from opening mail... because usually you can launch a javascript. From Javascript you can sometimes get to cookies (which store passwords) or worse. I'm not sure how this exploit works, but I wouldn't be surprised if this were the case.

    Dangers from just reading email are still mostly a hoax, but it's not a totally safe activity anymore.
  • My bad. They aren't getting passwords from OperaMail, that's just where the trojans are coming from.

    Actually, now that I think about it though, you could write a trojan that gets passwords from the IE5 "remember my password feature". Ugh. Just don't run untrusted programs.

An authority is a person who can tell you more about something than you really care to know.

Working...