America Online, Inc. is the latest Net
crime victim to have the privacy of some of its 23 million members violated.
While the extent of weekend damage is unknown, the knowledge of how to
access security holes in America Online’s
spreading quickly through Internet channels.
While AOL members are assured at every point of contact that their
information is secure from potential maliciousness, a hacker with the
handle “Retired” shared information with security watchdog Observer.net about some of his exploits
at the expense of AOL’s security.
According to the Observer.net report, the core of the security breach is
at AOL’s Customer Relations Information System. CRIS is the user interface
to the main AOL database that manages all member accounts, information and
other related data.
AOL employees who need to access information use CRIS to determine a
member’s last login date, type of software used on the last login, account
status, account type, pricing and contact information. The database also
reveals a member’s full name, address, phone number, and all screen names
and passwords connected with the account.
While the database access granted to customer care consultants and support
technicians varies, AOL limits full access to CRIS to only a few hundred
After AOL’s network security was compromised in 1995, the largest online
service provider in the nation implemented a new policy designed to limit
access to CRIS. Only employees accessing the database from inside its
campus could be logged onto the internal office network, remote access as
“Retired” managed to access the supposedly secure customer database by
creating a redirect program through the Transmission Control Protocol.
AOL’s firewalls naturally block incoming TCP connection attempts, but
hackers can readily send a “trojan” program to an internal AOL server. Like
the mythical “Trojan Horse,” the program conceals the hacker’s external
access by acting like a client that is connecting to a local host server.
By editing a TCP.CCL file to connect to the localhost, the port identifying
the hacker’s computer is sent to an internal AOL “trojaned” computer, which
appears to be a completely legitimate internal connection to AOL operations
and the CRIS database.
The hacking method only works over a cable modem. After a TCP.CCL is
edited, it can connect and send commands through the cable modem, just
like AOL would send commands internally through a workstation. In order to
complete the access, AOL staffers must unwittingly download the fixed files
onto local computers inside the network.
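The mechanism described above (an inbound connection is blocked, so a planted program on an internal host opens the connection outward, which the firewall treats as an ordinary client session) is invisible to rules that only inspect inbound traffic, but it leaves a signature in outbound connection logs. The following is an added example, not code from the article or from AOL: it audits a constructed firewall log for internal hosts that connect out to an external peer on a port outside an assumed egress allowlist, that connect out to a peer whose inbound attempt was just denied, or that reconnect to the same peer repeatedly. The log format, addresses and allowlist are all assumptions made for the example.

```python
"""Egress audit over a constructed firewall connection log (added example)."""
import ipaddress
import re
from collections import Counter

# Assumed address plan for the internal network (example only).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Assumed egress policy: ports internal workstations may reach outside.
ALLOWED_EGRESS_PORTS = {25, 53, 80, 443}

# Constructed log format: "<time> <src>:<sport> -> <dst>:<dport> <proto> <allow|deny>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+) (?P<action>allow|deny)$")

# Constructed sample: a denied inbound attempt from 198.51.100.7, followed by the
# internal host 10.20.30.40 connecting out to that same peer every five minutes.
SAMPLE_LOG = """\
2000-03-04T10:01:02 10.20.30.40:41022 -> 203.0.113.10:80 tcp allow
2000-03-04T10:01:05 10.20.30.41:41023 -> 203.0.113.10:443 tcp allow
2000-03-04T10:02:11 198.51.100.7:5555 -> 10.20.30.40:5555 tcp deny
2000-03-04T10:02:30 10.20.30.40:41100 -> 198.51.100.7:5555 tcp allow
2000-03-04T10:07:30 10.20.30.40:41101 -> 198.51.100.7:5555 tcp allow
2000-03-04T10:12:30 10.20.30.40:41102 -> 198.51.100.7:5555 tcp allow
"""


def is_internal(ip_text):
    """True if the address falls inside one of the assumed internal ranges."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def audit_egress(log_text, allowed_ports=ALLOWED_EGRESS_PORTS, repeat_threshold=3):
    """Return a list of findings (tuples) for suspicious internal-to-external sessions."""
    findings = []
    denied_inbound_peers = set()   # external hosts whose inbound attempts were denied
    flagged_port = set()           # (src, dst, dport) already reported for bad port
    flagged_peer = set()           # (src, dst, dport) already reported for denied peer
    counts = Counter()             # how often each (src, dst, dport) was allowed out

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, dport = rec["src"], rec["dst"], rec["dport"]

        # Remember external peers the firewall turned away at the perimeter.
        if rec["action"] == "deny" and not is_internal(src) and is_internal(dst):
            denied_inbound_peers.add(src)
            continue

        # Only allowed sessions initiated from inside toward the outside matter here.
        if rec["action"] != "allow" or not is_internal(src) or is_internal(dst):
            continue

        key = (src, dst, dport)
        counts[key] += 1
        if dport not in allowed_ports and key not in flagged_port:
            flagged_port.add(key)
            findings.append(("unexpected_egress_port",) + key)
        if dst in denied_inbound_peers and key not in flagged_peer:
            flagged_peer.add(key)
            findings.append(("denied_inbound_then_outbound",) + key)

    # Repeated outbound sessions to one peer/port look like a program checking in.
    for key, n in counts.items():
        if n >= repeat_threshold:
            findings.append(("repeated_egress",) + key + (n,))
    return findings


if __name__ == "__main__":
    for finding in audit_egress(SAMPLE_LOG):
        print(finding)
```

On the constructed sample the audit reports the outbound session to port 5555 as outside the allowlist, ties it to the inbound attempt from the same peer that the firewall had denied seconds earlier, and flags the three reconnections as repeated egress. The same three checks are what an intrusion detection system or an egress-filtering rule set would need in order to catch the outbound half of the pattern the article describes.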
Observers.net contends that AOL could readily scan and disable both
“trojan” and viral attempts to access its networks. Observers.net further
condemned AOL, because it has had ample time to get a security fix built-in
to its networks.
Last year, AOL had Jay Satiro arrested for using a “trojan” hacking program
to prove to the online giant how easy it was to access its networks.
At the time AOL informed its members that privacy and account security are
of utmost importance to the firm and that its billing information is stored
on a different computer, separated from servers that operate its online
From its base operations in Colorado, YTCracker Labs makes a point of
defacing public, private, and institutional networks that don’t lift a
finger to keep violators out of their systems.
Orchestrated by a 17-year-old benevolent hacker, “YTCracker” has a court
date looming in his near future for defacing the
City of Colorado Springs Web site in December 1999 when he publicized its
YTCracker, who wrote the Observers.net bulletin,
said AOL’s latest network compromise is a huge security lapse
that the company could quickly remedy.
“This is really big because the guy gained access to development libraries
and access to a lot of things,” he said. “AOL’s thinking that their
firewall is impenetrable. Network operations and security needs to look at
it a little more objectively to see how they can manage internal security
and not just worry about external issues.”
YTCracker added that companies and institutions can take action to stop the
security breaches in their tracks, but few seem to take security seriously.
“This idea is not only restricted to AOL, but to any corporate Intranet or
government network,” he said. “Their systems are also at risk through
similar programs, using like methodology.
“Intrusion detection systems are able to pick this up to stop complete
access behind a firewall. If a company is set up right, it’s not a
problem,” he added. “I think AOL has gotten cocky about their security.”
Consistent with past security breaches, AOL has not commented on the latest
violation while the Web crime is under investigation.