Kuro5hin.org: technology and culture, from the trenches

Security only as good as workers....

By skim123 in News
Sun Jun 18, 2000 at 01:44:21 AM EST
Tags: Technology

Well, seems like hackers accessed some AOL accounts. No big news there, really, but it was interesting how they did it... they used an email hack, similar to the ILOVEYOU worm in that it was sent as an attachment and executed when the attachment was run. The funny thing was that this email was sent to AOL support staff! These support staff folks then ran the attachment, which sent member information to the hackers.


Hammers home a point: the entrance to the castle is only as secure as the guy operating the drawbridge. I found it somewhat amusing that AOL's tech staff (which you hope would have the sense not to run an attachment) are to blame. Oh well, stupid AOLers.

Related Links
o hackers accessed some AOL accounts


Security only as good as workers.... | 31 comments (31 topical, 0 editorial, 0 hidden)
Dumb AOLers. Don't give them attent... (1.00 / 1) (#24)
by Dolgan on Sat Jun 17, 2000 at 01:20:09 AM EST

Dolgan voted -1 on this story.

Dumb AOLers. Don't give them attention.

So what?... (none / 0) (#3)
by Pelorat on Sat Jun 17, 2000 at 02:19:53 AM EST

Pelorat voted -1 on this story.

So what?

I wanna know what they thought they... (none / 0) (#10)
by 31: on Sat Jun 17, 2000 at 02:53:44 AM EST

31: voted 0 on this story.

I wanna know what they thought they were running... that would be worth a 1 :)

-Patrick

isn't that ironic ... (none / 0) (#17)
by Peureux et anonyme on Sat Jun 17, 2000 at 03:01:23 AM EST

Peureux et anonyme voted 1 on this story.

isn't that ironic don't you think ?

MLP. More writeup.... (none / 0) (#5)
by kmself on Sat Jun 17, 2000 at 03:30:02 AM EST

kmself voted -1 on this story.

MLP. More writeup.

--
Karsten M. Self
SCO -- backgrounder on Caldera/SCO vs IBM
Support the EFF!!
There is no K5 cabal.

Every time I see a question asked a... (3.00 / 1) (#7)
by Louis_Wu on Sat Jun 17, 2000 at 03:34:57 AM EST

Louis_Wu voted 1 on this story.

Every time I see a question asked about security here or at /. I find that some of the best comments include "Security is a process, not a [insert techno-jargon], so concentrate on your implementation." It would seem that the implementation of security for an ISP (or whatever AOL is) would include making it hard to get account info in bulk. BTW, wouldn't it take certain 'inside' knowledge of the AOL user account management system to write code to do this? Was it an inside job?

Louis_Wu
"The power to tax is the power to destroy."
John Marshall, first Chief Justice of the U.S. Supreme Court

Re: Every time I see a question asked a... (none / 0) (#31)
by wozz on Mon Jun 19, 2000 at 06:25:36 AM EST

Hah, I just said something like that in an earlier comment before I saw this one. In any case, the most important aspect of security for any company, but especially for an ISP, is the security policy. You can install all the firewalls and IDSs and virus scanners and hoo-wah wizbang security products you want. If your employees don't know not to give their password to people over the phone, or not to open strange attachments, you might as well have spent the money on a comfy chair or a new car.

Even more important than the security policy is the design of the security policy. I can't tell you how many jobs I've been on where I've been asked to make a security policy. When I tell the requestor that you don't "make" a security policy, you build one with the help of all affected parties in the company, I was told they didn't have time for that. So, why bother with a security policy that may very well make no sense to those folks who should have been involved in its development but weren't? Nothing is more annoying than that. It's amazing the amount of money people will spend on security, but ask them to stop taping their passwords to their monitor, and they no longer think security is important.
OpenBSD - A Better Solution
[ Parent ]
An interesting twist on social engi... (none / 0) (#18)
by Macross on Sat Jun 17, 2000 at 03:52:55 AM EST

Macross voted 1 on this story.

An interesting twist on social engineering.

Sort of interesting, but if the tro... (none / 0) (#1)
by Fish on Sat Jun 17, 2000 at 08:55:31 AM EST

Fish voted 1 on this story.

Sort of interesting, but if the trojan opens up a connection to the author's computer, then it must be fairly easy to trace him/her?

Funny stuff. That's how support sta... (none / 0) (#13)
by jmcneill on Sat Jun 17, 2000 at 10:17:19 AM EST

jmcneill voted 1 on this story.

Funny stuff. That's how support staff are though; my ISP's phone support is terrible "reboot your computer, if that doesn't work, reset your broadband modem". Oh and then there was the time that they tried to tell me it was illegal for me to run NetBSD with their service...
``Of course it runs NetBSD.''

Ouch. That sucks for the AOL PR dep... (none / 0) (#4)
by Skippy on Sat Jun 17, 2000 at 12:54:49 PM EST

Skippy voted 0 on this story.

Ouch. That sucks for the AOL PR department big time.

Having said that, I think that the poster covered all the conversation we could have about it. Your security is only as strong as your weakest link and that's often the employee.
# I am now finished talking out my ass about things that I am not qualified to discuss. #

I do think K5 should expect a bit m... (3.00 / 1) (#9)
by Arkady on Sat Jun 17, 2000 at 01:17:27 PM EST

Arkady voted 0 on this story.

I do think K5 should expect a bit more discussion than "Oh well, stupid AOLers.", though I sympathize with the attitude. I like the news aspect of these sorts of postings, so I won't vote -1, but it'd be nice if you'd described how you'd propose AOL support and admin could prevent this sort of thing (though that's probably just "stop using AOL's mailer", so it might not be much of a discussion ... ;-).

Turning and turning in the widening gyre
The falcon cannot hear the falconer;
Things fall apart; the centre cannot hold;
Mere Anarchy is loosed upon the world.


This is a case of 'social hacking',... (none / 0) (#23)
by chipuni on Sat Jun 17, 2000 at 01:46:46 PM EST

chipuni voted -1 on this story.

This is a case of 'social hacking', the one hack that will always be around. However, this comment adds nothing new to anyone's hacker lore -- be it programming, or even breaking into computers. It just confirms that a method of hacking that's been around for thirty years is still around.
--
Perfection is not reached when nothing more can be added, but only when nothing more can be taken away.
Wisdom for short attention spans.

Allowing email-content to be execut... (none / 0) (#25)
by Bart Meerdink on Sat Jun 17, 2000 at 02:24:36 PM EST

Bart Meerdink voted 1 on this story.

Allowing email-content to be executed just like that is a serious design flaw in Windows, as has become ever more apparent over time. Maybe a Java-like sandbox model would be appropriate.

Re: Allowing email-content to be execut... (none / 0) (#30)
by wozz on Mon Jun 19, 2000 at 06:20:00 AM EST

There's a comment on this thinking in the current issue of Cryptogram (Bruce Schneier's newsletter, required reading for security folks). His basic idea was that Java's sandbox would NOT have fixed this, because this was not a case of a language failing. It was a case of an insecure feature that was designed into the program, something no language, including Java, could have solved. He was responding to comments Scott McNealy made about how such things couldn't happen if everyone used Java. The biggest problem with security today is that folks think of it as a product, when, in fact, it's a process. If AOL's security policy had something about such social engineering attacks in it, and every employee was trained on that policy, these kinds of things would happen a lot less. Cryptogram is available at www.counterpane.com.
OpenBSD - A Better Solution
[ Parent ]
hee hee, oh AOL, you so craaayzyy... (none / 0) (#14)
by reas0n on Sat Jun 17, 2000 at 03:19:14 PM EST

reas0n voted 1 on this story.

hee hee, oh AOL, you so craaayzyy

sounds like an aol bashing article.... (none / 0) (#6)
by confidential on Sat Jun 17, 2000 at 04:05:08 PM EST

confidential voted -1 on this story.

Sounds like an AOL bashing article. If you had more of a writeup, other than saying "stupid AOLers", I might 0 it, but still questionable.

This is pretty funny! Even the peop... (none / 0) (#22)
by brotherhayashi on Sat Jun 17, 2000 at 06:10:49 PM EST

brotherhayashi voted 1 on this story.

This is pretty funny! Even the people who work for AOL are lusers!

I voted zero. Here's the math: ... (none / 0) (#20)
by Denor on Sat Jun 17, 2000 at 07:14:18 PM EST

Denor voted 0 on this story.

I voted zero. Here's the math:

(-1) Won't really generate discussion beyond "Ha-ha!"
(+1) Good to see bad things happen to AOL :)
-----------------------------------------------------
(0) Total.

-Denor


-1 flamebait : `stupid AOLers' was ... (none / 0) (#12)
by robin on Sat Jun 17, 2000 at 08:33:22 PM EST

robin voted -1 on this story.

-1 flamebait : `stupid AOLers' was a bit too much
--
W.A.S.T.E. (do not antagonise the Horn)

Obviously a chain is only as strong... (none / 0) (#2)
by Inoshiro on Sat Jun 17, 2000 at 09:30:40 PM EST

Inoshiro voted 0 on this story.

Obviously a chain is only as strong as its weakest link.

--
[ イノシロ ]

AOL bashing is getting old. We all... (none / 0) (#8)
by magney on Sat Jun 17, 2000 at 11:04:01 PM EST

magney voted -1 on this story.

AOL bashing is getting old. We all know it's The ISP For Those Who Don't Know Better (or for those who can't do any better for other reasons).

Do I look like I speak for my employer?

While it's funny that AOL got naile... (none / 0) (#16)
by bigdogs on Sat Jun 17, 2000 at 11:35:44 PM EST

bigdogs voted -1 on this story.

While it's funny that AOL got nailed, the concept is old news. Security folks have been talking about social engineering for ages.

Funny & a good security reminder. B... (none / 0) (#11)
by adamsc on Sat Jun 17, 2000 at 11:55:43 PM EST

adamsc voted 0 on this story.

Funny & a good security reminder. Boring writeup.

I don't want to read stories on a s... (4.00 / 2) (#19)
by hurstdog on Sun Jun 18, 2000 at 12:18:02 AM EST

hurstdog voted -1 on this story.

I don't want to read stories on a site that runs stories with quotes like "stupid aolers". I admit they aren't my favorite section of the internet population but that service is exactly what some people need. I would not be proud to call kuro5hin one of my bookmarked sites if there were many quotes like this in its comments and stories. I believe there are much better ways of making your point. And I would have voted +1 had that quote not been in there.

Re: I don't want to read stories on a s... (none / 0) (#28)
by skim123 on Sun Jun 18, 2000 at 02:27:04 PM EST

I don't want to read stories on a site that runs stories with quotes like "stupid aolers".

The quote wasn't geared to those who use AOL. I have nothing against those people. A ton of my friends and family use AOL because AOL works for them - they are not computer literate and just want to be able to check their email/CNN.com/ESPN.com every now and then.

The comment was directed at the AOL support staff; come on, support staff running email attachments? Come on. That was the group toward whom my ire was directed.

Money is in some respects like fire; it is a very excellent servant but a terrible master.
PT Barnum


[ Parent ]
Re: I don't want to read stories on a s... (none / 0) (#29)
by hurstdog on Sun Jun 18, 2000 at 04:48:58 PM EST

Ok, I see what you mean, but then I think the quote should be "stupid AOL support staffers". Because I totally agree with you that for them to run attachments is just dumb. I work tech support and we all use pine, not just because we all use so many different computers, but because it's also safer. We just laughed when we got the ILOVEYOU attachment in the mail, since we just saw its source.

Anyway, my main gripe is just that I would like it if people picked their words more carefully, because a lot more people listen to and respect someone when you refrain from making comments on their personal intelligence. I think it also makes the site look bad when there are comments demeaning people who don't know as much about computers as some other more computer savvy persons.

=Andrew

[ Parent ]
This kind of social-engineering vul... (none / 0) (#21)
by shadowspar on Sun Jun 18, 2000 at 12:57:26 AM EST

shadowspar voted 0 on this story.

This kind of social-engineering vulnerability isn't "new" news, but if others feel it's worth discussing, we should take it up...
-- Drink Canada Dry! You might not succeed, but you'll have fun trying.

this is funny... (none / 0) (#15)
by nevyn on Sun Jun 18, 2000 at 01:40:36 AM EST

nevyn voted 1 on this story.

this is funny

re: Security only as good as workers.... (none / 0) (#26)
by aint on Sun Jun 18, 2000 at 11:51:50 AM EST

I of course agree with this statement and it applies to virtual servers too. One can have a password such as f8A(S_AFf9, yet still there will always be those with passwords like apple or susan. It would be nice if servers (Apache?) came standard with a "hack checker" that basically tried hacking into the system 24/7 through various means, such as brute force, and upon finding passwords such as spot it would either email them nicely or ban their account forever (or something in between ;). Of course this does not take into account the human factor, especially the support staff! Perhaps it could require a user to change their password every so often, OR notify them if their account has been accessed through suspicious IPs or a variety of other checks.
-- .sig -- did I overlook something? Tell me, I love to learn.
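The server-side weak-password check aint describes above, as an added example that is not code from the page, from AOL or from any Apache component: it audits stored salted PBKDF2 hashes against a small wordlist and returns the accounts to notify, using the passwords quoted in the comment. The wordlist, the account store and the low iteration count are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a real dictionary of commonly used passwords.
WEAK_WORDS = ["apple", "susan", "spot", "password", "123456"]

# Low iteration count so the demo runs quickly; a production store would use far more.
DEMO_ITERATIONS = 10_000


def hash_password(password: str, salt: bytes, iterations: int = DEMO_ITERATIONS) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest, the form in which a server stores credentials."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def audit_weak_passwords(accounts, wordlist=WEAK_WORDS, iterations=DEMO_ITERATIONS):
    """Return the usernames whose stored digest matches some word in the wordlist.

    accounts maps username -> (salt, digest). Only the stored hashes are needed,
    so the server never keeps plaintext passwords to run the audit; the per-user
    salt means the wordlist has to be re-hashed for every account.
    """
    flagged = []
    for user, (salt, digest) in accounts.items():
        for word in wordlist:
            if hmac.compare_digest(hash_password(word, salt, iterations), digest):
                flagged.append(user)
                break
    return flagged


def make_demo_accounts():
    """Constructed account store using the example passwords from the comment."""
    plaintext = {
        "alice": "f8A(S_AFf9",  # strong: not in any wordlist
        "bob": "apple",         # weak
        "carol": "susan",       # weak
        "dave": "spot",         # weak
    }
    accounts = {}
    for user, password in plaintext.items():
        salt = os.urandom(16)
        accounts[user] = (salt, hash_password(password, salt))
    return accounts


if __name__ == "__main__":
    # Accounts listed here are the ones the "email them nicely" step would contact.
    print("accounts to notify:", audit_weak_passwords(make_demo_accounts()))
```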
More thorough information on AOL's poor security (2.00 / 1) (#27)
by skim123 on Sun Jun 18, 2000 at 02:24:15 PM EST

http://www.observers.net/securecris.html

Money is in some respects like fire; it is a very excellent servant but a terrible master.
PT Barnum

