FRAMINGHAM (06/21/2000) - Customer service representatives at the world's largest consumer online service apparently failed to heed a computer security warning impressed upon the public in recent months: Don't open suspicious e-mail attachments.
America Online Inc. acknowledged Tuesday that 200 member accounts were compromised when targeted AOL employees opened infected e-mail attachments. The attachments unleashed a Trojan horse program that created a connection to employees' machines, allowing intruders to access password and credit-card information.
Observers.net, a site frequented by current and former AOL employees that first reported the security breach, asserts that the exploit has given crackers root access to AOL's Unix servers, allowing them to create back doors to customer data. The site claims that the hole could be used to steal thousands of credit-card numbers.
AOL spokesperson Rich D'Amato, who said the company is investigating the incident, expressed frustration that employees have failed to shield AOL's 23 million customers from security breaches. "We spend a great deal of time messaging our employees and our members that they need to take care in not downloading attachments that come from senders unexpectedly," said D'Amato. "We even put out alerts to people, but obviously a lot of what we do occurs via e-mail."
Some outside security experts said lax control over company desktops also helped intruders gain entry into AOL's internal network. Crackers targeted AOL employees with access to the company's Customer Records Information System (CRIS) to open the gate. CRIS is the user interface to the main AOL database that contains customer information, credit-card data and passwords that allow the theft of screen names.
"Obviously AOL needs to do a better job at securing their desktops and not allow certain applications such as e-mail to be run from the same desktops that people use to connect to internal systems," said Elias Levy, chief technology office at San Mateo-based securityfocus.com. "It shows that your firewall is not going to be a solution that stops all security problems. AOL had security measures in place to keep (outsiders) from accessing certain systems unless they were on the local network, and by using this (Trojan horse) technology, (crackers) were able to bypass that."
In an account which D'Amato didn't dispute, Observers.net described how the Trojan horse used a TCP-redirect program capable of defeating firewalls that block incoming Transmission Control Protocol (TCP) connections. When the Trojan horse is triggered by an AOL employee with access to the internal network, the software acts like a client and attempts to connect to the company's servers.
The TCP redirect program makes the AOL servers believe the intruder is on the internal network.
"You edit your tcp.ccl file to connect to localhost," explained an Observer.net participant named "Retired," who said TCP packets are then sent from the invading computer to the internal Trojaned computer. The Trojaned computer opens a connection to Americaonline.aol.com and acts as an intermediary, allowing CRIS access. Retired said CRIS can be accessed without a special account by having the tcp.ccl file connect to a cable modem, which can't be traced to the attacker's computer. The cable modem then relays commands to the Trojan on the AOL employee's workstation.
Because the AOL servers believe the intruder is dialing in from "On Campus," they don't trigger a security setting called SecurID preferences, which Retired said is often set to "Challenge Off Campus Only." This allows an intruder to sign on without the use of a SecurID key. D'Amato confirmed that in an effort to stop intruders from logging on to internal accounts and accessing CRIS, AOL is resetting all internal SecurID preferences to "Challenge Always."