Silicon Investor (SI) -- The First Internet Community

STOCKTALK

We've detected that you're using an ad content blocking browser plug-in or feature. Ads provide a critical source of revenue to the continued operation of Silicon Investor. We ask that you disable ad blocking while on Silicon Investor in the best interests of our community. If you are not using an ad blocker but are still receiving this message, make sure your browser's tracking protection is set to the 'standard' level.

Pastimes : Computer Learning -- Ignore unavailable to you. Want to Upgrade?

To: MulhollandDrive who wrote (32003)	1/23/2003 3:11:48 PM
From: thecow	Read Replies (1) \| Respond to of 110652

34000 posts....that a lotta computer learning, tc... It will be when we get there....about 2000 more to go...we oughta be darn smart by then! tc :-)

To: MulhollandDrive who wrote (32003)	1/23/2003 3:17:23 PM
From: mr.mark	Read Replies (1) \| Respond to of 110652

you've got pain.... Security Flaw Exposes AOL Accounts By Nate Mook and Craig Newell, BetaNews The accounts of millions of AOL subscribers were jeopardized this week due to a serious flaw in the company's Web-based mail system, BetaNews has learned. The vulnerability stems from an error in one of AOL's international e-mail authentication systems, which granted users access without correctly verifying passwords. By simply entering an account name, an AOL user had the ability to read any other user's e-mail and all personal data contained therein. Private correspondence suddenly became open for public perusal, and sensitive information such as passwords and account numbers were potentially exposed to prying eyes. Although AOL plugged the security hole early Wednesday morning, it is unclear at this point how many AOL and AIM accounts have been compromised. The only accounts entirely spared from the snafu were those of AOL employees, as a SecurID code is required for such accounts, in addition to a password. While security issues are nothing new to AOL, the scope of this vulnerability and the ease with which it was executed are particularly disconcerting. Such a security breach extends beyond just e-mail and opens the door for potential identity theft. "There's two basic models of system security: Perimeter and Defense-In-Depth. Though no good system ever survives a weak perimeter, it's all too easy to suffer 'Candy Bar Security': Crunchy on the outside, soft and chewy on the inside," said Dan Kaminsky, security engineer for DoxPara Research. "Unfortunately, that's what hit AOL in this case. For whatever reason, AOL's mail servers were willing to grant access to user archives because they believed some trusted host at the perimeter had authenticated the necessary token—the password." The biggest risk lies in the connection between AOL and AIM. Because the messaging networks utilize separate databases, when an AOL account is created, an independently controlled AOL Instant Messenger account is also established with the same e-mail and password. Anyone with access to a member's e-mail can easily request a reminder of their AOL Instant Messenger password, which in most cases would also grant complete control over the AOL account. This would allow even more personal information to be accessed including addresses and phone numbers. According to reports, AIM accounts could also be hijacked by changing the password and e-mail address associated with the username. The vulnerability does not directly affect ScreenName, the unified sign-on system deployed across AOL's Web properties. However, once a password is obtained, personal information stored on any ScreenName-enabled site is potentially at risk. Major online players such as Microsoft with its Passport service, and the Liberty Alliance backed by AOL and Sun have been advocates of single sign-in technologies, where a user only needs to log in once to access numerous services. But with such a large repository of user data, security concerns become paramount. AOL has faced several major security breaches in the past, most notably in summer of 2000 when hackers were able to access the subscriber's information database that includes detailed customer records like credit card information. AOL was unavailable for comment at press time. Editor's Note: This story originally ran on BetaNews.com and appears on eWEEK with the site's permission. eweek.com