AOL security letter

Corey Bridges corey at netscape.com
Wed Jan 3 19:37:08 PST 1996 

Looks like AOL is being dragged, kicking and screaming, into the world of
security. This is a note that AOL subscribers are receiving today:

>>>>
bj:	ALERT: Password Security
Date:	95-12-31 07:27:13 EST
From:	Steve Case
Sent on:	America Online (using Stratus)

Dear Friend of America Online,

I want to raise your awareness about an issue that affects us all: the
importance of never revealing your password.

Recently there have been a few incidents where computer hackers have tried
to gain access to passwords by soliciting individuals online.  These hackers
have increased their level of sophistication so much that they have begun to
correspond in a style to make you believe they are representing America
Online.  Here's an edited excerpt from a recent e-mail attempt:


"Dear AOL Community Member:
AOL is experiencing major problems...Due to a virus that was recently
loaded...onto our main user database, containing most of our member
registration information, we are currently experiencing widespread system
failure. The problem originated...when our system was illegally breached by
a former AOL employee.
We believe the employee, who is currently being questioned by authorities,
loaded a virus into our database. Because we identified the problem quickly,
we were able to stop the problem before the entire database was deleted. 
The files that were deleted, however, happened to be the database link
files...that link a user's password and screen name to the rest of their
account. We are currently...working with McAfee Associates (Anti-Virus), to
replace the lost files...
...Some of the effects as a result of not having the database link files
include: random log-off's, AOLnet runs slower, and Email may accidentally be
deleted. These problems are MAJOR inconveniences to our users, so we need
your help to fix the problem."


The letter continues, outlining the steps you must take to keep your account
active, and awarding you free online hours for your troubles.

Sending e-mail is just one tactic.  Another approach is by using IMs
(Instant Messages), where a hacker will notice you are online and try to
pass himself off as an employee.  Hackers sometimes scan chat areas and the
member directory for screen names.

Simply put, your passwords are like items in your safety deposit box.
They're confidential.  YOU are the only person who should know your
password.  Giving someone (even unintentionally) your password -- especially
online -- is like handing over your wallet, keys, and other valuables to
complete strangers.

There is absolutely no reason why America Online would ever ask you for your
password! Be aware: NO EMPLOYEE OR REPRESENTATIVE OF AMERICA ONLINE WILL
EVER ASK YOU FOR YOUR PASSWORD, YOUR CREDIT CARD NUMBER, OR TO VERIFY YOUR
BILLING INFORMATION ONLINE.  IF THEY DO, BE SUSPICIOUS AND TAKE
ACTION--REPORT IT IMMEDIATELY.

Here are some quick steps to keep your passwords secure:

1) Immediately change your passwords (at keyword PASSWORD) to at least 6
alphanumeric characters -- combination of letters and numbers -- for all of
your sub-accounts.  Delete unused sub-accounts.
2) NEVER use your screen name, first or last name, town, street, etc. as a
password. Do not use a common word.  Add a few digits to a word, or misspell
it.  Hackers use all kinds of programs that search for common words.
3) Inform spouses, children, and others who have access to your account to
take the same safety measures, and to NEVER give out passwords.
4) Report suspicious behavior at keyword STAFFPAGER immediately.

Computer hacking on America Online is not widespread.  But it's an activity
-- and an illegal act -- which hinders our ability to conduct business and
ensure a safe online community.  

AOL will pursue all legal action and law enforcement protection within our
right to protect the security of our service.  

We also rely on our members, partners, remote community leaders, and others
with overhead accounts much like a neighborhood watch program -- to help
crush hacking, to maintain confidentiality of the simplest personal
belonging (your password), and to report activity of this kind to AOL
immediately.

If you have any questions, please discuss them with your contact at AOL.

Thank you, and have a Happy New Year.

Regards,

Steve Case


Corey Bridges
Security Documentation
Netscape Communications Corporation
home.netscape.com/people/corey
415-528-2978

More information about the cypherpunks-legacy mailing list