Security Watch: Don't get burned by viruses and hackers.
Why AOL users might say, "I've got spam"
By Robert Vamosi 
Senior associate editor, CNET Reviews
June 25, 2004

For years, criminal hackers (crackers) have thrown rocks at the great glass house called America Online--to no avail. AOL has successfully resisted attacks over the years as it built its tremendous subscription base. But like so many businesses today, while AOL's perimeter defenses keep outsiders out, the company hasn't done enough to keep insiders from causing just as much, if not more, damage. Last week, an employee of AOL was fired after his arrest in New York, charged with stealing the e-mail addresses of 92 million AOL subscribers. The complaint filed in court alleges that Jason Smathers, 24, whose job did not put him in contact with member e-mail lists, used another employee's ID and password to copy a list containing the e-mail address, telephone number, zip code, and type of credit card (but not the actual credit card numbers) used by AOL members. The activity occurred in April and May of 2003.

The incentive? Money, of course
The case originated when AOL began investigating spammers, using the CAN-SPAM Act of 2003. In an investigation of a group of spammers, one confessed that the addresses had come from within AOL. The spammer, who sent out solicitations for anatomical enlargement pills--you've probably gotten one or two of these pitches over the years--provided AOL with a list. AOL was able to trace it back to the stolen employee ID and password. Working with the U.S. Secret Service, AOL then identified Smathers as the one copying the lists.

Smathers allegedly sold the lists to many, for figures as high as $100,000. One purchaser is alleged to be Sean Dunaway, 21, of Las Vegas, who used the list to promote online gambling. The complaint in federal court in New York alleges that Dunaway was the broker for further spammers, hooking them up with Smathers's lists. If convicted, Smathers and Dunaway could each face fines of up to $250,000 and up to five years in prison.

AOL not alone
AOL joins a growing list of big-name companies that have withstood outside attacks only to fall victim to internal threats. Acxiom, a data profiling company, found itself the victim of a subcontractor; an employee of Market Intelligence Group allegedly stole credit reports from Acxiom customers, using data he had routine access to as part of his job.

Perhaps the most alarming case involved Omega Engineering. Fired after 11 years on the job, in 1996 a disgruntled former employee, Timothy Lloyd, used a stolen password to access the company network and send a computer "bomb" to Omega Engineering. The malicious code erased sophisticated software under contract with NASA and the U.S. military and cost the engineering company nearly $10 million in losses. Lloyd was found guilty and sentenced in 2002 to 41 months in prison.

What can be done?
The good news is that AOL apparently segregates its data across different servers. The data that Smathers allegedly stole did not include individual passwords or credit card numbers, for instance. According to the Wall Street Journal (registration required), Smathers may have obtained the lists by searching letter by letter across nearly 30 different servers.

However, as of this writing, AOL has not offered a site where AOL members can see if their e-mail address, telephone number, and zip code were sold, nor has the ISP offered any further assistance to those affected beyond a simple apology. That's unfortunate, since the stolen lists contain enough information for direct marketers to add customers to e-mail and telemarketing lists. Affected AOL members can expect to hear their phones ringing more and see their in-boxes a little fuller in the near future.

Other threats from inside the company
In addition to rogue employees, companies are also under attack from virus-infected laptops connecting inside their networks and Trojan horses installed on individual workstations that give outsiders inside access. Using that yardstick, last summer's MSBlast worm also qualifies as an inside attack. By installing personal firewalls and antivirus software on each workstation and laptop (even home computers that connect to the corporate network via VPN), companies can eliminate these dangers. Still, even these measures won't stop a determined cracker who gains employment in a company as a janitor or a temp to snoop around for vulnerable points of access.

Toward that end, companies can remove all floppy, ZIP, and CD- and DVD-burning media drives from individual workstations (making it harder for employees to copy large databases), shred all unnecessary printed documents, and physically check all book bags and purses upon leaving the company premises. I don't favor these draconian measures, but given the abuses now being reported, these procedures may become necessary to protect the corporate property--at the loss of individual rights.

Got a security question? Let me hear about it!

