CNN.com
COMPUTING

From...
Computerworld

AOL passwords reportedly stolen

October 15, 1999
Web posted at: 12:27 p.m. EDT (1627 GMT)

by Ann Harrison and Kathleen Ohlson

(IDG) -- A free e-mail service has been receiving complaints from AOL users that one of its subscribers is stealing AOL passwords. But a manager at the service charges that AOL has taken weeks to even begin to address a security hole that allows passwords to be stolen.

Christian Dysthe, sales manager at Gonzales, Texas-based e-mail service OperaMail, charged that AOL's customer support staff disregarded the problem when he phoned to alert them last month. He said they attributed the bug to the general lack of security on the Internet and asked for the IP addresses of the offending accounts without discussing remedial measures. "They didn't seem too worried and suggested that I go to the FBI," said Dysthe. "I said, 'Why should I go to the FBI with your problem; there is nothing I can do. Why don't you go to the FBI?'"

According to Dysthe, OperaMail has been flooded with complaints from AOL users who are opening e-mail attachments that include a Trojan horse-like virus that swipes their passwords. The password is then automatically mailed back to the malicious sender. Victims have traced the messages back to OperaMail, which is owned by Opera Software in Oslo, Norway.


Dysthe said he has responded to the complaints by shutting down the abusive OperaMail accounts and, in one case, freezing an account to preserve evidence. But he said OperaMail cannot squelch the attacker or attackers because they rapidly reopen new accounts. "I gave up," Dysthe said.

According to Dysthe, incoming messages that he has been monitoring via OperaMail logs show at least 10,000 stolen AOL passwords. But he noted that the exploit generates an e-mail each time the victim logs on, so many of those passwords could be duplicates. Dysthe added that because each OperaMail account is limited to 10M bytes, the attacker has at least two open accounts at all times to handle incoming passwords.

Dysthe said AOL finally contacted him via e-mail last week, after sending only autoresponse messages from its e-mail fraud account, to which Dysthe had reported the problem. AOL wrote that it would like to assist him, but Dysthe said the company doesn't seem eager to find a remedy. He said he sent AOL OperaMail logs of the malicious accounts, which have also been forwarded to Earthlink and other Internet service providers that seem more eager to address the issue. "It is kind of irritating since this has been going on since Sept. 28," said Dysthe.

AOL spokesman Rich D'Amato confirmed that AOL hasn't discussed remedial measures with OperaMail but insisted that the company has returned phone and e-mail messages. D'Amato said AOL is aware of attempts to steal passwords from an OperaMail drop box and has requested that the drop box be closed. He said AOL may "pursue legal remedies" and is currently investigating the matter.

"The problem's on the Internet. We make [security] information and tools available," said D'Amato, who noted that AOL offers services such as its Neighborhood Watch, which distributes information on security alerts and defensive software to AOL members. "It's our responsibility to protect our members and the larger Internet community, and we believe we do it," D'Amato said.

"It obviously is too easy to do this, and [AOL] hasn't been very responsive," Dysthe countered, who tells irate AOL subscribers to contact the company. "I just hope we can stop this. We are not a big company, and we don't have the resources to deal with thousands of AOL users."

