In the Belly of the Beast

by slummin

Once upon a time, in the not-so-distant past (recent enough to know that this info is correct, long enough ago to prevent a connection between this article and my leaving the company), I was a very low-level worker bee for that much-maligned "ISP" AOL.

Since I am no longer employed with AOL and have promised to only use my power for good, I have decided that a (very) small tour of (very) basic AOL security is in order.

Note that because every action performed by an AOL employee is monitored (more on that later), I was unfortunately unable to poke around too terribly much, however I can relate the basic layout of AOL's internal security.

Disclaimer:  This information is based on my own observations and conclusions, and what little info I could pull out of my managers without being flagged with OpSec.  The information contained herein is true and correct to the best of my knowledge, but if you dick around and get caught because I left out a bit, I warned you!

First off, let's define some terms: OpSec is AOL Operations Security, the (understandably) uber-paranoid department that handles, well, operations security.  This includes internal and external network and computer security.  These are the people who start sweating profusely if they find you are browsing 2600.com (will get you yelled at, at least) or reading a copy of the magazine on break (will get you red-flagged and you will win an all-expenses paid visit from your operations manager, at the very least).

Merlin is the primary AOL member information database.

This is where all the information regarding each member can be accessed and changed as need requires.  The software that runs Merlin is PegaREACH, which is distributed by Pegasystems (www.pega.com).  The interface consists of organized clickable links known as workflows, which allow the user to access specific customer management tools.

For example, the "Password Reset" workflow under the "Password Appeals" category would allow a CCC (a Customer Care Consultant; worker bee) to reset a member's password.  Access to these workflows is determined by the department you work in and your level of importance.

A worker bee gets access to only those workflows that AOL deems necessary for completion of the job.  (By the way, much fewer people would get stuck in transfer-hell if AOL would allow all their CCCs access to all the Merlin workflows.)  Merlin is the latest incarnation of a number of customer management databases that have been tried by AOL, as somebody always figures out how to compromise security.

A couple of other AOL-related items you might run into are: ESOURCE, which is touted as the central repository of data regarding policies and procedures and MSU, the Member Services University (an online worker bee training resource).

Also some departmental names and acronyms: AOL Retention is the "cancellation" department.  These pathetic creatures have a tough time, as their meaningless existence revolves around attempting to prevent the approximately 1.5 million members who call them each month from canceling; CAT is the Community Action Team, responsible for Terms of Service (ToS) violations; CARE is the billing department; FRAUD handles, erm, fraud; SUBP is related to the (dying) broadband service.

On to the good stuff: Security starts at the desktop, right?

The workstations I have had experience with were all running Windows 2000 Pro.  Each CCC is given a unique UID with which to log in.

However, password rules are pretty slack.  No less than four letters is the only rule that I am aware of.

Ctrl-Alt-Del is disabled after the initial login screen, as is most everything else.  There are several pieces of software run at login, including the desktop monitoring software, an internal messaging program called SMS, and a PowerPoint presentation that allows you to view (outdated) company announcements.

Management has the ability to globally change the desktop image of all workstations, and uses this to communicate important bits of information around the company.

Right-click seems to be suppressed in some (but not all) areas.  Either that or AOL provides consistently crappy mice to its valued workers.  For example, right-click at the desktop wasn't allowed, but right-click inside Internet Explorer was.

The Windows key on the keyboard worked, but the context-menu key usually didn't.  Access to programs was limited to PegaREACH, AOL (of course), Notepad, PowerPoint, and IE.  Access to the Control Panel and other Windows software was denied, as was access to the local drive and the command prompt (CMD.EXE).

Each CCC gets an internal AOL account, which is accessible through a standard AOL software installation.

The extra benefits that come with an internal account include the ability to send "chromed" official AOL email, and access to internal-only AOL keywords which in turn allow access to such things as ESOURCE, MSU, etc.

Apparently, somehow the AOL software has a higher level of access rights, as certain AOL internal keywords can launch external programs such as IE via a command prompt.

Authentication for the AOL internal account is a two-part process.

The first step is a standard UID/PW combo.  The second step involves using a SecurID hardware token.

These tokens and their associated authentication software are provided by RSA Security (www.rsa.com).  The hardware tokens that we used were of the keyfob type, which use an internal hash to generate a six-digit number that changes every 60 seconds.

I don't know much about cryptography and thus I was unable to determine the hash used to generate the numbers; however, I did see one set repeat, and I believe that it is somehow connected with the token's serial number, which is used to bind the SecurID to a specific internal account.

These tokens are carried by each and every CCC and are absolutely required in order to access their internal AOL account.  If an ID is lost or stolen, the only way to regain access is to have an operations manager or OpSec person re-bind your account with a fresh SecurID (which you have to pay for).
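As an added illustration (not the author's code, and not RSA's algorithm, which is proprietary), the standard RFC 6238 time-based OTP construction with the article's parameters (six digits, a new code every 60 seconds) shows how the pieces described above fit together: the fob's serial number is only a public lookup key that binds it to an account, the per-fob seed is the real secret, and the server must refuse a code once it has been accepted, so a code handed to a phony login page cannot be replayed within its minute. The account name, serial numbers and seeds below are constructed sample values.

```python
import hmac
import hashlib
import struct

PERIOD = 60   # seconds per code, as the article describes the keyfob
DIGITS = 6

def token_code(seed: bytes, unix_time: int) -> str:
    """Code displayed on the fob at unix_time (RFC 6238 TOTP construction,
    assumed here as a stand-in for RSA's proprietary SecurID algorithm)."""
    step = unix_time // PERIOD
    digest = hmac.new(seed, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

class TokenServer:
    """Authentication-server side (constructed model). The serial number is a
    public lookup key that binds a fob to an account; only the seed is secret."""
    def __init__(self, drift_steps: int = 1):
        self.bindings = {}    # account -> (serial, seed)
        self.last_step = {}   # serial -> last accepted time step (replay guard)
        self.drift_steps = drift_steps

    def bind(self, account: str, serial: str, seed: bytes) -> None:
        """Bind a fob to an account; rebinding after a lost fob replaces the
        old seed, so the old fob's codes stop validating immediately."""
        self.bindings[account] = (serial, seed)
        self.last_step.setdefault(serial, -1)

    def verify(self, account: str, code: str, unix_time: int) -> bool:
        if account not in self.bindings:
            return False
        serial, seed = self.bindings[account]
        now = unix_time // PERIOD
        # Tolerate a little clock drift between fob and server, but never
        # accept a time step that has already been consumed: a code phished
        # and submitted a second time within the same minute is rejected.
        for step in range(now - self.drift_steps, now + self.drift_steps + 1):
            if step <= self.last_step[serial]:
                continue
            if hmac.compare_digest(token_code(seed, step * PERIOD), code):
                self.last_step[serial] = step
                return True
        return False
```

With the RFC 4226/6238 test seed `12345678901234567890`, the first two 60-second steps display `755224` and `287082`, which matches the published HOTP vectors for counters 0 and 1.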

Merlin is accessed through the same UID/PW/SecurID procedure that is used to access the CCC's internal AOL account.  In fact, the master screen name and password used to access the internal AOL account is the UID/PW for Merlin login.  Also embedded in Merlin is the Computer-Telephony Interface (CTI) that allows access to the phones, handles call routing, etc.  Each CCC has a unique "teleset number" that identifies the CCC and allows supervisors and managers to listen to calls, watch what the CCC is doing on the computer, etc.  The phone is an Avaya 4324 and uses VoIP for call routing.

What makes this whole setup interesting is that access to this data is now limited only to computers whose IPs are registered as part of the AOL internal network.  All AOL internal sites, as well as outsourced call-centers, have to have their workstation IPs registered with OpSec or within a specific range.

In fact, many (outsourced) call centers have workstations that are set aside for use only by AOL CCCs.  They are physically and topologically separate from the regular company network.  Company managers who need access to both the AOL internal network and their company network have to have two workstations on their desk, one for each network.

What this means is that while I can access my AOL internal account from my home PC with my UID/PW/SecurID combination, I cannot access the internal-only keywords or office.aol.com webpages.

Lastly, we come to building security.

The building where I worked was under 24-hour-a-day lockdown.  Access was provided through a standard mag card.  The main external door (employee entrance) was set up with sensors that would detect if more than one person was attempting to enter on a single card swipe, and would forcibly eject both people if that happened.

Access to the (interior) break area, smoker's lounge, and various departments such as HR and comms areas was also controlled by mag card locks.

In fact, the only door that was open to the public led directly to security, where a 24-hour-a-day armed guard awaited them.

Non-employees were only allowed into the lobby/security and HR areas.  Visitors required registration, a visitor badge, and an escort at all times.  Access out of the building was also mag card controlled, so security, operations, etc. can see every move that their worker bees make.  Plus, if your mag card gets screwed up while you are in the building, you are screwed as you cannot get out!

In such a situation, you would have to phone security (as you can't get to the security desk without your mag card) and have them manually let you out of the building.

So, with all this physical and electronic security, where is the weak spot?  As it usually is, the weak point is the human element.

AOL has been and remains a very productive phishing ground... and apparently despite all of OpSec's efforts to the contrary, internal AOL employees are still blithely turning over their usernames and passwords to phony web pages that seem to be internal AOL pages.

During my tenure as an AOL employee I saw a new "scam alert" posted on ESOURCE every couple of weeks.  Frequently, a new email would float around promising pay or incentive increases, more paid time off, or a special prize or award in order to get internal employees to turn over their usernames and passwords.

Despite countless warnings and "uptraining" seminars, despite an entire training module dedicated to social engineering (how to spot it and avoid getting tricked), people still are getting tricked!  Is this a statement about the people AOL is hiring, their training practices, or what?

On a related note, I picked up on two security flaws during my tenure at AOL, both of which were completely ignored after I reported them.

The first has to do with the testing system that HR used to test new employees.  The test was web-based and used the applicant's Social Security Number (SSN) as an identifier.

The workstations were using IE and auto-complete was turned on, so that once you typed the first number of your SSN, everyone else's SSN who used that workstation appeared in a drop-down.  Same with name, address, and phone number.

When I first applied, I asked the HR manager to correct that breach of other people's privacy, but I checked on it the day that I left the company and nothing had changed.

The second issue deals with the fact that in many cases the Merlin software automatically generates an email to the member with whom you are speaking.  The software automatically attaches the CCC's screen name as the FROM: address.  I didn't realize this until after I left the company, but if you were interested in gathering up a bunch of internal account screen names, from low-level worker bees who might be easily fooled, simply sign up for a free trial of AOL.

During the trial, make several calls to the retention department, citing different cancellation reasons.  It is a long process, but if you let each CCC talk you into staying with AOL, you will get an email from them - instant internal account username for each call you make!

Well, I hope this has given you an interesting picture of the way things work inside AOL.

Maybe some other people who have perhaps more or different experiences with the company would care to write a companion article illustrating some specifics about network layout or other aspects of the company's operation.

Shout outs to all the worker bees slaving away under AOL's giant iron fist.  Don't give up, there is life after AOL!
