Hi Mark,

Mark Medici wrote:

*snip*

> My questions are:
>
> a.) Is there any way to use AOL without opening a tunnel for unknown
>     and unmonitored external traffic?  I.e., are all the features of
>     AOL (e-mail, AOL-only content, etc...) available using only a
>     web browser?

In other words, can you replace certain parts of AOL's functionality with programs of your own? AOL used to publish an SDK for their software many moons ago, but trashed it when they found out people were abusing it. Since then, they've jealously guarded their APIs. I don't see nearly as many hacks on the actual software as I used to see, as AOL has actually made progress in patching some of their holes (it used to be much worse than it is now). Primarily, these days the wanna-be hackers usually send people fraudulent emails directing them to a faked website, which then downloads the phreak/trojan/virus/whatever to their boxen (since AOL uses IE by default, it's a lot easier to hack IE than AOL these days).

> b.) Am I correct in believing that only the AOL client poses a risk,
>     or does the AIM instant messenger client also pose a risk?  I
>     run AIM on my machines, and don't see any unexpected routes or
>     network interfaces.

If it's connected to a network, there's always a potential risk. There was an AIM exploit published not that long ago on Bugtraq (sorry, don't remember the number).

> c.) The CERT/CC report says it has documented incidents of CodeRed
>     and Nimda propagating through AOL's VPN tunnel.  I assume that
>     this happened via http, but what other ports are open between
>     users (or are they ALL open!)?

Between users? I don't think there are any open between users. But from what I can tell, once you're signed in to AOL, it's just as if you had a full connection to the Internet, with all the risks inherent in that. In other words, you'd damn well better have personal firewall software running when you sign on, because You're On The Net, Dude :)

I'll say this though: depending on the version of AOL, there are a varying number of listening ports open on your machine, some of which include netbios ports, and in AOL 5 and up, the kernel.

> I'm not entirely assured by the fact that Tyler couldn't access shares
> across the AOL-VPN.  I expect that AOL unbinds file and printer sharing
> from the AOL Network Adapter, and hopefully blocks them with a firewall
> or router filters as well.  But what about other tests?  For example,
> can I PING through the tunnel?  Can I run pcAnywhere through the tunnel?

I've been able to run any TCP/IP program I like on my PC once I'm on AOL. I've also had scans hit me from everything, from netbus to nimda. AFAIK, AOL does not protect the user from the Internet. You have to do that yourself.

> Has anyone tried mapping the tunnel to see what AOL lets through?  I am
> already concerned about the hole, but would be very concerned if it
> turns out that AOL leaves the tunnel wide open to any and all traffic
> between users.

You have a full connection to the Internet when signed on to AOL. You have no default protection from anything on the Internet when using AOL. I've been using AOL for 8-plus years, trust me when I say that your a$$ is blowin' in the wind when you're using AOL :/

I'm going to have to read up on what this tunnel thing is, can you remind me of the link to this report?

> It also doesn't seem like it would be too difficult for AOL to firewall
> traffic between users.  I wonder if Tyler's test failed because AOL's
> already started doing just that?

I don't think so. In fact, the great majority of crack/hack scans I see come from other IPs in AOL's IP block - so either people are readily spoofing AOL's IPs, or lots of hackers use AOL to launch probes and scans.

-UMus B. KidN