ICQ hack raises security concerns By Evan Hansen Staff Writer, CNET News.com

February 24, 2000, 4:00 a.m. PT

In the latest security breach affecting the popular ICQ instant messaging service, a Web consultant says his account was held hostage this week by a hacker who took over his user number and tried to pry a ransom out of the deal.

America Online, which purchased ICQ last year, confirmed that an unauthorized person this week made off with a long-time customer's password and user identification number (UIN). The company returned the UIN to the original owner today.

"I stood to lose four years' worth of business contacts," said Dale Ficken, a Webcasting consultant, who was locked out of his account for two days.

AOL spokesman Rich D'Amato said the company is investigating the incident. He said AOL does not yet know how Ficken's account was compromised. But he said this week's attack appeared to be an isolated incident and probably involved a so-called Trojan horse virus that was used to steal Ficken's password and take control of the account.

ICQ is the instant messaging Quote Snapshot AOL 59.50 +1.19

Enter symbol: 7 Symbol Lookup

More from CNET Investor Quotes delayed 20+ minutes leader, having signed up more than 60 million registered users since its launch. The service, which lets people know when friends and colleagues are available for online chats and enables a kind of electronic conversation, has inspired numerous competitors--including Microsoft, Yahoo and AOL--to create similar services.

Despite ICQ's success, the software remains highly unsecure, according to Net security experts. Just last month, for example, the security mailing list Bugtraq reported that using a link to a Web site embedded in an ICQ message creates a glitch, called a "buffer overflow," that can be used by a malicious programmer to gain control of a computer.

"There have been a number of exploits involving ICQ," said Alfred Huger, vice president of engineering at the security firm SecurityFocus.com, which lists three known ICQ exploits on its Web site, including the buffer overflow identified on Bugtraq.

In a buffer overflow, the attacker floods a field, typically an address bar, with more characters than it can accommodate. The excess characters in some cases can be run as "executable" code, effectively giving the attacker control of the computer without being constrained by security measures.

D'Amato said AOL is working to fix the buffer overflow problem. "The security of ICQ customers is a top priority," he said. He added that AOL routinely warns customers to use precautions against such security breaches, advising them to avoid downloading files from unknown sources, for example.

But according to Huger, many instant messaging users don't exercise enough caution. As a result, he said, ICQ and other instant messaging services, such as AOL Instant Messenger (AIM), are extremely vulnerable to Trojan horse viruses, so called because the virus is concealed inside an innocent-looking file that people are encouraged to download onto their computers. Once on a hard drive, the virus is free to cause any number of problems, from stealing passwords to destroying files.

Six-digit UINs like Ficken's, which were handed out in ICQ's early days, are considered hip by some hackers and have been hijacked repeatedly. Six months ago, for example, a Trojan horse virus was blamed in the theft of hundreds of ICQ passwords.

"It's pretty prevalent," Huger said.

Still, this week's heist may have been the cheekiest yet: According to Ficken, the hijacker demanded $100 to fork over the UIN.

"You want your UIN back, I want your 100 dollars," reads part of an ICQ exchange with the hijacker forwarded to CNET News.com by Ficken. "This looks like a deal. I've no reason to return your UIN you back (sic) for free."

In other messages, Ficken said, the hijacker claimed to be from Russia and to have hijacked other ICQ accounts in the past.

At one point the hacker appeared to be preparing to arrange a wire transfer for the $100 through Western Union.

Ficken said he believes this week's hijack is part of a concerted effort by a group of Russian hackers to gain control of early ICQ UINs, which started in the 100,000 set. He said ICQ's white page directory shows long strings of early UINs registered to members who appear to be the same people, all in Russia.

For example, according to the directory, a person registered in Russia going only by the first name "Alexander" and using the handles "SkyStranger," "SkyS" and "Sky" controls entries for at least seven such UINs--including the series 100,026 through 100,029.

AOL's D'Amato said the company is "aware of some attempts (to hijack UINs) coming from what appear to be Russian (Internet Protocol) addresses."

Nevertheless, he said, "This appears to be an isolated case."

http://news.cnet.com/news/0-1005-200-1556634.html?dtn.head

-- Jen Bunker (jen@bunkergroup.com), February 24, 2000