Subj: Supid Guides
Date: 95-09-20 20:07:12 EDT
From: XBurN OuTx
To: LatexSperm, O viVid O, ClifJmpr, CMDialog22
To: BlooodKlot, Rad Luvs U, KiLLJ0Y 69, Zz ZeR0 zZ
To: XBurN OuTx, NOODLES282, SMurphy917, AAtrumpet1
To: J M BEVAN, BassWalker, HeyItsForm, Phuzzz6275
To: LThomas165, KWagner125, Temp 5000

Date: Mon, Sep 4, 1995 1:01 EST
From: Rhbehrenst
Subj: Hacking of TOSAdvisor 95-09-03
To: PHYPOLITE
cc: Rhbehrenst, CBlackmore
Posted on: America Online (using WAOL 2.5)

Pete,

The situation started at 18:16 when I received mail from Guide Fox at Zen Tos which stated:

"We have a guide with a possible hacked account, that was just signed online, and now it is the guide online (I know, he's sitting behind me) He is being IM'd by a screenname "Security" Is this name legit?"

I looked up the Security account and saw that it was internal and IMed guide fox asking for more info. The following is that conversation:

Guide FOX: Here's what happened...Derek tried to sign on and his account was already signed on and in a private room....I IM'd him to see if I got an answer and boom the guy signed off...Derek got on on his name and the Security guy IM'd him to ask what happened...
Guide FOX: Now I'm getting pagers about someone hacking a guide account & being in private room "MacWarez" :/
Zen TOS: what is the guides screen name?
Guide FOX: Guide WOW
Zen TOS: is guide wow signed on now ?
Guide FOX: Yes.
Zen TOS: has he changed the passwords?
Guide FOX: Not yet.
Zen TOS: make sure that he does or i will have to can the account ....
Guide FOX: Yeah, he will....
Zen TOS: were there any screen names mentioned in the pager from macwarez?
Guide FOX: Guide WOW & Security, the pager was sent from DHacker2
Zen TOS: Was security in macwarez?
Guide FOX: That's what I understood.
Zen TOS: Did guide wow see security in mac warez?
Guide FOX: No, he was just IMing him. He was in a private room but not in there....he's offline now.
Zen TOS: does he have a log of the chat ?
Guide FOX: No, it happened right as he signed online. :( I did see it happen tho ;/
Zen TOS: what did security say to the best of your recollection?
Guide FOX: Exactly what he said is "What happened? Where'd you go?" Derek thought it was a legit name, he said "I just got my account hacked" Security said "Oh, I see." and he never IM'd back
Zen TOS: okk thanks i will be in touch :)
Guide FOX: Okie. Man, I don't need this :/

During this conversation we began to look into the histories of TOSAdvisor, Security, and Guidewow. This is when we noticed that all accounts had their password info accessed by Tosadvisor. The times the accounts were accessed are: Steve Case-1500, GuideWow-1603 and Security-1609. We asked Jack if he had been on Tosadvisor and he said he had been on it from 14:30-16:30 and had only signed off for a short time to switch computers and had not taken any breaks so no one else had access to the account during this time.

At this point I called NOC and talked with Pete Silva and told him everything that we knew; he said he would look into it. I then tried to call Kim and also paged her. There was no answer at her house and she did not call us. Pam then called Charles and he came in (he arrived around 19:30). When Charles came in he changed all the TOS accounts' passwords. We talked with Pete at NOC a few more times but found nothing else out about who had done this or for sure how it was accomplished.

Things settled down a bit and then Jack (who was signed on to TOSAdvisor) received an IM from TOSAdvisor which stated:

TOSAdvisor: nevermind i'm going to warez or something

This IM was received sometime between 20:30 and 21:00. I promptly called NOC and talked with Pete, I told him what was going on and we also called Charles over to look at it also. Pete hung up to see what he could find out and in a few minutes called back and set up a conference call with several other people that had been working on the cloaking and morphing problems.
This call lasted for almost an hour and during this call at 21:31 I sent them a copy of the IM. I explained in detail both situations and near the end of the conversation was asked for your phone number which I looked up on your account and gave to them.

This is basically what happened to the best of my recollection. I am also sending you all the mail and IMs regarding this situation. If you have any further questions or comments you will see me at work or you can call me at home or page me at 703-612-2409.

Regards,
Rob Behrenst