Habeeb Dihu chose the name “MacGyver” for his America Online instant messaging account because, like the TV detective, he was adept at tinkering with equipment. But on Feb. 8 the Chicago computer security consultant encountered a problem even the real MacGyver would have a hard time solving.
“I suddenly got a message saying my screen name was being logged off of AOL Instant Messenger because I’d logged in elsewhere,” he says. Two weeks had passed since AOL said it had plugged a security hole which allowed unauthorized access to AOL Instant Messenger (AIM) accounts, but someone was demonstrating that the hole was still open — and had claimed Dihu’s account.
For the next 17 days, Dihu, a senior principal at Diamond Technology Partners, confronted this fraudulent “MacGyver,” who identified himself as a teenage hacker. Dihu opened another AIM account and messaged his own MacGyver screen name, only to receive a reply moments later, which he says included the screen name of a friend whose messages the account thief had apparently received.
Dihu complains that he spent several hours on the phone with AOL support staffers trying to get his AIM identity restored — but to no avail. Making the situation worse: Dihu was consulting with major automakers on a deal for a new Web site. “It’s already causing chaos for me,” he lamented at the time, “as my business and personal associates try to reach me via my I.D., only to have the hacker politely respond.”
In late February TangentX, the hacker who first publicized the security hole, said via e-mail that the original hole that allowed people to take over others’ AIM accounts had “never stopped working.” But he declined to demonstrate it. “The AIM hack still works,” a second hacker added. Even the unauthorized holder of the MacGyver account, whom I messaged after Dihu had alerted me to his troubles, boasted of stealing other AIM identities.
The half-dozen calls I’ve made to AOL over the last month have gone unanswered. AOL spokespeople said they didn’t want to comment until they had spoken to Dihu directly. But Elias Levy, chief technology officer at SecurityFocus.Com, says that security holes often remain open after companies deploy patches. “It’s not unusual for a company to fix a problem and not fix it at its root. And then hackers find a way to go around the fix.”
Meanwhile, Dihu found that, unlike MacGyver, his technical expertise couldn’t bail him out. “I work with all sorts of organizations to assist them with their security,” he says, “but it’s irrelevant when you’re confronted with an outside force you can’t control, who won’t work with you to correct these things when they occur.” SecurityFocus’ Levy echoed his concerns. When asked what AIM users can do in a situation like this, he replied “Not much, really. It’s all in the hands of AOL to fix the software.”
Dihu even resorted to asking the thief in control of his account, “Now that you’ve proven your point, mind turning it back over?”
“Nope … Sorry,” came the reply. “Too much of a priceless name.”
Finally, after I had alerted the public relations office to the problem with all my calls seeking comment, AOL spokesman Rich D’Amato called Dihu on Feb. 25 to say the MacGyver account had been returned to him and “locked” to his e-mail address. “When I asked him if they found out what it was,” recalls Dihu, “he said they weren’t quite sure what happened, and that they were still looking into it.” Dihu is happy to have the account back, but he’s still not sure why TV’s MacGyver can disarm a missile with a paperclip, but despite his technical prowess he couldn’t hold onto his AOL Instant Messenger account.