---

Mitnick’s abilities spooked the judge assigned to his case. The judge’s move to physically separate him from any person he could “influence” is a tremendous validation for the threat of social engineering, or the ability to prey on people’s trust of others. Mitnick had used social engineering to hack into computer systems as valuable as those housed at the U.S. National Security Council. Simply put, social engineering encompasses varied methods a hacker uses to pretend to be an authorized user of the network. Social engineering can occur through many methods, including online, telephone and even by physically impersonating an individual in the office.



The hack involves tricking an AOL employee into accepting a file using Instant Messenger or uploading a Trojan horse to an AOL file library. When the file is executed, the Trojan horse connects the user who launched it to an Internet relay chat server, which the hacker can use to issue commands on the targeted machine. This allows the hacker to enter the internal AOL network and the Merlin application.

Merlin requires a user ID, two passwords and a SecurID code, all of which hackers obtain by spamming the AOL employee database with phony security updates, through online password trades, or by "social engineering" attacks over IM or the telephone.

The hacker who first used this exploit is said to be a 14-year-old boy. (He could not be reached for comment.)

Another recent exploit reportedly allowed anyone to log in to any account with a password, using a hole in AOL's Japanese Webmail portal. That flaw has since been repaired.

Yet another hole has allowed hackers to steal AOL Instant Messenger screen names, even those of AOL staff members and executives.

Most at risk are screen names that hackers covet, like Graffiti, or single-word names like Steve. Also at risk are internal AOL accounts like TOSGeneral, which is used to monitor abuse reports.

While many of these hacks utilize programming bugs, most hackers are finding it far easier and quicker to get access or information simply by calling the company on the phone.

These so-called social engineering tactics involve calling AOL customer support centers and simply asking to have a given user's password reset. Logging in with the new password gives the intruder full access to the account.

In a telephone interview, two hackers using the handles Dan and Cam0 explained that security measures (such as verifying the last four digits of a credit card number) can be bypassed by mumbling.

A third hacker, using the name hakrobatik, confirmed the mumbling method.

"I kept calling and pretending I just had jaw surgery and mumbling gibberish," hakrobatik said. "At first I had no info except the screen name, then I called and got the first name and last name by saying, 'Could you repeat what I just said?' Then each time that I got information I called back making the real information understandable, and everything else I just mumbled."

In the end, hakrobatik said, service reps he talked to got so frustrated having to ask him to repeat information that they'd give up and reset the password. Hakrobatik later proved he could compromise any AOL account armed only with its screen name.