Neowin.net

My good buddy Neobond informed me of this...

Looks like the LiveWire page on Creative's site has been changed, thus not allowing users to download the drivers for LiveWire. You have to "pay" for the Live! CD.... So it looks like Creative are being not too pleasant towards their users!!!

On their site it says...

For Sound Blaster Live! users, the latest updates and coolest software applications previously offered in the Live!Ware program are now conveniently packaged for you on the Sound Blaster Live! Software CD.

Driver updates will continue to be available for free download under the drivers section. However, but to obtain the latest software applications and updates, you will need to order the Sound Blaster Live! Software CD for a nominal shipping and handling fee. This CD will soon be available worldwide. Should you wish to be informed of its availability, please select your region and click the `Notify Me' button above.

The Sound Blaster Live! Software CD will contain the latest applications and drivers equivalent to Live!Ware 3.0, as detailed here. Users who already have Live!Ware 3.0 installed will not need to order this CD.

View: Creative's SoundBlaster - which used to be the LiveWire site!!!

Further investigation revealed postings to online bulletin boards regarding the incident. According to WhiteHat Security CEO and founder Jeremiah Grossman, 'site' hackers often accumulate cracked accounts. One such account obtained by the hackers had Rainman overhead -- meaning it had the ability to edit associated content. Once logged in, all that was needed for editing rights was a group ID and password. Group IDs are exposed in a URL when an attempt is made to access Rainman, making the password the only roadblock to unfettered access.

Apparently, when a hacker was signed into the compromised account, an AOL employee sent an instant message mistaking the individual for a co-worker. With slight of hand and some misdirection, the AOL employee offered up the password to Rainman, as well as the password to his wife's account. In each instance, the login for the AOL account itself was identical to the Rainman password.

The alleged hacker summed up the experience in a bulletin board posting. "I hopped on it the other day and got a message from a coworker telling me about how he uploaded the new version of the economist and found out that he also used 'my' account. To make a long story short...I told him I was locked out of my account and he gave up the password. The next day I figured I could extort the rainman password out of him and I later found out...He also gave me the rainman password for his wifes account who also has rights to those keywords. It turned out that her logon password was also the same as here Rainman password but was bound to a Securid key." (sic)

Reports indicate that a brute force style program dubbed "Rainstorm" may have been used in the attack as well. However, all indications BetaNews has received point to human error as being a principal and deciding factor.

According to Grossman, "AOL and its staff require increased enforcement of security guidelines and policies when it comes to user account security. Whether it be an internal AOL account or a user account. These types of employee disclosure incidents should be allowed to take place. If employee accounts can be compromised through such modest means, what assurances do normal users have that they won't be targeted next?"

He continued on, "Apparently, AOL account passwords, whether belonging to employees and/or users need stricter requirements. Requirements such as, password length and sophistication have been implemented in security for quite some time. Its clear AOL has a big job and should be doing a better job in protecting accounts from this style of attack," said Grossman.

Despite repeated attempts to notify AOL and obtain comment, AOL did not respond by press time.