Continuing Security Concerns at DoubleClick
As I write, I'm aware of two security holes in their network, which is an improvement over last night, when the number was three. Unfortunately, this does not mean they are now 33% more secure. I don't have the background to be sure exactly how significant the remaining problems are, but I'll share what I know.
Unfortunately, DoubleClick's Chief Privacy Officer was not available by press time to respond to questions. We have offered the company a chance to respond, and we hope they'll take that opportunity to clear up some questions. Meanwhile, here's their official statement on the matter as of today:
"Over the last week there have been unsuccessful attempts made to hack into DoubleClick's servers. Those situations were immediately corrected," said Jules Polonetsky, Chief Privacy Officer, DoubleClick. "DoubleClick is now undergoing a comprehensive security audit, including the expertise of external security professionals and engineers, to fully ensure the continued integrity of our servers."
Now here's the history of DoubleClick security since last week, as far as I can tell.
Kitetoa ("KITE-a-toe-a") is a group of white-hat hackers who publish together under that pseudonym. They broke the news on their website simultaneously with transfert.net, and spoke with someone at DoubleClick to make sure the company knew to patch the holes. (I left several messages to this same contact, but he did not return my calls.) They continue to update their site with more DoubleClick security news.
The first IIS vulnerability is the commonly known Unicode bug, which lets you read and write files with the same permissions as the webserver, typically "IUSR."
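As an added illustration (not code from the article, from DoubleClick or from Kitetoa), the following Python models the canonicalisation flaw behind the Unicode bug from the defender's side: the same request path checked in the flawed order of operations and in the hardened order, run over constructed sample log lines. Function names and the sample paths are my own assumptions.

```python
# Added example, not code from the article: canonicalise request paths the way a
# hardened server should, so requests of the IIS "Unicode bug" shape get flagged.
from urllib.parse import unquote_to_bytes
# Constructed log fragments ("METHOD path status"); not real DoubleClick traffic.
SAMPLE_LOG = [
    "GET /index.asp 200",
    "GET /docs/../index.asp 200",                       # plain '..', stays in root
    "GET /scripts/..%c0%af../private/backup.txt 200",   # overlong '/' (C0 AF)
    "GET /scripts/..%c1%9c../private/backup.txt 200",   # overlong '\' (C1 9C)
]

def lenient_utf8(raw: bytes):
    """Decode UTF-8 as the buggy server did: accept overlong forms, but report them."""
    out, overlong, i = [], False, 0
    while i < len(raw):
        b = raw[i]
        if b < 0x80:
            out.append(chr(b)); i += 1; continue
        n = 1 if 0xC0 <= b < 0xE0 else 2 if 0xE0 <= b < 0xF0 else 3 if 0xF0 <= b < 0xF8 else 0
        tail = raw[i + 1:i + 1 + n]
        if n == 0 or len(tail) < n or any(t & 0xC0 != 0x80 for t in tail):
            out.append("\ufffd"); i += 1; continue      # invalid lead byte or truncated
        cp = b & (0x3F >> n)                            # payload bits of the lead byte
        for t in tail:
            cp = (cp << 6) | (t & 0x3F)
        if cp < (0x80, 0x800, 0x10000)[n - 1]:          # a shorter encoding exists
            overlong = True                             # e.g. C0 AF -> U+002F '/'
        out.append(chr(cp) if cp <= 0x10FFFF else "\ufffd")
        i += 1 + n
    return "".join(out), overlong

def _escapes_root(path: str) -> bool:
    """True if resolving '.' / '..' segments climbs above the web root."""
    depth = 0
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        depth += -1 if seg == ".." else 1
        if depth < 0:
            return True
    return False

def naive_stays_in_root(request_path: str) -> bool:
    """Flawed order: resolve '..' on the percent-decoded bytes *before* decoding UTF-8."""
    text = unquote_to_bytes(request_path).decode("latin-1").replace("\\", "/")
    return not _escapes_root(text)      # an overlong '/' is just two odd bytes in a name

def canonical_path(request_path: str):
    """Hardened order: decode fully, fold '\\' to '/', resolve. -> (canon, overlong, escapes)"""
    decoded, overlong = lenient_utf8(unquote_to_bytes(request_path))
    decoded = decoded.replace("\\", "/")
    return decoded, overlong, _escapes_root(decoded)

def scan_log(lines):
    """(path, canonical form) for every request that is overlong-encoded or escapes root."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        canon, overlong, escaped = canonical_path(parts[1])
        if overlong or escaped:
            hits.append((parts[1], canon))
    return hits
```

For the two overlong sample requests `naive_stays_in_root` returns True while `canonical_path` reports both an overlong sequence and an escape above the root, which is exactly the gap the bug lived in.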
Using this vulnerability, Kitetoa discovered the second security issue, which is that someone else had compromised the DoubleClick corporate webserver at some time in the past. The file eeyehack.exe was left on www.doubleclick.net. This is a backdoor written by the white-hat hackers at eEye, which opens port 6969 for attackers to telnet in. DoubleClick assures us that eeyehack.exe could never have been executed, because that directory had script access disabled.
But I spoke with Marc Maiffret, Chief Hacking Officer of eEye (the people who brought you this port of nmap to Windows NT, by the way). He points out that the same backdoor could have been copied elsewhere, too, possibly into directories that allowed execution. I've asked DoubleClick whether they checked this; no answer at press time.
It's a separate question whether a cracker could have gotten SYSTEM level access through some other hole. With just IUSR level access, probably not much could have been done. There's no evidence that higher-level access was obtained ... but absence of evidence is not evidence of absence.
What concerns many people is that the eeyehack.exe file that was visible had a modification date of 1999. We know this date is not accurate, because the exploit that writes that file did not exist until last November. But that odd date does raise questions about how long DoubleClick's network has had these vulnerabilities.
The nightmare hypothetical is that a cracker has had access to DoubleClick's networks for the last couple of months or years, and has been reading the data they have been collecting about banner ad clicks. Or, worse, has had access to the Abacus database. Let me emphasize that I know of zero evidence that this has actually happened. But the potential for enormous privacy violations, with this company more than almost any other, is very serious.
DoubleClick assures me there is a good reason for the 1999 date on the backdoor program, but my question about it goes unanswered at press time.
The third hole is almost exactly one year old, and it allows ASP source code to be read. This alarms people because the server named AbacusOnline.DoubleClick.net was shown to be vulnerable. I verified this myself and learned the SQL passwords that go with two usernames, "gcolon" and "aowebuser."
Asked to estimate whether a determined cracker could have made use of those SQL passwords, Kitetoa guessed it was "85% certain" - for whatever that's worth.
Not that SQL passwords should have been stored in the ASP code anyway. Marc Maiffret comments, "One of the better ways to secure SQL login information, within an ASP file, would be to store all of the login information and functionality within a COM object. This is not a silver bullet solution but it does provide you with much better security than storing things in plain text in a .asp file."
Was that database accessible from outside DoubleClick's network? Not that I could tell, but I didn't try very hard. What data was in that database? Considering the wealth of data that Abacus has collected on our purchasing habits, we might justifiably be concerned about a machine named "AbacusDirect."
Again, DoubleClick denies that this is a problem, saying it was a programmer's machine which "was not connected to consumer or production data in any way." We have to trust them on that.
That's what was known as of Monday, and you may have seen that in the MSNBC story, InternetNews story, or the ZDNet story.
But the problems continue. Kitetoa has continued scanning DoubleClick's networks, and continues to turn up vulnerable servers. A half-dozen servers of unknown significance are still Unicode-able. And - let me check - yes, I can still read ASP source code on travel.doubleclick.net.
As well as www.doubleclick.net. The company said Monday that the holes had been fixed on that, their main corporate website. But as of five minutes ago, I was still able to read ASP source code on that server using the year-old exploit. (I did not see any more SQL passwords, for whatever that's worth.)
DoubleClick's Chief Privacy Officer Jules Polonetsky claimed on Monday that "Even a partial breach of a noncritical server is unusual," a claim which looks more dubious every day.
Maybe none of these servers has any valuable data on them. But to a serious cracker, breaking into them could easily have provided the necessary opportunity to reach further into DoubleClick's systems. Being inside the firewall, setting up trojans, sniffing network traffic from other machines - these are all reasons why unauthorized access of any machine must be taken very seriously.
And there's more. A security writer from transfert.net - a sort of French "Wired" - was able to snoop around one of DoubleClick's internal mail systems, webmail.doubleclick.net. It's fixed today, but he sent me a partial list of employees whose mail files were in a directory. (He could not read the mail itself, and DoubleClick denies that mail could have been, at any point, read.)
Here's the big picture. Where long-term security is concerned, process is always more important than the individual problems. We can learn more about DoubleClick's security by observing their response to security reports.
I would have hoped to see servers taken down. As Kitetoa remarked to me, "I think they should have closed all the servers for an hour or two while they fixed the problem." Or, if necessary, longer. Tough decision, but better than possibly exposing data.
I would have hoped that DoubleClick would not announce to the media that everything was fine until they actually knew that this was true. At this point, we have to trust them when they say that attackers could not have seriously compromised their data.
And I would have hoped that they would start tackling problems sooner than they did. Vulnerabilities about which they were informed last Thursday were not fixed until Monday. (The vulnerabilities themselves, of course, are not new, and some of them are a year old.)
And more vulnerabilities continue to crop up. Paranos (based in Paris) found one just by using search engines. The funny thing they found was a database of DoubleClick employees in the U.K. who attended last year's Christmas party.
Less funny is the list of people Paranos found who apparently filled out a form in conjunction with FoodTV, the "Outfit Your Kitchen Sweepstakes."
It took about two hours after I notified their PR contact of the URL before it was removed. It was stored in what appears to be a directory of backup data which was never intended to be public: http://www2.doubleclick.net/live2/chefs/foodtv-bak/form/chefs.txt.
This isn't a vulnerability, but it is indicative of the company's security process. DoubleClick should have policies in place to prohibit posting backup data on public websites; it should enforce those policies; and when it was done anyway, it should have found the leak by internal audit.
This promotion ran in 1999. Remember, kids, data you give to corporations never goes away, and may pop back up at any time!
I picked one of the phone numbers for my state and gave it a call. Kathy Bankes, the wife of one of the people on the list, answered the phone. She said she was "very leery with the computer," and then proceeded to give me a common-sense understanding of the state of security on the internet.
"They say things are supposed to be secure," she said, "but I don't care how secure anything is - if somebody knows how to get in, they're going to get in if they have the technology."
"Should we worry about it or not?" she asks. I would say yes, especially when the company that owns an enormous customer purchasing database has problem after problem with its security. Maybe I'm naive to think that privacy promises mean anything in the real world, or that crackers can be fended off by a big corporation.
When I'd expressed my surprise at all this to Kitetoa, he'd just chuckled and said, "You'd be surprised what you can find on the internet. It's all like this."
Kathy, too, was pretty sure that there were people who have all this private information anyway. She very sensibly pointed out that credit card and other personal data can be stolen in the real world just as easily as the internet.
And she answered her own question for me: "There's really nothing you can do. I don't feel secure anyways."
How long before they declare bankruptcy and we all giggle and sing nekkid in the streets that they're now gone?
---
IMHO, of course.
May the SOURCE be with you.
the text file referenced in the article (the foodTV one) is now gone, the page points to www.doubleclick.com/us .
Brant
Argle. Bargle.
This may seem redundant but wouldn't it be a point of copyright from an Internet Explorer or Netscape perspective. The act is physically done with Internet Explorer; if you violated a JavaScript patent wouldn't that be an Internet Explorer or Netscape problem. I see how violating content is wrong (e.g. cracking) but what I don't see is how someone can yell at you for manipulating with IE or NTSCP something you are given for free...
"If a man watches 3 football games in a row he should be declared legally dead" - A
With the increasing sophistication of profiling technology (and the databases that drive it), as well as the sketchiness of existing laws on the subject, it won't be long before every major company has a detailed consumer database. We complain and complain about privacy issues, but they don't know anything that we haven't made known to them. If they send us sailing magazines, it's because we clicked something somewhere to indicate that we were interested in it. We know what happens when we click those things. Everyone knows. My grandma knows.
You are being watched. Act accordingly.
Got Rhinos?
yaaagh. Bugtraq != slashdot not even en francais.
/. community.
The notion that security through obscurity doesn't work only holds up to a point. If you focus enough distributed processing power on any security problem, like, say, through posting it to slashdot, you will overwhelm and outpace the sincere efforts to patch the problem that are being undertaken by the hapless victims.
Of course you can also claim that helpful slashdotters may lend advice to DoubleClick but er.. that is not going to happen. Slashdotters might help some open source site that was being lax and got exploited, but not DoubleClick who has committed so many prior offenses against the mores of the
The unprotected consumers lose out, again.
Goat sex free since 2001
I'm not entirely sure what's so terrible about having a band of scruffy Russian hackers knowing that my last ping-pong related purchase was over six months ago, and that my operating system is "Other."
Got Rhinos?
You know there's a pretty easy way to block doubleclick. In windows edit your c:\windows\hosts file to include:
127.0.0.1 doubleclick.net
There's also the hosts file in linux that can do the same thing. No more worries about doubleclick!
My lisp instructor recently gave a keynote speech at Los Alamos entitled When are we going to get it right. The speech does a great job covering many of the security issues regarding double click and just the overall state of security on the web. Its a good watch if you have the time. You can see the whole thing in realvideo from the link above.
-gerbik
http://www.doubleclick.net:80/us/corporate/privacy/opt-out.asp?asp_object_1=&
--
I think it is necessary to regulate the harvesting and use of data related to persons or equipment persons own. It isn't fair or reasonable that any company can collect personal information (addresses, shopping habits, general whereabouts etc.) and benefit from it.
This is due to privacy concerns.
First: information is dangerous.
Second: information gives power.
Third: no one wants the ad business to get power over all our lives.
Fourth: The ad industry has a bad track record for computer security.
Example: Think what enormous amount of information is collected in various databases for one Swedish individual. Most people shop a lot using cards of different kinds. Almost everyone uses cellular phones (GSM, that is). This means that for many persons you can follow maybe 90% of the total spending and using the cellular network you can monitor the position at any time to within a hundred feet (next generation: five to ten feet).
I'm a European so my views are somewhat tilted in that direction. Some dislike some of the EU's newer regulations concerning personal information (the associated person must give his or her consent for the data to be legal and there are regulations for what information may be collected by corporations (alas, states may do as they like)).
dk_a_stacken_kth_se@foo.com Remove "@foo.com" from email, interpret the rest.
127.0.0.1 ad.doubleclick.net
DoubleClick's ad server is bound to localhost so that my browser can't view the banners. Proof that I don't care about DoubleClick. I don't really care for them, either.
"Ancillary does not mean you get to rule the world." --U.S. Circuit Judge Harry Edwards, speaking to the FCC's lawyer
Jamie, as a responsible journalist, I expect you merely forgot to mention in your article that DoubleClick is the advertiser paying most to Slashdot. Please update your article. Not everyone here knows about Slashdot's financial interest in DoubleClick.
Is it just me, or is this just another company getting hacked? So it happened to be an advertising company. Big deal. This hardly seems slashdot-worthy; web servers are compromised all the time. Most of DoubleClick's data is just IPs and lists of websites.
It isn't automatically a big conspiracy, spying on you. Do you really think that, if hackers compromised doubleclick's servers they'd be looking for your information? Well, let me tell you this: They won't. To think that they are is paranoia taken to its extremes.
So a website has a security bug or two. Why not just inform the site owners, and give them a chance to fix it, instead of proclaiming it loud and clear to the world? It seems helpful to no-one.
Just my $0.02
Michael
...another comment from Michael Tandy.
"Goodness me, how unlike the FBI to abuse the trust of the American public." -- The Onion
Why not just give me the money, for a significant amount of money I could accept to stop posting forever, and you'll save yourself the criminal trouble. Make an offer.
--
Je t'aime Stéphanie
There's one thing to say "all this information is available if you've got 5 hours to go searching for it" and it is a completely different thing to say "we've got a database full of this information on just about everyone". If it's all been compiled and stored somewhere, that is worth stealing simply because it takes 5 hours to collect this information on one person. So the doubleclick database is worth a few gazillion man hours of searching and they know things that I couldn't find out even if I tried (like stuff you answered on a survey or your answers to the purity test on TheSpark). This database is a web stalker's dream. People would pay hard cash for a breakdown of potential dating partners' interests and the like. Imagine a searchable database keyed on dress size.
How we know is more important than what we know.
I thought information was supposed to be free.
I am actually quite impressed with the journalistic merits of this article, and I'm happy that Slashdot has started putting more research into their stories.
"The question of whether a computer can think is no more interesting than that of whether a submarine can swim" -EWD
I'm continually amazed at all the parties "investigating" this problem. There's a line between checking for evidence of a vulnerability, and actually exploiting it. I'm seeing any number of people in this story going over the line, and actually compromising DoubleClick.
The first anti-profiling law we need is one that states that no company or government can make submitting a profile a condition of employment or contract. There are too many jobs now where you must submit to a personality, financial, or even a LIFESTYLE profile (security jobs often require you to submit to a lifestyle profile to ensure you are a good upper-class Christian gentleman). Just about any time you do so much as request information from a company these days you have to submit to a minor financial or employment profile.
Submitting to profiling should not be a precondition to engaging in any activity common in our society.
Over the last week there have been unsuccessful attempts made to hack into DoubleClick's servers. Those situations were immediately corrected
What, so they called the crackers and showed them how to do it right?
Sound like the end-users aren't the only ones getting the shaft...
--SC
You read fiction? I write it! Lemme know what you th
I know, some people don't prefer the cool, crisp taste of menthol cigarettes. That's their choice. But to say it's a disability? I've smoked menthols before, and I can use an editor just fine.
I'm really beginning to doubt the level of intelligence displayed here on Slashdot.
--SC
You read fiction? I write it! Lemme know what you th
Yes, and once you do this, any number of sites stop working for you and all of your users, depending on how the site is coded.
I wish there were a nice, free way to block ads that is transparent to end users and doesn't break everything. I used to use junkbuster, but it broke so many sites for people who use my computer (roommates) that I just stopped using it. Steve Gibson at GRC had a registry patch that added a bunch of web buggers to the "hostile" zone of Internet Explorer which worked pretty well, but then I don't use IE either.
Wishful thinking...
+++ ATH0 +++
is on the Board of Directors at Internet Security Systems (ISS) .... You would think that they would have thought to at least run ISS Internet Scanner against their websites or had a third party PenTest of their site in the past 2 years. It would have surely found that backdoor.
c7five
Webwasher (www.webwasher.com) does a pretty decent job. And hey, it's free!!
That, along with a cookie filter to rid the doubleclick garbage, works pretty well...
as far as i know, press time means whenever the story was (in printed media) sent off to the presses, as far as web media goes it means whenever the story was submitted. so saying someone hadn't responded by press time means he hadn't heard from them before he submitted the story.
even faster not found if you use nonexistent host on nonexistent subnet: 127.0.0.2 doubleclick doubleclick.net
Over the last week there have been unsuccessful attempts made to hack into DoubleClick's servers. Those situations were immediately corrected," said Jules Polonetsky, Chief Privacy Officer, DoubleClick.
If the attempts were unsuccessful, what needed to be corrected? If my firewall is blocking ports, people will be unsuccessful at hitting my site, and nothing needs to be corrected. I don't get it.
creation science book
You can't stop the technology. Moore's Law works for everybody. If they can see it, they can database it.
Setup a caching name server on your lan, which will improve performance anyway. Then just use dns magic to make doubleclick sites not work.
Where do you want to be, What are you doing to get there.
Just my tiny contribution to the cause...
"Rub her feet." -- L.L.
right now, one of their servers http://dartanalyzer.doubleclick.net is editable with frontpage 2000, so if you have it laying around, you can feel free to make whatever changes you want...
axe me about phat 32....
If you are only beginning to doubt, then I question your mental state... ;)
ipchains was invented for?
something like:
ipchains -A output -i eth0 -d doubleclick.net/16 -j REJECT
kind of sorts the problem out #-)
"i'm here to chew ass and kick bubble-gum. and i'm all out of bubble gum..."
Guidescope is a blocking proxy similar to Junkbuster. In fact Junkbuster recommends Guidescope in preference to their own product. It has a web interface for changing your ad and cookie blocking settings.
Guidescope uses a central database. This lets you benefit from other users' blocking choices, but then your web activity goes into another database. Hopefully they manage it better than Doubleclick does theirs. They say they reshuffle the userids frequently.
It runs on both Linux and Windows, but it isn't open source yet. They say they'll open it 8 months after the 1.0 release.