Acxiom Hacking Details Made Public
pgrote writes "As mentioned previously, the Acxiom consumer database company was compromised. More details have emerged including the background of the alleged hacker and the method used to gather access. It turns out he had access since December of 2002 and came in through an unsecured FTP server. The suspect was not a former employee of Acxiom as previously reported, but an employee of a data mining company."
There aren't many details in this, it simply says that the hacker got in through an unsecured FTP server, was arrested, and they don't think he distributed the information.
Where are the details again?
Work sucked, until it became unemployment, when it became slightly more tolerable. -Tet
At first I thought maybe this guy was a DBA or Sys Admin at the company, but an outsider? This is unacceptable for a place that stores such sensitive data.
Do they know exactly what info was taken? If so, how were the victims notified? I know if it was my info in there, I'd be pretty pissed if they didn't tell me about it.
How is it hacking if you publish it on your FTP server? I'm sure no one would call it hacking if the protocol had simply been http instead. Now, this fellow may have used the information for nefarious purposes, and if there is any law he broke in doing so, go get him. But I don't see this as hacking.
If this wasn't known since December of 2002, what cause do I have not to believe it's been happening everywhere? Being a victim hasn't affected ME yet, once it does, I'll fight the bill, get a new card number, and be on my way. This is relatively meaningless to us.
Keep going at it. Eventually, people are going to be SO PISSED at their personal data being spewed forth all over the place, there will be a terrible backlash that will make the European Data-Protection and Privacy laws seem tame enough...
Some guy probably left a windows server sending out warez on the company's bandwidth. The last time I had to deal with Windows servers (BLECH!), I found that the sysadmin was afraid to run FTP for security reasons.
As Microsoft would say, "You should've firewalled off that port."
You can't judge a book by the way it wears its hair.
Would you please stop using the word "hacker" when the proper word would be "cracker"!
You should know it better, you're Slashdot!
get
Translation from law enforcement language - this was a guy that knows what things like encryption, and ftp are. This was a guy that knows the difference between a megabyte and a megahertz. A real wizard. Be afraid.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Friends don't let friends enable ecmascript.
So you mean that this company has an open FTP account that was rooted to the files of all that material! Is it just me or does that make you not want to trust anyone?
--Matt Fisher
This more or less shows the fact that many companies have group passwords to their critical equipment instead of implementing a choke system to allow users to log in to it to show them where they can go and can't go.
Since they probably dumped the company involved and did not change any of those passwords, this guy was allowed to basically walk around at will inside the databases.
Such lax security in itself should also be criminal especially when it concerns consumer data and financial information of consumers.
As a sort of rhetorical question "once and for all", what can be done? Jeeze. You know, governance was a pretty crude endeavor in the 18th century, and the radical liberals seem to have gotten it down pretty well. Some kind of system of checks and balances has to play a role in data security (Privacy with a capital P?) just as it has done well for more than two centuries in governance, right?
Acxiom database hacked
By LINDA ROSENCRANCE
AUGUST 08, 2003
Acxiom Corp. confirmed that a computer hacker downloaded sensitive information about some of its clients' customers.
In a statement, Acxiom, a provider of data integration software based in Little Rock, Ark., said that the unauthorized access occurred as information was being exchanged between Acxiom and some of its clients via a file transfer protocol (FTP) server.
Acxiom said law enforcement officials notified the company that they don't believe any of the data was released to other parties or used for fraudulent purposes. Acxiom said it didn't know about the breach until it was contacted by an Ohio law enforcement agency last week. The company said it is continuing to cooperate with law enforcement officials.
The breach involved one FTP server outside the Acxiom firewall, the company said. No internal systems or internal databases were accessed, and there was no breach of the security firewall.
The company said only a small percentage of its clients' data was involved in the incident, and the hacker, a former employee of an Acxiom client, was arrested.
Acxiom said the person apparently gained access through the hacking of encrypted passwords.
After learning of the breach, Acxiom immediately moved to close the security gap and changed all passwords on the FTP server involved. The company is now in the process of communicating with all clients who might be potentially affected.
"Acxiom is proud of its long-standing commitment to the security of our systems and our efforts toward continuous improvements in that area, so we deeply regret this breach," said Acxiom Company Leader Charles Morgan in the statement.
Morgan said the company has begun a comprehensive review of its systems and procedures with the help of nationally renowned security experts to guard against similar incidents in the future.
No additional information about the incident was immediately available.
Source: Computerworld
This was done by an employee of a data mining company? To gather information about consumers? Hmmmm.. The RIAA been hiring some of those lately.. This could be a fun little conspiracy...
From the article:
"Acxiom is proud of its long-standing commitment to the security of our systems and our efforts toward continuous improvements in that area,"
As far as I can tell, this guy logged into an ftp server and downloaded some publicly accessible files, perhaps after breaking some simple encryption to get a password or something. Yes, that's some impressive security they have there...
Why did they have a server outside their firewall?!?
I guess they were trying to keep the article under a certain word count, because they forgot the word "alleged".
Okay, so this was probably little more than an attack against the
Now, does that mean they had all users change their passwords, or just their passwords on that server? I wonder how many of those users have the same passwords on other machines as they had on the compromised FTP server...hmm.....
Which is why their infrastructure was vulnerable to begin with? Why was their FTP server outside their firewall? Why aren't they using a firewall proxy? How about FTP servers with jails? Without more details, it's impossible to be sure, but this smells like a successful attack due to careless configuration and insecure architecture.
...is the mugshot of the guy responsible. Anyone want to start a pool on how many gallons of Bawls (and other ThinkGeek(TM) caffeinated products) this guy consumed in the 24 hours prior to his arrest??
Rate Naked People! at Fuck Meter! (Not work-safe)
Trust me, he was paid to do it.
Oh yeah? Trust me, I was paid to write this link to goatse.
You can't rule out the possibility that he's working for Al Qaeda. Think of it: if we hang him, it's one dead hacker. If we don't, he could continue working with international terrorism and kill us all! I know which option I would choose.
-- Repeat with me: "There is no right to profits".
Odd but where I come from anonymous ftp isn't hacking.. that's why it's anonymous.. if I posted confidential customer information on a website and you viewed my page did you hack me? At what point did we say anonymous web is ok, but don't try anonymous ftp even though there are plenty of anonymous ftp servers meant for public use.
Hard to hack something that is blue-screening all the time.
that have downloaded the kernel off of their ftp server.
Daniel J. Baas
-kgj
That's some incredible reporting!
When the news story first broke, we get "no personal information was released to others"
And we get that it was an insider.
And we get that "very, very little...information was compromised...", as compared to the amount of information that could have been stolen.
Specifically, we get this quote:
Source: Associated Press, 8/8/03
With one bank handling millions of customers, one of the top ten car companies handling millions of customers, one of the top 15 credit card companies handling millions of customers, what exactly is Acxiom's definition of small?
Thanks, Linda Rosencrance, linda_rosencrance@computerworld.com of Computer World, for being a mouthpiece of Acxiom, instead of actually doing a bit of reporting!
Does anyone know the address of the compromised ftp server? I'd like to check if it's still secure. Or someone else can...
For those of you who didn't read it...
There's a part about a leet haxor d00d "Krakah Jak" who attended 2600 script kid meetings etc. but was actually a paid FBI informant.
That was nifty.
Grief! Did they hack the company name too?
when they passed the income tax in 1913 that only hit the top ten percent of people. When U. Sinclair wrote The Jungle, people said that now the food industry will be cleaned up. Do you know what I ate for lunch? No, I don't either. That's what they said about Roosevelt's New Deal. Oh, Hitler smashed all the Jewish businesses? Surely now the people will deselect him. When the EPA started telling private landowners the land was public because it flooded once a year, they all said "that's great, surely we'll have a groundswell now." When the Brady Bill was passed, people said "ok now the people will really revolt." How long have we lived under the Patriot Act's extra-constitutional government now?
Face it, if you want to protect yourself there is no hope in waiting for the masses to get pissed. Just start fighting.
My first inclination was to deplore this latest breach in the handling of our most sensitive personal data by its self-appointed custodians at Acxiom. But after reflecting for a couple hours, I realize that this makes no difference at all. Is this guy in trouble just because he took the data without paying for it? I'm sure that Acxiom could have accommodated him if he had just created his own marketing firm and forked over some $$$.
"But Acxiom would never sell your most sensitive personal data! They only use it for internal modeling, aggregated statistical profiling, {cancer|AIDS} research, finding loving homes for stray kitties and puppies, etc." Or for sharing with affiliated partners, i.e. anyone who is willing to pay for it.
If Acxiom wasn't selling the information, you could still count on the DMV to sell your information to all comers.
"I wonder why do people call Outlook the best Virus Transport Protocol ever designed."
Naah... stupid people are the best protocol. Opening something that says "click me for fun" is a bit like getting ebola and going to the shops saying "oh, it's only a cold..." and infecting a truckload of people. Some people like the risk, others don't take it...
Remember, the most secure Windows installation has no modem or network card.
No. See, it's like this: practically everyone in the world associates 'hacker' with 'computer expert' and a fairly large percentage of those people also think 'nefarious' when they hear 'hacker'.
I know you really, really want your word back, but you just can't have it. The populace has kidnapped it. This is what it means now. It won't change. It's jargon anyways, so the meaning is fluid.
Hackers are computer experts who sometimes circumvent established systems, for learning or mischief. Crackers are small biscuits you eat.
If Jesus wants me it knows where to find me.
that fucker looks like he didn't sleep in a month.
If a company that handles sensitive information can't use ssh and scp, or some other secure mechanism, aren't they liable for legal action? Isn't financial data required to be protected by something equivalent to HIPAA?
Any technology distinguishable from magic is insufficiently advanced. - Geek's corollary to Clarke's law
As a former employee of one of Acxiom's customers maybe he had access to this FTP server for his work using an account that wasn't then removed. Or maybe he put a trace on FTP traffic so that he could glean the passwords of other people accessing that server. I find the use of the term "FTP" in the article confusing because it implies Acxiom has plain password access there. If Acxiom was lax with our customer data profiles they deserve a good slap on the fingers as well. Even though the FTP is on the outside of their firewall it is for use of their customers and it's probably a place where they store stuff for their clients to download.
It will be interesting to see to what extent he tried to gain access, what he did to hide his trail and what data he might have thus had access to. And in light of that what the severity of the penalty will be.
Of those to whom much is given, much is required.
The IT I am referring to is of course the obligatory: Free Daniel J. Baas websites.
I found out today that this guy is my dad's fiancée's nephew.
I've never met him, and apparently he has prior marijuana charges (just look at his pic), but from what I heard from his family, he's absolutely fucked, and is looking at spending the rest of his life in a "federal pound you in the ass prison"
The guy they arrested, Dan Baas, is my cousin. This is super funny and not the first time he's been involved in stuff like this.
But as far as confidential information goes, one of the new analysts I was training once uncovered a public FTP server with confidential reports accessible via anonymous login. This is a company that provided a service for parents with children with learning disabilities, and the letters to the parents about the children, full names, addresses, and of course the report of progress all up there for the world to see. Needless to say, this particular company was phoned immediately and told to fix that before we did the formal results report.
He probably hasn't had any sleep for the few days they held him in a bright ass cell with blaring Britney Spears music!
Cruel and Inhumane? You Bet!!!
I only look human.
My mother is a halfling and my dad is an ogre, so that makes me an Ogreling
Acxiom and its ilk usually store their databases in ridiculously freakin' huge mainframes which are often not even directly connected to the internet. It sounds to me like someone inside the company set up an FTP server, put part of the database into it, then gave the usernames/passwords out to a bunch of companies...such as the one our friend Baas worked for. All he would have had to do is ask a co-worker for the password.
Remember, clients of data companies basically just pay to buy a small part of the database.
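The two situations raised in the posts above (an anonymous login exposing confidential files, and a client account or shared password nobody ever revoked) are exactly what an FTP server's transfer log will show if anyone reads it. The following is an added example, not code from this thread or from Acxiom: it scans constructed xferlog-format records for anonymous downloads outside an assumed public directory and for downloads by accounts missing from an assumed roster of active clients.

```python
"""Audit an FTP transfer log (standard xferlog format) for two exposures
discussed in this thread: anonymous downloads of non-public paths, and
downloads by accounts that should have been deprovisioned.
Added example; the log records are constructed and the public prefix and
account roster are assumptions."""

# Directories anonymous users may read (assumption).
PUBLIC_PREFIXES = ("/pub/",)

# Accounts still entitled to log in (assumption; in practice this roster
# comes from the client list or the identity system).
ACTIVE_ACCOUNTS = {"bank1", "autoco"}

# Constructed xferlog records. Field order: 5-token date, transfer seconds,
# remote host, bytes, path, type, action flag, direction (o=out, i=in),
# access mode (a=anonymous, g=guest, r=real), user, service, auth, uid, status.
SAMPLE_XFERLOG = """\
Wed Aug  6 02:14:33 2003 3 203.0.113.7 1048576 /clients/bank1/customers.csv b _ o a ftp@example.net ftp 0 * c
Wed Aug  6 02:15:10 2003 1 203.0.113.7 2048 /pub/README.txt a _ o a ftp@example.net ftp 0 * c
Wed Aug  6 09:02:41 2003 12 198.51.100.9 5242880 /clients/autoco/leads.dat b _ o r autoco ftp 0 * c
Wed Aug  6 23:47:05 2003 8 203.0.113.7 7340032 /clients/cardco/accounts.dat b _ o r oldvendor ftp 0 * c
Wed Aug  6 23:48:00 2003 2 203.0.113.7 512 /clients/cardco/notes.txt a _ i r oldvendor ftp 0 * c
"""


def parse_xferlog_line(line):
    """Return the fields this audit needs, or None if the record is malformed.
    xferlog replaces spaces in file names with underscores, so splitting on
    whitespace is safe."""
    tok = line.split()
    if len(tok) != 18 or not tok[7].isdigit():
        return None
    return {"host": tok[6], "bytes": int(tok[7]), "path": tok[8],
            "direction": tok[11], "access": tok[12], "user": tok[13]}


def audit(log_text, public_prefixes=PUBLIC_PREFIXES, active=ACTIVE_ACCOUNTS):
    """Return (finding, user, host, path, bytes) tuples for suspicious downloads."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_xferlog_line(line)
        if rec is None or rec["direction"] != "o":
            continue  # skip malformed records and uploads; only downloads leak data
        if rec["access"] == "a" and not rec["path"].startswith(public_prefixes):
            findings.append(("anonymous-download", rec["user"], rec["host"],
                             rec["path"], rec["bytes"]))
        elif rec["access"] == "r" and rec["user"] not in active:
            findings.append(("stale-account", rec["user"], rec["host"],
                             rec["path"], rec["bytes"]))
    return findings


if __name__ == "__main__":
    for kind, user, host, path, size in audit(SAMPLE_XFERLOG):
        print(f"{kind:18} {user:18} {host:14} {size:>9} {path}")
```

Anonymous reads under the public prefix and uploads by anyone are deliberately ignored, so the output is only the two records worth a phone call.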
Prosecutor Mike Allen said...
"Businesses have to feel secure that their information stays confidential. You just can't have someone hacking into a business's confidential information," he said. "It's really no different than someone breaking into an office and stealing files."
Somebody should tell Prosecutor Mike Allen that...
Businesses have to make their information secure so that it stays confidential. You just can't leave your business' confidential information. It's really no different than someone leaving an office open to burglars who steal files.
The real hacker is Onel de Guzman of the Philippines.
He was charged with the same crime against an unnamed company on June 3, also for another April 10 offense, records show. In that case, Baas is accused of hacking into the computer database of an unnamed company and providing "personal information regarding a subject's name and home address and telephone number without the consent or permission of the owner," records show.
If a business provides (sells) this information, it's legal and considered "good business".
If an individual does the same thing, he's a criminal.
Glad we cleared that one up. Hacking is illegal, but we definitely need better laws that protect our private information here in the USA!
E V E R Y T H I N G I W R I T E I S F A L S E
I'm sorry to say it, but Americans as a group are a bunch of lazy retards. They will maybe complain about this over a beer but I bet that would be it.
I mean, non-stop telemarketing calls should be annoying enough, in my opinion.
Please, don't take this as a flame. My comrades and I aren't much different, just a little bit luckier (until we get annexed). I'm saying this as a Canadian, of course.
I run guildFTPd on my server and haven't had any problems with it even with free anonymous FTP. I recently changed the anonymous FTP so it was write only (there's now a PHP file browser pointed at it for downloading) to prevent people from linking directly to ftp://www.icarusindie.com rather than http://www.icarusindie.com/ftp/ but even before it wasn't really an issue. Most people read and play by the rules.
Ben
Work Safe Porn
If that FTP server was meant to be accessible to the outside then putting it behind a firewall would have accomplished exactly nothing. The ports to it would be open anyway and he got in through the standard FTP port.
"because they forgot the word "alleged"."
If he admitted to the crime then "alleged" is no longer needed. He just needs to try to convince people he shouldn't be punished much.
Ben
Work Safe Porn
How did the police find out about the hacking before the company? He must have been bragging about it to some government informant.
That statement was actually coined by Ben Franklin. I think his words were a little bit different, but both syntactically, intent, and meaning it was the same.
Just letting you know. The only reason I know is cause it was a good quote to use back in my debating days.
100% Crunchier
Off topic ? It was about SECURITY. It was about the fact that you are more likely get cracked while running Windows than Linux. And it was at 5 o'clock in the morning.
Seems most of the problems can be solved by using the sftp server that comes with ssh.
> my clients, and they all are running Win2003 server with IIS 6.0 and MSSQL2000, and not a SINGLE ONE has ever been hacked.
So what, I've run plenty of e-commerce sites on NT4 with thoroughly shitty patching (read: none) and have never had them hacked into. Maybe it's because it wasn't worth the time or notice for a cracker to break into the sites. Could be the same for you.
(note: I am no longer a Win admin, nor do I ever want to be one again)
Obviously you've never put them out on the 'net before, otherwise you would have been raped by now with a setup like that. Bwhwhhahha!!!
You're an idiot. You suck at life. Quit.
Cryptonomicon.Net has this story that proposes a mode of attack...