Slashdot Mirror


Acxiom Hacking Details Made Public

pgrote writes "As mentioned previously, the Acxiom consumer database company was compromised. More details have emerged including the background of the alleged hacker and the method used to gather access. It turns out he had access since December of 2002 and came in through an unsecured FTP server. The suspect was not a former employee of Acxiom as previously reported, but an employee of a data mining company."

4 of 142 comments

  1. Re:Question by rritterson · · Score: 4, Informative

    According to one of the articles, he broke the encryption on the passwords used to log in to the FTP server. I call that cracking, which would be labeled hacking in the general lexicon.

    --
    -Ryan
    AUWYHSTOT (Acronyms are Useless When You Have to Spell Them Out Too)
  2. Disturbing by Bruha · · Score: 5, Informative

    This more or less shows the fact that many companies have group passwords to their critical equipment instead of implementing a choke system to allow users to log into it to show them where they can go and can't go.

    Since they probably dumped the company involved and not changed any of those passwords then this guy was allowed to basically walk around at will inside the databases.

    Such lax security in itself should also be criminal especially when it concerns consumer data and financial information of consumers.

  3. Re:ftp server? by jericho4.0 · · Score: 4, Informative

    Being afraid to run FTP for security reasons is valid on any platform. The list of breaches on various FTP servers is long.

    Still, I'd much rather be running an open source FTP server than some of those weak Windows versions.

    --
    "A language that doesn't affect the way you think about programming, is not worth knowing" - Alan Perlis
  4. Re:Question by Vinson+Massif · · Score: 3, Informative

    "When was the last time you saw a FTP-server that allowed to download its own password-file ? 1990 ?"

    Not an admin, eh?

    Many _default_ non-anonymous ftp services on unix|unix-like systems that I have dealt (recently) with allow the ftp user the same access rights to the entire tree as their uid:gid is allowed. So, on a system w/o shadow passwords, cd /etc; get passwd; is all that's needed to get started. (grr ./ eats spaces...)

    BTW, shadow passwording has the Achilles heel of file security. I have dealt with systems where the file security of these files had been compromised to solve some silly need.

    --
    "Remember, any tool can be the right tool." -- Red Green
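
Added example, not part of the thread or the linked articles: a defender-side audit for the two conditions the last comment describes, password hashes left in a world-readable passwd file and a shadow file whose permissions have been loosened. The sample entries, the function names and the 0644 mode are constructed for illustration; group read on the shadow file is not flagged because some distributions grant it to a dedicated group.

```python
import os
import stat
import tempfile

# Constructed sample in passwd(5) layout: name:password:uid:gid:gecos:home:shell
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
ftpuser:ab1Xy9QzLm3No:1001:1001:constructed legacy hash:/home/ftpuser:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
guest::1002:1002:constructed empty password:/home/guest:/bin/sh
"""

def unshadowed_accounts(passwd_text):
    """Return (user, reason) for entries whose password field is exposed."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((fields[0], "malformed entry"))
            continue
        user, pw = fields[0], fields[1]
        if pw == "":
            findings.append((user, "empty password field"))
        elif pw != "x" and not pw.startswith(("!", "*")):
            # Anything else is a hash that every local or FTP user can read.
            findings.append((user, "hash stored in world-readable passwd"))
    return findings

def shadow_mode_problems(path):
    """Flag mode bits that let non-root users read or alter the shadow file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    problems = []
    if mode & stat.S_IROTH:
        problems.append("world-readable")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or others")
    return problems

def demo():
    """Run both checks on constructed data, without touching real system files."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"root:!:19000:0:99999:7:::\n")
    try:
        os.chmod(f.name, 0o644)  # constructed misconfiguration
        return unshadowed_accounts(SAMPLE_PASSWD), shadow_mode_problems(f.name)
    finally:
        os.unlink(f.name)

if __name__ == "__main__":
    print(demo())
```

On a real host the same two functions can be pointed at the contents of /etc/passwd and the path /etc/shadow, run as root.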