Acxiom Hacking Details Made Public
pgrote writes "As mentioned previously, the Acxiom consumer database company was compromised. More details have emerged, including the background of the alleged hacker and the method used to gain access. It turns out he had access since December of 2002 and came in through an unsecured FTP server. The suspect was not a former employee of Acxiom, as previously reported, but an employee of a data mining company."
 ________________
< I hax0r3d j00! >
 ----------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
There aren't many details in this, it simply says that the hacker got in through an unsecured FTP server, was arrested, and they don't think he distributed the information.
Where are the details again?
Work sucked, until it became unemployment, when it became slightly more tolerable. -Tet
Your little sister's cooter.
At first I thought maybe this guy was a DBA or Sys Admin at the company, but an outsider? This is unacceptable for a place that stores such sensitive data.
And he was paid good money to do it. These types of operations are more covert than any CIA operation for the simple fact of legal liability. Trust me, he was paid to do it.
Do they know exactly what info was taken? If so, how were the victims notified? I know if it was my info in there, I'd be pretty pissed if they didn't tell me about it.
How is it hacking if you publish it on your FTP server? I'm sure no one would call it hacking if the protocol had simply been http instead. Now, this fellow may have used the information for nefarious purposes, and if there is any law he broke in doing so, go get him. But I don't see this as hacking.
If this wasn't known since December of 2002, what cause do I have not to believe it's been happening everywhere? Being a victim hasn't affected ME yet, once it does, I'll fight the bill, get a new card number, and be on my way. This is relatively meaningless to us.
Keep going at it. Eventually, people are going to be SO PISSED at their personal data being spewed forth all over the place, there will be a terrible backlash that will make the European Data-Protection and Privacy laws seem tame enough...
Some guy probably left a windows server sending out warez on the company's bandwidth. The last time I had to deal with Windows servers (BLECH!), I found that the sysadmin was afraid to run FTP for security reasons.
As Microsoft would say, "You should've firewalled off that port."
You can't judge a book by the way it wears its hair.
Would you please stop using the word "hacker" when the proper word would be "cracker"!
You should know it better, you're Slashdot!
You should all get your daily dose of The Jargon File and learn the terminology.
You're a faggot, and your mom and dad probably are raging homosexuals, too. Faggots like you will never amount to anything. Go kill yourself you stupid bitch. Suck my dick and fucking like it.
Translation from law enforcement language - this was a guy that knows what things like encryption, and ftp are. This was a guy that knows the difference between a megabyte and a megahertz. A real wizard. Be afraid.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Friends don't let friends enable ecmascript.
So you mean that this company had an open FTP account that was rooted to the files of all that material! Is it just me, or does that make you not want to trust anyone?
--Matt Fisher
This more or less shows the fact that many companies have group passwords to their critical equipment instead of implementing a choke system to allow users to log in to it and show them where they can and can't go.
Since they probably dumped the company involved and did not change any of those passwords, this guy was allowed to basically walk around at will inside the databases.
Such lax security in itself should also be criminal, especially when it concerns consumer data and financial information of consumers.
As a sort of rhetorical question "once and for all", what can be done? Jeeze. You know, governance was a pretty crude endeavor in the 18th century, and the radical liberals seem to have gotten it down pretty well. Some kind of system of checks and balances has to play a role in data security (Privacy with a capital P?) just as it has done well for more than two centuries in governance, right?
Acxiom database hacked
By LINDA ROSENCRANCE
AUGUST 08, 2003
Acxiom Corp. confirmed that a computer hacker downloaded sensitive information about some of its clients' customers.
In a statement, Acxiom, a provider of data integration software based in Little Rock, Ark., said that the unauthorized access occurred as information was being exchanged between Acxiom and some of its clients via a file transfer protocol (FTP) server.
Acxiom said law enforcement officials notified the company that they don't believe any of the data was released to other parties or used for fraudulent purposes. Acxiom said it didn't know about the breach until it was contacted by an Ohio law enforcement agency last week. The company said it is continuing to cooperate with law enforcement officials.
The breach involved one FTP server outside the Acxiom firewall, the company said. No internal systems or internal databases were accessed, and there was no breach of the security firewall.
The company said only a small percentage of its clients' data was involved in the incident, and the hacker, a former employee of an Acxiom client, was arrested.
According to law enforcement officials, the person arrested had buttsex with Micheal "overated" simms. Acxiom said the person apparently gained access through the hacking of encrypted passwords.
After learning of the breach, Acxiom immediately moved to close the security gap and changed all passwords on the FTP server involved. The company is now in the process of communicating with all clients who might be potentially affected.
"Acxiom is proud of its long-standing commitment to the security of our systems and our efforts toward continuous improvements in that area, so we deeply regret this breach," said Acxiom Company Leader Charles Morgan in the statement.
Morgan said the company has begun a comprehensive review of its systems and procedures with the help of nationally renowned security experts to guard against similar incidents in the future.
No additional information about the incident was immediately available.
Source: Computerworld
This was done by an employee of a data mining company? To gather information about consumers? Hmmmm.. The RIAA has been hiring some of those lately.. This could be a fun little conspiracy...
From the article:
"Acxiom is proud of its long-standing commitment to the security of our systems and our efforts toward continuous improvements in that area,"
As far as I can tell, this guy logged into an ftp server and downloaded some publicly accessible files, perhaps after breaking some simple encryption to get a password or something. yes, that's some impressive security they have there...
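The article only says the passwords were "encrypted" and were "hacked"; it does not say how they were stored. The added example below (mine, not from the article or from Acxiom) shows the generic risk the comment above is pointing at: a password store obtained from an FTP server is only as strong as its weakest entry against an offline dictionary attack. The storage formats (unsalted MD5 and salted SHA-256), the user names and the wordlist are all constructed for the example.

```python
import hashlib

# Constructed wordlist; a real attacker would use millions of entries.
WORDLIST = ["acxiom", "password", "letmein", "ftp", "123456", "summer2003"]

def hash_entry(scheme, password, salt=""):
    """Hash one candidate the way the (hypothetical) store does."""
    if scheme == "md5":
        return hashlib.md5(password.encode()).hexdigest()
    if scheme == "sha256":
        return hashlib.sha256((salt + password).encode()).hexdigest()
    raise ValueError(f"unknown scheme {scheme!r}")

def parse_store(text):
    """Lines are 'user:md5:<hex>' or 'user:sha256:<salt>:<hex>'; '#' is a comment."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) == 3 and parts[1] == "md5":
            entries.append((parts[0], "md5", "", parts[2]))
        elif len(parts) == 4 and parts[1] == "sha256":
            entries.append((parts[0], "sha256", parts[2], parts[3]))
        else:
            raise ValueError(f"malformed line: {line!r}")
    return entries

def crack(text, wordlist=WORDLIST):
    """Return {user: password} for every entry that falls to the wordlist.

    Salting does not help here: each entry is attacked on its own, so the salt
    only prevents reusing work across users and precomputed tables."""
    cracked = {}
    for user, scheme, salt, digest in parse_store(text):
        for candidate in wordlist:
            if hash_entry(scheme, candidate, salt) == digest:
                cracked[user] = candidate
                break
    return cracked

# Constructed sample store; the names and passwords are invented for this example.
SAMPLE_STORE = "\n".join([
    "# constructed sample, not real data",
    "xfer_bankA:md5:" + hash_entry("md5", "password"),
    "xfer_autoB:sha256:9e1c:" + hash_entry("sha256", "letmein", "9e1c"),
    "xfer_cardC:md5:" + hash_entry("md5", "Tr0ub4dor&3"),  # not in the wordlist
])

if __name__ == "__main__":
    for user, pw in crack(SAMPLE_STORE).items():
        print(f"{user}: {pw}")
```

Only the third account survives, and only because its password is not in the list; a larger wordlist or a rules-based mangler would be the next step. The practitioner's lesson is the one the comment makes implicitly: "encrypted" passwords that can be copied off a server are a cracking target, not a control.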
Why doesn't the article mention what software they were using?
My bet is they had Linux/Apache and MySQL. That is a shaky setup at best, that is just *asking* to get hacked.
I set up over a dozen e-commerce solutions for my clients, and they are all running Win2003 Server with IIS 6.0 and MSSQL 2000, and not a SINGLE ONE has ever been hacked.
-Bill Sanders
MCSE/MCSD
Why did they have a server outside their firewall?!?
I guess they were trying to keep the article under a certain word count, because they forgot the word "alleged".
Okay, so this was probably little more than an attack against the
Now, does that mean they had all users change their passwords, or just their passwords on that server? I wonder how many of those users have the same passwords on other machines as they had on the compromised FTP server...hmm.....
Which is why their infrastructure was vulnerable to begin with? Why was their FTP server outside their firewall? Why aren't they using a Firewall proxy? How about FTP servers with jails? Without more details, it's impossible to be sure, but this smells like a successful attack due to careless configuration and insecure architecture
...is the mugshot of the guy responsible. Anyone want to start a pool on how many gallons of Bawls (and other ThinkGeek(TM) caffeinated products) this guy consumed in the 24 hours prior to his arrest??
Rate Naked People! at Fuck Meter! (Not work-safe)
You can't rule out the possibility that he's working for Al Qaeda. Think of it: if we hang him, it's one dead hacker. If we don't, he could continue working with international terrorism and kill us all! I know which option I would choose.
-- Repeat with me: "There is no right to profits".
Odd but where I come from anonymous ftp isn't hacking.. that's why it's anonymous.. if I posted confidential customer information on a website and you viewed my page did you hack me? At what point did we say anonymous web is ok, but don't try anonymous ftp even though there are plenty of anonymous ftp servers meant for public use.
that have downloaded the kernel off of their ftp server.
Daniel J. Baas
-kgj
That's some incredible reporting!
When the news story first broke, we get "no personal information was released to others"
And we get that it was an insider.
And we get that "very, very little...information was compromised...", as compared to the amount of information that could have been stolen.
Specifically, we get this quote:
Source: Associated Press, 8/8/03
With one bank handling millions of customers, one of the top ten car companies handling millions of customers, one of the top 15 credit card companies handling millions of customers, what exactly is Acxiom's definition of small?
Thanks, Linda Rosencrance, linda_rosencrance@computerworld.com of Computer World, for being a mouthpiece of Acxiom, instead of actually doing a bit of reporting!
Does anyone know the address of the compromised ftp server? I'd like to check if it's still secure. Or someone else can...
For those of you who didn't read it...
There's a part about a leet haxor d00d "Krakah Jak" who attended 2600 script kid meetings etc. but was actually a paid FBI informant.
That was nifty.
Grief! Did they hack the company name too?
when they passed the income tax in 1913 that only hit the top ten percent of people. When U. Sinclair wrote The Jungle, people said that now the food industry will be cleaned up. Do you know what I ate for lunch? No, I don't either. That's what they said about Roosevelt's New Deal. Oh, Hitler smashed all the Jewish businesses? Surely now the people will diselect him. When the EPA started telling private landowners the land was public because it flooded once a year, they all said "that's great, surely we'll have a groundswell now." When the Brady Bill was passed, people said "ok now the people will really revolt." How long have we lived under the Patriot Act's extra-constitutional government now?
Face it, if you want to protect your self there is no hope in waiting for the masses to get pissed. Just start fighting.
My first inclination was to deplore this latest breach in the handling of our most sensitive personal data by its self-appointed custodians at Acxiom. But after reflecting for a couple of hours, I realize that this makes no difference at all. Is this guy in trouble just because he took the data without paying for it? I'm sure that Acxiom could have accommodated him if he had just created his own marketing firm and forked over some $$$.
"But Acxiom would never sell your most sensitive personal data! They only use it for internal modeling, aggregated statistical profiling, {cancer|AIDS} research, finding loving homes for stray kitties and puppies, etc." Or for sharing with affiliated partners, i.e. anyone who is willing to pay for it.
If Acxiom wasn't selling the information, you could still count on the DMV to sell your information to all comers.
No. See, it's like this: practically everyone in the world associates 'hacker' with 'computer expert' and a fairly large percentage of those people also think 'nefarious' when they hear 'hacker'.
I know you really, really want your word back, but you just can't have it. The populace has kidnapped it. This is what it means now. It won't change. It's jargon anyways, so the meaning is fluid.
Hackers are computer experts who sometimes circumvent established systems, for learning or mischief. Crackers are small biscuits you eat.
If Jesus wants me it knows where to find me.
that fucker looks like he didn't sleep in a month.
If a company that handles sensitive information can't use ssh and scp, or some other secure mechanism, aren't they liable for legal action? Isn't financial data required to be protected by something equivalent to HIPAA?
Any technology distinguishable from magic is insufficiently advanced. - Geek's corollary to Clarke's law
As a former employee of one of Acxiom's customers, maybe he had access to this FTP server for his work using an account that wasn't then removed. Or maybe he put a trace on FTP traffic so that he could glean the passwords of other people accessing that server. I find the use of the term "FTP" in the article confusing because it implies Acxiom has plain password access there. If Acxiom was lax with our customer data profiles they deserve a good slap on the fingers as well. Even though the FTP is on the outside of their firewall it is for use of their customers and it's probably a place where they store stuff for their clients to download.
It will be interesting to see to what extent he tried to gain access, what he did to hide his trail and what data he might have thus had access to. And in light of that what the severity of the penalty will be.
Of those to whom much is given, much is required.
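The "trace on FTP traffic" scenario in the post above, and the suggestion further down that sftp over ssh would solve it, both rest on one fact: FTP sends USER and PASS on the control channel in cleartext, so anyone who can see port 21 traffic gets the credentials. The added example below (mine, not code from the article or from anyone in the thread) is the detection side of that: it walks a captured stream of TCP segments and pairs USER/PASS commands per client-to-server flow, which is what a network monitor would alert on. The capture, addresses and credentials are constructed for the example; a real deployment would feed it from a pcap reader.

```python
import re
from dataclasses import dataclass

FTP_CONTROL_PORT = 21

@dataclass
class Segment:
    """One TCP segment's relevant fields; constructed stand-in for pcap records."""
    src: str
    dst: str
    dport: int
    payload: bytes

# Constructed capture: two FTP logins and one SSH banner (ignored). The SSH line
# is there to show why moving to sftp removes the exposure: there is nothing
# for the matcher to find on port 22, the login happens inside the encrypted channel.
CAPTURE = [
    Segment("10.0.0.5", "203.0.113.10", 21, b"USER bankclient\r\n"),
    Segment("10.0.0.5", "203.0.113.10", 21, b"PASS Summer2003!\r\n"),
    Segment("10.0.0.5", "203.0.113.10", 21, b"PASV\r\n"),
    Segment("10.0.0.7", "203.0.113.10", 21, b"USER anonymous\r\n"),
    Segment("10.0.0.7", "203.0.113.10", 21, b"PASS guest@\r\n"),
    Segment("10.0.0.9", "203.0.113.10", 22, b"SSH-2.0-OpenSSH_3.6\r\n"),
]

USER_RE = re.compile(rb"^USER (\S+)\r?\n", re.I)
PASS_RE = re.compile(rb"^PASS (\S*)\r?\n", re.I)   # PASS may be empty

def extract_credentials(segments):
    """Pair USER/PASS per (client, server) flow on the FTP control port.

    Returns a list of dicts; 'anonymous' marks logins that are not really secrets
    but still tell you the server accepts anonymous access."""
    pending = {}   # (src, dst) -> username waiting for its PASS
    found = []
    for seg in segments:
        if seg.dport != FTP_CONTROL_PORT:
            continue
        key = (seg.src, seg.dst)
        for line in seg.payload.splitlines(keepends=True):
            m = USER_RE.match(line)
            if m:
                pending[key] = m.group(1).decode(errors="replace")
                continue
            m = PASS_RE.match(line)
            if m and key in pending:
                user = pending.pop(key)
                found.append({
                    "client": seg.src,
                    "server": seg.dst,
                    "user": user,
                    "password": m.group(1).decode(errors="replace"),
                    "anonymous": user.lower() in ("anonymous", "ftp"),
                })
    return found

def alert_lines(creds):
    """Render findings as one-line alerts; passwords are masked on purpose."""
    return [
        f"cleartext FTP login {c['client']} -> {c['server']} user={c['user']}"
        + (" (anonymous)" if c["anonymous"] else f" password_len={len(c['password'])}")
        for c in creds
    ]

if __name__ == "__main__":
    for line in alert_lines(extract_credentials(CAPTURE)):
        print(line)
```

Run against real traffic this is a sniffer, which is exactly the point the post makes; run by the server's owner on a span port it is a control that tells you which partners are still logging in over plain FTP and should be moved to sftp.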
The IT I am referring to is of course the obligatory: Free Daniel J. Baas websites.
I found out today that this guy is my dad's fiancée's nephew.
I've never met him, and apparently he has prior marijuana charges (just look at his pic), but from what I heard from his family, he's absolutely fucked, and is looking at spending the rest of his life in a "federal pound you in the ass prison"
The guy they arrested, Dan Baas, is my cousin. This is super funny and not the first time he's been involved in stuff like this.
MAYBE HE WAS A HACKER WHO JUST HAPPENED TO CRACK A FTP SERVER?
DID YOU EVER THINK OF THAT FAG?
THE TWO TERMS AREN'T MUTUALLY EXCLUSIVE OK SUCKA FAG.
I KNOW YOU GET YOUR SELF ESTEEM BY FANCYING YOURSELF A HACKER (BIG POSER) BUT PLEASER STOP ACTING SO GAY.
But as far as confidential information goes, one of the new analysts I was training once uncovered a public FTP server with confidential reports accessible via anonymous login. This is a company that provided a service for parents with children with learning disabilities, and the letters to the parents about the children, full names, addresses, and of course the report of progress all up there for the world to see. Needless to say, this particular company was phoned immediately and told to fix that before we did the formal results report.
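The post above, and the earlier ones arguing that pulling files off an anonymous FTP server is not "hacking", describe the same misconfiguration: an Internet-facing FTP daemon that exposes whatever its ftp user can read. The added example below is my own, not from the article or anyone in the thread; it audits a vsftpd.conf for the directives that cause that exposure and shows a weak configuration beside a corrected one. Directive names and their defaults follow the vsftpd.conf(5) man page; the two configuration texts are constructed for the example and are not Acxiom's.

```python
# Two constructed vsftpd.conf files: the "just make it work" version and the
# corrected one (no anonymous access, TLS required, local users jailed).
WEAK_CONF = """\
# constructed example, not a real deployment
listen=YES
anonymous_enable=YES
anon_upload_enable=YES
local_enable=YES
write_enable=YES
chroot_local_user=NO
"""

HARDENED_CONF = """\
# constructed example, not a real deployment
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
"""

# What vsftpd assumes when a directive is absent. Note that upstream vsftpd
# defaults anonymous_enable to YES, so a config that never mentions it still
# serves anonymous users.
DEFAULTS = {
    "anonymous_enable": "YES",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "chroot_local_user": "NO",
    "ssl_enable": "NO",
    "force_local_logins_ssl": "YES",
    "force_local_data_ssl": "YES",
}

def parse_conf(text):
    """vsftpd.conf is key=value, one per line, '#' comments; values are case-sensitive."""
    conf = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def audit(text):
    """Return (directive, problem) tuples; an empty list means nothing was flagged."""
    c = parse_conf(text)
    findings = []
    if c["anonymous_enable"] == "YES":
        findings.append(("anonymous_enable",
                         "anonymous login allowed: everything the ftp user can read is public"))
        if c["anon_upload_enable"] == "YES" or c["anon_mkdir_write_enable"] == "YES":
            findings.append(("anon_upload_enable",
                             "anonymous users can write: the server is usable as a drop box"))
    if c["ssl_enable"] != "YES":
        findings.append(("ssl_enable",
                         "TLS off: logins and file contents cross the wire in cleartext"))
    elif c["force_local_logins_ssl"] != "YES" or c["force_local_data_ssl"] != "YES":
        findings.append(("force_local_*_ssl",
                         "TLS optional: a client can still log in or transfer in cleartext"))
    if c["chroot_local_user"] != "YES":
        findings.append(("chroot_local_user",
                         "local users are not jailed to their home directory"))
    return findings

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(text) or "no findings")
```

The check is deliberately default-aware: the weak file never sets ssl_enable, and an empty file is flagged three times, because what the daemon does when a line is missing is what actually runs. Even the hardened version still speaks FTP; if the clients can be moved, the sftp subsystem of ssh that a later comment recommends removes the protocol entirely.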
He probably hasn't had any sleep for the few days they held him in a bright ass cell with blaring Britney Spears music!
Cruel and Inhumane? You Bet!!!
I only look human.
My mother is a halfling and my dad is an ogre, so that makes me an Ogreling
Acxiom and its ilk usually store their databases in ridiculously freakin' huge mainframes which are often not even directly connected to the internet. It sounds to me like someone inside the company set up an FTP server, put part of the database into it, then gave the usernames/passwords out to a bunch of companies...such as the one our friend Baas worked for. All he would have had to do is ask a co-worker for the password.
Remember, clients of data companies basically just pay to buy a small part of the database.
Prosecutor Mike Allen said...
"Businesses have to feel secure that their information stays confidential. You just can't have someone hacking into a business's confidential information," he said. "It's really no different than someone breaking into an office and stealing files."
Somebody should tell Prosecutor Mike Allen that...
Businesses have to make their information secure so that it stays confidential. You just can't leave your business' confidential information. It's really no different than someone leaving an office open to burglars who steal files.
The real hacker is Onel de Guzman of the Philippines.
He was charged with the same crime against an unnamed company on June 3, also for another April 10 offense, records show. In that case, Baas is accused of hacking into the computer database of an unnamed company and providing "personal information regarding a subject's name and home address and telephone number without the consent or permission of the owner," records show.
If a business provides (sells) this information, its legal and considered "good business".
If an individual does the same thing, he's a criminal.
Glad we cleared that one up. Hacking is illegal, but we definitely need better laws that protect our private information here in the USA!
E V E R Y T H I N G I W R I T E I S F A L S E
I'm sorry to say it, but Americans as a group are a bunch of lazy retards. They will maybe complain about this over a beer but I bet that would be it.
I mean, non-stop telemarketing calls should be annoying enough, in my opinion.
Please, don't take this as a flame. My comrades and I aren't much different, just a little bit luckier (until we get annexed). I'm saying this as a Canadian, of course.
I run guildFTPd on my server and haven't had any problems with it, even with free anonymous FTP. I recently changed the anonymous FTP so it was write-only (there's now a PHP file browser pointed at it for downloading) to prevent people from linking directly to ftp://www.icarusindie.com rather than http://www.icarusindie.com/ftp/, but even before it wasn't really an issue. Most people read and play by the rules.
Ben
Work Safe Porn
If that FTP server was meant to be accessible to the outside then putting it behind a firewall would have accomplished exactly nothing. The ports to it would be open anyway and he got in through the standard FTP port.
"because they forgot the word "alleged"."
If he admitted to the crime then "alleged" is no longer needed. He just needs to try to convince people he shouldn't be punished much.
Ben
Work Safe Porn
How did the police find out about the hacking before the company? He must have been bragging about it to some government informant.
That statement was actually coined by Ben Franklin. I think his words were a little bit different, but in syntax, intent, and meaning it was the same.
Just letting you know. The only reason I know is cause it was a good quote to use back in my debating days.
100% Crunchier
Seems most of the problems can be solved by using the sftp server that comes with ssh.
Cryptonomicon.Net has this story that proposes a mode of attack...