Acxiom Hacking Details Made Public

pgrote writes "As mentioned previously, the Acxiom consumer database company was compromised. More details have emerged including the background of the alleged hacker and the method used to gather access. It turns out he had access since December of 2002 and came in through an unsecured FTP server. The suspect was not a former employee of Acxiom as previously reported, but an employee of data mining company."

details?

[trmj]

There aren't many details in this, it simply says that the hacker got in through an unsecured FTP server, was arrested, and they don't think he distributed the information.

Where are the details again?

No Excuse

[TedCheshireAcad]

At first I thought maybe this guy was a DBA or Sys Admin at the company, but an outsider? This is unacceptable for a place that stores such sensitive data.

Re:No Excuse

[jazir1979]

An ex-employee.

Re:No Excuse

[AstroDrabb]

Well the article I read said he was an employee of data mining company. Which means he had some inside knowlege of the systesm. He broke in through an external FTP server and did not get through their firewall. So I think Acxiom deserves a little break. There is no such thing as a 100% secure system, especially with inside knowlegde of the systems. As a programmer for a fortune 500 company, I could literally bring that company to it's knees and cause millions (USD) lost per day. However, I don't do that because I am a professional and would not use my skills to be abusive. I hope this dude get some hard time.

Re:No Excuse

[enjo13]

I'm not sure if the article mentioned it, but sources inside the company (I worked there a little over a year ago) are telling me that he simply got access to the the FTP server used to transmit data from Acxiom to the company this guy worked for. Also, the data that he obtained was completely encrypted, so it's likely he didn't get any actual useful data. Just a bunch of encrypted bits that aren't probably useful to him at all.

Re:No Excuse

[caluml]

Why would https have made a difference? The problem here was that sensitive data was on an FTP outside the firewall. That's the problem here.

Re:No Excuse

[AstroDrabb]

My point was that the guy had inside knowledge. NO amount of security is 100%. Not that Acxiom should be let off the hook, they obviously made some DUMB mistakes, however, I wonder how successful the guy would have been without that insider knowlegde.

Victims

[phyrestang]

Do they know exactly what info was taken? If so, how were the victims notified? I know if it was my info in there, I'd be pretty pissed if they didn't tell me about it.

Re:Victims

[Exiler]

No, actually you'd be like 'oooh, something shiney!' while looking at a random techy toy, because if they didn't tell you about it you wouldn't have been informed and therefore could not have been pissed.

Re:Victims

I know if it was my info in there, I'd be pretty pissed if they didn't tell me about it.

Your info was in there. And they didn't. And you are so not pissed you will never read this, never cancel your cards and start using cash, never write a congressmen, and just move on to the next slashdot story about legos and linux.

Question

[Henry+V+.009]

How is it hacking if you publish it on your FTP server? I'm sure no one would call it hacking if the protocol had simply been http instead. Now, this fellow may have used the information for nefarious purposes, and if there is any law he broke in doing so, go get him. But I don't see this as hacking.

Re:Question

[rritterson]

According to one of the the articles, he broke the encryption on the passwords used to login to the FTP server. I call that cracking, which would be labeled hacking in the general lexicon.

Re:Question

[rainer_d]

According to one of the the articles, he broke the encryption on the passwords

When was the last time you saw a FTP-server that allowed to download its own password-file ? 1990 ?
This is ridiculous - if I'd encounter one, I'd ask myself if it was a honeypot.

Also, the various journalists' view (and the subsequent picture created by them for their readers) of "hacking", "cracking", "security" etc. is sometimes so distorted, so far-off from the reality of the people closer involved with the subject that reading a mainstream-press article about it is often only marginally better than just making-up the facts from slashdot-postings !

Rainer

Re:Question

[Henry+V+.009]

Didn't read that. In the article I read, the FTP server was 'unsecured.'

Re:Question

[Vinson+Massif]

"When was the last time you saw a FTP-server that allowed to download its own password-file ? 1990 ?"

Not an admin, eh?

Many _default_ non-anonymous ftp services on unix|unix-like systems that I have dealt (recently) with allow the ftp user the same access rights to the entire tree as their uid:gid is allowed. So, on a system w/o shadow passwords, cd /etc; get passwd; is all that's needed to get started. (grr ./ eats spaces...)

BTW, shadow passwording has the achilles heel of file security. I have dealt with systems where the file security of these files had been comprimised to solve some silly need.

Re:Question

So, on a system w/o shadow passwords, cd /etc; get passwd; is all that's needed to get started.

Well if you're still running a system without shadow password support you need to get your head out of the sand and upgrade or migrate to something that isn't so obsolete. WTF are you running, SCO Unixware?

Re:Question

[Vinson+Massif]

-1, pointless SCO reference.

I quite like that, when I saw it, your comment was moderated 'funny'. You did read my entire comment, yes?

In this case, I suspect there was a series of poor admin descisions, one of was allowing ftp access, that lead to the end comprimise.

So what?

[zifty]

If this wasn't known since December of 2002, what cause do I have not to believe it's been happening everywhere? Being a victim hasn't affected ME yet, once it does, I'll fight the bill, get a new card number, and be on my way. This is relatively meaningless to us.

Re:So what?

[wik]

You'll probably enjoy this recent Washington Post article on identify theft, then: http://www.washingtonpost.com/wp-dyn/articles/A253 58-2003Aug6.html


It may not be as simple as fighting the bill and getting on your way.

Keep going

[Pig+Hogger]

Keep going at it. Eventually, people are going to be SO PISSED at their personal data being spewed forth all over the place, there will be a terrible backlash that will make the European Data-Protection and Privacy laws seem tame enough...

ftp server?

[SHEENmaster]

Some guy probably left a windows server sending out warez on the company's bandwidth. The last time I had to deal with Windows servers (BLECH!), I found that the sysadmin was afraid to run FTP for security reasons.

As Microsoft would say, "You should've firewalled off that port."

Re:ftp server?

[jericho4.0]

Being afraid to run FTP for security reasons is valid on any platform. The list of breaches on various FTP servers is long.

Still, I'd much rather be running an open source FTP server than some of those weak Windows versions.

Re:ftp server?

[DrSkwid]

then you'd like plan9's ftp

it doesn't even use passwords

it uses a kind of public key encryption called NetKey

ftp DrSkwid@plan9ftp
Welcome DrSkwid to the plan9 ftp server
challenge : 345345
response :

And you have to run netkey locally and encrypt the challenge using your password.
The server checks to see if its encrypted version matches and if so you're in.

You can't replay it and good luck cracking it.

If you don't want to be broken into don't use insecure things, oh and "root" is considered harmful. If you there is nothing to escalate privileges to then what point that rootkit?

Makes me laugh people talking security with such a single point of failure waiting for exploitation.

HACKER?

Would you plese stop using "hacker" word when the proper word would be "cracker"!

You should know it better, you're Slashdot!

Re:HACKER?

[gclef]

Oh, please. Do you really want to swap one multi-definition word (explorer, malicious attacker) for another (malicious attacker, snack food, derogative term for caucasian)? Why bother? Every time someone mentions a cracker breaking in somewhere, all I can think of is some Nabisco saltine typing away at a keyboard and laughing manically. (of course, where it got arms and fingers I'm not as clear on.)

Look, the whole hacker/cracker thing is pointless. Lots of words, especially some of the derogatory ones for homosexuals, have changed meanings with the times, hacker is no different. Hacker is now in the popular lexicon as meaning an someone who breaks into computer systems. Get used to it.

Re:HACKER?

[alangmead]

The term hacker was both used and misused long before anyone came up with the term cracker to be someone who breaks into computer systems. It was essentially an attempt to deflect the popular press away from the word hacker, and allow it to regain the former meaning of respect.

It didn't work. The popular press hasn't let go of the word hacker to mean computer criminal. They haven't picked up on the term Cracker. Instead of trying to explain what hacker means , we need to what hacker and cracker mean and what differentiates them. Meanwhile, we are also trying to explain that we are speaking the same language, despite having different definitions for just about everything.

I think we should give up on trying to people to use the term cracker to mean computer criminal. It already has an entirely different (although no less positive) meaning. We can't just play you stole our word, so we'll steal one of yours. The term cracker is evidence that jargon can't be forced, it has to spring up naturally.

Now for why someone who reads slashdot submitted an article that uses the word hacker incorrectly. I have no explanation.

Re:HACKER?

[jafiwam]

No.

When I speak or write words mean exactly what *I* intend them to mean. No more, no less. I use them because I intend to transfer an idea in a specific way. Sometimes I make allowances for what the dictionary says, sometimes I deliberately mangle meanings to get the other person to understand. ("Press the "eject" button on the hard drive and pull out the floppy disk, then reboot.")

If some fool mis-inteprets what I say when I did not intend to say it, it's their problem, not mine. Likewise, the confusion between 'hacker' and 'cracker' is yours.

Just because some weenie decides they want to change a word, that means diddly until others decide to use it that way. If the person said "hacker" and meant "someone who accessed a computer without permission" then the word is appropriate.

Feel free to use words as you like, however when it comes to dictating the language of others, STFU.

Re:HACKER?

[idontgno]

No.
When I speak or write words mean exactly what *I* intend them to mean. No more, no less.

When I use a word," Humpty Dumpty said, in a rather scornful tone, "it means just what I choose it to mean--neither more nor less."
-- Lewis Carroll, Through the Looking Glass

On the other hand:

You keep using that word. I do not think that word means what you think it means
-- Inigo Montoya, The Princess Bride

Yup, pedantic, guilty as charged. Go ahead and mod me down; I can afford it.

Exclusive: Method used to gather access!

get

Translation

[Arker]

According to law enforcement officials, the person arrested was a known sophisticated hacker.

Translation from law enforcement language - this was a guy that knows what things like encryption, and ftp are. This was a guy that knows the difference between a megabyte and a megahertz. A real wizard. Be afraid.

Re:Translation

[Danse]

Wow. Sounds like getting busted can do wonders for your self-esteem. Here the guy was probably a basic loser and managed to "hack" into an unsecured FTP server. Then he gets busted for it. Suddenly he's no longer Joe Loser, he's a sophisticated hacker to be feared and respected for his mastery of such arcane skills as using a password cracking app and an FTP app. How can we ever feel safe with such diabolical people out there?

Re:Translation

[Anonymous+Custard]

It may feel cool when the police call you a sophisticated hacker now. But as soon as you enter the courtroom, you're gonna have a hard time convincing the judge and jury that you're just some kid who stumbled across the wrong ftp:// address one evening during a pr0n r0mp.

What!

[Matt_Fisher]

So you mean, that this company has a open FTP account that was rooted to the files of all that material! Is it just me or does that make you not want to trust anyone?

Disturbing

[Bruha]

This more or less shows the fact that many companies have group passwords to their critical equipment instead of inplementing a choke system to allow users to login into it to show them where they can go and cant go.

Since they probably dumped the company involved and not changed any of those passwords then this guy was allowed to basically walk around at will inside the databases.

Such lax security in itself should also be criminal especially when it concerns consumer data and financial information of consumers.

Re:Disturbing

[garett_spencley]

I disagree.

Let's say I have a single lock on the handle of my front door... with no dead bolt. Along comes someone and kicks the door open and proceeds to rob my house. While he's robbing my house he steals a cd that I borrowed from my friend. Are you saying that *I* should be arrested because I failed to install an adequate dead bolt on my front door and thus the robber stole a cd that didn't belong to me?

What's adequate? Let's say I did install a dead bolt but the robber was sophisticated enough to pick both locks? In this case I shouldn't be arrested because I had "adequate" security and was victimized by a "skilled" robber who had the proper knowledge that surpassed my own in lock technology?

The fact is that the hacker got a password. It was a weak password, but in my analogy that's the equivalent of having a single handle lock and no dead bolt. He simply kicked the door open. It's still breaking and entering. What happens if the server was "adequately" secured but the hacker managed to gain access via a remote exploit in the FTP server that he himself discovered and no one else knew about? How will the law define that they "adequately" secured the server?

--
Garett

Re:Disturbing

[arkanes]

Some problems with your analagy:

This isn't you holding a CD for your friend. This is a company that makes it's buisness the storing and compiling of this information. Say instead that you run a buisness out of your home and your buisness is the storing of CD collections. If you're broken into and those CDs stolen, you certainly would be liable - this is why people who do this sort of thing have insurance against it. The insurance company is going to be really pissed off that there was an unsecured FTP server running, too...

Re:Disturbing

[FuckMeter]

Let's say I have a single lock on the handle of my front door... with no dead bolt. Along comes someone and kicks the door open and proceeds to rob my house. While he's robbing my house he steals a cd that I borrowed from my friend. Are you saying that *I* should be arrested because I failed to install an adequate dead bolt on my front door and thus the robber stole a cd that didn't belong to me?

You're comparing apples to oranges. In fact, you're comparing apples to... zebras, or something not even closely related.

The first distinction is that in your example, your friend willingly loaned you the CD. I don't think anyone has intentionally "loaned" their personal information to Acxiom. Before the initial story was reported here, I'd never heard of Acxiom, though various articles proclaim them to be [one of] the biggest data-mining compan[y|ies] around. If they have any data on me, I sure as hell didn't loan it to them.

The second problem with your analogy is that a CD is nothing like personal data. A CD is a vanity, something worth maybe $15, less now that it's used. Acxiom has been described as serving "most top credit card companies and retail banks." What do you think the credit card or bank details of a single person - much less however many people were affected by this breach - are worth? That $15 CD pales in comparison.

What's adequate? Let's say I did install a dead bolt but the robber was sophisticated enough to pick both locks? In this case I shouldn't be arrested because I had "adequate" security and was victimized by a "skilled" robber who had the proper knowledge that surpassed my own in lock technology?

Your analogy fails here as well. You, as a private citizen, do not have any liability for the stolen items. Your friend loaned you the CD, there was no business agreement surrounding that friendly exchange. Acxiom is a business, the rules are different.

Suppose you rent a storage facility at one of those mini-storage places. Their property is surrounded by a chainlink fence complete with razorwire. The gate requires a keycode to enter. Each bay is padlocked. Now let's say some joker breaks into the place, gets into your bay and steals everything you have stored there. Surely a fence with razorwire, key-coded facility access, and padlocks are "adequate" security... But you're damn sure that the mini-storage company would be liable for your loss, unless that was covered in your contract with them.

But, see, none of us have a contract with Acxiom.

Acxiom is liable, one way or another.

--
Rate Naked People! at Fuck Meter (not work-safe)

Re:Disturbing

[YOU+LIKEWISE+FAIL+IT]

FYI

I don't think anyone has intentionally "loaned" their personal information to Acxiom. Before the initial story was reported here, I'd never heard of Acxiom, though various articles proclaim them to be [one of] the biggest data-mining compan[y|ies] around. If they have any data on me, I sure as hell didn't loan it to them.

Acxiom collate, clean and break down client data for client companies, as far as I know they don't actually use it themselves. If you're in Acxioms db's, chances are someone you bought something from decided they wanted a point and click marketing / bulk mailing / demographics breakdown tool ( "It's NAVIGABLE!" ) and sent them the corporate accounts.

Bad news, your data might have been in that unsecured stream - address, name, purchasing history, phone #, other confidentials. Good news, your CC # is very unlikely to have been included, at least if our deployment is indicitative.

I have to deal with these guys where I work, and they mostly seem like alright people ( if a bit nontechnical ). We would have just stuck with our existing systems for demographics, but Marketing somehow outflanked us with their request for a new IT toy. ;-)

YLFI

Re:Disturbing

[Lost+Race]

1. Analogies suck.

2. If it were my CD, I'd want it back. Since the victim of the robbery is my friend, I'd be sympathetic and cut him some slack. But if he had insurance and the loss were covered, I'd expect him to fork over enough for a new CD. Obviously I'm not going to sue a friend over a lost CD in any case. But if the friend were grossly negligent -- i.e. not just having flimsy locks but, say, inviting crackheads to stay in his living room -- then I'd be pissed, and put the blame on him.

3. You can't get privacy back. Once your information has been "stolen" that's it, the privacy that the "friend" (hostile for-profit corporation) was supposed to be guarding is gone forever. They should pay somehow, or they'll have zero incentive to guard my privacy better in the future.

4. Analogies suck.

Employee of Data Mining Company?

[perimorph]

This was done by an employee of a data mining company? To gather information about consumers? Hmmmm.. The RIAA been hiring some of those lately.. This could be a fun little conspiracy...

pathetic

[Feztaa]

From the article:

"Acxiom is proud of its long-standing commitment to the security of our systems and our efforts toward continuous improvements in that area,"

As far as I can tell, this guy logged into an ftp server and downloaded some publicly accessible files, perhaps after breaking some simple encryption to get a password or something. yes, that's some impressive security they have there...

Here I was hoping for real details...

[RenQuanta]

...but let's see what we can figure out from the article:

The breach involved one FTP server outside the Acxiom firewall, the company said. No internal systems or internal databases were accessed, and there was no breach of the security firewall.

Why did they have a server outside their firewall?!?

The company said only a small percentage of its clients' data was involved in the incident, and the hacker, a former employee of an Acxiom client, was arrested.

I guess they were trying to keep the article under a certain word count, because they forgot the word "alleged".

According to law enforcement officials, the person arrested was a known sophisticated hacker. Acxiom said the person apparently gained access through the hacking of encrypted passwords.

Okay, so this was probably little more than an attack against the /etc/shadow file if it's a UNIX box, or the SAM file if it's NT. In either case, I'm guessing they brute-forced / dictionary attacked the file with John the Ripper or the like. If that's what they did, how did they get the password file to begin with? Perhaps the FTP was a bit too willing to follow instructions? (recursion anyone? ;)

After learning of the breach, Acxiom immediately moved to close the security gap and changed all passwords on the FTP server involved. The company is now in the process of communicating with all clients who might be potentially affected.

Now, does that mean they had all users change their passwords, or just their passwords on that server? I wonder how many of those users have the same passwords on other machines as they had on the compromised FTP server...hmm.....

"Acxiom is proud of its long-standing commitment to the security of our systems and our efforts toward continuous improvements in that area, so we deeply regret this breach," said Acxiom Company Leader Charles Morgan in the statement.

Which is why their infrastructure was vulnerable to begin with? Why was their FTP server outside their firewall? Why aren't they using a Firewall proxy? How about FTP servers with jails? Without more details, it's impossible to be sure, but this smells like a successful attack due to careless configuration and insecure architecture

Re:Here I was hoping for real details...

[bourne]

Why did they have a server outside their firewall?!?

I think that if you translate from Dumb Reporter to Technical you get "server on a service network or DMZ, available to the Internet but segregated from their internal network." That's standard practice, the thing has to be available to the Internet.

In either case, I'm guessing they brute-forced / dictionary attacked the file with John the Ripper or the like

Again, you need to translate here. Based on personal experience with similar organizations, I believe this translates to "He sniffed the plaintext (non-anonymous) FTP passwords off the Internet and used them to log in himself and get files."

Now, does that mean they had all users change their passwords, or just their passwords on that server

Translation: "We changed all the FTP passwords, so that they will be secure until the next time someone sniffs them.

Which is why their infrastructure was vulnerable to begin with?

Note that they also state the information he got was encrypted and not believed to have been used. It is not unusual for organizations like Acxiom to accept PGP or ZIP encrypted files via FTP. Obviously, that isn't good enough - if only because of the negative publicity that comes out of an incident like this - but that's what they do.

The only sign of weak infrastructure here is FTP passing plaintext passwords over the Internet. I don't see any real evidence that anything else was compromised - except their PR shell.

Re:Here I was hoping for real details...

[RenQuanta]

I think that if you translate from Dumb Reporter to Technical you get "server on a service network or DMZ, available to the Internet but segregated from their internal network."

Quite possibly so. Let's hope.

That's standard practice, the thing has to be available to the Internet.

I'm very well aware of standard practice, but I am also aware (from my own personal experience) of certain companies whom still have Internet-facing systems which are not behind a firewall. Legacy architecture has an amazing ability to hang around.

Again, you need to translate here. Based on personal experience with similar organizations, I believe this translates to "He sniffed the plaintext (non-anonymous) FTP passwords off the Internet and used them to log in himself and get files."

That's a reasonable guess. My post was a (I think) reasonable guess. I'll bet if we sit and guess for the next thirty minutes, we can come up with another half-dozen perfectly good guesses as to what the compromise really was. There isn't enough info to be sure of anything.

Translation: "We changed all the FTP passwords, so that they will be secure until the next time someone sniffs them.

Well of course...I guess I shouldn't have left off the sarcasm tags, but I thought my quip about users synchronizing their passwords would make it obvious.

The only sign of weak infrastructure here is FTP passing plaintext passwords over the Internet. I don't see any real evidence that anything else was compromised - except their PR shell.

As I said above, one assumption is not much more valid than any other assumption, given the information available.

Re:Here I was hoping for real details...

[Cyno]

smells like a successful attack due to careless configuration and insecure architecture

Or like Acxiom pushed this data purposefully out to an insecure ftp server with a weak username and password as their security to be "hacked" by someone who wanted that info. Maybe they wanted him to have it, or carry it to some buyer, and gave them the password in some under the table deal..

But for all I know its the government going after a known hacker with planted evidence or whatever. I mean, who can you trust these days?

Re:Here I was hoping for real details...

[enjo13]

I can answer part of this (I was an employee there a little over a year ago).

The FTP server was likely one of the servers used to move data from Acxiom (who is simply a data processor) back to the client. So, the thing sits outside of the firewall. This was only done for customer data that was considered 'public record' or 'less sensitive' data. Which means that it's only the type of information that you can garner from various sources without to much trouble.

The data was more than likely encrypted, and I doubt he actually broke the encryption on the data itself.

As for how he got the actual passwords, your guess is as good as mine. Many of Acxioms customers keep internal lists of passwords in encrypted form on their servers (using one of the billion types of keychain software floating around). I can ALMOST guarantee that he didn't easily get the password file off of the FTP server itself.. instead he had access to this particular key file at his former employers shop and used that.

What's more disturbing...

[FuckMeter]

...is the mugshot of the guy responsible. Anyone want to start a pool on how many gallons of Bawls (and other ThinkGeek(TM) caffeinated products) this guy consumed in the 24 hours prior to his arrest??

Rate Naked People! at Fuck Meter! (Not work-safe)

Hacking?

Odd but where I come from anonymous ftp isn't hacking.. that's why it's anonymous.. if I posted confidential customer information on a website and you viewed my page did you hack me? At what point did we say anonymous web is ok, but don't try anonymous ftp even though there are plenty of anonymous ftp servers meant for public use.

Photo of Alleged Perp

[handy_vandal]

Daniel J. Baas

Re:Photo of Alleged Perp

[mcp33p4n75]

Looks like someone already made him their bitch.

Computer world issues Acxiom press release...

...wow!

That's some incredible reporting!

When the news story first broke, we get "no personal information was released to others"

And we get that it was an insider.

And we get that "very, very little...information was compromised...", as compared to the amount of information that could have been stolen.

Specifically, we get this quote:

She says less than ten percent of the files on a single server were affected. She says Acxiom has thousands of computer servers -- and the amount of material taken is small compared with all the information the company handles...Acxiom's Web site says the company serves 14 of the top 15 credit card companies, seven of the top ten auto manufacturers, and five of the top six retail banks.

Source: Associated Press, 8/8/03

With one bank handling millions of customers, one of the top ten car companies handling millions of customers, one of the top 15 credit card companies handling millions of customers, what exactly is Acxiom's definition of small?

Thanks, Linda Rosencrance, linda_rosencrance@computerworld.com of Computer World, for being a mouthpiece of Acxiom, instead of actually doing a bit of reporting!

ftp server

[bucketoftruth]

Does anyone know the address of the compromised ftp server? I'd like to check if it's still secure. Or someone else can...

FBI Informant

For those of you who didn't read it...

There's a part about a leet haxor d00d "Krakah Jak" who attended 2600 script kid meetings etc. but was actually a paid FBI informant.

That was nifty.

Acxiom?

Grief! Did they hack the company name too?

yeah, that's what they said . . . .

when they passed the income tax in 1913 that only hit the top ten percent of people. When U. Sinclair wrote the Jungle, people said that now the food industry will be cleaned up. Do you know what I ate for lunch ? No, I don't either. That's what they said about Roosevelt's new deal. Oh, Hitler smashed all the Jewish businesses ? Surely now the people will diselect him. When the EPA started telling private landowners the land was public because it flooded once a year, they all said "that's great, surely we'll have a groudswell now." When the Brady Bill was passed, people said "ok now the people will really revolt." How long have we lived under the Patriot Act's extra-constitutional government now ?

Face it, if you want to protect your self there is no hope in waiting for the masses to get pissed. Just start fighting.

Re:yeah, that's what they said . . . .

What is this: anarchist capitalist neo-nazi samuray ninja rebel yapi hippy fighter?

Fight for my protection?
I'm not a stupid consumer, I always give as much false information as I can on the internet, and I sure as hell don't give personal data to stupid companies.

If stupid lusers are damaged by these, I laugh. I support the hackers 100% on this one.

jaded

[dpletche]

My first inclination was to deplore this latest breach in the handling of our most sensitive personal data by its self-appointed custodians at Acxiom. But after reflecting for a couple hours, I realize that this makes no difference at all. Is this guy in trouble just because he took the data without paying for it? I'm sure that Acxiom could have accomodated him if he had just created his own marketing firm and forked over some $$$.

"But Acxiom would never sell your most sensitive personal data! They only use for internal modeling, aggregated statistical profiling, {cancer|AIDS} research, finding loving homes for stray kitties and puppies, etc." Or for sharing with affliliated partners, i.e. anyone who is willing to pay for it.

If Acxiom wasn't selling the information, you could still count on the DMV to sell your information to all comers.

Re:jaded

If Acxiom wasn't selling the information, you could still count on the DMV to sell your information to all comers.

I don't know about other states, but here in Tennessee, when you fill out a drivers license application/renewal, there is an option to opt out of datasharing by initialing a few boxes on the form. The same option is present on the license plate renewal form they send each year.

Granted, most people probably skip over it, but if you read the fine print and initial in the right places, the DMV is prohibited from sharing your information with anyone but law enforcement agencies.

Read those forms! This is especially true with banks and credit cards. All of them are required to give you the option to opt-out of datasharing, though the process usually involves sending an extra letter to a special address. It's worth it, doing so will majorly cut back on your financial related postal junk mail, and also keep you out of a few databases.

Re:jaded

[YOU+LIKEWISE+FAIL+IT]

I think a little more research would do some good before raining the fire down on Acxiom.

I have to deal with Acxiom occasionally where I work, and while I don't necessarily get along real well with them, they're not the avatars of evil that most people envision when they think 'data miners'.

They specialise ( at least in my part of the world ) in cleaning up customer data, addresses, name casing, etc - checking it against national do-not-mail lists and providing a GUI marketing tool to independant companies without the IT/Marketing manpower to cook something up for themselves. They don't to my knowledge resell the customer data and are in fact bound by heinous contract clauses not to do so.

I can understand you're cross about the usual mindless data accumulation and resale that goes on in the industry, but I don't think Acxiom falls into that basket. They're more like tool outsourcers.

Hth, YLFI

Re:What OS?

"I wonder why do people call Outlook the best Virus Transport Protocol ever designed."

Naah... stupid people are the best protocol. Opening something that says "click me for fun" is a bit like getting ebola and going to the shops saying "oh, it's only a cold..." and infecting a truckload of people. Some people like the risk, others don't take it...

Remember, the most secure Windows installation has no modem or network card.

Relax.

[thatguywhoiam]

Would you plese stop using "hacker" word when the proper word would be "cracker"!

No. See, it's like this: practically everyone in the world associates 'hacker' with 'computer expert' and a fairly large percentage of those people also think 'nefarious' when they hear 'hacker'.

I know you really, really want your word back, but you just can't have it. The populace has kidnapped it. This is what it means now. It won't change. It's jargon anyways, so the meaning is fluid.

Hackers are computer experts who sometimes circumvent established systems, for learning or mischief. Crackers are small biscuits you eat.

IT Malpractice Suit?

[PSaltyDS]

If a company that handles sensitive information can't use ssh and scp, or some other secure mechanism, aren't they liable for legal action? Isn't financial data required to be protected by something equivelent to HIPPA?

Re:IT Malpractice Suit?

[bourne]

Isn't financial data required to be protected by something equivelent to HIPPA?

HIPAA (Health Insurance Portability and Accountability Act) mostly revolves around (suprise) health related personal information. Financial organizations need to pay attention to it for their own employee's information, and for any health-related organizations they provide services for, but it's not the biggest IT driver for financial companies.

The Gramm-Leach-Bliley Act of 1999 is more closely targeted on financial organizations. Also, the Office of the Comptroller of the Currency (OCC) issues a lot of regulations that financial institutions need to pay close attention to. Insofar as Acxiom acts (acxts?) as a third-party vendor for financial institutions, they are also expected to meet those regulations when dealing with financial customer data.

If, as the first article states, "All of the information was encrypted," then they were probably not in violation of any of these rules or regulations. It sounds like all the guy did was pull encrypted files off a publicly accessible FTP dropoff point, probably after sniffing plaintext authentication credentials on the network. Stupid move by Acxiom, but not fatal; bad PR but no real impact.

Re:IT Malpractice Suit?

[enjo13]

The article didn't seem to indicate the nature of the data. I know that as a general rule any data exposed outside of Acxioms firewall is encrypted as a matter of policy. The data he obtained may have been nothing but encrypted bits that he couldn't DO anything with (unless he stole the key from his former employer).

Re:IT Malpractice Suit?

[rootX]

You can't buy this kind of publicity. To paraphrase an earlier poster...'I didn't know who Acxiom was until this attack...' pretty much sums it up.

A vast audience now knows who Acxiom is, and what they do, and how they respond to a "crisis".

unclear!

[sniggly]

Does anyone know if he tried to hide his trail or that he just logged in from his home puter to their ftp server? Given the speed with which they found him, seems like he did the latter.

As a former employee of one of Axciom's customers maybe he had access to this FTP server for his work using an account that wasn't then removed. Or maybe he put a trace on FTP traffic so that he could glean the passwords of other people accessing that server. I find the use of the term "FTP" in the article confusing because it implies Acxiom has plain password access there. If Axciom was lax with our customer data profiles they deserve a good slap on the fingers as well. Even though the FTP is on the outside of their firewall it is for use of their customers and it's probably a place where they store stuff for their clients to download.

It will be interesting to see to what extent he tried to gain access, what he did to hide his trail and what data he might have thus had access to. And in light of that what the severity of the penalty will be.

Re:unclear!

[buss_error]

I find the use of the term "FTP" in the article confusing because it implies Acxiom has plain password access there.

If they are using FTP, then they deserve a rap in the mouth. SSH is easy and available for just about anything.

So when do we see it?

[/dev/trash]

The IT I am referring to is of course the obligatory: Free Daniel J. Baas websites.

holy moly

[Beowulf_Boy]

I found out today that this guy is my dads fiance's nephew.

I've never met him, and apparently he has prior marijuana charges (just look at his pic), but from what I heard from his family, he's absolutely fucked, and is looking at spending the rest of his life in a "federal pound you in the ass prison"

Re:holy moly

[Beowulf_Boy]

correction, for the poster below mine.
I heard this 2nd hand, from my dad.
And it was 60 years, not life.

And the prison joke was just that, a joke.

Just wanted to clear this up, before I made anyone mad.

Re:holy moly

[Synithium]

Most likely not 60 years.

Most likely not a whole lot of real time at all, more likely parole for the rest of his natural life.

Re:holy moly

[Vyce]

What is your dad's fiance's name?

Re:holy moly

[Beowulf_Boy]

Terry, I'm not sure on the last name.

Its fucked up there's 2 guys claiming him as cousin plus me...

Re:holy moly

[Vyce]

Hah, I know Terry. Mostly from funerals, mind you. Our family is very large and I think I have about 2 dozen cousins, so I dunno.

That guy is my cousin

[Synithium]

The guy they arrested, Dan Baas, is my cousin. This is super funny and not the first time he's been involved in stuff like this.

Re:That guy is my cousin

[mcknation]

I don't think I would admit that on a public forum.

mck

Re:That guy is my cousin

[marko123]

Unless he/she did it...
a) To surreptitiously get known to the press and when they knock on your door to offer money for the story, you pretend to your parents that you don't know how they knew you.
b) To be famously associated with a world renowned hacker.

Re:That guy is my cousin

[hesiod]

> The guy they arrested, Dan Baas, is my cousin.

Your cousin and some other dude's (Beowulf_Boy) dad's fiance's nephew. Strange how both of those posts were right next to each other. Maybe you guys can meet each other through slashdot!

Re:That guy is my cousin

[Synithium]

You're right, it's not funny. It's actually very sad. To think he didn't even use obfuscating methods..oy.

Re:That guy is my cousin

[Vyce]

He's my cousin too. And it's not that funny. My sister called and told me, and one of his ex girlfriends called and told me too.

Looks like all the other "terrorist" photos...

[Dareth]

He probably hasn't had any sleep for the few days they held him in a bright ass cell with blaring Britney Spears music!
Cruel and Inhumane? You Bet!!!

Re:Looks like all the other "terrorist" photos...

[Master+of+Transhuman]

You're joking but depending on where he is being held that is exactly his condition.

When I was arrested for bank robbery, I was held first for a few days in the San Francisco Country Jail - you do NOT sleep there unless you are unconscious because somebody knocked you out.

Then I was moved to Alameda Country Jail because the Federal Detention Center at Dublin was overcrowded. There you could turn off the light and get some sleep at night IF you had a cellie who didn't want to stay up all night. During the day you had to listen to a blaring radio that played only two stations - rap music and Top 40 - 1965 Top 40. Both genres drive me fucking nuts.

When I was first arrested, I was told by every inmate that I did not look like a bank robber. After ten months, I was told I very definitely looked like a bank robber.

They do this to you DELIBERATELY to make you look like hell in your court appearances so that judge and jury will throw the book at you. Unless you have outside family to provide you with decent court clothes for your court appearances (or like Winona Ryder you are out on bail and have a fashion designer working for you), you are hit.

And on the prosecution...

[It's+the+tripnaut!]

Prosecutor Mike Allen said...

"Businesses have to feel secure that their information stays confidential. You just can't have someone hacking into a business's confidential information," he said. "It's really no different than someone breaking into an office and stealing files."

Somebody should tell Prosecutor Mike Allen that...

Businesses have to make their information secure so that it stays confidential. You just can't leave your business' confidential information. It's really no different than someone leaving an office open to burglars who steal files.

Framed Up!

[kerb]

THe real hacker is onel de guzman of philippines.

Re:Framed Up!

[name773]

someone want to design a rendition of clue based on this thing?

Difference between Business & individual

[Jaeger-]

He was charged with the same crime against an unnamed company on June 3, also for another April 10 offense, records show. In that case, Baas is accused of hacking into the computer database of an unnamed company and providing "personal information regarding a subject's name and home address and telephone number without the consent or permission of the owner," records show.

If a business provides (sells) this information, its legal and considered "good business".

If an individual does the same thing, he's a criminal.

Glad we cleared that one up. Hacking is illegal, but we definitely need better laws that protect our private information here in the USA!

guildFTPd

[KalvinB]

I run guildFTPd on my server and havn't had any problems with it even with free anonymous FTP. I recently changed the anonymous FTP so it was write only (there's now a PHP file browser pointed at it for downloading) to prevent people from linking directly to ftp://www.icarusindie.com rather than http://www.icarusindie.com/ftp/ but even before it wasn't really an issue. Most people read and play by the rules.

Ben

What good would a firewall have done?

[KalvinB]

If that FTP server was meant to be accessible to the outside then putting it behind a firewall would have accomplished exactly nothing. The ports to it would be open anyway and he got in through the standard FTP port.

"because they forgot the word "alleged"."

If he admitted to the crime then "alledged" is no longer needed. He just needs to try to convince people he shouldn't be punished much.

Ben

how?

[upt1me]

How did the police find out about the hacking before the company? He must have been bragging about it to some government informant.

Re:how?

[hesiod]

> How did the police find out about the hacking before the company?

It was insinuated that the idiot turned himself in. He must have been smoking some extra-good pot that day.

This is in response to your sig

[fiftyvolts]

That statement was actually coined by Ben Franklin. I think his words were a little bit different, but both syntactically, intent, and meaning it was the same.

Just letting you know. The only reason I know is cause it was a good quote to use back in my debating days.

Re:What OS?

[avrincianu]

Off topic ? It was about SECURITY. It was about the fact that you are more likely get cracked while running Windows than Linux. And it was at 5 o'clock in the morning.

SFTP

[wrax]

seems most of the problems can be solved by using the sftp server that comes with ssh.

Re:Whenever someone says, "Trust me,"

[finallyHasANickname]

Kind words. Hmm. Strange. Thanks. :-) ::::typing::::

$ cd /
$ find . | grep nice
/dev/altrui
Segmentation fault (core dumped)
$

Re:What OS?

[hesiod]

> my clients, and they all are running Win2003 server with IIS 6.0 and MSSQL2000, and not a SINLE ONE has ever been hacked.

So what, I've run plenty of e-commerce sites on NT4 with thoroughly shitty patching (read: none) and have never had them hacked into. Maybe it's because it wasn't worth the time or notice for a cracker to break into the sites. Could be the same for you.

(note: I am no longer a Win admin, nor do I ever want to be one again)

How did the attack work?

[mh_cryptonomicon]

Cryptonomicon.Net has this story that proposes a mode of attack...