Acxiom Hacking Details Made Public
pgrote writes "As mentioned previously, the Acxiom consumer database company was compromised. More details have emerged including the background of the alleged hacker and the method used to gather access. It turns out he had access since December of 2002 and came in through an unsecured FTP server. The suspect was not a former employee of Acxiom as previously reported, but an employee of a data mining company."
There aren't many details in this; it simply says that the hacker got in through an unsecured FTP server, was arrested, and they don't think he distributed the information.
Where are the details again?
Work sucked, until it became unemployment, when it became slightly more tolerable. -Tet
At first I thought maybe this guy was a DBA or Sys Admin at the company, but an outsider? This is unacceptable for a place that stores such sensitive data.
How is it hacking if you publish it on your FTP server? I'm sure no one would call it hacking if the protocol had simply been http instead. Now, this fellow may have used the information for nefarious purposes, and if there is any law he broke in doing so, go get him. But I don't see this as hacking.
If this wasn't known since December of 2002, what cause do I have not to believe it's been happening everywhere? Being a victim hasn't affected ME yet, once it does, I'll fight the bill, get a new card number, and be on my way. This is relatively meaningless to us.
Keep going at it. Eventually, people are going to be SO PISSED at their personal data being spewed forth all over the place, there will be a terrible backlash that will make the European Data-Protection and Privacy laws seem tame enough...
No, actually you'd be like 'oooh, something shiny!' while looking at a random techy toy, because if they didn't tell you about it you wouldn't have been informed and therefore could not have been pissed.
Banaaaana!
Translation from law enforcement language - this was a guy that knows what things like encryption and ftp are. This was a guy that knows the difference between a megabyte and a megahertz. A real wizard. Be afraid.
Friends don't let friends enable ecmascript.
So you mean that this company has an open FTP account that was rooted to the files of all that material! Is it just me or does that make you not want to trust anyone?
--Matt Fisher
This more or less shows the fact that many companies have group passwords to their critical equipment instead of implementing a choke system to allow users to log into it to show them where they can go and can't go.
Since they probably dumped the company involved and did not change any of those passwords, this guy was allowed to basically walk around at will inside the databases.
Such lax security in itself should also be criminal especially when it concerns consumer data and financial information of consumers.
Still, I'd much rather be running an open source FTP server than some of those weak Windows versions.
"A language that doesn't affect the way you think about programming, is not worth knowing" - Alan Perlis
This was done by an employee of a data mining company? To gather information about consumers? Hmmmm.. The RIAA been hiring some of those lately.. This could be a fun little conspiracy...
From the article:
"Acxiom is proud of its long-standing commitment to the security of our systems and our efforts toward continuous improvements in that area,"
As far as I can tell, this guy logged into an ftp server and downloaded some publicly accessible files, perhaps after breaking some simple encryption to get a password or something. Yes, that's some impressive security they have there...
Why did they have a server outside their firewall?!?
I guess they were trying to keep the article under a certain word count, because they forgot the word "alleged".
Okay, so this was probably little more than an attack against the
Now, does that mean they had all users change their passwords, or just their passwords on that server? I wonder how many of those users have the same passwords on other machines as they had on the compromised FTP server...hmm.....
Which is why their infrastructure was vulnerable to begin with? Why was their FTP server outside their firewall? Why aren't they using a firewall proxy? How about FTP servers with jails? Without more details, it's impossible to be sure, but this smells like a successful attack due to careless configuration and insecure architecture.
...is the mugshot of the guy responsible. Anyone want to start a pool on how many gallons of Bawls (and other ThinkGeek(TM) caffeinated products) this guy consumed in the 24 hours prior to his arrest??
Rate Naked People! at Fuck Meter! (Not work-safe)
Odd but where I come from anonymous ftp isn't hacking.. that's why it's anonymous.. if I posted confidential customer information on a website and you viewed my page did you hack me? At what point did we say anonymous web is ok, but don't try anonymous ftp even though there are plenty of anonymous ftp servers meant for public use.
Does anyone know the address of the compromised ftp server? I'd like to check if it's still secure. Or someone else can...
when they passed the income tax in 1913 that only hit the top ten percent of people. When U. Sinclair wrote The Jungle, people said that now the food industry will be cleaned up. Do you know what I ate for lunch? No, I don't either. That's what they said about Roosevelt's New Deal. Oh, Hitler smashed all the Jewish businesses? Surely now the people will unelect him. When the EPA started telling private landowners the land was public because it flooded once a year, they all said "that's great, surely we'll have a groundswell now." When the Brady Bill was passed, people said "ok now the people will really revolt." How long have we lived under the Patriot Act's extra-constitutional government now?
Face it, if you want to protect your self there is no hope in waiting for the masses to get pissed. Just start fighting.
Your info was in there. And they didn't. And you are so not pissed you will never read this, never cancel your cards and start using cash, never write a congressman, and just move on to the next slashdot story about legos and linux.
My first inclination was to deplore this latest breach in the handling of our most sensitive personal data by its self-appointed custodians at Acxiom. But after reflecting for a couple hours, I realize that this makes no difference at all. Is this guy in trouble just because he took the data without paying for it? I'm sure that Acxiom could have accommodated him if he had just created his own marketing firm and forked over some $$$.
"But Acxiom would never sell your most sensitive personal data! They only use it for internal modeling, aggregated statistical profiling, {cancer|AIDS} research, finding loving homes for stray kitties and puppies, etc." Or for sharing with affiliated partners, i.e. anyone who is willing to pay for it.
If Acxiom wasn't selling the information, you could still count on the DMV to sell your information to all comers.
No. See, it's like this: practically everyone in the world associates 'hacker' with 'computer expert' and a fairly large percentage of those people also think 'nefarious' when they hear 'hacker'.
I know you really, really want your word back, but you just can't have it. The populace has kidnapped it. This is what it means now. It won't change. It's jargon anyways, so the meaning is fluid.
Hackers are computer experts who sometimes circumvent established systems, for learning or mischief. Crackers are small biscuits you eat.
If Jesus wants me it knows where to find me.
The term hacker was both used and misused long before anyone came up with the term cracker to be someone who breaks into computer systems. It was essentially an attempt to deflect the popular press away from the word hacker, and allow it to regain the former meaning of respect.
It didn't work. The popular press hasn't let go of the word hacker to mean computer criminal. They haven't picked up on the term cracker. Instead of trying to explain what hacker means, we need to explain what hacker and cracker mean and what differentiates them. Meanwhile, we are also trying to explain that we are speaking the same language, despite having different definitions for just about everything.
I think we should give up on trying to get people to use the term cracker to mean computer criminal. It already has an entirely different (although no less positive) meaning. We can't just play "you stole our word, so we'll steal one of yours." The term cracker is evidence that jargon can't be forced; it has to spring up naturally.
Now for why someone who reads slashdot submitted an article that uses the word hacker incorrectly. I have no explanation.
If a company that handles sensitive information can't use ssh and scp, or some other secure mechanism, aren't they liable for legal action? Isn't financial data required to be protected by something equivalent to HIPAA?
Any technology distinguishable from magic is insufficiently advanced. - Geek's corollary to Clarke's law
The IT I am referring to is of course the obligatory: Free Daniel J. Baas websites.
then you'd like plan9's ftp:
it doesn't even use passwords
it uses a kind of public key encryption called NetKey
ftp DrSkwid@plan9ftp
Welcome DrSkwid to the plan9 ftp server
challenge : 345345
response
And you have to run netkey locally and encrypt the challenge using your password.
The server checks to see if its encrypted version matches and if so you're in.
You can't replay it and good luck cracking it.
If you don't want to be broken into, don't use insecure things, oh and "root" is considered harmful. If there is nothing to escalate privileges to, then what is the point of that rootkit?
Makes me laugh people talking security with such a single point of failure waiting for exploitation.
There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter
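The challenge/response login described in the plan9 ftp post above, modelled in Python as an added illustration (this is not Plan 9's netkey code; real netkey derives a DES key from the password, whereas this sketch uses SHA-256/HMAC and invented names like ChallengeServer). It shows why a sniffed session is useless to an attacker: the password never crosses the wire and a captured response only answers one challenge.

```python
import hashlib
import hmac
import secrets

# Constructed model of a Plan 9-style challenge/response login.
# The client keys a MAC with its password and returns the MAC of the
# server's fresh challenge; the server recomputes and compares.

def derive_key(password: str) -> bytes:
    # Hypothetical password-to-key step (netkey uses DES; SHA-256 here).
    return hashlib.sha256(password.encode("utf-8")).digest()

def compute_response(password: str, challenge: str) -> str:
    # Client side: what the user's local netkey-like tool would print.
    return hmac.new(derive_key(password), challenge.encode("utf-8"),
                    hashlib.sha256).hexdigest()

class ChallengeServer:
    def __init__(self, users: dict):
        # Server stores password-derived keys; a leak of this table is
        # password-equivalent, which the protocol does not protect against.
        self._keys = {u: derive_key(p) for u, p in users.items()}
        self._pending = {}  # user -> challenge awaiting a response

    def issue_challenge(self, user: str) -> str:
        # Fresh random challenge, like the "challenge : 345345" line above.
        ch = str(secrets.randbelow(10 ** 9))
        self._pending[user] = ch
        return ch

    def verify(self, user: str, response: str) -> bool:
        # Pop the challenge so each one answers at most once (replay defence).
        ch = self._pending.pop(user, None)
        if ch is None or user not in self._keys:
            return False
        expected = hmac.new(self._keys[user], ch.encode("utf-8"),
                            hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)

def demo() -> dict:
    # Constructed credentials; returns outcomes of a login, a replay, and a bad password.
    srv = ChallengeServer({"DrSkwid": "correct horse battery"})
    ch = srv.issue_challenge("DrSkwid")
    resp = compute_response("correct horse battery", ch)
    first = srv.verify("DrSkwid", resp)
    replay = srv.verify("DrSkwid", resp)          # same response again
    ch2 = srv.issue_challenge("DrSkwid")
    wrong = srv.verify("DrSkwid", compute_response("guess", ch2))
    return {"login": first, "replay": replay, "wrong_password": wrong}
```

A captured challenge/response pair still allows an offline guessing attack against a weak password, so this scheme complements, rather than replaces, strong passwords.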
I found out today that this guy is my dad's fiancée's nephew.
I've never met him, and apparently he has prior marijuana charges (just look at his pic), but from what I heard from his family, he's absolutely fucked, and is looking at spending the rest of his life in a "federal pound you in the ass prison"
The guy they arrested, Dan Baas, is my cousin. This is super funny and not the first time he's been involved in stuff like this.
Prosecutor Mike Allen said...
"Businesses have to feel secure that their information stays confidential. You just can't have someone hacking into a business's confidential information," he said. "It's really no different than someone breaking into an office and stealing files."
Somebody should tell Prosecutor Mike Allen that...
Businesses have to make their information secure so that it stays confidential. You just can't leave your business' confidential information. It's really no different than someone leaving an office open to burglars who steal files.
He was charged with the same crime against an unnamed company on June 3, also for another April 10 offense, records show. In that case, Baas is accused of hacking into the computer database of an unnamed company and providing "personal information regarding a subject's name and home address and telephone number without the consent or permission of the owner," records show.
If a business provides (sells) this information, it's legal and considered "good business".
If an individual does the same thing, he's a criminal.
Glad we cleared that one up. Hacking is illegal, but we definitely need better laws that protect our private information here in the USA!
E V E R Y T H I N G I W R I T E I S F A L S E
If that FTP server was meant to be accessible to the outside then putting it behind a firewall would have accomplished exactly nothing. The ports to it would be open anyway and he got in through the standard FTP port.
"because they forgot the word "alleged"."
If he admitted to the crime then "alleged" is no longer needed. He just needs to try to convince people he shouldn't be punished much.
Ben
Work Safe Porn