Slashdot Mirror

← Back to Stories (view on slashdot.org)

Acxiom Hacking Details Made Public

Posted by michael on from the may-not-need-new-credit-cards-after-all dept.

pgrote writes "As mentioned previously, the Acxiom consumer database company was compromised. More details have emerged including the background of the alleged hacker and the method used to gather access. It turns out he had access since December of 2002 and came in through an unsecured FTP server. The suspect was not a former employee of Acxiom as previously reported, but an employee of data mining company."

25 of 142 comments (clear)

  1. No Excuse by TedCheshireAcad · · Score: 3, Insightful

    At first I thought maybe this guy was a DBA or Sys Admin at the company, but an outsider? This is unacceptable for a place that stores such sensitive data.

    1. Re:No Excuse by AstroDrabb · · Score: 3, Insightful

      Well the article I read said he was an employee of data mining company. Which means he had some inside knowlege of the systesm. He broke in through an external FTP server and did not get through their firewall. So I think Acxiom deserves a little break. There is no such thing as a 100% secure system, especially with inside knowlegde of the systems. As a programmer for a fortune 500 company, I could literally bring that company to it's knees and cause millions (USD) lost per day. However, I don't do that because I am a professional and would not use my skills to be abusive. I hope this dude get some hard time.

      --
      If Tyranny and Oppression come to this land,
      it will be in the guise of fighting a foreign enemy. -James Madison
  2. Question by Henry+V+.009 · · Score: 4, Insightful

    How is it hacking if you publish it on your FTP server? I'm sure no one would call it hacking if the protocol had simply been http instead. Now, this fellow may have used the information for nefarious purposes, and if there is any law he broke in doing so, go get him. But I don't see this as hacking.

    1. Re:Question by rritterson · · Score: 4, Informative

      According to one of the the articles, he broke the encryption on the passwords used to login to the FTP server. I call that cracking, which would be labeled hacking in the general lexicon.

      --
      -Ryan
      AUWYHSTOT (Acronyms are Useless When You Have to Spell Them Out Too)
    2. Re:Question by rainer_d · · Score: 5, Interesting
      According to one of the the articles, he broke the encryption on the passwords

      When was the last time you saw a FTP-server that allowed to download its own password-file ? 1990 ?
      This is ridiculous - if I'd encounter one, I'd ask myself if it was a honeypot.

      Also, the various journalists' view (and the subsequent picture created by them for their readers) of "hacking", "cracking", "security" etc. is sometimes so distorted, so far-off from the reality of the people closer involved with the subject that reading a mainstream-press article about it is often only marginally better than just making-up the facts from slashdot-postings !

      Rainer

      --
      Windows 2000 - from the guys who brought us edlin
    3. Re:Question by Vinson+Massif · · Score: 3, Informative

      "When was the last time you saw a FTP-server that allowed to download its own password-file ? 1990 ?"

      Not an admin, eh?

      Many _default_ non-anonymous ftp services on unix|unix-like systems that I have dealt (recently) with allow the ftp user the same access rights to the entire tree as their uid:gid is allowed. So, on a system w/o shadow passwords, cd /etc; get passwd; is all that's needed to get started. (grr ./ eats spaces...)

      BTW, shadow passwording has the achilles heel of file security. I have dealt with systems where the file security of these files had been comprimised to solve some silly need.

      --
      "Remember, any tool can be the right tool." -- Red Green
  3. So what? by zifty · · Score: 3, Interesting

    If this wasn't known since December of 2002, what cause do I have not to believe it's been happening everywhere? Being a victim hasn't affected ME yet, once it does, I'll fight the bill, get a new card number, and be on my way. This is relatively meaningless to us.

  4. Keep going by Pig+Hogger · · Score: 5, Interesting

    Keep going at it. Eventually, people are going to be SO PISSED at their personal data being spewed forth all over the place, there will be a terrible backlash that will make the European Data-Protection and Privacy laws seem tame enough...

  5. Exclusive: Method used to gather access! by Anonymous Coward · · Score: 5, Funny

    get

  6. Translation by Arker · · Score: 5, Funny

    According to law enforcement officials, the person arrested was a known sophisticated hacker.

    Translation from law enforcement language - this was a guy that knows what things like encryption, and ftp are. This was a guy that knows the difference between a megabyte and a megahertz. A real wizard. Be afraid.

    --
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-
    Friends don't let friends enable ecmascript.
    1. Re:Translation by Danse · · Score: 4, Funny

      Wow. Sounds like getting busted can do wonders for your self-esteem. Here the guy was probably a basic loser and managed to "hack" into an unsecured FTP server. Then he gets busted for it. Suddenly he's no longer Joe Loser, he's a sophisticated hacker to be feared and respected for his mastery of such arcane skills as using a password cracking app and an FTP app. How can we ever feel safe with such diabolical people out there?

      --
      It's not enough to bash in heads, you've got to bash in minds. - Captain Hammer
  7. Disturbing by Bruha · · Score: 5, Informative

    This more or less shows the fact that many companies have group passwords to their critical equipment instead of inplementing a choke system to allow users to login into it to show them where they can go and cant go.

    Since they probably dumped the company involved and not changed any of those passwords then this guy was allowed to basically walk around at will inside the databases.

    Such lax security in itself should also be criminal especially when it concerns consumer data and financial information of consumers.

    1. Re:Disturbing by FuckMeter · · Score: 5, Insightful
      Let's say I have a single lock on the handle of my front door... with no dead bolt. Along comes someone and kicks the door open and proceeds to rob my house. While he's robbing my house he steals a cd that I borrowed from my friend. Are you saying that *I* should be arrested because I failed to install an adequate dead bolt on my front door and thus the robber stole a cd that didn't belong to me?
      You're comparing apples to oranges. In fact, you're comparing apples to... zebras, or something not even closely related.

      The first distinction is that in your example, your friend willingly loaned you the CD. I don't think anyone has intentionally "loaned" their personal information to Acxiom. Before the initial story was reported here, I'd never heard of Acxiom, though various articles proclaim them to be [one of] the biggest data-mining compan[y|ies] around. If they have any data on me, I sure as hell didn't loan it to them.

      The second problem with your analogy is that a CD is nothing like personal data. A CD is a vanity, something worth maybe $15, less now that it's used. Acxiom has been described as serving "most top credit card companies and retail banks." What do you think the credit card or bank details of a single person - much less however many people were affected by this breach - are worth? That $15 CD pales in comparison.
      What's adequate? Let's say I did install a dead bolt but the robber was sophisticated enough to pick both locks? In this case I shouldn't be arrested because I had "adequate" security and was victimized by a "skilled" robber who had the proper knowledge that surpassed my own in lock technology?
      Your analogy fails here as well. You, as a private citizen, do not have any liability for the stolen items. Your friend loaned you the CD, there was no business agreement surrounding that friendly exchange. Acxiom is a business, the rules are different.

      Suppose you rent a storage facility at one of those mini-storage places. Their property is surrounded by a chainlink fence complete with razorwire. The gate requires a keycode to enter. Each bay is padlocked. Now let's say some joker breaks into the place, gets into your bay and steals everything you have stored there. Surely a fence with razorwire, key-coded facility access, and padlocks are "adequate" security... But you're damn sure that the mini-storage company would be liable for your loss, unless that was covered in your contract with them.

      But, see, none of us have a contract with Acxiom.

      Acxiom is liable, one way or another.

      --
      Rate Naked People! at Fuck Meter (not work-safe)
  8. Re:ftp server? by jericho4.0 · · Score: 4, Informative
    Being afraid to run FTP for security reasons is valid on any platform. The list of breaches on various FTP servers is long.

    Still, I'd much rather be running an open source FTP server than some of those weak Windows versions.

    --
    "A language that doesn't affect the way you think about programming, is not worth knowing" - Alan Perlis
  9. pathetic by Feztaa · · Score: 4, Funny

    From the article:

    "Acxiom is proud of its long-standing commitment to the security of our systems and our efforts toward continuous improvements in that area,"

    As far as I can tell, this guy logged into an ftp server and downloaded some publicly accessible files, perhaps after breaking some simple encryption to get a password or something. yes, that's some impressive security they have there...

  10. Here I was hoping for real details... by RenQuanta · · Score: 5, Insightful
    ...but let's see what we can figure out from the article:

    The breach involved one FTP server outside the Acxiom firewall, the company said. No internal systems or internal databases were accessed, and there was no breach of the security firewall.

    Why did they have a server outside their firewall?!?

    The company said only a small percentage of its clients' data was involved in the incident, and the hacker, a former employee of an Acxiom client, was arrested.

    I guess they were trying to keep the article under a certain word count, because they forgot the word "alleged".

    According to law enforcement officials, the person arrested was a known sophisticated hacker. Acxiom said the person apparently gained access through the hacking of encrypted passwords.

    Okay, so this was probably little more than an attack against the /etc/shadow file if it's a UNIX box, or the SAM file if it's NT. In either case, I'm guessing they brute-forced / dictionary attacked the file with John the Ripper or the like. If that's what they did, how did they get the password file to begin with? Perhaps the FTP was a bit too willing to follow instructions? (recursion anyone? ;)

    After learning of the breach, Acxiom immediately moved to close the security gap and changed all passwords on the FTP server involved. The company is now in the process of communicating with all clients who might be potentially affected.

    Now, does that mean they had all users change their passwords, or just their passwords on that server? I wonder how many of those users have the same passwords on other machines as they had on the compromised FTP server...hmm.....

    "Acxiom is proud of its long-standing commitment to the security of our systems and our efforts toward continuous improvements in that area, so we deeply regret this breach," said Acxiom Company Leader Charles Morgan in the statement.
    Which is why their infrastructure was vulnerable to begin with? Why was their FTP server outside their firewall? Why aren't they using a Firewall proxy? How about FTP servers with jails? Without more details, it's impossible to be sure, but this smells like a successful attack due to careless configuration and insecure architecture
    1. Re:Here I was hoping for real details... by bourne · · Score: 4, Insightful

      Why did they have a server outside their firewall?!?

      I think that if you translate from Dumb Reporter to Technical you get "server on a service network or DMZ, available to the Internet but segregated from their internal network." That's standard practice, the thing has to be available to the Internet.

      In either case, I'm guessing they brute-forced / dictionary attacked the file with John the Ripper or the like

      Again, you need to translate here. Based on personal experience with similar organizations, I believe this translates to "He sniffed the plaintext (non-anonymous) FTP passwords off the Internet and used them to log in himself and get files."

      Now, does that mean they had all users change their passwords, or just their passwords on that server

      Translation: "We changed all the FTP passwords, so that they will be secure until the next time someone sniffs them.

      Which is why their infrastructure was vulnerable to begin with?

      Note that they also state the information he got was encrypted and not believed to have been used. It is not unusual for organizations like Acxiom to accept PGP or ZIP encrypted files via FTP. Obviously, that isn't good enough - if only because of the negative publicity that comes out of an incident like this - but that's what they do.

      The only sign of weak infrastructure here is FTP passing plaintext passwords over the Internet. I don't see any real evidence that anything else was compromised - except their PR shell.

  11. What's more disturbing... by FuckMeter · · Score: 5, Funny

    ...is the mugshot of the guy responsible. Anyone want to start a pool on how many gallons of Bawls (and other ThinkGeek(TM) caffeinated products) this guy consumed in the 24 hours prior to his arrest??

    Rate Naked People! at Fuck Meter! (Not work-safe)

  12. ftp server by bucketoftruth · · Score: 4, Funny

    Does anyone know the address of the compromised ftp server? I'd like to check if it's still secure. Or someone else can...

  13. yeah, that's what they said . . . . by Anonymous Coward · · Score: 5, Insightful

    when they passed the income tax in 1913 that only hit the top ten percent of people. When U. Sinclair wrote the Jungle, people said that now the food industry will be cleaned up. Do you know what I ate for lunch ? No, I don't either. That's what they said about Roosevelt's new deal. Oh, Hitler smashed all the Jewish businesses ? Surely now the people will diselect him. When the EPA started telling private landowners the land was public because it flooded once a year, they all said "that's great, surely we'll have a groudswell now." When the Brady Bill was passed, people said "ok now the people will really revolt." How long have we lived under the Patriot Act's extra-constitutional government now ?

    Face it, if you want to protect your self there is no hope in waiting for the masses to get pissed. Just start fighting.

  14. Re:Victims by Anonymous Coward · · Score: 5, Insightful
    I know if it was my info in there, I'd be pretty pissed if they didn't tell me about it.

    Your info was in there. And they didn't. And you are so not pissed you will never read this, never cancel your cards and start using cash, never write a congressmen, and just move on to the next slashdot story about legos and linux.

  15. jaded by dpletche · · Score: 4, Interesting

    My first inclination was to deplore this latest breach in the handling of our most sensitive personal data by its self-appointed custodians at Acxiom. But after reflecting for a couple hours, I realize that this makes no difference at all. Is this guy in trouble just because he took the data without paying for it? I'm sure that Acxiom could have accomodated him if he had just created his own marketing firm and forked over some $$$.

    "But Acxiom would never sell your most sensitive personal data! They only use for internal modeling, aggregated statistical profiling, {cancer|AIDS} research, finding loving homes for stray kitties and puppies, etc." Or for sharing with affliliated partners, i.e. anyone who is willing to pay for it.

    If Acxiom wasn't selling the information, you could still count on the DMV to sell your information to all comers.

  16. Relax. by thatguywhoiam · · Score: 5, Insightful
    Would you plese stop using "hacker" word when the proper word would be "cracker"!

    No. See, it's like this: practically everyone in the world associates 'hacker' with 'computer expert' and a fairly large percentage of those people also think 'nefarious' when they hear 'hacker'.

    I know you really, really want your word back, but you just can't have it. The populace has kidnapped it. This is what it means now. It won't change. It's jargon anyways, so the meaning is fluid.

    Hackers are computer experts who sometimes circumvent established systems, for learning or mischief. Crackers are small biscuits you eat.

    --
    If Jesus wants me it knows where to find me.
  17. Re:ftp server? by DrSkwid · · Score: 4, Interesting

    then you'd like plan9's ftp

    it doesn't even use passwords

    it uses a kind of public key encryption called NetKey

    ftp DrSkwid@plan9ftp
    Welcome DrSkwid to the plan9 ftp server
    challenge : 345345
    response :

    And you have to run netkey locally and encrypt the challenge using your password.
    The server checks to see if its encrypted version matches and if so you're in.

    You can't replay it and good luck cracking it.

    If you don't want to be broken into don't use insecure things, oh and "root" is considered harmful. If you there is nothing to escalate privileges to then what point that rootkit?

    Makes me laugh people talking security with such a single point of failure waiting for exploitation.

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  18. holy moly by Beowulf_Boy · · Score: 4, Funny

    I found out today that this guy is my dads fiance's nephew.

    I've never met him, and apparently he has prior marijuana charges (just look at his pic), but from what I heard from his family, he's absolutely fucked, and is looking at spending the rest of his life in a "federal pound you in the ass prison"