Acxiom Hacking Details Made Public
pgrote writes "As mentioned previously, the Acxiom consumer database company was compromised. More details have emerged, including the background of the alleged hacker and the method used to gain access. It turns out he had access since December of 2002 and came in through an unsecured FTP server. The suspect was not a former employee of Acxiom as previously reported, but an employee of a data mining company."
details? (Score:3, Informative)
Where are the details again?
No Excuse (Score:4, Insightful)
Re:No Excuse (Score:1)
Re:No Excuse (Score:4, Insightful)
This is in response to your sig (Score:1)
That statement was actually coined by Ben Franklin. I think his words were a little bit different, but in syntax, intent, and meaning it was the same.
Just letting you know. The only reason I know is because it was a good quote to use back in my debating days.
Re:No Excuse (Score:1, Offtopic)
I beg to differ. Matter of fact, I think it's absurd. Completely absurd to allow someone to gain access to sensitive data outside the firewall perimeter. How could anyone be so stupid? Damn, something as simple as https or ssh/scp would've solved that problem! Acxiom does NOT deserve a break, they deserve a group spanking from their shareholders and clients!
Re:No Excuse (Score:2)
Re:No Excuse (Score:2)
Re:No Excuse (Score:2)
Victims (Score:1)
Re:Victims (Score:3, Funny)
Re:Victims (Score:5, Insightful)
Your info was in there. And they didn't. And you are so not pissed you will never read this, never cancel your cards and start using cash, never write a congressmen, and just move on to the next slashdot story about legos and linux.
Question (Score:5, Insightful)
Re:Question (Score:5, Informative)
Re:Question (Score:1, Redundant)
Re:Question (Score:5, Interesting)
When was the last time you saw an FTP server that allowed you to download its own password file? 1990?
This is ridiculous - if I encountered one, I'd ask myself if it was a honeypot.
Also, the various journalists' view (and the subsequent picture created by them for their readers) of "hacking", "cracking", "security" etc. is sometimes so distorted, so far-off from the reality of the people closer involved with the subject that reading a mainstream-press article about it is often only marginally better than just making-up the facts from slashdot-postings !
Rainer
Re:Question (Score:4, Informative)
Not an admin, eh?
Many _default_ non-anonymous ftp services on unix|unix-like systems that I have dealt with (recently) allow the ftp user the same access rights to the entire tree as their uid:gid is allowed. So, on a system w/o shadow passwords, cd
BTW, shadow passwording has the Achilles heel of file security. I have dealt with systems where the file security of these files had been compromised to solve some silly need.
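What the post above describes, worked through as an added example that is not from the post or from any real system: a constructed passwd file in the old non-shadowed layout beside its shadowed counterpart, and a dictionary attack against whatever hashes the file exposes. The hash format is an assumed stand-in (salted SHA-256 written as $demo$salt$digest) rather than the real crypt(3) formats, so the block runs with the standard library only; the users, passwords and wordlist are made up.

```python
import hashlib
import secrets


def demo_hash(password: str, salt: str) -> str:
    """Assumed stand-in for crypt(3): salted SHA-256 in a $demo$salt$digest layout."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"$demo${salt}${digest}"


# Constructed sample: non-shadowed layout, hash sits in field 2 and is readable
# by anyone who can fetch /etc/passwd, e.g. an FTP user with full-tree access.
PASSWD_UNSHADOWED = "\n".join([
    "root:" + demo_hash("letmein", "ab") + ":0:0:root:/root:/bin/sh",
    "ftpxfer:" + demo_hash("summer2002", "Qz") + ":501:501:Data transfer:/srv/ftp:/bin/sh",
    "anna:" + demo_hash("Tr0ub4dor&3", "k9") + ":502:502:Anna:/home/anna:/bin/sh",
])

# Same accounts with shadow passwords: field 2 is "x", the hashes live in /etc/shadow.
PASSWD_SHADOWED = "\n".join([
    "root:x:0:0:root:/root:/bin/sh",
    "ftpxfer:x:501:501:Data transfer:/srv/ftp:/bin/sh",
    "anna:x:502:502:Anna:/home/anna:/bin/sh",
])

# Constructed wordlist; two of the three demo passwords are in it, one is not.
WORDLIST = ["password", "letmein", "summer2002", "ftp", "acxiom"]


def parse_passwd(text: str) -> dict:
    """Return {user: field_2} for every well-formed line of a passwd-format file."""
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue
        entries[fields[0]] = fields[1]
    return entries


def crackable_hashes(entries: dict) -> dict:
    """Keep only entries that carry a hash; 'x', '*', '!' or empty mean nothing to attack here."""
    return {u: h for u, h in entries.items() if h not in ("x", "*", "!", "")}


def dictionary_attack(entries: dict, wordlist: list) -> dict:
    """Re-hash each candidate with the stored salt and report every user whose password matches."""
    found = {}
    for user, stored in crackable_hashes(entries).items():
        _, _, salt, _ = stored.split("$")
        for word in wordlist:
            if secrets.compare_digest(demo_hash(word, salt), stored):
                found[user] = word
                break
    return found


if __name__ == "__main__":
    print("unshadowed:", dictionary_attack(parse_passwd(PASSWD_UNSHADOWED), WORDLIST))
    print("shadowed:  ", dictionary_attack(parse_passwd(PASSWD_SHADOWED), WORDLIST))
```

Against the unshadowed file the attack recovers root and ftpxfer immediately; against the shadowed file there is nothing to attack unless /etc/shadow itself has been made readable, which is the loosened-file-security failure the post mentions.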
Re:Question (Score:1, Funny)
Well if you're still running a system without shadow password support you need to get your head out of the sand and upgrade or migrate to something that isn't so obsolete. WTF are you running, SCO Unixware?
Re:Question (Score:1)
I quite like that, when I saw it, your comment was moderated 'funny'. You did read my entire comment, yes?
In this case, I suspect there was a series of poor admin decisions, one of which was allowing ftp access, that led to the end compromise.
Re:Question (Score:2)
So what? (Score:3, Interesting)
Re:So what? (Score:2)
It may not be as simple as fighting the bill and getting on your way.
Keep going (Score:5, Interesting)
yeah, that's what they said . . . . (Score:5, Insightful)
Face it, if you want to protect yourself there is no hope in waiting for the masses to get pissed. Just start fighting.
Re:yeah, that's what they said . . . . (Score:1, Interesting)
Fight for my protection?
I'm not a stupid consumer, I always give as much false information as I can on the internet, and I sure as hell don't give personal data to stupid companies.
If stupid lusers are damaged by these, I laugh. I support the hackers 100% on this one.
ftp server? (Score:2)
As Microsoft would say, "You should've firewalled off that port."
Re:ftp server? (Score:5, Informative)
Still, I'd much rather be running an open source FTP server than some of those weak Windows versions.
Re:ftp server? (Score:5, Interesting)
it doesn't even use passwords
it uses a kind of public key encryption called NetKey
ftp DrSkwid@plan9ftp
Welcome DrSkwid to the plan9 ftp server
challenge : 345345
response
And you have to run netkey locally and encrypt the challenge using your password.
The server checks to see if its encrypted version matches and if so you're in.
You can't replay it and good luck cracking it.
If you don't want to be broken into, don't use insecure things, oh and "root" is considered harmful. If there is nothing to escalate privileges to, then what is the point of that rootkit?
Makes me laugh people talking security with such a single point of failure waiting for exploitation.
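The challenge/response login in the post above, worked through as an added example; this is not Plan 9's netkey code and not from the post. Plan 9 derives a DES key from the password; here the client's answer is an HMAC-SHA256 of the challenge keyed by the password, an assumed substitution so the block runs with the standard library only. The user name, password and challenge size are made up. Both sides are shown, and the second login attempt replays a captured response to show why that fails.

```python
import hashlib
import hmac
import secrets

# Assumed credential store; the server needs the password (or a key derived
# from it) to recompute the expected answer.
USERS = {"DrSkwid": "correct horse battery staple"}


def netkey_response(password: str, challenge: str) -> str:
    """What the client-side `netkey` program computes from the password and the printed challenge."""
    return hmac.new(password.encode(), challenge.encode(), hashlib.sha256).hexdigest()


class FtpAuthServer:
    """Server side: one fresh random challenge per login attempt, never accepted twice."""

    def __init__(self, users: dict):
        self.users = users
        self.pending = {}   # user -> outstanding challenge
        self.used = set()   # challenges already consumed, so a replay is refused

    def challenge(self, user: str) -> str:
        c = secrets.token_hex(8)   # 64 random bits; the post's example shows a short number
        self.pending[user] = c
        return c

    def login(self, user: str, response: str) -> bool:
        c = self.pending.pop(user, None)
        if c is None or c in self.used:
            return False
        self.used.add(c)
        pw = self.users.get(user)
        if pw is None:
            return False
        expected = netkey_response(pw, c)
        return hmac.compare_digest(expected, response)


def demo() -> tuple:
    """Legitimate login succeeds; an eavesdropper replaying the captured response later fails."""
    server = FtpAuthServer(USERS)
    c1 = server.challenge("DrSkwid")
    resp = netkey_response(USERS["DrSkwid"], c1)   # computed locally, password never sent
    ok = server.login("DrSkwid", resp)
    # The attacker saw (c1, resp) on the wire and tries the same answer again.
    server.challenge("DrSkwid")                    # the server issues a different challenge
    replay = server.login("DrSkwid", resp)
    return ok, replay


if __name__ == "__main__":
    print(demo())
```

The password itself never crosses the wire, so the sniffing that compromises plaintext FTP gets the attacker only a challenge and a one-time answer to it.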
guildFTPd (Score:2)
Ben
SFTP (Score:1)
HACKER? (Score:1, Informative)
You should know it better, you're Slashdot!
Relax. (Score:5, Insightful)
No. See, it's like this: practically everyone in the world associates 'hacker' with 'computer expert' and a fairly large percentage of those people also think 'nefarious' when they hear 'hacker'.
I know you really, really want your word back, but you just can't have it. The populace has kidnapped it. This is what it means now. It won't change. It's jargon anyways, so the meaning is fluid.
Hackers are computer experts who sometimes circumvent established systems, for learning or mischief. Crackers are small biscuits you eat.
Re:HACKER? (Score:2)
Look, the whole hacker/cracker thing is pointless. Lots of words, especially some of the derogatory on
Re:HACKER? (Score:3, Informative)
The term hacker was both used and misused long before anyone came up with the term cracker to be someone who breaks into computer systems. It was essentially an attempt to deflect the popular press away from the word hacker, and allow it to regain the former meaning of respect.
It didn't work. The popular press hasn't let go of the word hacker to mean computer criminal. They haven't picked up on the term Cracker. Instead of trying to explain what hacker means [syndetic.org], we need to explain what hacker and cracker mean [ibm.com]
Re:HACKER? (Score:2)
When I speak or write words mean exactly what *I* intend them to mean. No more, no less. I use them because I intend to transfer an idea in a specific way. Sometimes I make allowances for what the dictionary says, sometimes I deliberately mangle meanings to get the other person to understand. ("Press the "eject" button on the hard drive and pull out the floppy disk, then reboot.")
If some fool misinterprets what I say when I did not intend to say it, it's their problem, not mine. Likewise, the confus
Re:HACKER? (Score:2)
When I speak or write words mean exactly what *I* intend them to mean. No more, no less.
"When I use a word," Humpty Dumpty said, in a rather scornful tone, "it means just what I choose it to mean--neither more nor less."
-- Lewis Carroll, Through the Looking Glass
On the other hand:
You keep using that word. I do not think that word means what you think it means
-- Inigo Montoya, The Princess Bride
Yup, pedantic, guilty as charged. Go ahead and mod me down; I can afford it.
Exclusive: Method used to gather access! (Score:5, Funny)
Translation (Score:5, Funny)
Translation from law enforcement language - this was a guy that knows what things like encryption, and ftp are. This was a guy that knows the difference between a megabyte and a megahertz. A real wizard. Be afraid.
Re:Translation (Score:5, Funny)
Wow. Sounds like getting busted can do wonders for your self-esteem. Here the guy was probably a basic loser and managed to "hack" into an unsecured FTP server. Then he gets busted for it. Suddenly he's no longer Joe Loser, he's a sophisticated hacker to be feared and respected for his mastery of such arcane skills as using a password cracking app and an FTP app. How can we ever feel safe with such diabolical people out there?
Re:Translation (Score:2)
What! (Score:2, Insightful)
Disturbing (Score:5, Informative)
Since they probably dumped the company involved and did not change any of those passwords, this guy was allowed to basically walk around at will inside the databases.
Such lax security in itself should also be criminal especially when it concerns consumer data and financial information of consumers.
What's more disturbing... (Score:5, Funny)
Looks like all the other "terrorist" photos... (Score:2)
Cruel and Inhumane? You Bet!!!
Re:Looks like all the other "terrorist" photos... (Score:2)
When I was arrested for bank robbery, I was held first for a few days in the San Francisco County Jail - you do NOT sleep there unless you are unconscious because somebody knocked you out.
Then I was moved to Alameda County Jail because the Federal Detention Center at Dublin was overcrowded. There you could turn off the light and get some sleep at night IF you had a cellie who didn't want to stay up all night. During th
Re:Disturbing (Score:2, Interesting)
Let's say I have a single lock on the handle of my front door... with no dead bolt. Along comes someone and kicks the door open and proceeds to rob my house. While he's robbing my house he steals a cd that I borrowed from my friend. Are you saying that *I* should be arrested because I failed to install an adequate dead bolt on my front door and thus the robber stole a cd that didn't belong to me?
What's adequate? Let's say I did install a dead bolt but the robber was sophisticated enough to pick
Re:Disturbing (Score:2)
This isn't you holding a CD for your friend. This is a company that makes its business the storing and compiling of this information. Say instead that you run a business out of your home and your business is the storing of CD collections. If you're broken into and those CDs stolen, you certainly would be liable - this is why people who do this sort of thing have insurance against it. The insurance company is going to be really pissed off that there was an unsecured FTP serv
Re:Disturbing (Score:5, Insightful)
The first distinction is that in your example, your friend willingly loaned you the CD. I don't think anyone has intentionally "loaned" their personal information to Acxiom. Before the initial story was reported here, I'd never heard of Acxiom, though various articles proclaim them to be [one of] the biggest data-mining compan[y|ies] around. If they have any data on me, I sure as hell didn't loan it to them.
The second problem with your analogy is that a CD is nothing like personal data. A CD is a vanity, something worth maybe $15, less now that it's used. Acxiom has been described as serving "most top credit card companies and retail banks." What do you think the credit card or bank details of a single person - much less however many people were affected by this breach - are worth? That $15 CD pales in comparison. Your analogy fails here as well. You, as a private citizen, do not have any liability for the stolen items. Your friend loaned you the CD, there was no business agreement surrounding that friendly exchange. Acxiom is a business, the rules are different.
Suppose you rent a storage facility at one of those mini-storage places. Their property is surrounded by a chainlink fence complete with razorwire. The gate requires a keycode to enter. Each bay is padlocked. Now let's say some joker breaks into the place, gets into your bay and steals everything you have stored there. Surely a fence with razorwire, key-coded facility access, and padlocks are "adequate" security... But you're damn sure that the mini-storage company would be liable for your loss, unless that was covered in your contract with them.
But, see, none of us have a contract with Acxiom.
Acxiom is liable, one way or another.
Re:Disturbing (Score:2, Informative)
FYI
I don't think anyone has intentionally "loaned" their personal information to Acxiom. Before the initial story was reported here, I'd never heard of Acxiom, though various articles proclaim them to be [one of] the biggest data-mining compan[y|ies] around. If they have any data on me, I sure as hell didn't loan it to them.
Acxiom collate, clean and break down client data for client companies; as far as I know they don't actually use it themselves. If you're in Acxiom's DBs, chances are someone you boug
Re:Disturbing (Score:1)
2. If it were my CD, I'd want it back. Since the victim of the robbery is my friend, I'd be sympathetic and cut him some slack. But if he had insurance and the loss were covered, I'd expect him to fork over enough for a new CD. Obviously I'm not going to sue a friend over a lost CD in any case. But if the friend were grossly negligent -- i.e. not just having flimsy locks but, say, inviting crackheads to stay in his living room -- then I'd be pissed, and put the blame on him.
3. You
Re:Whenever someone says, "Trust me," (Score:1)
$ cd
$ find . | grep nice
/dev/altrui
Segmentation fault (core dumped)
$
Employee of Data Mining Company? (Score:2, Interesting)
pathetic (Score:5, Funny)
"Acxiom is proud of its long-standing commitment to the security of our systems and our efforts toward continuous improvements in that area,"
As far as I can tell, this guy logged into an ftp server and downloaded some publicly accessible files, perhaps after breaking some simple encryption to get a password or something. yes, that's some impressive security they have there...
Here I was hoping for real details... (Score:5, Insightful)
Why did they have a server outside their firewall?!?
I guess they were trying to keep the article under a certain word count, because they forgot the word "alleged".
Okay, so this was probably little more than an attack against the
Now, does that mean they had all users change their passwords, or just their passwords on that server? I wonder how many of those users have the same passwords on other machines as they had on the compromised FTP server...hmm.....
Which is why their infrastructure was vulnerable to begin with? Why was their FTP server outside their firewall? Why aren't they using a Firewall proxy? How about FTP servers with jails? Without more details, it's impossible to be sure, but this smells like a successful attack due to careless configuration and insecure architecture
Re:Here I was hoping for real details... (Score:5, Insightful)
Why did they have a server outside their firewall?!?
I think that if you translate from Dumb Reporter to Technical you get "server on a service network or DMZ, available to the Internet but segregated from their internal network." That's standard practice, the thing has to be available to the Internet.
In either case, I'm guessing they brute-forced / dictionary attacked the file with John the Ripper or the like
Again, you need to translate here. Based on personal experience with similar organizations, I believe this translates to "He sniffed the plaintext (non-anonymous) FTP passwords off the Internet and used them to log in himself and get files."
Now, does that mean they had all users change their passwords, or just their passwords on that server
Translation: "We changed all the FTP passwords, so that they will be secure until the next time someone sniffs them."
Which is why their infrastructure was vulnerable to begin with?
Note that they also state the information he got was encrypted and not believed to have been used. It is not unusual for organizations like Acxiom to accept PGP or ZIP encrypted files via FTP. Obviously, that isn't good enough - if only because of the negative publicity that comes out of an incident like this - but that's what they do.
The only sign of weak infrastructure here is FTP passing plaintext passwords over the Internet. I don't see any real evidence that anything else was compromised - except their PR shell.
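The plaintext-FTP sniffing the reply above describes, as an added example that is not from the post: a constructed transcript of an FTP control channel (not real Acxiom traffic; the C>/S> direction prefixes, host name, account and passwords are made up) and the parsing an eavesdropper, or a network monitor looking for credentials sent in the clear, needs to pull USER/PASS pairs out of it together with the server's verdict on each.

```python
import re

# Constructed capture of one TCP/21 control connection, in the form a sniffer
# would print it: C> is client to server, S> is server to client.
CAPTURE = """\
S> 220 transfer01 FTP server ready.
C> USER acme_batch
S> 331 Password required for acme_batch.
C> PASS Wint3r!2002
S> 230 User acme_batch logged in.
C> RETR customer_extract_20021218.zip.pgp
S> 150 Opening BINARY mode data connection.
S> 226 Transfer complete.
C> QUIT
S> 221 Goodbye.
S> 220 transfer01 FTP server ready.
C> USER acme_batch
S> 331 Password required for acme_batch.
C> PASS guess1
S> 530 Login incorrect.
"""

LINE_RE = re.compile(r"^(?P<dir>[CS])> (?P<text>.*)$")


def parse_capture(capture: str) -> list:
    """Turn the transcript into (direction, text) turns, skipping anything that isn't one."""
    turns = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m:
            turns.append((m.group("dir"), m.group("text")))
    return turns


def extract_credentials(capture: str) -> list:
    """Pair each USER/PASS the client sent with the server's reply code.

    Returns a list of (user, password, accepted). 230 means the pair worked;
    a 4xx/5xx reply after PASS means it was refused. Nothing here is decrypted:
    the protocol sends the password as-is.
    """
    creds = []
    user = password = None
    for direction, text in parse_capture(capture):
        verb, _, arg = text.partition(" ")
        if direction == "C":
            if verb.upper() == "USER":
                user, password = arg, None
            elif verb.upper() == "PASS":
                password = arg
        elif direction == "S" and user is not None and password is not None:
            code = verb[:3]
            if code == "230":
                creds.append((user, password, True))
                user = password = None
            elif code[:1] in ("4", "5"):
                creds.append((user, password, False))
                user = password = None
    return creds


def working_credentials(capture: str) -> list:
    """Just the (user, password) pairs the server actually accepted."""
    return [(u, p) for u, p, ok in extract_credentials(capture) if ok]


if __name__ == "__main__":
    for user, password, ok in extract_credentials(CAPTURE):
        print(f"{user}:{password}  accepted={ok}")
```

Rotating the FTP passwords after an incident changes the strings in the PASS lines and nothing else; the next capture of a login yields the new ones just as readily, which is the reply's point about what the rotation buys.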
Re:Here I was hoping for real details... (Score:2)
Quite possibly so. Let's hope.
I'm very well aware of standard practice, but I am also aware (from my own personal experience) of certain companies that still have Internet-facing systems which are not behind a firewall. Legacy architecture has an amazing
Re:Here I was hoping for real details... (Score:2)
Or like Acxiom pushed this data purposefully out to an insecure ftp server with a weak username and password as their security to be "hacked" by someone who wanted that info. Maybe they wanted him to have it, or carry it to some buyer, and gave them the password in some under the table deal..
But for all I know its the government going after a known hacker with planted evidence or whatever. I mean, who can you trust t
Re:Here I was hoping for real details... (Score:3, Informative)
The FTP server was likely one of the servers used to move data from Acxiom (who is simply a data processor) back to the client. So, the thing sits outside of the firewall. This was only done for customer data that was considered 'public record' or 'less sensitive' data. Which means that it's only the type of information that you can garner from various sources without too much trouble.
The data was more than likely encrypted, and I
What good would a firewall have done? (Score:3, Insightful)
"because they forgot the word "alleged"."
If he admitted to the crime then "alleged" is no longer needed. He just needs to try to convince people he shouldn't be punished much.
Ben
Hacking? (Score:2, Insightful)
Photo of Alleged Perp (Score:2)
Re:Photo of Alleged Perp (Score:1)
Computer world issues Acxiom press release... (Score:1, Insightful)
That's some incredible reporting!
When the news story first broke, we get "no personal information was released to others"
And we get that it was an insider.
And we get that "very, very little...information was compromised...", as compared to the amount of information that could have been stolen.
Specifically, we get this quote:
ftp server (Score:4, Funny)
FBI Informant (Score:1, Informative)
There's a part about a leet haxor d00d "Krakah Jak" who attended 2600 script kid meetings etc. but was actually a paid FBI informant.
That was nifty.
Acxiom? (Score:1, Funny)
jaded (Score:5, Interesting)
"But Acxiom would never sell your most sensitive personal data! They only use it for internal modeling, aggregated statistical profiling, {cancer|AIDS} research, finding loving homes for stray kitties and puppies, etc." Or for sharing with affiliated partners, i.e. anyone who is willing to pay for it.
If Acxiom wasn't selling the information, you could still count on the DMV to sell your information to all comers.
Re:jaded (Score:2, Interesting)
I don't know about other states, but here in Tennessee, when you fill out a driver's license application/renewal, there is an option to opt out of data sharing by initialing a few boxes on the form. The same option is present on the license plate renewal form they send each year.
Granted, most people probably skip over it, but if you read the fine print and initial in the right places, the DMV is
Re:jaded (Score:1)
I think a little more research would do some good before raining the fire down on Acxiom.
I have to deal with Acxiom occasionally where I work, and while I don't necessarily get along real well with them, they're not the avatars of evil that most people envision when they think 'data miners'.
They specialise ( at least in my part of the world ) in cleaning up customer data, addresses, name casing, etc - checking it against national do-not-mail lists and providing a GUI marketing tool to independent companie
IT Malpractice Suit? (Score:3, Insightful)
Re:IT Malpractice Suit? (Score:3, Informative)
Isn't financial data required to be protected by something equivalent to HIPAA?
HIPAA (Health Insurance Portability and Accountability Act) [hhs.gov] mostly revolves around (surprise) health related personal information. Financial organizations need to pay attention to it for their own employees' information, and for any health-related organizations they provide services for, but it's not the biggest IT driver for financial companies.
The Gramm-Leach-Bliley Act of 1999 [senate.gov] is more closely targeted on financial organ
Re:IT Malpractice Suit? (Score:1)
A vast audience now knows who Acxiom is, and what they do, and how they respond to a "crisis".
Re:IT Malpractice Suit? (Score:2)
unclear! (Score:2)
As a former employee of one of Axciom's customers maybe he had access to this FTP server for his work using an account that wasn't then removed. Or maybe he put a trace on FTP traffic so that he could glean the passwords of other people accessing that server. I find the use of the term "FTP" in the article confusing becaus
Re:unclear! (Score:2)
If they are using FTP, then they deserve a rap in the mouth. SSH is easy and available for just about anything.
So when do we see it? (Score:3, Funny)
holy moly (Score:5, Funny)
I've never met him, and apparently he has prior marijuana charges (just look at his pic), but from what I heard from his family, he's absolutely fucked, and is looking at spending the rest of his life in a "federal pound you in the ass prison"
Re:holy moly (Score:2)
I heard this 2nd hand, from my dad.
And it was 60 years, not life.
And the prison joke was just that, a joke.
Just wanted to clear this up, before I made anyone mad.
Re:holy moly (Score:2)
Most likely not a whole lot of real time at all, more likely parole for the rest of his natural life.
Re:holy moly (Score:1)
Re:holy moly (Score:2)
It's fucked up there's 2 guys claiming him as cousin plus me...
Re:holy moly (Score:1)
That guy is my cousin (Score:3, Interesting)
Re:That guy is my cousin (Score:1)
I don't think I would admit that on a public forum.
mck
Re:That guy is my cousin (Score:2)
a) To surreptitiously get known to the press and when they knock on your door to offer money for the story, you pretend to your parents that you don't know how they knew you.
b) To be famously associated with a world renowned hacker.
Re:That guy is my cousin (Score:2)
Your cousin and some other dude's (Beowulf_Boy) dad's fiancée's nephew. Strange how both of those posts were right next to each other. Maybe you guys can meet each other through slashdot!
Re:That guy is my cousin (Score:1)
Re:That guy is my cousin (Score:2)
And on the prosecution... (Score:2, Insightful)
"Businesses have to feel secure that their information stays confidential. You just can't have someone hacking into a business's confidential information," he said. "It's really no different than someone breaking into an office and stealing files."
Somebody should tell Prosecutor Mike Allen that...
Businesses have to make their information secure so that it stays confidential. You just can't leave your business' confidential information. It's really no different than someo
Framed Up! (Score:1)
Re:Framed Up! (Score:1)
Difference between Business & individual (Score:2, Insightful)
If a business provides (sells) this information, it's legal and considered "good business".
If an individual does the same thing, he's
how? (Score:1)
Re:how? (Score:2)
It was insinuated that the idiot turned himself in. He must have been smoking some extra-good pot that day.
How did the attack work? (Score:1)
Re:What OS? (Score:2)
So what, I've run plenty of e-commerce sites on NT4 with thoroughly shitty patching (read: none) and have never had them hacked into. Maybe it's because it wasn't worth the time or notice for a cracker to break into the sites. Could be the same for you.
(note: I am no longer a Win admin, nor do I ever want to be one again)
Re:What OS? (Score:1, Insightful)
Naah... stupid people are the best protocol. Opening something that says "click me for fun" is a bit like getting ebola and going to the shops saying "oh, it's only a cold..." and infecting a truckload of people. Some people like the risk, others don't take it...
Remember, the most secure Windows installation has no modem or network card.
Re:What OS? (Score:1)