
Continuing Security Concerns at DoubleClick
As I write, I'm aware of two security holes in their network, which is an improvement over last night, when the number was three. Unfortunately, this does not mean they are now 33% more secure. I don't have the background to be sure exactly how significant the remaining problems are, but I'll share what I know.
Unfortunately, DoubleClick's Chief Privacy Officer was not available by press time to respond to questions. We have offered the company a chance to respond, and we hope they'll take that opportunity to clear up some questions. Meanwhile, here's their official statement on the matter as of today:
"Over the last week there have been unsuccessful attempts made to hack into DoubleClick's servers. Those situations were immediately corrected," said Jules Polonetsky, Chief Privacy Officer, DoubleClick. "DoubleClick is now undergoing a comprehensive security audit, including the expertise of external security professionals and engineers, to fully ensure the continued integrity of our servers."
Now here's the history of DoubleClick security since last week, as far as I can tell.
Kitetoa ("KITE-a-toe-a") is a group of white-hat hackers who publish together under that pseudonym. They broke the news on their website simultaneously with transfert.net, and spoke with someone at DoubleClick to make sure the company knew to patch the holes. (I left several messages to this same contact, but he did not return my calls.) They continue to update their site with more DoubleClick security news.
The first IIS vulnerability is the commonly-known unicode bug, which lets you read and write files with the same permissions as the webserver, typically "IUSR."
Using this vulnerability, Kitetoa discovered the second security issue, which is that someone else had compromised the DoubleClick corporate webserver at some time in the past. The file eeyehack.exe was left on www.doubleclick.net. This is a backdoor written by the white-hat hackers at eEye, which opens port 6969 for attackers to telnet in. DoubleClick assures us that eeyehack.exe could never have been executed, because that directory had script access disabled.
But I spoke with Marc Maiffret, Chief Hacking Officer of eEye (the people who brought you this port of nmap to Windows NT, by the way). He points out that the same backdoor could have been copied elsewhere, too, possibly into directories that allowed execution. I've asked DoubleClick whether they checked this; no answer at press time.
It's a separate question whether a cracker could have gotten SYSTEM level access through some other hole. With just IUSR level access, probably not much could have been done. There's no evidence that higher-level access was obtained ... but absence of evidence is not evidence of absence.
What concerns many people is that the eeyehack.exe file that was visible had a modification date of 1999. We know this date is not accurate, because the exploit that writes that file did not exist until last November. But that odd date does raise questions about how long DoubleClick's network has had these vulnerabilities.
The nightmare hypothetical is that a cracker has had access to DoubleClick's networks for the last couple of months or years, and has been reading the data they have been collecting about banner ad clicks. Or, worse, has had access to the Abacus database. Let me emphasize that I know of zero evidence that this has actually happened. But the potential for enormous privacy violations, with this company more than almost any other, is very serious.
DoubleClick assures me there is a good reason for the 1999 date on the backdoor program, but my question about it goes unanswered at press time.
The third hole is almost exactly one year old, and it allows ASP source code to be read. This alarms people because the server named AbacusOnline.DoubleClick.net was shown to be vulnerable. I verified this myself and learned the SQL passwords that go with two usernames, "gcolon" and "aowebuser."
Asked to estimate whether a determined cracker could have made use of those SQL passwords, Kitetoa guessed it was "85% certain" - for whatever that's worth.
Not that SQL should have been stored in the ASP code anyway. Marc Maiffret comments, "One of the better ways to secure SQL login information, within an ASP file, would be to store all of the login information and functionality within a COM object. This is not a silver bullet solution but it does provide you with much better security than storing things in plain text in a .asp file."
Was that database accessible from outside DoubleClick's network? Not that I could tell, but I didn't try very hard. What data was in that database? Considering the wealth of data that Abacus has collected on our purchasing habits, we might justifiably be concerned about a machine named "AbacusDirect."
Again, DoubleClick denies that this is a problem, saying it was a programmer's machine which "was not connected to consumer or production data in any way." We have to trust them on that.
That's what was known as of Monday, and you may have seen that in the MSNBC story, InternetNews story, or the ZDNet story.
But the problems continue. Kitetoa has continued scanning DoubleClick's networks, and continues to turn up vulnerable servers. A half-dozen servers of unknown significance are still Unicode-able. And - let me check - yes, I can still read ASP source code on travel.doubleclick.net.
As well as www.doubleclick.net. The company said Monday that the holes had been fixed on that, their main corporate website. But as of five minutes ago, I was still able to read ASP source code on that server using the year-old exploit. (I did not see any more SQL passwords, for whatever that's worth.)
DoubleClick's Chief Privacy Officer Jules Polonetsky claimed on Monday that "Even a partial breach of a noncritical server is unusual," a claim which looks more dubious every day.
Maybe none of these servers has any valuable data on them. But to a serious cracker, breaking into them could easily have provided the necessary opportunity to reach further into DoubleClick's systems. Being inside the firewall, setting up trojans, sniffing network traffic from other machines - these are all reasons why unauthorized access of any machine must be taken very seriously.
And there's more. A security writer from transfert.net - a sort of French "Wired" - was able to snoop around one of DoubleClick's internal mail systems, webmail.doubleclick.net. It's fixed today, but he sent me a partial list of employees whose mail files were in a directory. (He could not read the mail itself, and DoubleClick denies that mail could have been, at any point, read.)
Here's the big picture. Where long-term security is concerned, process is always more important than the individual problems. We can learn more about DoubleClick's security by observing their response to security reports.
I would have hoped to see servers taken down. As Kitetoa remarked to me, "I think they should have closed all the servers for an hour or two while they fixed the problem." Or, if necessary, longer. Tough decision, but better than possibly exposing data.
I would have hoped that DoubleClick would not announce to the media that everything was fine until they actually knew that this was true. At this point, we have to trust them when they say that attackers could not have seriously compromised their data.
And I would have hoped that they would start tackling problems sooner than they did. Vulnerabilities about which they were informed last Thursday were not fixed until Monday. (The vulnerabilities themselves, of course, are not new, and some of them are a year old.)
And more vulnerabilities continue to crop up. Paranos (based in Paris) found one just by using search engines. The funny thing they found was a database of DoubleClick employees in the U.K. who attended last year's Christmas party.
Less funny is the list of people Paranos found who apparently filled out a form in conjunction with FoodTV, the "Outfit Your Kitchen Sweepstakes."
It took about two hours after I notified their PR contact of the URL before it was removed. It was stored in what appears to be a directory of backup data which was never intended to be public: http://www2.doubleclick.net/live2/chefs/foodtv-bak/form/chefs.txt.
This isn't a vulnerability, but it is indicative of the company's security process. DoubleClick should have policies in place to prohibit posting backup data on public websites; it should enforce those policies; and when it was done anyway, it should have found the leak by internal audit.
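As an added example, not part of the article, here is the kind of internal web-root audit the paragraphs above argue should have caught these problems: it flags executables sitting under the web root, files whose modification time predates a plausible floor (the article's point that a 1999 timestamp cannot be genuine for a file written by an exploit that appeared later), and backup-style paths such as a "-bak" directory. The directory tree, the floor date and the marker lists are constructed for the demonstration.

```python
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Path fragments that suggest data never meant to be served (constructed list).
BACKUP_MARKERS = ("-bak", ".bak", "_bak", "backup", ".old", ".orig")
# Binaries that have no business sitting under an ASP/static web root.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".com", ".bat", ".cmd"}

# Hypothetical floor: the earliest date the exploit that writes the file existed.
# Anything claiming to be older carries a forged or meaningless timestamp.
MTIME_FLOOR = datetime(2000, 11, 1, tzinfo=timezone.utc)


def audit_webroot(root, mtime_floor=MTIME_FLOOR):
    """Walk `root` and return sorted (relative_path, reason) findings."""
    findings = []
    floor_ts = mtime_floor.timestamp()
    root = Path(root)
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() in EXECUTABLE_SUFFIXES:
            findings.append((rel, "executable under web root"))
        if any(marker in rel.lower() for marker in BACKUP_MARKERS):
            findings.append((rel, "backup-style path served publicly"))
        if path.stat().st_mtime < floor_ts:
            findings.append((rel, "mtime earlier than plausible floor"))
    return sorted(findings)


def build_sample_webroot():
    """Build a constructed web root that reproduces the article's three
    situations: a backup dump, a dropped backdoor, and an impossible mtime."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    dump_dir = root / "live2" / "chefs" / "foodtv-bak" / "form"
    dump_dir.mkdir(parents=True)
    (dump_dir / "chefs.txt").write_text("name,phone\nconstructed entry,555-0100\n")
    (root / "default.asp").write_text("<% ' constructed, legitimate page %>\n")
    backdoor = root / "scripts" / "eeyehack.exe"  # name from the article; bytes are a placeholder
    backdoor.parent.mkdir()
    backdoor.write_bytes(b"MZ constructed placeholder, not a real binary")
    # Give it the 1999 modification date the article describes.
    old = datetime(1999, 6, 1, tzinfo=timezone.utc).timestamp()
    os.utime(backdoor, (old, old))
    return root


def run_sample():
    """Audit the constructed web root and return its findings."""
    return audit_webroot(build_sample_webroot())


if __name__ == "__main__":
    for rel, reason in run_sample():
        print(f"{reason:36s} {rel}")
```

The mtime check is only a tripwire: a file that claims to be older than the tool that wrote it proves the timestamp is wrong, not when the file actually arrived.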
This promotion ran in 1999. Remember, kids, data you give to corporations never goes away, and may pop back up at any time!
I picked one of the phone numbers for my state and gave it a call. Kathy Bankes, the wife of one of the people on the list, answered the phone. She said she was "very leery with the computer," and then proceeded to give me a common-sense understanding of the state of security on the internet.
"They say things are supposed to be secure," she said, "but I don't care how secure anything is - if somebody knows how to get in, they're going to get in if they have the technology."
"Should we worry about it or not?" she asks. I would say yes, especially when the company that owns an enormous customer purchasing database has problem after problem with its security. Maybe I'm naive to think that privacy promises mean anything in the real world, or that crackers can be fended off by a big corporation.
When I'd expressed my surprise at all this to Kitetoa, he'd just chuckled and said, "You'd be surprised what you can find on the internet. It's all like this."
Kathy, too, was pretty sure that there were people who have all this private information anyway. She very sensibly pointed out that credit card and other personal data can be stolen in the real world just as easily as the internet.
And she answered her own question for me: "There's really nothing you can do. I don't feel secure anyways."
DC days #'ed (Score:1)
How long before they declare bankruptcy and we all giggle and sing nekkid in the streets that they're now gone?
Doubleclick may read /. (Score:1)
Brant
double click? (Score:1)
Way of the Future (Score:4)
With the increasing sophistication of profiling technology (and the databases that drive it), as well as the sketchiness of existing laws on the subject, it won't be long before every major company has a detailed consumer database. We complain and complain about privacy issues, but they don't know anything that we haven't made known to them. If they send us sailing magazines, it's because we clicked something somewhere to indicate that we were interested in it. We know what happens when we click those things. Everyone knows. My grandma knows.
You are being watched. Act accordingly.
security through obscurity (Score:2)
The notion that security through obscurity doesn't work only holds up to a point. If you focus enough distributed processing power on any security problem, like, say, through posting it to slashdot, you will overwhelm and outpace the sincere efforts to patch the problem that are being undertaken by the hapless victims.
Of course you can also claim that helpful slashdotters may lend advice to DoubleClick but er.. that is not going to happen. Slashdotters might help some open source site that was being lax and got exploited, but not DoubleClick who has committed so many prior offenses against the mores of the
The unprotected consumers lose out, again.
Hacking DoubleClick (Score:2)
Poof! (Score:3)
127.0.0.1 doubleclick.net
There's also the hosts file in linux that can do the same thing. No more worries about doubleclick!
Re:Doubleclick may read /. (Score:2)
Jamie McCarthy
When are we going to get it right. (Score:4)
-gerbik
Re:security through obscurity (Score:2)
However, to quote DoubleClick's Chief Privacy Officer (as listed in the story above), "Over the last week there have been unsuccessful attempts made to hack into DoubleClick's servers. Those situations were immediately corrected,". So everything's fine and good.
Besides, one could make the argument that leaving a known insecure system on the Net is at least mildly irresponsible. Leaving a known insecure system on the Net that contains all kinds of personal information about a lot of "customers" (which may or may not be the case; weeding through PR garbage is useless) is downright moronic and deserves to get them as much negative attention as necessary to convince them to correct the problem.
For the love of god, opt out (Score:4)
http://www.doubleclick.net:80/us/corporate/privacy/opt-out.asp?asp_object_1=& [doubleclick.net]
Re:security through obscurity (Score:3)
The company has now known about the problem for 5.5 days. I had debated how long to give the company to fix stuff before posting this, but since it was already picked up by MSNBC and other media two days ago, I don't really feel it's an issue anymore.
Jamie McCarthy
Regulations are necessary (Score:2)
This is due to privacy concerns.
First: information is dangerous.
Second: information gives power.
Third: no one wants the ad business to get power over all our lives.
Fourth: The ad industry has a bad track record for computer security.
Example: Think what enormous amount of information is collected in various databases for one Swedish individual. Most people shop a lot using cards of different kinds. Almost everyone uses cellular phones (GSM, that is). This means that for many persons you can follow maybe 90% of the total spending and using the cellular network you can monitor the position at any time to within a hundred feet (next generation: five to ten feet).
I'm a European so my views are somewhat tilted in that direction. Some dislike some of the EU's newer regulations concerning personal information (the associated person must give his or her consent for the data to be legal and there are regulations for what information may be collected by corporations (alas, states may do as they like)).
I don't care about DoubleClick. (Score:1)
127.0.0.1 ad.doubleclick.net
DoubleClick's ad server is bound to localhost so that my browser can't view the banners. Proof that I don't care about DoubleClick. I don't really care for them, either.
Disclaimer and Conflict of Interest (Score:1)
Jamie, as a responsible journalist, I expect you merely forgot to mention in your article that DoubleClick is the advertiser paying most to Slashdot. Please update your article. Not everyone here knows about Slashdot's financial interest in DoubleClick.
...and the big deal is? (Score:5)
Is it just me, or is this just another company getting hacked? So it happened to be an advertising company. Big deal. This hardly seems slashdot-worthy; web servers are compromised all the time. Most of DoubleClick's data is just IPs and lists of websites.
It isn't automatically a big conspiracy, spying on you. Do you really think that, if hackers compromised doubleclick's servers they'd be looking for your information? Well, let me tell you this: They won't. To think that they are is paranoia taken to its extremes.
So a website has a security bug or two. Why not just inform the site owners, and give them a chance to fix it, instead of proclaiming it loud and clear to the world? It seems helpful to no-one.
Just my $0.02
Michael
...another comment from Michael Tandy.
Re:Poof! (Score:2)
Re:When are we going to get it right. (Score:1)
Re:Doubleclick may read /. (Score:1)
Re:Doubleclick may read /. (Score:2)
Re:Triple click! (Score:1)
Re:security through obscurity (Score:2)
Other media ran the story because they have deemed that readers would be interested and would read the story, therefore increasing banner revenue. Their primary motivation in promoting the story was purely monetary.
I would like to think that Slashdot should be held in higher regard than mainstream commercial news services. Slashdot, by focusing on "geek" news and stories that focus on a more technical aspect, should hold a bit more journalistic integrity than others, and its authors should show some restraint in posting stories that could possibly cause harm or privacy invasions to its "geek" readership.
In short, I understand your motivations, but do not agree with them.
Timebombs (Score:2)
Ummm... (Score:1)
Re:...and the big deal is? (Score:1)
Just IP's and websites?!?!!! Are you kidding!
Do you really think that, if hackers compromised doubleclick's servers they'd be looking for your information?
Yes they will! Lots of crackers out there are looking out for unsuspecting users' boxes that they can crack into to obtain just enough SSN and credit card info to use to do the infamous identity theft crime! Can't you imagine the havoc they could wreak with a whole list of people who took part in contests on a website?! There is a prime target for cracking individuals without the fear of alerting someone at a big corporation. All they have to do is grab your IP, jump into your unsecured Windows machine (as most M$ Windows machines are), and start grabbin' info. And the unsuspecting average Joe doesn't even know the cracker was there, because the identity theft cracker was not brain dead and remembered not to leave insulting messages or delete files in order to keep up the appearance of your computer being just fine. You had better rethink your security focus on your own machine if you truly believe what you just posted.
He acted responsibly (Score:3)
I am actually quite impressed with the journalistic merits of this article, and I'm happy that Slashdot has started putting more research into their stories.
Crossing the line (Score:2)
First Law (Score:1)
The first anti-profiling law we need is one that states that no company or government can make submitting a profile a condition of employment or contract. There are too many jobs now where you must submit to a personality, financial, or even a LIFESTYLE profile (security jobs often require you to submit to a lifestyle profile to ensure you are a good upperclass christian gentleman). Just about any time you do so much as request information from a company these days you have to submit to a minor financial or employment profile.
Submitting to profiling should not be a precondition to engaging in any activity common in our society.
Err.. (Score:2)
What, so they called the crackers and showed them how to do it right?
Beyond End Users (Score:1)
Sound like the end-users aren't the only ones getting the shaft...
--SC
Re:security through obscurity (Score:1)
Re:...and the big deal is? (Score:2)
Re: Menthol is not a disability! (Score:3)
I know, some people don't prefer the cool, crisp taste of menthol cigarettes. That's their choice. But to say it's a disability? I've smoked menthols before, and I can use an editor just fine.
I'm really beginning to doubt the level of intelligence displayed here on Slashdot.
--SC
Re:Doubleclick may read /. (Score:1)
Hmph! I tried to visit the link and got there! Guess I forgot to add www2.doubleclick.net to my blockfile.
Funny, now I can't go to the link anymore. Shucks.
Re:Poof! stuff breaks! (Score:2)
I wish there were a nice, free way to block ads that is transparent to end users and doesn't break everything. I used to use junkbuster, but it broke so many sites for people who use my computer (roommates) that I just stopped using it. Steve Gibson at GRC [grc.com] had a registry patch that added a bunch of web buggers to the "hostile" zone of internet explorer which worked pretty well, but then I don't use IE either.
Wishful thinking...
Re:For the love of god, opt out (Score:1)
A director at DoubleClick.... (Score:2)
Re:For the love of god, opt out (Score:2)
If you value not being tracked, you probably don't trust Doubleclick. Why, then, would you use an opt-out method that requires that you trust Doubleclick's word that they'll no longer track you?
Blocking Doubleclick and the other tracking firms at the router, on the firewall, in /etc/hosts or HOSTS, or with a proxy, are just as effective as a means of "opting out", and they don't require you to trust your adversary.
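As an added example, not part of any comment above, here is the check the hosts-file approach invites: a hosts entry blocks exactly the name written, so a tracker reached through another subdomain (like the www2 host one commenter forgot to add) slips past it, whereas a domain-suffix rule of the kind a proxy or DNS blocklist applies covers every name beneath the domain. The hosts file contents and the observed hostnames are constructed.

```python
# Constructed hosts file in the style of the "127.0.0.1 doubleclick.net" entries above.
HOSTS_FILE = """\
127.0.0.1   localhost
127.0.0.1   doubleclick.net
127.0.0.1   ad.doubleclick.net      # blocks this one name only
"""

# Constructed list of hostnames a browser might be sent to for banners.
OBSERVED_HOSTS = [
    "doubleclick.net", "ad.doubleclick.net", "www.doubleclick.net",
    "www2.doubleclick.net", "m.ad.doubleclick.net", "example.org",
]

# Domain-suffix rule as a proxy or DNS blocklist would apply it (constructed).
SUFFIX_RULES = ["doubleclick.net"]

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return the set of names a hosts file points at loopback.
    Comments are stripped; one address may carry several names per line."""
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        if addr in LOOPBACK:
            blocked.update(n.lower().rstrip(".") for n in names)
    return blocked


def hosts_blocks(name, blocked):
    """A hosts entry matches the exact name only; there are no wildcards."""
    return name.lower().rstrip(".") in blocked


def suffix_blocks(name, rules):
    """A suffix rule matches the domain itself and every label beneath it."""
    n = name.lower().rstrip(".")
    return any(n == r or n.endswith("." + r) for r in rules)


def coverage_report(hosts_text=HOSTS_FILE, observed=OBSERVED_HOSTS, rules=SUFFIX_RULES):
    """Compare the two approaches over the observed names. Returns sorted lists:
    what the hosts file blocks, what the suffix rule blocks, and what the
    hosts file lets through that the suffix rule would have caught."""
    blocked = parse_hosts(hosts_text)
    hosts_hit = sorted(h for h in observed if hosts_blocks(h, blocked))
    suffix_hit = sorted(h for h in observed if suffix_blocks(h, rules))
    missed = sorted(h for h in suffix_hit if not hosts_blocks(h, blocked))
    return {"hosts": hosts_hit, "suffix": suffix_hit, "hosts_missed": missed}


if __name__ == "__main__":
    for key, names in coverage_report().items():
        print(f"{key:13s}", ", ".join(names) or "(none)")
```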
Re:A director at DoubleClick.... (Score:1)
"In 1995, O'Connor helped fund and build ISS Group (Nasdaq: ISSX) an Internet security software company in Atlanta, GA. O'Connor continues to serve on the Board of Directors for ISS Group."
Re:Poof! stuff breaks! (Score:2)
That, along with a cookie filter to rid the doubleclick garbage, works pretty well...
Re:Crossing the line (Score:2)
Re:First Law (Score:2)
The reasoning behind the lifestyle profiles for security clearances is very simple. If you, say, have a large collection of kiddie porn on your system at home, that's a huge security risk, because somebody else could discover it and blackmail you into handing over secrets.
This was the reason that the CIA still has a prohibition on employing closeted homosexuals.
Of course, if you're fully out in the open about having the kiddie porn, then there's no reason to deny the clearance.
Re:Way of the Future (Score:2)
The RIAA isn't a company it's a trade group and the only reason copyright holders have their "interests" is because we the people choose to sacrifice our right to copy their work because we believe it encourages more artistic works (via economic incentive). If we the people decide we no longer want to honour this agreement then it will take a massive political uprising to sweep them away, specifically because of trade groups like the RIAA. That is what the "silly napster logos" are about.
Re:Press time? (Score:1)
Re:Way of the Future (Score:1)
You get spam about laser toner recycling
A discount reseller sends you an email about a new router that you're interested in.
I think everyone is pretty much fed up with the first option, but with GOOD market analysis, unwanted spam can be eliminated.
Personally, I think DoubleClick should be watching what sites people can go to, so they can target ads to what the browser may be interested in. I'm fed up of trying to fry the damned monkey with a cattleprod (take that as you will) and I want to see a banner ad that I may just be interested in. Any method which can help my browsing experience is welcomed, even if it does mean a company knows what my interests are, and can recommend a product/site I'm actually interested in (THE HORROR!)
Re:I don't care about DoubleClick. (Score:1)
My advice is run Mozilla and use this [nottingham.ac.uk] cookperm.txt file. (Based on the list of advert servers from here [csuchico.edu])
Re:/etc/hosts (Score:1)
Why were they corrected? (Score:2)
If the attempts were unsuccessful, what needed to be corrected? If my firewall is blocking ports, people will be unsuccessful at hitting my site, and nothing needs to be corrected. I don't get it.
Information wants to be free (Score:1)
You can't stop the technology. Moore's Law works for everybody. If they can see it, they can database it.
Re:security through obscurity (Score:1)
First of all, DAMN. That was almost as long as a JonKatz rant!
But I have to agree with the others here, including you. It's one thing to break the story first without warning doubleclick, it's another to wait for other people to cover it, and yet another to ask them for more info and not get any response.
No matter what anyone says, this was well done with a great deal of integrity. Hopefully they'll read slashdot and pick up some positive ideas from us, and if possible moderate the trolls.
For once, however, it would be nice to see the results of an internal security audit after they fix the "holes." I'm somewhat guessing they keep doing these audits, finding the exploits, then saying "Ha. no biggie." Hrmm..
Re:security through obscurity (Score:2)
Sorry, but DoubleClick
Caution: Now approaching the (technological) singularity.
just block the traffic (Score:1)
Re:Disclaimer and Conflict of Interest (Score:2)
Lying as good netizenship (Score:2)
Just my tiny contribution to the cause...
Re:First Law (Score:2)
However, why should a company not be able to impose what conditions of employment it sees fit? I know this is not a popular idea, but damn man, go get another job if you don't like the conditions at one company. Or start your own company with conditions you do like.
heck.... (Score:1)
Re:DC days #'ed (Score:1)
Re:Doubleclick may read /. (Score:1)
Re:For the love of god, opt out (Score:1)
Re:First Law (Score:2)
Boss of nothin. Big deal.
Son, go get daddy's hard plastic eyes.
Re:Lying as good netizenship (Score:1)
Re:Information wants to be free (Score:1)
Re:...and the big deal is? (Score:2)
Hey, is it just me or is it really tired and trite to accuse all who value privacy of being paranoid?
Here's something fun you can do with someone's doubleclick profile; use it to assist trashing someone's credit. It's no secret that credit card fraud detection works largely by identifying purchases in unusual places or types. So if I'm running a credit card ring, and I know what type of purchases you make, I can probably multiply by a factor of 5 or more the amount I can extract from your stolen credit card before any fraud detection kicks in.
Not to mention corporate espionage; it's assumed that DoubleClick doesn't sell certain kinds of information in their database to all their customers. I wonder how much Bezos would pay to find out what B&N customers are up to? Bet he can't find out legally. Sure would be really tempting if some mysterious party offered a stolen report, wouldn't it?
There are lots of nasty things that can come out of this kind of hack, and not all of it is about finding your preferred vendor for butt plugs. That being said, it may still be easier to get this information by bribing DoubleClick employees than via hackery.
Oh, and RTFArticle; they did give doubleclick lead time before breaking the story.
Boss of nothin. Big deal.
Son, go get daddy's hard plastic eyes.
Re: Menthol is not a disability! (Score:1)
Re:First Law (Score:2)
Re:First Law (Score:1)
isn't doubleclick what (Score:1)
something like:
ipchains -A output -i eth0 -d doubleclick.net/16 -j REJECT
kind of sorts the problem out #-)
Try Guidescope (Score:1)
Guidescope [guidescope.com] is a blocking proxy similar to Junkbuster. In fact Junkbuster recommends Guidescope [junkbuster.com] in preference to their own product. It has a web interface for changing your ad and cookie blocking settings.
Guidescope uses a central database. This lets you benefit from other users' blocking choices, but then your web activity goes into another database. Hopefully they manage it better than Doubleclick does theirs. They say they reshuffle the userids frequently.
It runs on both Linux and Windows, but it isn't open source yet. They say they'll open it 8 months after the 1.0 release.
Re:Information wants to be free (Score:1)
The anti-piracy technology being developed today is often a significant threat to personal integrity! To kill small bugs you can use nuclear weapons, but you kill other important lifeforms...