Reports allege DoubleClick has been hacked a third time, following two
admitted server break-ins earlier in the week — developments that raise the
concerns of some privacy advocates, and which come as the firm prepares new
consumer information-based initiatives.
According to French hacking site Kitetoa, which first discovered the
earlier break-ins, a portion of the New York-based company’s DARTmail system
was the target of a defacement sometime Wednesday evening or Thursday
morning.
Attrition.org, a Web site that monitors hacker activity, concurred,
reporting that the machine at login.dartmail.com displayed the message “prime
suspectz owned one of doubleclick servers hohohooohhoho.”
Prime Suspectz is believed to be the culprit behind the defacing of a
Microsoft site in New Zealand, as well as foreign sites belonging to eBay
and Visa International, and a U.S. site belonging to Nasdaq.
It is not known whether the hackers were able to do anything more than
post the message on DoubleClick’s server. Spokespeople for the company,
including the chief privacy officer Jules Polonetsky, did not return
repeated calls for comment.
As of press time, however, DoubleClick displayed the following message on
the DARTmail login server:
“DoubleClick’s Ad Management system is temporarily down due to system
maintenance. Please note that during this time, ad serving will not be
affected. We sincerely apologize for the inconvenience. Should you have any
questions, please contact DoubleClick Customer Support at (212) 655-7600 or
email support@doubleclick.net.”
If the latest reports are true, then this is the third time that
DoubleClick has been the subject of a hack attempt.
On Tuesday, the company admitted to reports that machines at
www.doubleclick.net and abacusonline.doubleclick.net had both experienced
hack attempts. In the first case, hackers had placed a program that would
have given them unlimited, “backdoor” access to the server, but had been
unable to execute the file, DoubleClick said.
The abacusonline.doubleclick.net machine, which hackers gained access to
through an operating system hole, similarly thwarted attempts to gain access
to restricted data, because it was a development server that hosted no live
consumer information, according to DoubleClick.
Patches that would have secured its Windows NT-based servers had been
available since last year from Microsoft. However, DoubleClick apparently
had yet to install the fixes — though Polonetsky said that the company was
doing so following the hacks’ discovery.
French hacking site Kitetoa, which broke the story of the DoubleClick
hacks earlier this week, maintains that the company faces additional
security flaws, in the form of development servers connected to “live” Web
servers.
While DoubleClick asserted that no consumer information had been at risk
in the earlier attacks, the incidents do raise concerns about the company’s
own security measures.
With lists of about 40 million e-mail addresses under its control, and a
separate database owned by its Abacus subsidiary containing data from 3.5
billion transactions from more than 90 million U.S. households, DoubleClick
houses a wealth of consumer information.
And while the ad network maintains that it safeguards consumer privacy
from unethical commercial use, the new developments would appear to call
into question DoubleClick’s ability to safeguard that data from criminal
exploitation.
In an interview with Internetnews.com earlier this week, Kitetoa
suggested that the recent hacks might have been enough to allow a hacker to
secretly plant a “password-sniffer” that could capture usernames and
passwords of people logging into DoubleClick’s systems.
Kitetoa, who spoke on condition of anonymity, also alleged that hackers
could have easily gained access to DoubleClick machines other than the two
feature-limited servers reported. DoubleClick has vehemently denied that the
hackers would have had such an opportunity.
The recent developments come at an unfortunate time for DoubleClick,
which is gearing up for new product and division launches that hinge heavily
on consumer data — historically, touchy public relations areas for the
firm.
DoubleClick spent much of last year facing down a public relations
debacle that stemmed from its planned integration of Abacus data with its
own online profiling information — plans that the company abandoned
following a hailstorm of criticism from consumer and privacy advocates.
Now, with plans quietly in the works for a revamped online research unit
called Diameter, and new products that will incorporate the company’s
research and consumer data divisions, concerns about DoubleClick’s handling
of security would seem to be especially unwelcome.
Already, one privacy advocate is calling for some answers. In an open
letter to Polonetsky, Junkbusters president Jason Catlett criticized the
online ad firm and called for it to publish all existing auditors’ reports
and attestations on DoubleClick privacy and security. Those auditor records
include a quarterly study begun last year by PriceWaterhouseCoopers.
“The recent series of security holes found on DoubleClick’s computers is
scandalous,” Catlett wrote. “It is intolerable that DoubleClick keeps such
vast amounts of data — trillions of page view records and billions of
offline purchases on hundreds of millions of people — all secret, hidden
from the people they concern, but is apparently incapable of keeping its
systems secure from foreign hackers.”
On his site, Catlett also called for a specific independent investigation
of this week’s hacking incidents, and the current state of DoubleClick’s
security, and for the company to publish the report.
Catlett said he hadn’t heard “a peep” from Polonetsky since posting his
letter on Tuesday, and he still considers them “the biggest and baddest.”
Another privacy advocate said he felt the issue was less troubling, as
long as one of DoubleClick’s databases wasn’t violated.
“It’s not great for DCLK, but overall, it doesn’t look like anything bad
is going on,” said the Privacy Foundation’s Richard Smith. “As long as
[hackers] kind of stay away from any place that has any data in it, I don’t
see any problem.
“But they hold information about people, in databases like
Abacus Direct. I would assume none of those are online, but you can never be
sure.”
“It would be bad if someone saw what Robert Redford had been buying for
the last three years,” he joked. “If it’s corporate stuff, it’s more of a
PR issue.”