Doubleclick round 2: unprotected databases
| Doubleclick Round 5 Devenez un technicien chez Doubleclick Become a tech guy at Doubleclick |
| Doubleclick Round 4 Lisez mes mails, oups..., sur mes lèvres: "nous réparons" Read my mails, oops..., my lips: "we are fixing this mess" |
Doubleclick Round 3 |
| Doubleclick Round 2 Bases de données non protégées Unprotected databases... |
| Doubleclick Round 1 Hacké depuis 2 ans? Hacked for 2 years? |
| Récapitulatif
des papiers sur le monde étrange des administrateurs réseau et systèmes |
| Récapitulatif
de nos copies d'écran sur ce même monde étrange |
| It's a funky job. But Kitetoa's digital clone does it... |
| Do you know info-hack Kung-Fu? |
| La hotte du Kitetopapanoël |
| Ze Mega
Kite-Teuf! La fête de l'été de Kitetoa... Les sites les plus nazes de l'été 2000 |
| La
Loi de 78 impose aux entreprises de protéger les bases de données qu'elles constituent... |
How do you think DoubleClick officially reacted to our little previous story ?
No reaction...
A good old communication basic.
Unofficially, it seems that researches are done to fully understand what really happened. But beware : everything was OK, and nothing really happened, etc. We're hardly waiting for what they'll invent in their official press release to explain the presence of a backdoor in their servers.
Nothing really happened. Well well well... Hmmm...
Sure ?
Let's look at a server that is not connected in one way or another to the one we talked about yesterday (just kiddin', as we don't know what they'll imagine to assure their customers that everything's fine, we already imagine something like : "our website is corporate, nothing to do with our super-secured production environment"), like abacusonline.doubleclick.net
Abacus... What's that ?
It's one of the most important database regarding american citizens. On this website, Abacusonline's clients can connect and query the database. Let's see how they present themselves :
"ABACUS, a division of DoubleClick, Inc., is a world leader in targeted marketing solutions. By combining transactional data, advanced statistical modeling, and our extensive media reach, we help you target the customers most likely to buy your products or services based on who they are and what they already buy.
The Abacus database of buyer behavior is the largest in the United States. It contains over 3.5 billion transactions from more than 90 million U.S. households and includes geographic, demographic, lifestyle, and behavioral data from consumer, retail, business-to-business, and online markets. We span multiple channels (direct mail, email, market research, and Internet advertising) so you can integrate the most broadly-based yet highly targeted marketing campaigns."
No fear!
Well well well... And what did we found ? Nothing else than the login and password to connect to abacusonline's database... No fear !
A good old bug discovered at the beginning of last year which everybody can refer to on securityfocus.com. And all those servers without patches. 'cause www.doubleclick.net & www2.doubleclick.net are not patched either...
Do we have to say again that the unicode bug is present, in multiple variants, on several DoubleClick websites ? They say they own more than 1000 servers worlwide... We'll never have the time to check them all. What a pity :)
