
Research and retrieval of news articles by:
Bennett Gold LLP, Chartered Professional Accountants

Effective December 31 2012, articles are no longer being updated on this web site.
The site is now maintained as an historical archive, covering notable e-commerce news articles from the period 1999 to 2012.


Source: Security Wire Digest

Posted on March 29, 2001

Online advertising giant DoubleClick is getting some unwelcome exposure by a French hacker group, which claims it found a 2-year-old backdoor program on the company's Microsoft IIS servers.

Kitetoa members this week announced they found files on a doubleclick.net server that suggest the box was exploited in 1999, around the same time as the discovery of an IIS buffer overflow vulnerability. If true, DoubleClick's database on Internet consumers' shopping habits may have been as available to hackers as a weekend grocery flyer, say the hackers.

In published reports, DoubleClick CPO Jules Polonetsky confirmed that the company's system and that of a subsidiary, Abacus Online, had been attacked twice in the past week, but the attempts were unsuccessful and no data was compromised.

In an exercise conducted March 19, Kitetoa hackers say they placed a backdoor program on an IIS 4 Web server used for the company's corporate Web site. However, the attackers could not execute the file because the folder holding the program didn't have script access. That IIS bug was exploited around the same time to view files, including source code for an active server page containing a username and password, on an Abacus server. But the Abacus machine, used for development only, did not host live customer data, according to Polonetsky.

DoubleClick said it's undergoing a comprehensive security audit, including outside penetration tests. Authorities were not contacted to investigate, according to reports.

Regardless of when the attacks occurred, the breaches raise questions about why the advertising company, which collects consumers' shopping data, failed to patch an old, well-known Unicode hole. Some security experts are dubious of Kitetoa's actions, which a few characterize as a penetration test without the target's permission. Others challenge DoubleClick to back its claim that no damage was done, particularly to Abacus' dummy server.

"We see a lot of people embedding usernames and passwords in the source code with the misunderstanding that external users are not going to be able to review their source code," noted Ollie Whitehouse, managing security architect for security consulting firm @stake, in a news report. "And typically the passwords you see embedded in ASP pages are for connecting to back-end databases or systems of some kind."
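The embedded-credential problem Whitehouse describes is one a defender can check for before source disclosure makes it someone else's discovery. The following Python script is an added illustration, not code from the article, DoubleClick or @stake: it scans ASP source for database connection strings and VBScript variables that carry a literal password, and reports each hit with the secret masked so the scan output itself does not leak it. The three sample ASP pages are constructed for this example.

```python
"""Scan ASP/VBScript source for credentials hard-coded in the page.

Added example; the sample files below are constructed, not taken from
any real site.  Usage: scan_files({filename: source_text, ...}).
"""
import re
from typing import Dict, List

# Constructed sample pages: two with embedded credentials, one that reads
# its DSN from server-side application configuration instead.
SAMPLE_FILES: Dict[str, str] = {
    "login.asp": '''<%
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=SQLOLEDB;Data Source=dbhost;Initial Catalog=customers;User ID=webapp;Password=hunter2;"
%>''',
    "report.asp": '''<%
Dim dbUser, dbPass
dbUser = "reporting"
dbPass = "Summer2001"
conn.Open "DSN=reports;UID=" & dbUser & ";PWD=" & dbPass
%>''',
    "safe.asp": '''<%
' Credentials come from server config, not from source
dsn = Application("DSN")
conn.Open dsn
%>''',
}

# Each pattern names a "key" (what was set) and a "value" (the literal).
PATTERNS = [
    # OLE DB / ODBC connection-string keys: Password=...; PWD=...;
    re.compile(r'\b(?P<key>password|pwd)\s*=\s*(?P<value>[^;"\s]+)', re.IGNORECASE),
    # Connection-string user keys: User ID=...; UID=...;
    re.compile(r'\b(?P<key>user\s*id|uid|user)\s*=\s*(?P<value>[^;"\s]+)', re.IGNORECASE),
    # VBScript assignment of a quoted literal to a password-like variable:
    # dbPass = "..."  (concatenations such as PWD=" & dbPass do not match)
    re.compile(r'\b(?P<key>\w*(?:pass|pwd)\w*)\s*=\s*"(?P<value>[^"]+)"', re.IGNORECASE),
]


def mask(secret: str) -> str:
    """Keep the first two characters so a hit can be recognised, hide the rest."""
    return secret[:2] + "*" * (len(secret) - 2)


def find_embedded_credentials(source: str) -> List[Dict[str, object]]:
    """Return one finding per hard-coded credential, with the value masked."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if line.strip().startswith("'"):      # VBScript comment line
            continue
        for pattern in PATTERNS:
            for m in pattern.finditer(line):
                findings.append({
                    "line": lineno,
                    "key": m.group("key"),
                    "value": mask(m.group("value")),
                })
    return findings


def scan_files(files: Dict[str, str]) -> Dict[str, List[Dict[str, object]]]:
    """Scan several sources; only files with at least one finding are returned."""
    results = {}
    for name, source in files.items():
        hits = find_embedded_credentials(source)
        if hits:
            results[name] = hits
    return results


if __name__ == "__main__":
    for name, hits in scan_files(SAMPLE_FILES).items():
        for hit in hits:
            print(f"{name}:{hit['line']}: {hit['key']} = {hit['value']}")
```

Run against a real code base, the same scanner is just as useful on the reverse side of the incident: any credential it flags in a page that has been exposed through a source-disclosure bug should be treated as compromised and rotated, because the attacker read exactly what the regex read.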


E-Commerce Alerts are issued by Bennett Gold LLP, Chartered Professional Accountants as situations develop. Bookmark this site and check back often. Our e-mail address is: info@BennettGold.ca

In accordance with United States Code, Title 17, Section 107 and Article 10 of The Berne Convention on Literary and Artistic Works, the news clippings on this web site are made available without profit for research and educational purposes.
