DoubleClick has suffered a third intrusion, this time on its DARTmail system. Earlier this week, the company confirmed reports of two other recent system intrusions. In one instance, an intruder placed a backdoor program on the server but did not activate it. Kitetoa, a Web site in France, posted documents that detail some of the problems in the DoubleClick systems.
In the most recent break-in, a Brazilian person or group using the alias "prime suspectz" defaced the Web server at login.dartmail.com. Attrition.org archived a copy of the defacement. According to the Attrition archives, the same intruder defaced several dozen other notable Web sites in March alone, including servers belonging to Ford Motor Company, Diners Club, Honda Mexico, NASA, eBay, Compaq, and Novell.
Kitetoa reports that DoubleClick might suffer from other security weaknesses, including poor control over internal documentation. As an example, Kitetoa found a URL on the DoubleClick network that served DoubleClick's own administration manuals to anyone who requested it. Based on the screenshots Kitetoa posted, the manuals include quick-reference guides for backups and storage-node management, the kind of material that tells an intruder how the environment is built and operated.
Jason Callet, president of Junkbusters, issued an open letter to DoubleClick's chief privacy officer, Jules Polonetsky. In the letter, Callet said, "The recent series of security holes found on DoubleClick's computers is scandalous. It's intolerable that DoubleClick keeps such vast amounts of data—trillions of page-view records and billions of offline purchases on hundreds of millions of people—all secret, hidden from the people they concern, but is apparently incapable of keeping its systems secure from foreign hackers." Callet suggested a series of actions he would like DoubleClick to take, including publishing all existing security auditors' reports, such as those PricewaterhouseCoopers produced in February 2000. Callet has received no response since posting the open letter on the Junkbusters Web site on March 27.
After the first two break-ins made news earlier this week, DoubleClick admitted that it had not applied current security patches to its systems. The patches had been available for months and would have closed the holes used in all three break-ins. DoubleClick said it is working to update its systems and reported that none of the intrusions exposed its internal databases.