Opinari - Latin term for Opinion. Opinari.net is just what it seems: a cornucopia of rants, raves and poignant soliloquy.
Saturday, May 28, 2005
Lexis-Nexis was compromised by a group of "hackers" recently, exposing over 300,000 user accounts (including Social Security numbers) to the outside world. Wired magazine has an interview with the misfits detailing how they accomplished the feat:
According to the hackers, none of them knew about LexisNexis or Seisint until they stumbled upon a Florida police officer's Seisint account.
A friend of Krazed masqueraded as a 14-year-old girl online and engaged a Florida police officer in a chat session, the hackers said. The friend sent the officer an attachment, which he said was a slideshow containing naked pictures of the girl he was pretending to be. When the officer clicked on it, a Trojan horse downloaded silently to his computer, which gave Krazed complete access to the computer's files.
A law enforcement agent confirmed this general account of the breach.
Among the data Krazed found on the computer was a password file with information for accessing an Accurint account. Krazed said he gave the account info to several people who searched celebrity names like Ben Affleck, Matt Damon and Arnold Schwarzenegger to obtain Social Security numbers and other data.
In the meantime, a 19-year-old hacker who lives near Cam0 in Massachusetts searched for other active Accurint accounts using a Java script. He found an account named Null, which he later learned belonged to a Texas police department. The hacker asked to be identified as "Null" for this story.
Posing as a LexisNexis tech administrator, he called Seisint under the guise of running diagnostic tests on the Null account and convinced someone at Seisint to reset the account's password to "Null." Then he used the account to create new accounts under the auspices of the police department.
"A whole bunch of user names were made and people were trading them and passing them around like candy," Null said. "It was getting real bad."
First of all, a cop scouring the Internet for child porn should have had two separate boxes - one for his online work, and another for his database searches and secure applications. Secondly, the Seisint administrator that reset the password should find another line of work. Either that or Seisint's procedures for resetting passwords should be much more stringent. From where I sit, that's not hacking. That's stupidity.
.: posted by