Information Security News mailing list archives

Another Hacker Hits Microsoft


From: InfoSec News <isn () C4I ORG>
Date: Sun, 5 Nov 2000 04:35:40 -0600

http://www.thestandard.com/article/display/0,1151,19948,00.html

November 3, 2000, 5:35 PM PST
By George A. Chidi Jr.

One week after Microsoft (MSFT) reported an intrusion into its
corporate networks, another hacker claimed to have penetrated the
company's Web servers Friday.

The Dutch hacker, using the alias "Dimitri," said in an interview with
the IDG News Service that Microsoft failed to install a patch for a
known bug in its Internet Information Server software and has not
sufficiently secured its Web servers.

He gained access to several of Microsoft's Web servers and was able to
upload a short text file, "Hack the planet," boasting of the hack to
Microsoft, Dimitri said. He said he could also alter files on
Microsoft's download site.

"I could add Trojan horses to software that MS customers download,"
Dimitri said.

Dimitri also said that he downloaded files containing administrative
user names and passwords for the server. The encrypted files could be
decoded with a tool called L0phtCrack, he said, but added that he had
not and would not decode them.

Dimitri said he got a "pretty good look" at Microsoft's server
structure. He said that the server domain is called Houston and that
all of Microsoft's Web servers are set up the same way with the same
disk image.

A Microsoft spokesman confirmed that the hacker reached at least one
server, but said that Microsoft security personnel were re-checking
their servers for holes to patch.

"We investigated this report," Microsoft spokesman Adam Sohn said. "He
was able to exploit a known security flaw that we were able to patch.
The patch had not yet been applied to the server." He could not confirm
that all servers in Microsoft's network had the hole patched.

The server was in semi-retirement, redirecting visitors to another
area of the network with more updated content, he said. "The whole
purpose of it was a redirect server. Before, it hosted events content.
It had recently been retired from its former uses. ... It wasn't
really hosting any content at all.

"We are very focused on securing and maintaining the servers on our
network," Sohn said. "From a security standpoint, there should be no
difference between servers."

He conceded that the size of Microsoft's network and the allure to
hackers of breaching Microsoft's security make defending its systems
an ongoing challenge. "Microsoft is a high-priority target. There is
always a possibility that hackers can get into any network. ... There
are bad people out there that will try to do bad things."

Sohn added, "Would we prefer that our people put patches in on the
same day they come out? Sure. It's hard to give you an absolute
certainty that the patch had been applied across the board. Given
today's incident, our security teams are going back to check out the
systems."

Dimitri said he used the so-called Unicode bug to get access to
Microsoft's systems. Microsoft first patched this security hole Aug.
10 and issued a security bulletin Oct. 17, pointing customers to the
same software patch. On its TechNet Web site, Microsoft refers to the
bug as the "Web Server Folder Traversal" vulnerability.

"It is extremely sloppy for Microsoft not to install its own patches,"
Dimitri said.

Sohn said the security flaw was unrelated to the intrusion Microsoft
reported to the FBI on Oct. 26. In that case, hackers gained access to
source code for an unidentified future product under development. The
team patching the security hole in the server is different from the
one working on the October intrusion, which was achieved using an
attack program hidden in e-mail, said Rick Miller, another Microsoft
spokesman. "They had nothing to do with each other. It's like
comparing apples and oranges."

However, two hack attacks revealed in one week have raised questions
about the extent of the weaknesses in Microsoft's computer defenses.
Security experts who have been able to confirm the intrusion through
access logs provided by Dimitri said Microsoft must tighten its
defenses.

"It's bad enough that we can browse the contents of their server. They
shouldn't be vulnerable to this," said Ryan Russell, technical editor
of SecurityFocus.com, a computer security Web site. "If they had
anything interesting on the server, he could have gotten into it."

The damage to customer confidence may outweigh the actual security
damage to Microsoft.

Dimitri "didn't have to be a rocket scientist" to get into Microsoft's
server using a known security bug, and theoretically he had the
opportunity to do damage once achieving access, said Paul Zimski, a
security researcher at Internet security firm Finjan.


*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".

