Information Security News mailing list archives
Microsoft Admits Hack Attacks
From: InfoSec News <isn () C4I ORG>
Date: Fri, 26 Jan 2001 00:29:33 -0600
http://www.pcworld.com/news/article/0,aid,39322,00.asp

Cameron Crouch, PCWorld.com
Thursday, January 25, 2001

Poor network operation may be the source of Microsoft's initial site failures this week, but a denial-of-service attack by outsiders caused a resurgence Thursday in site blackouts.

Domain name system (DNS) errors caused Microsoft sites such as BCentral, Expedia, Hotmail, Microsoft.com, MSN, and MSNBC to be inaccessible Tuesday night and throughout Wednesday. But after many Microsoft sites remained inaccessible throughout Thursday, Microsoft acknowledged hacker attacks caused the subsequent problems.

Microsoft "was the target of a denial-of-service attack against the routers that direct traffic to the company's Web sites," the company says in a statement. "As a result, access to some of the Microsoft Internet properties, including Microsoft.com and MSN.com, was intermittent for many customers throughout this morning."

Microsoft says the sites are now available and the attack is separate from its site problems earlier this week.

"Microsoft's global networking team quickly determined that today's issue was completely separate from yesterday's outage and has taken a number of steps to address the issue," the company states.

Microsoft is working with the FBI and is taking immediate steps to ensure its networks offer "improved protection from this type of attack," according to the company.

Suspicions Raised

The disclosure is no surprise to some security experts. One of them anticipated the denial-of-service possibility with Thursday's resurgence of Microsoft site blackouts.

It's unlikely Microsoft technicians would make continuing DNS configuration mistakes, says William Knowles, associate faculty at New Dimensions International, a computer security training firm.

Even for Wednesday's outages, "My suspicion leans towards a denial-of-service attack," says Knowles, referring to a procedure that overloads servers to the point they cannot respond to requests.

He points to recent events, including the continued instability of Microsoft's sites, and recent reports that Microsoft New Zealand was down prior to the other site problems.

Other suspicions were raised by anti-Microsoft slogans that appeared with a Whois search for Microsoft.com Wednesday. Whois tells you the owner of any second-level domain name registered with Network Solutions, the most widely used Internet registrar for .com names. A search under Microsoft.com returns clearly invalid domains such as: microsoft.com.is.secretly.run.by.illumaniti.terrorists.net.

Microsoft sustained a hack attack in October, when intruders entered Microsoft's corporate network and accessed product information. Although Microsoft downplayed the incident, security experts said the company would be wise to evaluate its security.

A Weak Link

Microsoft had admitted late Wednesday that an internal error caused the domain name problems. The company says a Microsoft technician changed the configuration of routers on the edge of Microsoft's DNS network. The change limited communication between DNS servers on the Internet and Microsoft's DNS servers, causing many of Microsoft's sites to be unreachable.

Experts promptly began questioning the security and stability of Microsoft's DNS operation, which apparently leaves the network vulnerable to such an internal error as well as third-party hacker attack.

Although Microsoft contends the initial problem was an internal error, the fact that it happened at all points to the vulnerability of Microsoft's DNS network, and possibly to the DNS of the entire Internet.

The way Microsoft's DNS network is designed could be partly to blame for the outages, say some security experts. The company appears to have all four of its DNS servers located on a single network, making them more vulnerable to failure. Microsoft did not respond to repeated requests for comment but has said its DNS is fully fault tolerant with built-in redundancies.

But distributing DNS servers across networks wouldn't necessarily help, suggests Martin Fong, a senior software engineer at research institute SRI.

"The problem is, domain name servers tend to be hierarchical," Fong says. "One server has to act as the authoritative distribution point; this is a historical deficiency of DNS, not just a problem with Microsoft."

"The whole Internet is structured this way. It's a lot more fragile than people realize," he adds.

Preventive Measures Urged

Still, Fong suggests Microsoft could have done more to prevent such an error from taking hold in the network. The company apparently failed to perform the right checks and balances.

Microsoft should have validated any configuration change by testing the domain names from outside the corporate network, Fong suggests.

"If you check [DNS changes] only from inside accounts, you can never tell what's wrong," he says.

A DNS expert points out that DNS management is no small task. Failures in DNS networks at large corporations are frequently difficult to diagnose because of the complexity of the system, says Stewart Bailey, cofounder and chief technology officer at InfoBlox, which sells DNS appliance servers to businesses.

"What you'll find a lot is that when a DNS error occurs, because it's at a very low level and affects so many subsystems, people aren't sure it's a DNS problem. It's hard to diagnose," Bailey says. "The networking people look at the routers, the systems people look at the servers, and the DNS guys look at their part, and sometimes it takes a while to figure out what's going on."

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".
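
An added example, not part of the original article or of any party it describes: a Python sketch of the two checks the experts raise, whether all authoritative name servers sit on one network and whether names answer the same from outside the network as from inside. The host names, addresses, recorded answers and the /24 grouping are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (documentation address ranges, hypothetical names).
CONCENTRATED = {  # four name servers on one network, as the article describes
    "ns1.example.com": "192.0.2.10", "ns2.example.com": "192.0.2.11",
    "ns3.example.com": "192.0.2.12", "ns4.example.com": "192.0.2.13",
}
DISTRIBUTED = {
    "ns1.example.com": "192.0.2.10", "ns2.example.com": "198.51.100.10",
    "ns3.example.com": "203.0.113.10", "ns4.example.com": "203.0.113.11",
}
# Answers recorded by a resolver inside the network and by one outside it;
# None stands for "no answer" (timeout or SERVFAIL).
INSIDE = {"www.example.com": "192.0.2.80", "mail.example.com": "192.0.2.25"}
OUTSIDE = {"www.example.com": None, "mail.example.com": "192.0.2.25"}


def group_by_network(ns_addrs, prefix_len=24):
    """Group name servers by the prefix that covers their address.

    Assumption: a shared /24 approximates "same network"; a production
    check would use routing or site data instead.
    """
    groups = defaultdict(list)
    for name, addr in ns_addrs.items():
        net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
        groups[str(net)].append(name)
    return {net: sorted(names) for net, names in groups.items()}


def single_network_risk(ns_addrs, prefix_len=24):
    """True when every authoritative server sits behind one prefix."""
    return len(group_by_network(ns_addrs, prefix_len)) == 1


def compare_vantage_points(inside, outside):
    """Return names whose outside answer is missing or differs from inside."""
    return {
        name: {"inside": expected, "outside": outside.get(name)}
        for name, expected in inside.items()
        if outside.get(name) != expected
    }


if __name__ == "__main__":
    print(group_by_network(CONCENTRATED), single_network_risk(CONCENTRATED))
    print(group_by_network(DISTRIBUTED), single_network_risk(DISTRIBUTED))
    print(compare_vantage_points(INSIDE, OUTSIDE))
```

Run after each DNS or edge-router change, the vantage-point comparison surfaces the case Fong describes, where inside checks pass while outside resolvers get no answer.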