Microsoft web site compromise and partner security

Published: 2007-04-29
Last Updated: 2007-04-29 12:04:19 UTC
by Maarten Van Horenbeeck (Version: 1)
0 comment(s)

There’s been a lot of discussion over the last few hours regarding a Microsoft website that apparently got defaced. While the domain name has been taken offline, the defacement itself was rather obvious. Users browsing the page were shown a typical “0wn3d by” message with a picture taken of Bill Gates during what was probably his least pleasant visit to Belgium in 1998.

The affected site displayed a remotely hosted image and the attacker’s nickname:

body onload="document.body.innerHTML='/p align=center//font size=7/Own3d by Cyber-Terrorist//font//img src=!/billgates.jpg//p align=center//font size=7>--Cyb3rT--//font///p/';"//noscript/

The affected site was a subpage of where users could select a distribution license for the Internet Explorer Administration Kit. The server isn’t, however, located on the Microsoft network, but at a hosting partner. In addition, the source of the page mentions another third party as being responsible for the site’s development.

While the brand impact of a low-level compromise like this is negligible, it does bring up some hard questions. In this day and age of increasingly popular out and co-sourcing, how do you ensure your partners are able to meet your security requirements ? Reputation is a good starting point, while supplier audit and compliance with relevant security standards can complete the picture. Both should be part of any outsourcing RFP.

After all, while this may be a small time issue, web site defacements have in the recent past often involved malicious code distribution. Being unavailable and looking a bit silly is one thing to reflect on a brand. Being involved in the distribution of a banking fraud trojan quite another.

Maarten Van Horenbeeck

0 comment(s)


Diary Archives