Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FYI: Microsoft web site compromise and partner security



;-)

http://isc.sans.org/diary.html?n&storyid=2699

 Microsoft web site compromise and partner security
Published: 2007-04-29,
Last Updated: 2007-04-29 12:04:19 UTC
by Maarten Van Horenbeeck (Version: 1)

There's been a lot of discussion over the last few hours regarding a
Microsoft website that apparently got defaced. While the domain name has
been taken offline, the defacement itself was rather obvious. Users
browsing the page were shown a typical "0wn3d by" message with a picture
taken of Bill Gates during what was probably his least pleasant visit to
Belgium in 1998.

The affected site displayed a remotely hosted image and the attacker's
nickname:

<body onload="document.body.innerHTML='<p align=center><font size=7>Own3d
by Cyber-Terrorist</font><img
src=http://c2000.com/gifs!/billgates.jpg><p align=center><font
size=7>--Cyb3rT--</font></p>';"><noscript>

The affected site was a subpage of ieak.microsoft.com where users could
select a distribution license for the Internet Explorer Administration
Kit. The server isn't, however, located on the Microsoft network, but at
a hosting partner. In addition, the source of the page mentions another
third party as being responsible for the site's development.
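As an added example (not part of the ISC diary or this archive), a small page-integrity check in Python that parses served HTML and flags the two things the defaced markup above exhibits: an inline event handler that rewrites innerHTML, and references to hosts outside an allowlist. The allowed-host set and the clean sample page are assumptions; the defaced sample is the markup quoted above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the monitored site is allowed to reference (an assumption for this example).
ALLOWED_HOSTS = {"ieak.microsoft.com", "microsoft.com"}

# Constructed sample inputs: the defaced markup as quoted in the diary, and a
# hypothetical clean page from the same site.
DEFACED_HTML = """<body onload="document.body.innerHTML='<p align=center><font size=7>Own3d by Cyber-Terrorist</font><img src=http://c2000.com/gifs!/billgates.jpg><p align=center><font size=7>--Cyb3rT--</font></p>';"><noscript></noscript></body>"""
CLEAN_HTML = '<html><body><h1>IEAK licence selection</h1><img src="/img/logo.gif"></body></html>'

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


class DefacementScanner(HTMLParser):
    """Flags inline handlers that rewrite the DOM and references to off-site hosts."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.findings = []

    def _check_host(self, tag, where, host):
        if host and host.lower() not in self.allowed_hosts:
            self.findings.append(f"<{tag}> {where} references off-site host {host}")

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None:
                continue
            if name.startswith("on"):
                # Event-handler attribute: script that runs on load, click, etc.
                if "innerHTML" in value:
                    self.findings.append(f"<{tag}> inline {name} handler rewrites innerHTML")
                # URLs embedded in handler code point at hosts the page will fetch from.
                for host in URL_RE.findall(value):
                    self._check_host(tag, f"{name} handler", host)
            elif name in ("src", "href"):
                self._check_host(tag, name, urlparse(value).hostname)


def scan_page(html, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    scanner = DefacementScanner(allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for label, page in (("clean", CLEAN_HTML), ("defaced", DEFACED_HTML)):
        print(label, scan_page(page) or ["no findings"])
```

Run against a periodic fetch of each partner-hosted page, a non-empty result is the signal to alert on; the allowlist is the piece the site owner, not the hosting partner, should control.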

While the brand impact of a low-level compromise like this is
negligible, it does bring up some hard questions. In this day and age of
increasingly popular outsourcing and co-sourcing, how do you ensure your
partners are able to meet your security requirements? Reputation is a
good starting point, while supplier audits and compliance with relevant
security standards can complete the picture. Both should be part of any
outsourcing RFP.

After all, while this may be a small-time issue, web site defacements
have in the recent past often involved malicious code distribution.
Being unavailable and looking a bit silly is one thing to reflect on a
brand. Being involved in the distribution of a banking fraud trojan is
quite another.

Copyright © Lexa Software, 1996-2009.