Thread-topic: FYI: Microsoft web site compromise and partner security
;-)
http://isc.sans.org/diary.html?n&storyid=2699
Microsoft web site compromise and partner security
Published: 2007-04-29,
Last Updated: 2007-04-29 12:04:19 UTC
by Maarten Van Horenbeeck (Version: 1)
There's been a lot of discussion over the last few hours regarding a
Microsoft website that apparently got defaced. While the site has since
been taken offline, the defacement itself was rather obvious. Users
browsing the page were shown a typical "0wn3d by" message with a picture
of Bill Gates taken during what was probably his least pleasant visit to
Belgium in 1998.
The affected site displayed a remotely hosted image and the attacker's
nickname. The injected markup was:
<body onload="document.body.innerHTML='<p align=center><font size=7>Own3d
by Cyber-Terrorist</font><img src=http://c2000.com/gifs!/billgates.jpg><p
align=center><font size=7>--Cyb3rT--</font></p>';"><noscript>
The onload handler replaces the entire document body once the page has
loaded, so the original content never appears; the same foothold could
just as easily have inserted a script element as an image.
The affected site was a subpage of ieak.microsoft.com where users could
select a distribution license for the Internet Explorer Administration
Kit. The server, however, isn't located on the Microsoft network but at
a hosting partner, and the page source credits a further third party
with the site's development.
While the brand impact of a low-level compromise like this is
negligible, it does raise some hard questions. In an age of increasingly
popular outsourcing and co-sourcing, how do you ensure your partners are
able to meet your security requirements? Reputation is a good starting
point; supplier audits and compliance with relevant security standards
complete the picture. Both should be part of any outsourcing RFP.
After all, while this may be a small-time issue, web site defacements
have in the recent past often been a vehicle for malicious code
distribution. Being unavailable and looking a bit silly is one thing to
reflect on a brand; being involved in the distribution of a banking
fraud trojan is quite another.
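The quoted defacement markup and the closing point about defacements as a delivery vehicle suggest a check a site owner, or the customer of a hosting partner, can run against the pages actually being served. What follows is an added example, not code from the diary, from Microsoft or from the hosting partner. It scans served HTML for inline event handlers that rewrite the document, for resources fetched from hosts outside an allowlist (including URLs buried inside a handler's JavaScript string, which an HTML parser would otherwise never see as tags), and compares the page against a known-good hash. Only the `<body onload=...>` line is taken from the diary; the allowlist, the surrounding page text and the clean baseline page are assumptions constructed for illustration.

```python
"""Defacement check over served HTML.

Added example, not code from the ISC diary, Microsoft or the hosting partner.
It flags what the ieak.microsoft.com defacement relied on: an inline event
handler that rewrites the document body, and content pulled from a host the
site is not expected to use. ALLOWED_HOSTS and the sample pages are assumptions.
"""
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately loads resources from (assumption for the example).
ALLOWED_HOSTS = {"ieak.microsoft.com", "www.microsoft.com"}

# Attributes that pull a remote resource into the page.
RESOURCE_ATTRS = {"src", "href", "data", "action"}

# Handler bodies that rewrite the document or load script at runtime.
DOM_REWRITE_RE = re.compile(
    r"innerHTML|outerHTML|document\.write|eval\s*\(|createElement\s*\(\s*['\"]script",
    re.I,
)
URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.I)


def foreign_host(url):
    """Return the lower-cased hostname if it is outside ALLOWED_HOSTS, else None."""
    host = urlparse(url).hostname
    if host and host.lower() not in ALLOWED_HOSTS:
        return host.lower()
    return None


class DefacementScanner(HTMLParser):
    """Collects suspicious inline handlers and foreign resource origins."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, attribute, detail)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None:
                continue
            name = name.lower()
            if name.startswith("on"):
                if DOM_REWRITE_RE.search(value):
                    self.findings.append(("dom_rewrite", tag, name, value[:60]))
                # Markup inside a JS string is attribute text to the parser, not
                # tags, so pull URLs out of the handler value directly.
                for url in URL_RE.findall(value):
                    host = foreign_host(url)
                    if host:
                        self.findings.append(("foreign_resource", tag, name, host))
            elif name in RESOURCE_ATTRS:
                host = foreign_host(value)
                if host:
                    self.findings.append(("foreign_resource", tag, name, host))


def check_page(html, known_good_sha256=None):
    """Scan one served page; returns a dict an alerting pipeline can consume."""
    digest = hashlib.sha256(html.encode("utf-8")).hexdigest()
    scanner = DefacementScanner()
    scanner.feed(html)
    scanner.close()
    content_changed = known_good_sha256 is not None and digest != known_good_sha256
    return {
        "sha256": digest,
        "content_changed": content_changed,
        "findings": scanner.findings,
        "defaced": content_changed or bool(scanner.findings),
    }


# The <body ...> line is the diary's quoted markup; the text around it is a
# constructed stand-in for the real IEAK page, not the real page.
DEFACED_PAGE = """<html><head><title>IEAK License</title></head>
<body onload="document.body.innerHTML='<p align=center><font size=7>Own3d by Cyber-Terrorist</font><img src=http://c2000.com/gifs!/billgates.jpg><p align=center><font size=7>--Cyb3rT--</font></p>';"><noscript>
<h1>Internet Explorer Administration Kit</h1>
<p>Select a distribution license.</p>
</noscript></body></html>"""

# Constructed clean version of the same page, used as the known-good baseline.
CLEAN_PAGE = """<html><head><title>IEAK License</title></head>
<body>
<h1>Internet Explorer Administration Kit</h1>
<p>Select a distribution license.</p>
<img src="http://www.microsoft.com/library/ie.gif">
</body></html>"""


if __name__ == "__main__":
    baseline = check_page(CLEAN_PAGE)["sha256"]
    for label, page in (("clean", CLEAN_PAGE), ("defaced", DEFACED_PAGE)):
        report = check_page(page, known_good_sha256=baseline)
        print(label, "DEFACED" if report["defaced"] else "ok")
        for finding in report["findings"]:
            print("   ", finding)
```

Run stand-alone it reports the clean page as ok and the defaced page with two findings: a `dom_rewrite` on the body's onload handler and a `foreign_resource` for c2000.com. The hash comparison catches any change at all, including a quiet script insertion that the pattern rules miss; the pattern rules explain why a page changed, which is what an on-call responder wants to know first.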