Slashdot Mirror
Korean MSN Site Hacked
An anonymous reader writes "CNN is reporting that MSN's Korean website was hacked in order to allow usernames and passwords to be stolen. Microsoft is initially blaming unpatched, outsourced servers. Just another embarrassment to Microsoft's security push."
We all know microsoft doesn't trust windows to run its webservers!
Untold number of "In korea, only old people..." bad jokes are on their way.
I assume they weren't using *nix? =)
"I cannot think of any need in childhood as strong as the need for a father's protection." -- Sigmund Freud
Anyone got a mirror of the defacement?
We as voters have given up essential liberty. We hoped to purchase a little temporary safety. We in fact deserve neither
Yet another security issue related to microsoft. Since when is that news?
They might steal all the old peoples' email passwords!
In korea only old people use MSN.
So the server was also old (unpatched)
~Aha~
Hopefully, this incident will remind MSN of the importance of always making sure they have applied the latest patches, updates, and service packs from Microsoft's Windows Update site.
Hear recorded Slashdot headlines on your phone! New service beta testing. Just call (248) 434-5508
It's not really an embarrassment to Microsoft. It's an embarrassment to Koreans who have long been the leaders in wide-spread broadband and internet usage. You'd have expected that they, of all nationalities, would have their act together when it came to running servers. Unfortunately, it seems that even they are not immune to hacks.
Which is all for the better, of course. The more these systems are attacked, the harder they become. Kind of like how the SR-71's outer plating would become harder each time it took to the skies, or like how the samurai's katana becomes harder each time it is thrust into the forge. Systems become stronger by trial.
So next time there won't be this problem. That there was a problem this time is unfortunate, but like the lessons of history, this experience will make the victims Better. Stronger. Faster than before.
Please slashdot, you're not doing any justice by harping on Microsoft. Your bias is just disgusting. Why don't you post one of the 1,000,000 Linux defacements or break-ins that happen monthly?
And I know I'm posting Anonymously. I don't have an account nor do I care to create one at your site until you stop being the Fox Network equivalent for Tech News.
Microsoft is initially blaming unpatched, outsourced servers.
Looks like they didn't install SP2, enabled the firewall, and have automatic download of Windows Updates enabled. I guess Microsoft forgot to pay extra for having "secured" servers when they signed the outsource contract. It's a shame that they have to eat their own dogs... uh, food.
>>> The Korean site, unlike U.S. versions, was operated by another company, which Microsoft did not identify. Microsoft's own experts and Korean police were investigating, but Microsoft believes the computers were vulnerable because operators failed to apply necessary software patches, said Sohn, an MSN director.
Don't trust other companies to apply security patches for your site.
Don't try to use the force. Do or do not, there is no try.
From Netcraft:
/ /www.msn.co.kr
Windows Server 2003
Microsoft-IIS/6.0 9-Dec-2004
http://toolbar.netcraft.com/site_report?url=http:
http://www.thebricktestament.com/the_law/when_to_
"CNN is reporting that MSN's Korean website was hacked in order to allow usernames and passwords to be stolen. Microsoft is initially blaming unpatched, outsourced servers. Just another embarrassment to Microsoft's security push."
Yes, Microsoft has a good deal of well-deserved bad karma. That you could consider this to be a failing of their software is ridiculous, though. If this is an embarassment to Microsoft, many Free, Open software packages of every sort, from Apache to Linux to OpenBSD to OpenSSH have been so embarassed.
I'm all for calling out Microsoft when they're (a) full of marketing bullshit, (b) way behind everyone else technically, and (c) playing dirty politics. They deserve to be criticized then. But this is simply a non-event. They had a website get cracked. Big deal. Heck, Sourceforge, the largest repository of Open Source software, has been cracked multiple times, if you want an Open Source counterpart.
Blame Microsoft when they deserve it, and your words will get more weight. If Oracle had run out and said that "Our database is hacker-proof", and the next day their website had been broken into and their database cracked, that would be a fair point to criticize someone. But simply "you had a website cracked" is no longer a big deal for most companies.
Any program relying on (nontrivial) preemptive multithreading will be buggy.
Not that this is very important, but they wouldn't be running their servers with SP2.
They are likely running Windows Server 2003 and the latest service pack for WS2K3 is SP1. SP1 for WS2k3 came out after SP2 for XP so it should contain everything that SP2 contains.
The Internet is full. Go Away!!!
Only old servers are unpatched.
503 Sig Unavailable
The Signature could not be accessed. Please try again later or contact the administrator
Microsoft's software security push likes to be tied in a chair with a gag in its mouth, while its boyfriend makes love to another man in front of it. It is embarassed when it finds another blackened spoon in the bathroom after he promised to quit. But Koreans stealing its passwords is not embarassing.
"Korean Windows Update Site Hacked"
I am sorry, Microsoft, but I don't give a damn that you outsourced your servers. The customer is buying your name and reputation when they buy your product. So, you may have saved money on the bottom line, but you have squandered trust the consumer had for you. At some point in the future, you will realize what a valuable commodity this was and how expensive it is to re-acquire.
"To those who are overly cautious, everything is impossible. "
Aww how cute! Look at all the Anti-Corprate Gates haters. Maybe if there were as many Linux haters you would see the same happen to Linux systems.
Security researchers noticed the suspicious programming added to the Korean site Tuesday and contacted the company.
Microsoft/its hosting company didn't even notice the problem. Sombody had to tell them their own site was hacked. Security Through Good Luck(TM).
Microsoft said it was trying to decide whether to issue a broad public warning to recent visitors of the Korean site...
Thats good; keep users ignorant. Way to go.
In other Korean news, Jeon Ji Hyun is still a very Sassy Girl.
"Microsoft said it cleaned the Web site, www.msn.co.kr, and removed the dangerous software code... "
I got $5 that says this translates to "formatted and reinstalled the OS..."
No unauthorized use. Trespassers will be shot. Survivors will be shot again.
Microsoft is initially blaming unpatched, outsourced servers.
Outsourced your MS jobs to Asia, and now outsourced servers are taking revenge.
MS: 0
Offshored U.S. Techies: 0
Globalization: 2
(Relax, itsa half joke)
Table-ized A.I.
They don't do all of their development inhouse either. A bit of their minor product and web development is also outsourced. But Microsoft is still gets the blame when their software is found to be insecure, no matter who they contracted to maintain it. They won't even identify the other company. As far as users could tell, Microsoft was hosting the web site, because they were given no reason to believe otherwise. They trusted a Microsoft web site and their passwords got stolen.
^_____________^
I, for one, bow to our Master Control Program overlords!
Yup sure sounds sounds like the appropriate people to bash. Who says there is no bias here?
"The Korean site, unlike U.S. versions, was operated by another company, which Microsoft did not identify. Microsoft's own experts and Korean police were investigating, but Microsoft believes the computers were vulnerable because operators failed to apply necessary software patches, said Sohn, an MSN director."
RTFA
nuff said
At least not that I've seen in my limited Windows admin experience. They always seem to be manual hotfixes and service packs.
Just another embarrassment to Microsoft's security push.
No, this is a classic case of why outsourcing mission critical systems and/or data is wrong. It also goes to show that it's NECESSARY to patch mission critical hardware (hell, even non-mission critical Spider Solitaire machines).
We all have issues with MS, but this time it isn't directly their fault.
This wouldn't have been that big of a deal if Microsoft's security push came w/ Trust in a Bottle...
[o]_O
I've been getting "SSL certificate couldn't be verified" messages when logging into Hotmail for the past few days. I'm in the US. The article says nothing about US sites, but it sure seems like a big coincidence that Hotmail has been acting up for me around the same time that this was going on.
hello dear sirs my name is jamesh i are india (bihar) can u guide me install red had linux 9?
Remember, Debian's servers were hacked a while back. People who live in glass houses shouldn't throw stones.
The hackers used the Zerg rush.
Bill Gates: Chairman Il, I'm calling in regards to your proposal to develop MSN-orthKorea.
Kim Jong Il: Ahh, yes. I would like all searches to return two results--the party's web page and Western blondes. And the butterfly is too free. Can you change it to a moth made from gray wool and the sorrows of my people?
Bill Gates: I think we can do that. MothXP (formerly My Moth) enables you to go that place today.
Kim Jong Il: Excellent... Can you make the moths old?
So next time there won't be this problem. That there was a problem this time is unfortunate, but like the lessons of history, this experience will make the victims Better. Stronger. Faster than before.
Not always. Sometimes the experience leaves the victim Dead. Extinct. Irrelevant. (cf : Dinosaurs)
My next sig will be ready soon, but subscribers can beat the rush
You're forgetting that you can't just compare raw numbers like that.
Apache runs a lot more web servers than IIS. Despite BSD being way more secure than Linux it is also used much less frequently.
Statistics like these are probably the most useless in determining security in terms of safety. I can't say for certain, but more than anything they probably say more about the commonality of the respective programs and operating systems.
Especially when looking at most of these "hacks" they are really just web site defacements, most of which don't count against specific operating systems or web servers.
A lot of attacks like those are done by taking advantage of holes in web software, ie SQL injections, or exploiting other flaws in script logic.
Oh well... I'm wasting my time.
If Microsoft's specialty isn't insecure code, what is it?
Really, if the problem was that the servers were unpatched, why is that supposed to be something embarrassing to Microsoft?, I say that the ones who should be embarrassed are the systems administrators who are mediocre enough to not patch their systems knowing how much risk was and is at stake!
This type of problem would have been likely to happen in just about any other unpatched operating system... be it UNIX or not UNIX, it would' have not made any difference whatsoever.
Insanity: doing the same thing over and over again and expecting different results.
SP2?
Windows 2003 has only just received SP1. SP2 is for Windows XP.
Ever get the feeling that a lot of people on Slashdot that comment on servers have never had to run any?
>
That must qualify as informative - it's not often that slashdotters see pictures of an oriental girl with her clothes on.
Sheesh, evil *and* a jerk. -- Jade
MS has been cracked before. Just 2 years ago, they had russians crawling throughout their network.
In addition, when has MS ever taken responsibility for their actions?
At this point, if MS says that the other company did not stay up on patches, I am not inclined to believe them. I think that something else happened, and MS just wishes to blame them. And the korean company will take the blame just to keep the business.
But I do have to say that I am a bit surprised that MSN would use an outsourced company for this since they have a large operation in Korea.
I prefer the "u" in honour as it seems to be missing these days.
Don't you mean our old Korean overlords?
Microsoft's virtual monopoly for the desktop OS means that security vulnerabilities are profitable. People buy a new computer when they find the old one has become slow. The don't realize they are infected, and that their computer became imperceptibly slower each time it got infected.
oh, they happen to be excellent at "beginning hacker training". but now these beginners have moved on to more difficult *NIX servers to hack... :)
only old people....
And why should I trust that list?
I do not misunderstand why people feel the need to defend Bill Gates and company, unfortunately.
"Just another embarrassment to Microsoft's security push."
Another embarassment for who "Nerds" who read the popular "News for Nerds. Stuff that matters. -- A popular technology news website"?
That's like having a Christian missionary meeting in a city that only allows Christians to live there.
Do you actually think wind of this news about Microsoft will reach real news sources such as MSNBC, FOX, and others? Yes, this article is on cnn's website, but I'm talking about newspaper and TV.
The amount of people who have power (e.g. corporate types who make decisions) are more likley to be reading the Wallstreet Journal than logging on at night to http://cnn.com/
So after all, this isn't an embarassment to Microsoft at all, as nobody important will ever see this article.
You wouldn't trust them beyond $5 to do the right thing?
I don't gamble, but I'd give close to half odds that the first thing they did was use symantec. I'd even give better than one in ten that they might not even yet have wiped the system. And I'd even give close to 1 in 2 that they have not yet pulled the raid, restored from last week's backup, and started scrubbing executables from the the off-line db raid so they can extract and update.
Man. panic time.
According to cnn, the opening that was being talked about was an opening on MSIE, not on IIS. These frames could be used in malicious attacks that take advantage of a flaw in Microsoft's Internet Explorer Web browser that the company patched last December.
IOW, the opening that everybody is talking about is on the client, not on the server. At this time, I would not trust anything that is coming from MS (or the news). The news will probably go after MS, while MS will try to spin it in their favor. Personally, I suspect that MS actually tried to spin by implying that the missing patch was on the server, and the reporters did not pay attention. Anymore it seems like most reporters miss the real stories.
I prefer the "u" in honour as it seems to be missing these days.
Shouldn't this also be in "It's Funny, Laugh"?
Actually I think that the MS webservers run a UNIX variant, but I could be wrong.
How many people can read hex if only you and dead people can read hex?
Anyone else find a Kornet IP responsible for 99% of attempted attacks?
IIS Hacked, No way. Now thats breaking news.
People wonder why people have doubts about open source. One reason is accountability.
If linux.org got hacked, who'd care, or even if slashdot ( remember ). MS at least is standing up and admiting it has a problem. OS just hides behind it's structure. Because we are open we will get patched.
Somebody hacked into their computers in order to steal password, not to shame MS. Be mad at the hackers for once. Is this going to be any different if/when MS is not king of the hill? No, get over it.
On a side note. Has slashdot ever consider not allowing posts to a story? This is a classic example of a useless post section. About the only thing useful might be how they got in, but no is going to know that until this story isn't on the front page.
Can we IhateMS.slashdot.org and stick these stories there?
In Korea, only old servers are used for email...
# cat
Damn, my RAM is full of llamas.
So, if this story makes MS look bad, then by that logic I can go and WinNuke -- with my 1337 skillz -- whatever remaining Windows95 boxes are out there, and call it a victory against MS as well?
The moral of this story seems to be fairly simple; outdated, unprotected software can -- and will be -- exploited. This isn't MS-specific, unless you're some special kind of ignorant.
Why DON'T they do all their stuff in-house? Why let some two-bit company handle it? - aren't Microsoft supposed to be the world's experts on all things computing? Especially when it comes to Windows software?
But Microsoft is still gets the blame when their software is found to be insecure, no matter who they contracted to maintain it. They won't even identify the other company.
We don't know for sure if there even IS another company involved. It's a lot easier to pass the blame than to say, "Uh...Our best people and our best products let this happen."
Don't like Slashdot? don't come here.
Your server can only be as secure as the quality of the people you hire. It's totally possible to run a totally insecure Linux server and it's also totally possible to run a completely secure Windows server. The people that manage the servers just have to know what they're doing, on either OS. People that blame the OS for their hacks should really blame the person that manages it.
I like my women how I like my sugar.. granulated.
Could you name an example? Last year, several Open Source projects have reported that some of their servers were hacked into. I definitely remember Debian going though lists of MD5 hashes to find back older known-good versions of their files.
But maybe you can enlighten us? btw, I am not saying that Open Source is somehow 'better than Microsoft' in this case. It's just that you saying that people probably don't see something is rather hard to prove for the people you speak to ("Hey, I don't know any project that told me they were hacked, it must be true!").
So the idea is that Microsoft may not be responsible for the security and user safety of online services with their name on it because they may not personally be the ones actually running it?
Well then I'll be sure to keep that in mind the next time I am considering paying for or signing up for a Microsoft-branded online service.
Irritable, left-wing and possibly humorous bumper stickers and t-shirts
I LOVE slashdot, are you kidding me? This is the funniest site I've ever been too.
I can't connect to any of my Hotmail accounts using Outlook Express. Maybe this is serious enough that MS is temporarily disabling all accounts?
eTrade SUCKS
I can't say I'm surprised by the "if it's M$ it's bad" sort of propaganda, but seriously people: all software needs patching. Windows and *nix alike, if they go unpatched obviously the holes are not mitigated.
How many times has sans.org been hacked?
So the idiots running the servers didn't bother to keep them up-to-date....and thus it's Microsoft's fault?
Sounds to me like another case of user stupidity. If yer not going to take care of things, either don't have them or shut up.
A distribution is a collection of pieces of software, mixed together, to form an operating system. Each piece of software is maintained separately.
That's what GNU/Linux distros are: they all start with practically the same kernel (Linux) in the bowl, put some GNU and BSD utilities, add water, mix together and serve.
BSDs on the contrary, are entire operating systems where each component is developed ad-hoc for the OS. They doesn't share a kernel and add some random utilities. Each of them maintain a PUBLIC source tree of the whole operating system. Everything is in the same place developed from a single tree.
Take a look at the CVS tree if you are curious.
Thanks to the freedom of the license, all of them share code which redounds on benefit of the users.
The best way to predict the future is to invent it
So, each *BSD is kind of a "distro" of the BSD source tree. Except they have different source trees.
True confidence comes not from realising you are as good as your peers, but that your peers are as bad as you are.
wait are these free accounts? and if so how long have you had them... I know they didn't specifically disable the interface for accounts, but they made it such that new clients couldn't connect meaning for awhile I could connect on one computer but not the other... I should check to see if they reenabled that stuff.
Gravity Sucks
Never the less, if you say that FreeBSD isn't a distro how can jaseuk's comparison on FreeBSD vs. RedHat and Debian be right. It should be compared to all Linux distrobutions. That's what I have been trying to say, jaseuk started comparing FreeBSD to specific Linux distrobutions when flithm talked about BSD vs. Linux.
Good point, but that doesn't negate the original point of the GP.
Microsoft claims you can manage thousands of servers and workstations worldwide from a single desktop computer. Not only that, they claim it's cheap and easy to do so.
If all their advertising is true, why the heck aren't they doing it?
"City hall" in German is "Rathaus" Kinda explains a few things......
Heya, thanks alot!! I checked it again and it works once again... :) I remember having outlook express post an error message "Account not accessible because free e-mail accounts have had remote checking disabled" (completely paraphrased), but apparently they changed their mind... and they must never have gotten around to even temporarily disabling your account :P
Lucky me!
Gravity Sucks