Slashdot Mirror
Korean MSN Site Hacked
An anonymous reader writes "CNN is reporting that MSN's Korean website was hacked in order to allow usernames and passwords to be stolen. Microsoft is initially blaming unpatched, outsourced servers. Just another embarrassment to Microsoft's security push."
We all know microsoft doesn't trust windows to run its webservers!
Untold number of "In korea, only old people..." bad jokes are on their way.
They might steal all the old peoples' email passwords!
"Yet another security issue related to microsoft."
Actually, it was related to a patch not getting installed. (Pilot error.)
"Derp de derp."
It's not really an embarrassment to Microsoft. It's an embarrassment to Koreans who have long been the leaders in wide-spread broadband and internet usage. You'd have expected that they, of all nationalities, would have their act together when it came to running servers. Unfortunately, it seems that even they are not immune to hacks.
Which is all for the better, of course. The more these systems are attacked, the harder they become. Kind of like how the SR-71's outer plating would become harder each time it took to the skies, or like how the samurai's katana becomes harder each time it is thrust into the forge. Systems become stronger by trial.
So next time there won't be this problem. That there was a problem this time is unfortunate, but like the lessons of history, this experience will make the victims Better. Stronger. Faster than before.
Please slashdot, you're not doing any justice by harping on Microsoft. Your bias is just disgusting. Why don't you post one of the 1,000,000 Linux defacements or break-ins that happen monthly?
And I know I'm posting Anonymously. I don't have an account nor do I care to create one at your site until you stop being the Fox Network equivalent for Tech News.
Microsoft is initially blaming unpatched, outsourced servers.
Looks like they didn't install SP2, enabled the firewall, and have automatic download of Windows Updates enabled. I guess Microsoft forgot to pay extra for having "secured" servers when they signed the outsource contract. It's a shame that they have to eat their own dogs... uh, food.
>>> The Korean site, unlike U.S. versions, was operated by another company, which Microsoft did not identify. Microsoft's own experts and Korean police were investigating, but Microsoft believes the computers were vulnerable because operators failed to apply necessary software patches, said Sohn, an MSN director.
Don't trust other companies to apply security patches for your site.
Don't try to use the force. Do or do not, there is no try.
From Netcraft:
/ /www.msn.co.kr
Windows Server 2003
Microsoft-IIS/6.0 9-Dec-2004
http://toolbar.netcraft.com/site_report?url=http:
http://www.thebricktestament.com/the_law/when_to_
"CNN is reporting that MSN's Korean website was hacked in order to allow usernames and passwords to be stolen. Microsoft is initially blaming unpatched, outsourced servers. Just another embarrassment to Microsoft's security push."
Yes, Microsoft has a good deal of well-deserved bad karma. That you could consider this to be a failing of their software is ridiculous, though. If this is an embarassment to Microsoft, many Free, Open software packages of every sort, from Apache to Linux to OpenBSD to OpenSSH have been so embarassed.
I'm all for calling out Microsoft when they're (a) full of marketing bullshit, (b) way behind everyone else technically, and (c) playing dirty politics. They deserve to be criticized then. But this is simply a non-event. They had a website get cracked. Big deal. Heck, Sourceforge, the largest repository of Open Source software, has been cracked multiple times, if you want an Open Source counterpart.
Blame Microsoft when they deserve it, and your words will get more weight. If Oracle had run out and said that "Our database is hacker-proof", and the next day their website had been broken into and their database cracked, that would be a fair point to criticize someone. But simply "you had a website cracked" is no longer a big deal for most companies.
Any program relying on (nontrivial) preemptive multithreading will be buggy.
Not that this is very important, but they wouldn't be running their servers with SP2.
They are likely running Windows Server 2003 and the latest service pack for WS2K3 is SP1. SP1 for WS2k3 came out after SP2 for XP so it should contain everything that SP2 contains.
The Internet is full. Go Away!!!
Only old servers are unpatched.
503 Sig Unavailable
The Signature could not be accessed. Please try again later or contact the administrator
Yeah, but as the article states, the servers were outsorced. Rather than a lesson over the importance of patching, I feel this is more a lesson of if you want something done right, do it yourself.
Insert witty Slashdot sig here.
I am sorry, Microsoft, but I don't give a damn that you outsourced your servers. The customer is buying your name and reputation when they buy your product. So, you may have saved money on the bottom line, but you have squandered trust the consumer had for you. At some point in the future, you will realize what a valuable commodity this was and how expensive it is to re-acquire.
"To those who are overly cautious, everything is impossible. "
Aww how cute! Look at all the Anti-Corprate Gates haters. Maybe if there were as many Linux haters you would see the same happen to Linux systems.
"Microsoft said it cleaned the Web site, www.msn.co.kr, and removed the dangerous software code... "
I got $5 that says this translates to "formatted and reinstalled the OS..."
No unauthorized use. Trespassers will be shot. Survivors will be shot again.
It wasn't an overt defacement; very small iframe at the bottom of the main page that pointed to a seperate file on the same server. That file contained an tag with a src url of some other file in the same directory ending in .gif.
.gif obviously, but was a collection of IE client-side exploits to try to load a particular bit of malware.
Of course that file wasn't actually a
A quick google for that malware shows the other chinese sites that I found (hey, I think that's officially the first time I've made cnn). One was discussing it, the other appeared to be (intentionally or otherwise) loading it.
And yet there probably isn't a piece of complex software in existance that hasn't needed a patch to fix a problem...
Just another embarrassment to Microsoft's security push.
No, this is a classic case of why outsourcing mission critical systems and/or data is wrong. It also goes to show that it's NECESSARY to patch mission critical hardware (hell, even non-mission critical Spider Solitaire machines).
We all have issues with MS, but this time it isn't directly their fault.
"The site is running IIS/6.0. (obviously) Does this mean that it hard to patch Windows/IIS ?"
Difficulty is not necessarily a prerequisite to neglect. Ask any woman who's ever bitched about the elevation of the toilet seat.
"Derp de derp."
The hackers used the Zerg rush.
Bill Gates: Chairman Il, I'm calling in regards to your proposal to develop MSN-orthKorea.
Kim Jong Il: Ahh, yes. I would like all searches to return two results--the party's web page and Western blondes. And the butterfly is too free. Can you change it to a moth made from gray wool and the sorrows of my people?
Bill Gates: I think we can do that. MothXP (formerly My Moth) enables you to go that place today.
Kim Jong Il: Excellent... Can you make the moths old?
You're forgetting that you can't just compare raw numbers like that.
Apache runs a lot more web servers than IIS. Despite BSD being way more secure than Linux it is also used much less frequently.
Statistics like these are probably the most useless in determining security in terms of safety. I can't say for certain, but more than anything they probably say more about the commonality of the respective programs and operating systems.
Especially when looking at most of these "hacks" they are really just web site defacements, most of which don't count against specific operating systems or web servers.
A lot of attacks like those are done by taking advantage of holes in web software, ie SQL injections, or exploiting other flaws in script logic.
Oh well... I'm wasting my time.
Don't you mean our old Korean overlords?
Microsoft's virtual monopoly for the desktop OS means that security vulnerabilities are profitable. People buy a new computer when they find the old one has become slow. The don't realize they are infected, and that their computer became imperceptibly slower each time it got infected.
From the linked article, it's also important to note that "The Korean site, unlike U.S. versions, was operated by another company". So the pilot wasn't even Microsoft.
This wasn't mentioned by the story poster at all, which probably wouldn't have been accepted if it read - more truthfully - Unpatch Microsoft Web Server Compromised. We all know that an unpatched MS server is vulnerable. With that in mind, it just reads like well-crafted front page FUD.
People wonder why people have doubts about open source. One reason is accountability.
If linux.org got hacked, who'd care, or even if slashdot ( remember ). MS at least is standing up and admiting it has a problem. OS just hides behind it's structure. Because we are open we will get patched.
Somebody hacked into their computers in order to steal password, not to shame MS. Be mad at the hackers for once. Is this going to be any different if/when MS is not king of the hill? No, get over it.
On a side note. Has slashdot ever consider not allowing posts to a story? This is a classic example of a useless post section. About the only thing useful might be how they got in, but no is going to know that until this story isn't on the front page.
Can we IhateMS.slashdot.org and stick these stories there?
So the idea is that Microsoft may not be responsible for the security and user safety of online services with their name on it because they may not personally be the ones actually running it?
Well then I'll be sure to keep that in mind the next time I am considering paying for or signing up for a Microsoft-branded online service.
Irritable, left-wing and possibly humorous bumper stickers and t-shirts