Information Security News mailing list archives

Hacked websites 'didn't read the manual'


From: InfoSec News <isn () C4I ORG>
Date: Sun, 20 Aug 2000 03:43:26 -0500

http://www.vnunet.com/News/1109143

Ian Lynch  [18 Aug 2000]

Microsoft has blamed administrator error, rather than a bug in its
software, for leaving hundreds of websites running SQL Server open to
attack this week.

Several UK government websites were attacked on Monday by a hacker,
called Herbless, who claimed to have exploited a weakness in SQL
Server allowing him to take over the websites of three local
authorities and five government agencies. Attacks made on major
corporate sites in the US by pro-Napster activists have been linked
to the same problem.

Nicholas McGrath, Windows product marketing manager at Microsoft UK,
told vnunet.com that "the problems could have been prevented by
administrators if they had followed recommended procedures in our
documentation".

He said that when SQL Server is set up there is a simple default
password for the SQL administrator account, and that unless the system
is used only on a trusted network owned entirely by the company,
Microsoft recommends this password be changed.

McGrath said that in an unchanged configuration, referred to as 'mixed
mode', such hacks could take place, but that Microsoft's guidelines
recommend administrators switch to NT authentication mode if the server
is connected to a public network, such as the internet, and that this
would have prevented the hacks.
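The two settings McGrath describes, the administrator password and the authentication mode, can be audited from the server itself. The following T-SQL is an added example, not part of the article or of Microsoft's published guidance; it assumes a SQL Server 7.0/2000-era instance (the versions current when the article was written), that the built-in administrator login is 'sa' (the article does not name it), that an empty password is stored as NULL in master..syslogins, and that the placeholder password is replaced before use.

```sql
-- Added example (not from the article): audit and fix the two settings
-- described above on a SQL Server 7.0/2000 instance. Assumes the built-in
-- administrator login is 'sa' and that a blank password is stored as NULL
-- in master..syslogins; run as a sysadmin from Query Analyzer or osql.

-- 1. Which authentication mode is the server in?
--    Returns 'Mixed' (SQL logins such as sa are accepted over the network)
--    or 'Windows NT Authentication' (only NT accounts can connect).
EXEC master..xp_loginconfig 'login mode';

-- 2. Which SQL Server logins still have an empty password?
--    sa must never appear in this list on an internet-facing server.
SELECT name
FROM master..syslogins
WHERE password IS NULL
  AND isntname = 0;   -- 0 = SQL Server login, 1 = Windows NT login or group

-- 3. Set a strong sa password. Syntax: sp_password old, new, login;
--    old is NULL when the current password is blank.
EXEC sp_password NULL, 'REPLACE_WITH_STRONG_PASSWORD', 'sa';

-- 4. Confirm nothing is left with an empty password (expect 0).
SELECT COUNT(*) AS empty_password_logins
FROM master..syslogins
WHERE password IS NULL
  AND isntname = 0;
```

Step 1 only reports the mode; switching from mixed mode to NT authentication is done in Enterprise Manager (server properties, Security tab) and takes effect after the MSSQLServer service restarts. Changing the sa password is still worth doing even on a server that is being switched to NT authentication, so that the account is not left with a known default if mixed mode is ever re-enabled.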

He compared the hacks to a thief checking doors to see if the owner
had left the keys in the lock.

Wayne Sowery, technical director at MIS Corporate Defence Solutions,
agreed. "Microsoft is correct. It is a configuration issue and I think
we'll see a lot more of these attacks. However, perhaps Microsoft
should have included a prompt to change the password that appears
on-screen during the configuration process," he said.

He added: "There is also the possibility that SQL Server may be
running in the background as a licensed component of non-Microsoft
software, with the administrator unaware of the need to change the
default password."

Microsoft said on Thursday night that it would post guidelines on the
'bugtraq' section of securityfocus.com for administrators wishing to
protect against copycat attacks, although these could take at least
24 hours to appear on the site. Microsoft appears to be taking the
issue seriously, as evidenced by the four security spokesmen it put
forward to speak to vnunet.com yesterday.

The operators of one of the hacked UK government sites said it was
working to ensure that similar attacks weren't executed on other sites
hosted on its server. Chris Kenward, managing director at Thames
Global Internet Service, which hosts the hacked binfield.gov.uk site,
said "if [Herbless] could do that to one site, he could do it to the
other 300 sites on our servers".

Security experts said that "it looks likely" that a series of hacks
made on Tuesday and Wednesday, during which pro-Napster messages were
posted on major corporate websites, may have exploited a similar
vulnerability.

ISN is hosted by SecurityFocus.com