How Microsoft UK got hacked and how you can learn from their mistakes

I subscribe to windowsecurity.com‘s newsletter which is actually a pretty good read. Today’s newsletter has an article about the Microsoft UK Events Website getting defaced and goes into great detail to show just how the site was compromised.

In a nutshell, they used SQL Injection and the fact that the web.config was configured to display errors instead of displaying a custom error page.

I highly recommend any developer or website owner to review the article at:

http://www.windowsecurity.com/articles/Microsoft-UK-Events-Website-Hacked.html

so that they can avoid falling prey to these same tactics. 

As a host, I can firmly say the #1 issue we see today with sites getting defaced is a weak password (using password, your username, your simple passwords simply aren’t secure) and the #2 issue is SQL Injection. Not many website owners (and unfortunately web developers) are familiar with SQL Injection and assume that their web app is inherently safe, this is a classic ASS-U-ME assumption. WindowsSecurity.com recommends that you use a commercial product from Acunetix to scan the security of your site. But other resources are:

  • ScanAlert’s (or any other reputable scanning company’s) PCI compliance scanning service: http://www.appliedi.net/scanalert-pcicompliance/ which is offered free for the first year for AppliedI.net hosted websites.
  • Nessus is a freely available scanning solution you can use as well (and the same tool many commercial security scanning providers use)
  • xfocus.org also has a scanning tool called x-scan that I like to use as well. It uses nessus rules but is created by a Chinese company so there’s not really any documentation on it.

This is by no means the end all article on web site security but if you read the windowsecurity.com article I think you’ll be more aware of the techniques being used by hackers today and if you sign up for one of the commercial services and also experiment with a few of the free tools available today you’ll be a little more aware of just what’s out there.

Oh and one word of advice on using security scanners, most hosts today employ IPS (intrusion protection servers) or some other network security devices so don’t be surprised if you attempt to scan your live website it becomes unavailable.  That could mean one of two things happened, one you crashed your website and have a serious issue or two, the host’s IPS or other network security saw your scans as an attack and has disabled your access to their network.  It’s a good idea to scan your application locally of course and should you need to do a remote scan let your host know before hand.

One Reply to “How Microsoft UK got hacked and how you can learn from their mistakes”

  1. Great post, Jess. Thanks!

    I haven't used inline SQL since .net 1.1 – Stored procs are always the way to go. But with .net 2.0, you can use inline queries against your datastore in an ObjectDataSource. Does this compromise security and leave one open to SQL Injection. My initial thought would be yes, because you're not calling a stored procedure, but then I doubt, thinking that Microsoft has to have accounted for that.

    Perhaps I'm missing something, I'm only 6 months into the 2.0 framework and 3.5 is already ramping up and deploying… Can't ever stay on top of technology. Not sanely, at least.

    Goodday, Jess!

    (bs.)

Leave a Reply