SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2007-04-29

Microsoft web site compromise and partner security

Published: 2007-04-29
Last Updated: 2007-04-29 12:04:19 UTC
by Maarten Van Horenbeeck (Version: 1)

There’s been a lot of discussion over the last few hours regarding a Microsoft website that apparently got defaced. While the domain name has been taken offline, the defacement itself was rather obvious. Users browsing the page were shown a typical “0wn3d by” message with a picture taken of Bill Gates during what was probably his least pleasant visit to Belgium in 1998.

The affected site displayed a remotely hosted image and the attacker’s nickname:

<body onload="document.body.innerHTML='<p align=center><font size=7>Own3d by Cyber-Terrorist</font><img src=http://c2000.com/gifs!/billgates.jpg><p align=center><font size=7>--Cyb3rT--</font></p>';"><noscript>

The affected site was a subpage of ieak.microsoft.com where users could select a distribution license for the Internet Explorer Administration Kit. The server isn’t, however, located on the Microsoft network, but at a hosting partner. In addition, the source of the page mentions another third party as being responsible for the site’s development.

While the brand impact of a low-level compromise like this is negligible, it does raise some hard questions. In this day and age of increasingly popular outsourcing and co-sourcing, how do you ensure your partners are able to meet your security requirements? Reputation is a good starting point, while supplier audits and compliance with relevant security standards can complete the picture. Both should be part of any outsourcing RFP.

After all, while this may be a small-time issue, web site defacements have in the recent past often involved malicious code distribution. Being unavailable and looking a bit silly is one thing to reflect on a brand. Being involved in the distribution of a banking fraud trojan is quite another.
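One way a brand owner can keep an eye on pages that live at a hosting partner is to pull them on a schedule, compare them against a known-good baseline and scan them for the pattern used here: an inline event handler that overwrites document.body.innerHTML and pulls an image from a host the page has no business loading from. The scanner below is an added example, not code from the diary or from Microsoft; the sample pages, the allowlist and the host names in it are constructed for illustration.

```python
import hashlib
import re
from html.parser import HTMLParser

# Constructed sample pages (not the live ieak.microsoft.com content); the
# defaced one reproduces the onload/innerHTML pattern quoted in the diary.
DEFACED_PAGE = ('<html><body onload="document.body.innerHTML=\'<p align=center>'
                '<font size=7>Own3d by Cyber-Terrorist</font>'
                '<img src=http://c2000.com/gifs!/billgates.jpg></p>\';">'
                '<noscript></noscript></body></html>')
CLEAN_PAGE = ('<html><body><h1>IEAK licence selection</h1>'
              '<img src=http://www.microsoft.com/images/logo.gif></body></html>')

# Hypothetical allowlist: hosts a partner-hosted page is expected to load from.
ALLOWED_HOSTS = {"microsoft.com", "www.microsoft.com"}
URL_RE = re.compile(r"https?://([^/\s'\"<>]+)", re.I)

def unlisted_hosts(text):
    return [h for h in URL_RE.findall(text) if h.lower() not in ALLOWED_HOSTS]

class DefacementScanner(HTMLParser):
    """Flags inline event handlers that rewrite the document, and any
    resource (static, or injected by such a handler) from an unlisted host."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):
                if re.search(r"\binnerHTML\s*=", value):
                    self.findings.append(f"<{tag} {name}> rewrites innerHTML")
                for host in unlisted_hosts(value):
                    self.findings.append(f"<{tag} {name}> injects content from {host}")
            elif name in ("src", "href"):
                for host in unlisted_hosts(value):
                    self.findings.append(f"<{tag} {name}> loads from {host}")

def scan_page(html):
    scanner = DefacementScanner()
    scanner.feed(html)
    return scanner.findings

def baseline_hash(html):
    # Hash of a known-good copy, recorded when the page was last reviewed
    return hashlib.sha256(html.encode()).hexdigest()

def content_changed(html, baseline):
    # Cheap integrity check: any change since the baseline is worth a look
    return baseline_hash(html) != baseline
```

The hash check catches any change at all (including legitimate edits), so in practice it is the trigger for a review, and the scanner output is what tells you whether the change looks like a defacement.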

--
Maarten Van Horenbeeck


NIST publishes guidance on RFID

Published: 2007-04-29
Last Updated: 2007-04-29 09:21:12 UTC
by Maarten Van Horenbeeck (Version: 1)

Last Friday, the US National Institute of Standards and Technology (NIST) published guidance on how to securely use RFID technology. SP800-98 explains RFID technology, places it in context, reviews the risks involved in each of its uses and suggests mitigating controls.

It considers business process, business intelligence and privacy risks, in addition to 'external risks' such as those associated with electromagnetic radiation. The 150-page document is very detailed, and a timely release given the wide variety of potential uses for which RFID technology is now being considered.
