Network managers rapped over lax security

Network managers have been ignoring warnings to download a Microsoft security patch and have been hammered by hackers over the last few weeks as a result.

Intel, Hewlett Packard (HP), Compaq, Gateway and the New York Times were all attacked because they used unpatched versions of Netscape Enterprise Server or Microsoft IIS.

The news came three weeks after Network News warned of the continuing danger, and six months after Microsoft published a patch to fix the flaw.

Assistant data protection commissioner Phil Jones said that network managers who failed to update their systems were breaching the Data Protection Act, which requires anyone responsible for personal data to take "appropriate" security measures.

"People should be mindful of weaknesses in the software they are using. Not downloading a patch might suggest that they are not adapting their security measures," said Jones.

Three weeks ago Network News highlighted security holes in the websites of major corporations including McDonald's, HSBC and Safeway.

The list was compiled using well-publicised techniques that allow an intruder to get a directory listing for a site and even retrieve administrative user names and passwords.

McDonald's plugged the hole soon after but didn't do enough to prevent an attack on its UK website last week. A cracker calling himself Fluffy Bunny altered the homepage, renaming the company 'McB00biez' and advertising products such as 'Bunny Burger' and 'Bexter Nuggets'.

Cracker The-Rev of the Sm0ked Crew said he used the Unicode bug to deface the Intel, HP, Compaq, Gateway and New York Times websites.

The attacks exploited known weaknesses in Microsoft's IIS and the slowness of system managers to apply Microsoft's patch, which has been available since August last year (http://www.microsoft.com/technet/security/bulletin/fq00-078.asp).

The-Rev used the same flaw to break into Intel's site twice in two days to show up the chip maker's lax security after it called him a "script kiddie" in an article on vnunet.com.

First published in Network News