Dutch hacker breaks into Microsoft Web server again

The Dutch hacker who penetrated one of Microsoft Corp.'s Web servers last Friday has done it again, marking the third time in less than two weeks that the software vendor has had to confirm that its corporate network was successfully breached by outsiders.

A Microsoft Web server that redirects incoming traffic to another system was compromised Tuesday in much the same way it was last week. In the first incident, the hacker, whose alias is "Dimitri," took advantage of a known security hole in Microsoft's Internet Information Server (IIS) that the company had failed to plug even though it recently urged users to install an already-available patch.

On Tuesday, Dimitri took credit for another incursion in which the Web server was defaced with a text file that read, "Patching your systems is very hard, huh?" Dimitri also complimented pop singer Britney Spears, who he claims is his idol, for a concert she performed last Saturday in the Netherlands.

Microsoft spokesman Adam Sohn confirmed the latest incident took place, but he said the hacked pages on the server weren't visible to regular users of the company's Web site. Only people privy to the specific Web address of the pages that Dimitri created could view them, Sohn said, adding that the hacker disseminated the URL to reporters and other hackers.

Microsoft's systems administrators "just don't bother securing their networks," Dimitri said when asked why he had broken into the Web server for a second time. "The only thing they did on Friday was remove the file I left [then]," the 19-year-old student added. "Basically, they lied about applying patches."

However, Sohn said the software giant remains unsure of exactly how the second hack was accomplished. The patch that's supposed to plug the IIS security hole was indeed installed after the initial incident last week, he added. Sohn couldn't say why the patch wasn't applied in the first place but claimed that the oversight was "certainly the exception, not the rule."

Sohn also downplayed the impact of Dimitri's hacking exploits, saying the victimized Web server is in semiretirement and is only being used to redirect traffic to a second system that stores information about upcoming Microsoft events. "It's an unfortunate and annoying occurrence," Sohn said.

But the two hacks by Dimitri came close on the heels of Microsoft's disclosure that it had been hit by a more serious month-long intrusion in which an attacker was able to view the source code for an unspecified future product. That incident was reported on Oct. 26 to the FBI, which is investigating the matter.

"Certainly, the timing is unfortunate," Sohn said. "Every organization has a security team that tells you they can do better. For us, security is a journey, not a destination." But he defended Microsoft's internal systems, saying the company's security procedures were able to minimize the damage done in all three incidents.

Michiel Gosens, a spokesman at Microsoft's Dutch subsidiary, said officials at the Microsoft Nederland unit have asked Dimitri to meet with them next week. "We want to start a dialogue with Dimitri," Gosens said. "We would like to know why Dimitri feels he needs to challenge us this way."

Gosens said executives at Microsoft's corporate headquarters have been informed about the proposed meeting with Dimitri. However, he added, they have yet to reply with their approval or disapproval on the matter.

Joris Evers of the IDG News Service contributed to this story.
