Mon, Jun 19 2006 4:11
Early info isn't sometimes GOOD info
Saw a post about how "Microsoft France"'s web site was hacked, but I'm not certain that ms.com's IIS was... the web post in question doesn't point to http://www.microsoft.com/france but rather to a web site called http://experts.microsoft.com/fr, and the link to a page with a default.aspx sure feels like that's a blog site. Now if it is, unless you have a fully patched version of CS 2.0, there are some security issues in CS 2.0.
<theory and speculation dead ahead.. so I will prob be posting a p.s. later>
Three things come to mind...
First, that good info isn't necessarily the info you get early on in the investigation, so I'd say the jury is still out on whether "Microsoft France" truly was defaced... and secondly...
When you outsource and don't ensure that every bit of code on a site meets your firm's security review, you run the risk of potential issues. If your standards are to patch for issues and you have an application that is at risk with no way to review for it, you may have issues. The CTO guy at Microsoft who was giving a talk the other day said that home-grown apps that they find inside the org that have not been vetted for security issues cause risk.
Lastly, to a certain person who will remain nameless... you were right. When hiring third-party vendors to do work for you and their code doesn't meet your standards, and you then include it as part of your 'mantle of software' offerings, regardless of the fact that the data in the site isn't THAT important, it reflects back on your corporateness.
Good coding matters. Even if it's on a site that isn't as mission critical. Good coding... or bad coding reflects back on the site.
Again, the info is in its early stages and all that... but this 'feels' like it was a blog site that got hacked and not Microsoft France's site... furthermore it 'feels' that it was the application that had the hole and not IIS, which is pretty consistent with the threat landscape these days: apps are the targets, rather than the platform.
Of course this is all speculation on early information, and of course I could be wrong... but the Google cache of the site sure feels like a CS blog site got nailed and not "Microsoft".