Credit Card Theft Exploits IIS Hole

Companies rushing into Internet Commerce select Microsoft IIS (Internet Information Server) "because it's easy to use", then neglect to patch known security holes.

UPDATE - 03-26-00 - Among the credit cards compromised from these sites was the credit card of one William Gates III of Microsoft Corp.

Mar 00 - Several smaller e-commerce sites were recently hacked through a well-known hole in Microsoft's IIS (Internet Information Server). Thousands of credit card numbers, names and addresses were posted on the Internet for interested parties to download and use as they see fit.

"How the hell did he even find us? We are nobody. Why did he pick us?" Obviously, some of these sites were relying on "security through obscurity", a strategy which no longer works at all in this day of automated "script kiddie" hacking tools that sweep whole address blocks looking for sites with known weaknesses. Being small is no protection; such tools do not pick targets, they find them.

Microsoft has been aware of this security hole in IIS for a year and a half, and has twice issued notices that it should be patched, but many users of the product do not read the notices and have not downloaded and installed the patches.

Microsoft Internet Information Server, which runs on Windows NT 4.0, has been very popular with businesses anxious to get an e-commerce site on the Web quickly and cheaply. It is free with NT, and has an easy-to-use "point and click" interface, as compared to, say, Apache, which is configured by editing text files.

Because security conflicts with "easy to use", Microsoft ships its products set to minimal security. It is up to the user to change the defaults to something that actually protects the system. Since IIS is preferred by those with relatively limited technical skills, such annoying details are often neglected.

Do other Web servers have security problems? Yes, but almost by definition (and because they lack GUI interfaces), they are usually run by technically astute administrators who pay a lot of attention to protecting their systems, not by "point and click" artists working for PHBs.

Unfortunately, Computer Security for Dummies is out of print.