Microsoft Security The Internet

Korean MSN Site Hacked 305

Posted by CowboyNeal
from the open-for-rooting dept.
An anonymous reader writes "CNN is reporting that MSN's Korean website was hacked in order to allow usernames and passwords to be stolen. Microsoft is initially blaming unpatched, outsourced servers. Just another embarrassment to Microsoft's security push."
This discussion has been archived. No new comments can be posted.

  • by mingot (665080) on Friday June 03, 2005 @12:15AM (#12711275)
    We all know microsoft doesn't trust windows to run its webservers!
  • by MyNymWasTaken (879908) on Friday June 03, 2005 @12:15AM (#12711278)
    Untold number of "In korea, only old people..." bad jokes are on their way.
  • by turtled (845180)
    I assume they weren't using *nix? =)
  • Oh No! (Score:5, Funny)

    by Greenisus (262784) <michael@mayot[ ].com ['ech' in gap]> on Friday June 03, 2005 @12:17AM (#12711291) Homepage
    They might steal all the old peoples' email passwords!
  • Hopefully, this incident will remind MSN of the importance of always making sure they have applied the latest patches, updates, and service packs from Microsoft's Windows Update site.
    • Yeah, but as the article states, the servers were outsourced. Rather than a lesson over the importance of patching, I feel this is more a lesson of if you want something done right, do it yourself.
    • At least not that I've seen in my limited Windows admin experience. They always seem to be manual hotfixes and service packs.
  • by Dancin_Santa (265275) <DancinSanta@gmail.com> on Friday June 03, 2005 @12:18AM (#12711299) Journal
    It's not really an embarrassment to Microsoft. It's an embarrassment to Koreans who have long been the leaders in wide-spread broadband and internet usage. You'd have expected that they, of all nationalities, would have their act together when it came to running servers. Unfortunately, it seems that even they are not immune to hacks.

    Which is all for the better, of course. The more these systems are attacked, the harder they become. Kind of like how the SR-71's outer plating would become harder each time it took to the skies, or like how the samurai's katana becomes harder each time it is thrust into the forge. Systems become stronger by trial.

    So next time there won't be this problem. That there was a problem this time is unfortunate, but like the lessons of history, this experience will make the victims Better. Stronger. Faster than before.
    • by nacturation (646836) <nacturation AT gmail DOT com> on Friday June 03, 2005 @12:46AM (#12711450) Journal
      It's an embarrassment to Koreans who have long been the leaders in wide-spread broadband and internet usage. You'd have expected that they, of all nationalities, would have their act together when it came to running servers.

      How do you figure that? Widespread broadband penetration does not imply widespread knowledge of sound security principles. I wouldn't be surprised to find that Korean servers are hacked just as often as the servers in any other nation -- the only difference being that the hackers/scriddies use higher speed connections.
    • Which Koreans do you want to blame? All Koreans?
    • So next time there won't be this problem. That there was a problem this time is unfortunate, but like the lessons of history, this experience will make the victims Better. Stronger. Faster than before.

      Not always. Sometimes the experience leaves the victim Dead. Extinct. Irrelevant. (cf : Dinosaurs)


    • > Kind of like how the SR-71's outer plating would become harder each time it took to the skies, or like how the samurai's katana becomes harder each time it is thrust into the forge

      ...or like thinking gets harder after every hit on the hash pipe.

    • Of course it is an embarrassment to Microsoft! You would not absolve your bank of responsibility for your money just because they outsourced one of their servers. Neither should we so absolve Microsoft when they fail to protect the passwords that may grant miscreants access to those same funds.

      Passport is supposed to be Microsoft's single point of entry to the web. Sign on to one passport site and you're validated for all of them. That's the plan, that's what Microsoft want for passport. Potentially, pass

  • by Anonymous Coward on Friday June 03, 2005 @12:19AM (#12711304)
    Please slashdot, you're not doing any justice by harping on Microsoft. Your bias is just disgusting. Why don't you post one of the 1,000,000 Linux defacements or break-ins that happen monthly?

    And I know I'm posting Anonymously. I don't have an account nor do I care to create one at your site until you stop being the Fox Network equivalent for Tech News.
    • say why don't you give me an example of a linux-based server defacement? if there's a million out there you should be able to get an example to me easily. Back up your claim or I'll consider it flamebait. Not only that, but /. lets users discuss things, unlike Fox, where nothing gets discussed in the first place. I'll gladly discuss the matter later with you, IF you post a link of a linux defacement example as a reply to this topic.
    • by frikazoyd (845667) on Friday June 03, 2005 @01:28AM (#12711617)
      You don't get the major point here. It's an embarrassment because it is a major, high-traffic website that requires more security than piddly local paper server number twenty seven that doesn't get a hundredth of the traffic, isn't nearly as popular, and isn't kept up to snuff on the patches.

      Now, when a major linux distribution website like RedHat or Suse or Ubuntu or Debian's gets hacked, then you'll have a case for comparison.
    • if you find us as "the Fox Network equivalent for Tech News," do what I do with Fox- don't watch it. or in this case, don't read it. at least here on /. you get a forum where your voice can be heard, or your words at least read. and even though I don't mind some bias against microsoft, there are at least 2 or 3 anonymous cowards ;) that posted back to agree with you that they feel that unfair bias is placed against microsoft. while it appears that a paradox is emerging, at the same time we can see by mod
    • by superpulpsicle (533373) on Friday June 03, 2005 @01:37AM (#12711642)
      Are you implying it's okay for Windows to be hacked 20 times if Linux is also hacked 20 times?

      If Linux has vulnerabilities, then Windows have even less excuse as a billion dollar corporation.

    • I don't have an account nor do I care to create one at your site until you stop being the Fox Network equivalent for Tech News.

      But you sure don't mind reading "the Fox Network equivalent for Tech News" and taking the time to post comments, thus becoming a member of the very community you criticize. Slashdot usually reflects the biases of its members. So what? Slashdot doesn't claim to be fair and balanced. Has it ever?

      Slashdot editors are not journalists, either. New York Times writers, yes, Slashdot

    • Waaaaah.


      Fact of the matter is, Microsoft's own website being hacked, while they're in the middle of a huge (fake) "Security Push," *is* tech news. MomAndPop.com's mail server getting pwned isn't.

    • > And I know I'm posting Anonymously. I don't have an account nor do I care to create one at your site until you stop being the Fox Network equivalent for Tech News.

      Hello there, Bill!

    • Please slashdot, you're not doing any justice by harping on Microsoft. Your bias is just disgusting. Why don't you post one of the 1,000,000 Linux defacements or break-ins that happen monthly?

      There are 1,000,000 Windows defacements or break-ins that happen monthly, but they don't get reported here either.

      Ever heard of phrase 'high-profile'?
  • by creimer (824291) on Friday June 03, 2005 @12:20AM (#12711308) Homepage
    Microsoft is initially blaming unpatched, outsourced servers.

    Looks like they didn't install SP2, enabled the firewall, and have automatic download of Windows Updates enabled. I guess Microsoft forgot to pay extra for having "secured" servers when they signed the outsource contract. It's a shame that they have to eat their own dogs... uh, food.
    • "Looks like they didn't install SP2, enabled the firewall, and have automatic download of Windows Updates enabled."

      Probably not since they weren't using XP as a server.
    • SP2? (Score:3, Interesting)

      by 3770 (560838)
      Not that this is very important, but they wouldn't be running their servers with SP2.

      They are likely running Windows Server 2003 and the latest service pack for WS2K3 is SP1. SP1 for WS2k3 came out after SP2 for XP so it should contain everything that SP2 contains.
      • Not that this is very important, but they wouldn't be running their servers with SP2.

        I was just repeating the obvious consumer line since you need SP2 for patches and IE7. Even with Windows Server 2003, it's the same thing except the service pack number is different.
  • Moral of the story? (Score:3, Informative)

    by Scorillo47 (752445) on Friday June 03, 2005 @12:22AM (#12711318)
    >>> The Korean site, unlike U.S. versions, was operated by another company, which Microsoft did not identify. Microsoft's own experts and Korean police were investigating, but Microsoft believes the computers were vulnerable because operators failed to apply necessary software patches, said Sohn, an MSN director.

    Don't trust other companies to apply security patches for your site.
    • I think you mean their server. Again, this is what Microsoft 'believes', according to their own statements. There is no proof yet what happened and how.

      All that is known is that code was attached to the site. While it's most likely the result of an exploit, it could be that a disgruntled employee did it.
  • The server they run (Score:5, Interesting)

    by putko (753330) on Friday June 03, 2005 @12:22AM (#12711320) Homepage Journal
    From Netcraft:

    Windows Server 2003
    Microsoft-IIS/6.0 9-Dec-2004

    http://toolbar.netcraft.com/site_report?url=http://www.msn.co.kr [netcraft.com]
  • by typical (886006) on Friday June 03, 2005 @12:22AM (#12711323) Journal
    "CNN is reporting that MSN's Korean website was hacked in order to allow usernames and passwords to be stolen. Microsoft is initially blaming unpatched, outsourced servers. Just another embarrassment to Microsoft's security push."

    Yes, Microsoft has a good deal of well-deserved bad karma. That you could consider this to be a failing of their software is ridiculous, though. If this is an embarrassment to Microsoft, many Free, Open software packages of every sort, from Apache to Linux to OpenBSD to OpenSSH have been so embarrassed.

    I'm all for calling out Microsoft when they're (a) full of marketing bullshit, (b) way behind everyone else technically, and (c) playing dirty politics. They deserve to be criticized then. But this is simply a non-event. They had a website get cracked. Big deal. Heck, Sourceforge, the largest repository of Open Source software, has been cracked multiple times, if you want an Open Source counterpart.

    Blame Microsoft when they deserve it, and your words will get more weight. If Oracle had run out and said that "Our database is hacker-proof", and the next day their website had been broken into and their database cracked, that would be a fair point to criticize someone. But simply "you had a website cracked" is no longer a big deal for most companies.
    • Sourceforge is a kludge of every insecure OSS program out there: FTP, CVS, etc. It isn't very representative of a normal website.
    • by tres (151637) on Friday June 03, 2005 @01:20AM (#12711587) Homepage
      The news here is that it wasn't just a vulnerability published, nor a proof of concept, it was a full fledged crack attack against one of the sites that represent the corporation itself. The news here is that it's the same old Microsoft. The news here is that "Trustworthy Computing" is just another marketing buzzword. The news here is that if you can't even manage to secure your own servers, how do you expect the rest of the world to do it?

      Microsoft deserves every bit of blame that they get. They want to pretend like security is something that can be applied like a coat of paint, but in the end, incidents like this prove that it's the same old crap rolling out of Redmond.

    • I think you've misunderstood why this is an embarrassment to Microsoft. It's not that a server running their code got hacked. It's not that a server with their name on it got hacked. It's that they hired someone to run their code for them, but they didn't even perform trivial checks that it was being done properly.

      It's not embarrassing to be hacked. It's embarrassing to be hacked for lack of your own patches.


    • If this is an embarrassment to Microsoft, many Free, Open software packages of every sort, from Apache to Linux to OpenBSD to OpenSSH have been so embarrassed.

      Who could forget the profound depth and breadth of the OpenBSD security exploit of late winter 2002 that affected millions of people worldwide, leaving them without power in the dark, the cold, and wondering if life would ever go on the same.

      To this day I see teens at the mall with cowed looks because of the horrific imprint that the OpenBSD secu

  • In Korea... (Score:4, Funny)

    by Luigi30 (656867) on Friday June 03, 2005 @12:25AM (#12711337)
    Only old servers are unpatched.
  • Outsourcing (Score:5, Insightful)

    by stox (131684) on Friday June 03, 2005 @12:29AM (#12711361) Homepage
    I am sorry, Microsoft, but I don't give a damn that you outsourced your servers. The customer is buying your name and reputation when they buy your product. So, you may have saved money on the bottom line, but you have squandered trust the consumer had for you. At some point in the future, you will realize what a valuable commodity this was and how expensive it is to re-acquire.
    • "So, you may have saved money on the bottom line, but you have squandered trust the consumer had for you. At some point in the future, you will realize what a valuable commodity this was and how expensive it is to re-acquire."

      I like how it's completely Microsoft's fault even though a.) some dickhead maliciously broke into their server b.) it could have been prevented by the non-MS people in charge by staying up to date.

      Can we at least make a couple of 'Insightful' speeches about the real bad guy?
      • I like how it's completely Microsoft's fault even though a.) some dickhead maliciously broke into their server b.) it could have been prevented by the non-MS people in charge by staying up to date.

        It is MS's fault because MS did not do enough to ensure their subcontractor ran a secure system: It is MS' responsibility to ensure that their contractors have the appropriate skills and motivation to run the website securely. Clearly MS failed.

        • "It is MS's fault because MS did not do enough to ensure their subcontractor ran a secure system:"

          If the contractors didn't live up to their end of the contract, the burden's on them.
          • If the contractors didn't live up to their end of the contract, the burden's on them.

            That's what audits are for: to make sure contractors are living up to the contract.

            My point was that MS needs to provide the necessary motivation to ensure the security procedures are properly followed.

            What's the phrase: "Trust but verify"?

            Please don't interpret my remarks as saying that the contractors did not screw up: if the reports are correct they did; but ultimately it is was a MS website and MS's custome

      • Re:Outsourcing (Score:4, Insightful)

        by grolschie (610666) on Friday June 03, 2005 @12:57AM (#12711508)
        Can we at least make a couple of 'Insightful' speeches about the real bad guy?

        Meh! Bill Gates jokes are getting tiresome.
    • So, you may have saved money on the bottom line, but you have squandered trust the consumer had for you. At some point in the future, you will realize what a valuable commodity this was and how expensive it is to re-acquire.

      Next "security" fix out - the automated oxytocin mister! [slashdot.org] Required for all corporate accounts!
    • You do have a point. It's the Microsoft name that is plastered over the website. It's part of their responsibility to ensure that their websites are secure, but part of the blame is on who hosted the servers. Given MS' history of security issues, you would think that securing their own servers would be a priority. Maybe MS did have security policy and mandates in place. Maybe the contractor ignored them. Maybe this is a problem of bureaucracy. MS just didn't check out every detail that they should. The
  • Right... (Score:2, Interesting)

    by Anonymous Coward
    Aww how cute! Look at all the Anti-Corprate Gates haters. Maybe if there were as many Linux haters you would see the same happen to Linux systems.
  • by Elminst (53259) on Friday June 03, 2005 @12:43AM (#12711438) Homepage
    "Microsoft said it cleaned the Web site, www.msn.co.kr, and removed the dangerous software code... "

    I got $5 that says this translates to "formatted and reinstalled the OS..."
    • by TCM (130219) on Friday June 03, 2005 @12:53AM (#12711489)
      I got $5 that says this translates to "formatted and reinstalled the OS..."

      Well, what would you do?
      • by zulux (112259)
        Well, what would you do?

        Formatted and installed a different OS.
        • The point is, you don't run any code from a compromised system. You wipe the system, install (the same or another system) from fresh install media and restore your data (not programs, not scripts without review, nothing except non-executable files).

          While the "format and reinstall" attitude in the perspective of just running a system over a long time is certainly wrong, it is crucial after a security breach.
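The restore rule in the comment above (bring back data, hold anything executable for review), as an added example that is not part of the original thread: a Python triage pass over a backup tree that classifies files by content as well as by name. The extension list, the sample files and the function names are assumptions made for the illustration.

```python
import os
import tempfile
from pathlib import Path

# Leading bytes of native executables (PE/DOS, ELF, Mach-O, Java class) and "#!" scripts.
EXEC_MAGIC = (b"MZ", b"\x7fELF", b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",
              b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe", b"#!")
# Assumed list of types a Windows host or web server runs or interprets.
# HTML is included because code injected into served pages lives there.
ACTIVE_EXT = {".exe", ".dll", ".sys", ".scr", ".com", ".msi", ".lnk", ".bat",
              ".cmd", ".ps1", ".vbs", ".wsf", ".hta", ".js", ".asp", ".aspx",
              ".php", ".jsp", ".cgi", ".pl", ".py", ".sh", ".htm", ".html"}

def classify(path: Path) -> str:
    """Return 'review' for anything that could execute, otherwise 'data'."""
    if path.is_symlink():
        return "review"  # a link may point outside the restore set
    if path.suffix.lower() in ACTIVE_EXT:
        return "review"
    with path.open("rb") as fh:
        head = fh.read(4)
    # Content check catches executables renamed to look like data.
    if any(head.startswith(magic) for magic in EXEC_MAGIC):
        return "review"
    return "data"

def triage(backup_root) -> dict:
    """Walk a backup tree and split it into restorable data and held files."""
    root = Path(backup_root)
    plan = {"data": [], "review": []}
    for dirpath, dirnames, filenames in os.walk(root):  # does not follow links
        for name in dirnames:
            p = Path(dirpath) / name
            if p.is_symlink():
                plan["review"].append(p.relative_to(root).as_posix())
        for name in filenames:
            p = Path(dirpath) / name
            plan[classify(p)].append(p.relative_to(root).as_posix())
    for entries in plan.values():
        entries.sort()
    return plan

def demo() -> dict:
    """Build a small constructed backup tree and triage it."""
    sample = {  # constructed sample files, not taken from any real system
        "db/users.csv": b"id,name\n1,kim\n",
        "img/logo.gif": b"GIF89a\x01\x00\x01\x00",
        "img/banner.jpg": b"MZ\x90\x00\x03\x00",      # PE header behind an image name
        "docs/notes.txt": b"#!/bin/sh\necho hi\n",    # script behind a text name
        "www/index.html": b"<html><body>news</body></html>",
        "www/login.asp": b"<% Response.Write(1) %>",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in sample.items():
            target = Path(tmp) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(content)
        return triage(tmp)

if __name__ == "__main__":
    for bucket, files in demo().items():
        print(bucket, files)
```

Files in the `data` bucket can still carry active content this check does not inspect, such as office documents with macros, so the list is a starting point for the review rather than a clean bill of health.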
          • [..] and restore your data (not programs, not scripts without review, nothing except non-executable files).

            Well, that's just not the Windows-way to do things. In Windows-land every backup-tool in existence will back up the whole hard drive.

            Of course everybody with a clue knows that this is inefficient and insecure.

            Everybody without a clue doesn't know any alternatives anyway...

    • >> "Microsoft said it cleaned the Web site, www.msn.co.kr, and removed the dangerous software code... "

      So which distro did they load to replace windows?
    • Yep, or reimaged it. So what?

      <rant type="NOT directed in any way at parent poster">

      This whole story is just dumb. A site run by MS got cracked. Yay. At least they admitted it - putting them well above companies with much more of a responsibility to do so.

      I know how hard it is to keep a network secure, especially where multiple companies are involved (and before anybody starts, I'm a *nix and Linux user so don't tell me any crap about "just use Linux to make your network secure"). This isn't news. Y
  • by SamMichaels (213605) on Friday June 03, 2005 @01:04AM (#12711540)
    Just another embarrassment to Microsoft's security push.

    No, this is a classic case of why outsourcing mission critical systems and/or data is wrong. It also goes to show that it's NECESSARY to patch mission critical hardware (hell, even non-mission critical Spider Solitaire machines).

    We all have issues with MS, but this time it isn't directly their fault.
    • um, how is it not directly their fault? they did choose to outsource the mission critical component of the system, did they not?

      it seems you are relieving companies of any responsibility for outsourced operations.
  • This wouldn't have been that big of a deal if Microsoft's security push came w/ Trust in a Bottle...
  • Remember, Debian's servers were hacked a while back. People who live in glass houses shouldn't throw stones.
    • Hardly comparing like with like. Debian is a small, volunteer project with a few thousand dollars to hand. Microsoft is a giant global corporation with billions of dollars on hand. They have orders of magnitude more resources to devote to security than the Debian project.

      Windows SHOULD be vastly better than Linux, given how much they charge for it and given the extreme wealth of the company behind it.
  • Oh noes! (Score:3, Funny)

    by Ridge (37884) on Friday June 03, 2005 @01:37AM (#12711639)
    The hackers used the Zerg rush.
  • Bill Gates: Chairman Il, I'm calling in regards to your proposal to develop MSN-orthKorea.

    Kim Jong Il: Ahh, yes. I would like all searches to return two results--the party's web page and Western blondes [wikipedia.org]. And the butterfly is too free. Can you change it to a moth made from gray wool and the sorrows of my people?

    Bill Gates: I think we can do that. MothXP (formerly My Moth) enables you to go that place today.

    Kim Jong Il: Excellent... Can you make the moths old?

  • by Twillerror (536681) on Friday June 03, 2005 @08:41AM (#12712937) Homepage Journal
    People wonder why people have doubts about open source. One reason is accountability.

    If linux.org got hacked, who'd care, or even if slashdot ( remember ). MS at least is standing up and admitting it has a problem. OS just hides behind its structure. Because we are open we will get patched.

    Somebody hacked into their computers in order to steal passwords, not to shame MS. Be mad at the hackers for once. Is this going to be any different if/when MS is not king of the hill? No, get over it.

    On a side note. Has slashdot ever considered not allowing posts to a story? This is a classic example of a useless post section. About the only thing useful might be how they got in, but no one is going to know that until this story isn't on the front page.

    Can we IhateMS.slashdot.org and stick these stories there?

    • I agree this story is really fairly gratuitous MS Bashing but your comments about accountability are way off track.

      First of all if any particular website got hacked then who ever runs that website is going to be accountable for it, I'm sure they too would stand up and say they had a problem.

      Amusingly in this instance MS isn't really standing up and admitting they have a problem they are saying "It's not our fault, blame the company we outsourced management of our servers to" which isn't really a great ex
  • In Korea, only old servers are used for email...
  • by mcc (14761) <amcclure@purdue.edu> on Friday June 03, 2005 @10:54AM (#12713958) Homepage
    So the idea is that Microsoft may not be responsible for the security and user safety of online services with their name on it because they may not personally be the ones actually running it?

    Well then I'll be sure to keep that in mind the next time I am considering paying for or signing up for a Microsoft-branded online service.
