Private Military Companies

When outsourcing fails you

Microsoft’s South Korean MSN site, apparently very popular, more so than the US version, is operated by a third party. This vendor apparently did not patch their servers hosting MSN Korea, allowing for the malicious code to be inserted. On the technical side, disconcerting is the (currently) unknown (or not made public) duration the malicious code was operating.

Source: CNN.com – Microsoft:MSN site hacked in South Korea – Jun 2, 2005.

Microsoft acknowledges that hackers booby-trapped its MSN Web site in South Korea to steal passwords from visitors.

More from the CNN story:

The Korean site, unlike U.S. versions, was operated by another company,
which Microsoft did not identify. Microsoft’s own experts and Korean
police were investigating, but Microsoft believes the computers were
vulnerable because operators failed to apply necessary software
patches, said Sohn, an MSN director.

The Korean site, unlike U.S. versions, was operated by another company,
which Microsoft did not identify. Microsoft’s own experts and Korean
police were investigating, but Microsoft believes the computers were
vulnerable because operators failed to apply necessary software
patches, said Sohn, an MSN director.

Security researchers noticed the suspicious programming added to the
Korean site and contacted the company Tuesday. Microsoft traced the
problem and removed the hacked computers within hours, Sohn said, but
it doesn’t yet know how long the dangerous programming was present.

I’m not bashing on Microsoft here, but this case is demonstrative of the security implications of outsourcing. It was apparently not until Microsoft got involved that the issue was quickly resolved.

The ‘security researchers’ mentioned could have been part of non-Microsoft trawlers looking for a security hole for the glory of discovery (the Internet’s Magellans are alive and very busy) but what of the hacker looking for the exploitation?