Microsoft blames administrators for hacking attacks

Software giant raises questions about how network administrators are looking after their systems

Microsoft on Monday blamed network administrators for last week's attacks on government Web sites.

Microsoft claims that network administrators failed to install adequate password protection on their SQL servers. The software giant believes that the hacker -- called Herbless -- was able to gain control of the SQL servers because network administrators had not set a password for administrator access. This is disputed by the author, who claims to have written new code which exploited weaknesses in the SQL servers to allow him to attack the Web sites.

SQL servers can run in two different states, mixed mode authentication and integrated authentication. In mixed mode, an administrator account is created with full access to the SQL environment, for which a password must be created. Microsoft advises that SQL servers that are connected to the Internet run in integrated authentication mode, because security is greater than in the mixed mode. It appears that the sites attacked by Herbless were running in mixed mode with the administrator password set blank.

Nicholas McGrath, product marketing manager of Microsoft UK, strongly encourages network administrators to maintain adequate security. "People must recognise how insecure the Internet is, and act accordingly. Leaving a Web site unprotected is the equivalent of leaving your car unlocked and full of valuables, with millions of people walking past", he said.

Microsoft responded quickly to Herbless' claims, and posted "best practice" advice. As well as recommending that SQL servers attached to the Internet are always run in integrated authentication mode, it advises that anyone running a system in mixed mode assign a strong password to the administrator account.
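An administrator can check both points of that advice on a server they run. The T-SQL below is an added example, not code from Microsoft or from the original article; it assumes a current SQL Server version that provides the `sys.sql_logins` catalog view and `PWDCOMPARE`, and it goes slightly beyond the article by also flagging passwords identical to the login name.

```sql
-- Added example: audit a SQL Server instance you administer.
-- Assumes sys.sql_logins and PWDCOMPARE are available (current SQL Server versions).

-- 1. Authentication mode: 1 = integrated authentication only, 0 = mixed mode.
SELECT CASE CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int)
           WHEN 1 THEN 'Integrated authentication only'
           WHEN 0 THEN 'Mixed mode: SQL logins are accepted'
           ELSE 'Unknown'
       END AS authentication_mode;

-- 2. SQL logins whose password is blank or identical to the login name.
--    PWDCOMPARE hashes the candidate and compares it with the stored hash.
SELECT l.name,
       l.is_disabled,
       l.is_policy_checked,
       CASE
           WHEN PWDCOMPARE('', l.password_hash) = 1 THEN 'blank password'
           ELSE 'password equals login name'
       END AS finding
FROM sys.sql_logins AS l
WHERE PWDCOMPARE('', l.password_hash) = 1
   OR PWDCOMPARE(l.name, l.password_hash) = 1;

-- 3. State of the built-in administrator account.
--    It keeps SID 0x01 even if it has been renamed from "sa".
SELECT name,
       is_disabled,
       is_policy_checked,
       is_expiration_checked
FROM sys.sql_logins
WHERE sid = 0x01;
```

Any row returned by the second query on an Internet-facing server in mixed mode is the condition Microsoft describes in this article.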

Sheffield City Council, whose Web site was defaced by Herbless, refused to comment on the hacker attack.

McGrath claims it is not up to Microsoft to make the software foolproof. "We could tighten up the software, but this would result in lowered usability. We believe in providing users with flexibility and choice, but the downside is more opportunity to compromise security," he said. The mixed mode is appropriate for a network that is not connected to another network such as the Internet.

Sandra Baccari Edler, research analyst with IDC, agrees that more attention must be paid to online security, but believes that such attacks help to alert other administrators to the dangers. "The gap in security that this hacker used is one that can and often has been overlooked by those responsible for securing their organisations. The good news, however, is that these incidents raise awareness, allowing potential victims to secure their systems before they are breached," she said.

She agrees with McGrath that organisations must be aware that the Internet is a very insecure environment. "Only when companies treat their security needs in a comprehensive manner will the likelihood of such easily achieved hacks decrease", she added.
