All the latest UK technology news, reviews and analysis
|
|
|
03 Apr 2002
British Airways has removed 100 "unauthorised" web servers running Microsoft IIS from its network over fears that the software could be a target for virus attacks.
The move came after the company found that the web servers had been installed by its own staff "without the correct authorisation procedures".
BA was worried that the servers could be attacked by the Code Red virus. A company spokesman said that the airline was not affected by the virus.
Code Red exploits a buffer overflow vulnerability in an unpatched machine that could allow an attacker to gain complete control of an affected web server.
It then makes copies of itself and scans the internet looking for other vulnerable IIS machines to infect. It is this that led the airline to take preventative measures.
"As part of our normal housekeeping procedures, and in line with good IT security practice, we launched an internal review of our use of Microsoft web servers," said a spokesman. "We are undertaking a project to remove the product where it has been installed without the correct authorisation procedures."
According to internet consultancy Netcraft, all BA websites currently visible from the internet run Netscape Enterprise 4.1 on Sun Solaris.
The BA spokesman explained that all the IIS servers ran internal departmental intranets and that it was not possible to view them externally "unless this is configured in our web access control infrastructure".
If an IIS-based server is not properly configured and patched, it is vulnerable to attacks. The spokesman admitted that "there is no such thing as perfect security".
Richard Barber, of security consultants Integralis, said that BA had felt secure because it had a policy of using non-Microsoft web servers.
"People on the inside of a company can set up their own web servers and, if these go to the internet through the firewall at http, they become visible," he explained. "It is then fairly obvious from the outside of the network to hackers."
"Unfortunately BA was not managing and maintaining the threat that staff presented in putting up their own websites," he added.
In future BA hopes to keep tabs on its infrastructure "by regular audits and reviews of web servers", said Barber.
Microsoft declined to comment.
Latest stories from Security
Related videos
Related articles
Related jobs
Poll
Are you confident that the UK's IT infrastructure is secure from attack in the wake of the Flame malware revelations?
Orange and Intel talk us through the ins and outs of their San Diego smartphone
Connect with V3.co.uk
The wrong printers, for the wrong tasks on the wrong contracts
Who leads the BI pack and who should we be watching out for?
2nd & 3rd Line CRM Support Analyst / MS CRM Systsems...
Digital Insight Manager, Hertfordshire, £28,000. An...
Enterprise / Solutions Architect. Salary £60,000 - £90...
Business Intelligence Developer - Leeds. Salary £35,000...
Keep up to date with the latest products, services and technologies from the world's leading IT companies. IThound.com brings you over 2,000 white papers, case studies and analyst reports.
Do you agree?