18 Aug 2000
Microsoft has blamed administrator error, rather than a bug in its software, for leaving hundreds of websites running SQL Server open to attack this week.
Several UK government websites were attacked on Monday by a hacker called Herbless, who claimed to have exploited a weakness in SQL Server that allowed him to take over the websites of three local authorities and five government agencies. Attacks on major corporate sites in the US by pro-Napster activists have been linked to the same problem.
Nicholas McGrath, Windows product marketing manager at Microsoft UK, told vnunet.com that "the problems could have been prevented by administrators if they had followed recommended procedures in our documentation".
He said that when SQL Server is set up there is a simple default password for the SQL administrator. He said unless the system is being used on a trusted network, which the company owns entirely, Microsoft recommends this password be changed.
McGrath said that in an unchanged configuration, referred to as 'mixed mode', hacks could take place, but Microsoft guidelines recommend that administrators switch to NT authentication mode if connected to a public network, such as the internet, and that this would have prevented the hacks.
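The two checks McGrath describes (is the server accepting SQL Server logins over the network, and does the sa account still have a blank or default password) and the two fixes (set a password, switch to NT authentication) can be done from Query Analyzer or osql. The T-SQL below is an added example, not code from the article or from Microsoft's guidance; it assumes SQL Server 2000 on a default instance, a sysadmin session, and a placeholder passphrase that you replace with your own. It also covers the case Sowery raises further down, where SQL Server is installed silently as part of a third-party product, because the same queries work against that instance.

```sql
-- Added example (not from the vnunet.com article or Microsoft documentation).
-- Assumes SQL Server 2000, default instance, run as a member of sysadmin.

-- 1. Which authentication mode is the server in?
--    'Mixed' means SQL Server logins such as sa are accepted from the network.
EXEC master..xp_loginconfig 'login mode';

-- 2. Which SQL Server logins still have a blank password?
--    PWDCOMPARE hashes the clear-text argument and compares it with the stored hash,
--    so this lists every login an attacker could use with no password at all.
SELECT name
FROM master..syslogins
WHERE isntname = 0                     -- SQL Server logins only, not NT accounts
  AND PWDCOMPARE('', password) = 1;    -- 1 = the blank password matches

-- 3. Give sa a strong password. The passphrase is a placeholder (assumption);
--    sp_password's first argument is the old password, NULL is accepted from sysadmin.
EXEC sp_password NULL, 'Replace-With-A-Long-Random-Passphrase', 'sa';

-- 4. Switch to Windows NT Authentication only. LoginMode 1 = NT only, 2 = mixed.
--    This is the registry value Enterprise Manager's Security tab writes; it takes
--    effect only after the MSSQLServer service is restarted.
EXEC master..xp_instance_regwrite
    N'HKEY_LOCAL_MACHINE',
    N'SOFTWARE\Microsoft\MSSQLServer\MSSQLServer',
    N'LoginMode', REG_DWORD, 1;

-- After the restart, step 1 should report 'Windows NT Authentication' and
-- step 2 should return no rows.
```

Do step 3 even when you intend to run NT-only mode: the sa login is not removed by the mode change, and a later switch back to mixed mode (by an administrator or by an installer) would expose it again. Step 2 is also the quickest way to find an embedded instance with a blank sa password that nobody on staff knew was installed.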
He compared the hacks to a thief checking doors to see if the owner had left the keys in the lock.
Wayne Sowery, technical director at MIS Corporate Defence Solutions, agreed. "Microsoft is correct. It is a configuration issue and I think we'll see a lot more of these attacks. However, perhaps Microsoft should have included a prompt to change the password that appears on-screen during the configuration process," he said.
He added: "There is also the possibility that SQL Server may be running in the background as a licensed component of non-Microsoft software, with the administrator unaware of the need to change the default password."
Microsoft said on Thursday night that it would post guidelines to the Bugtraq mailing list hosted on securityfocus.com for administrators wishing to protect against copycat attacks, although as the list is moderated the post could be delayed by at least 24 hours. Microsoft appears to be taking the issue seriously, as evidenced by the four security spokesmen put forward to speak to vnunet.com yesterday.
The operator of one of the hacked UK government sites said it was working to ensure that similar attacks weren't executed on other sites hosted on its server. Chris Kenward, managing director at Thames Global Internet Service, which hosts the hacked binfield.gov.uk site, said "if [Herbless] could do that to one site, he could do it to the other 300 sites on our servers".
Security experts said it "looks likely" that a series of hacks on Tuesday and Wednesday, in which pro-Napster messages were posted on major corporate websites, exploited a similar vulnerability.