[Am-info] Microsoft Spills Customer Data
Mitch Stone
mitch@accidentalexpert.com
Thu, 21 Nov 2002 08:31:47 -0800
http://www.wired.com/news/infostructure/0,1377,56481,00.html
Microsoft Spills Customer Data
Microsoft took a public file server offline Tuesday after Internet users discovered that the system contained scores of internal Microsoft documents, including a huge customer database with millions of entries.

The file transfer protocol server ordinarily enables Microsoft customers to download drivers, software patches and other files, as well as to upload files to the company's PSS Security Response Team.

But an apparent configuration error, along with what experts say was an ineffective internal security policy, enabled the public to have full access to folders containing confidential company presentations, spreadsheets, internal reports and other company information.

Among the files accessible to any Internet user was a 1 GB database containing millions of names and mailing addresses. The data was kept in a compressed archive named dmail_11_04_02.zip. The file, which was protected with the password "dbms," was easily opened with freely available password-cracking software.
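The password-protected archive is the one technical detail in this story worth seeing in code. What follows is an added example, not part of the Wired article and not anything Microsoft or the researchers quoted published: it implements the traditional PKWARE stream cipher ("ZipCrypto") that classic .zip password protection uses, hand-builds a small stand-in archive protected with the same password, "dbms", checks that the standard library opens it, and then recovers the password with a dictionary attack. The article does not say which encryption scheme or cracking tool was involved; ZipCrypto is assumed here because it was the password scheme common zip tools used in 2002. The entry name, its contents and the word list are constructed for the example, and all function and class names are the example's own.

```python
import io
import struct
import zipfile
import zlib

# CRC-32 table (polynomial 0xEDB88320); ZipCrypto's key schedule reuses it.
_CRC_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRC_TABLE.append(_c)


def _crc32_byte(crc, b):
    return _CRC_TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)


class ZipCrypto:
    """Traditional PKWARE ("ZipCrypto") stream cipher, keyed from the password."""

    def __init__(self, password):
        self.keys = [0x12345678, 0x23456789, 0x34567890]
        for b in password:
            self._update(b)

    def _update(self, b):
        k = self.keys
        k[0] = _crc32_byte(k[0], b)
        k[1] = (k[1] + (k[0] & 0xFF)) & 0xFFFFFFFF
        k[1] = (k[1] * 134775813 + 1) & 0xFFFFFFFF
        k[2] = _crc32_byte(k[2], k[1] >> 24)

    def _stream_byte(self):
        t = (self.keys[2] | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def encrypt(self, data):
        out = bytearray()
        for b in data:
            out.append(b ^ self._stream_byte())
            self._update(b)            # key state advances on the plaintext byte
        return bytes(out)

    def decrypt(self, data):
        out = bytearray()
        for b in data:
            p = b ^ self._stream_byte()
            out.append(p)
            self._update(p)
        return bytes(out)


def build_encrypted_zip(name, data, password):
    """Hand-assembles a one-entry, stored (uncompressed) ZipCrypto archive."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    # 12-byte encryption header; its last byte is the CRC's high byte, which is
    # exactly what a reader (or a cracker) tests a candidate password against.
    header = bytes(range(11)) + bytes([crc >> 24])
    body = ZipCrypto(password).encrypt(header + data)
    flags, method, dtime, ddate = 0x0001, 0, 0, 0x21   # flags bit 0 = encrypted
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, dtime,
                        ddate, crc, len(body), len(data), len(name), 0) + name
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags,
                          method, dtime, ddate, crc, len(body), len(data),
                          len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1,
                       len(central), len(local) + len(body), 0)
    return local + body + central + eocd


def read_with_stdlib(zip_bytes, password):
    """Interoperability check: the standard library must accept our archive."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(zf.namelist()[0], pwd=password)


def stdlib_accepts(zip_bytes, password):
    """True if the standard library opens the entry with this password."""
    try:
        read_with_stdlib(zip_bytes, password)
        return True
    except (RuntimeError, zipfile.BadZipFile):
        return False


def crack(zip_bytes, candidates):
    """Dictionary attack. A guess costs keying the cipher with the candidate
    and decrypting 12 bytes; the header byte is only a 1-in-256 filter, so a
    survivor is confirmed by decrypting the entry and comparing the CRC.
    Returns (password, guesses) or (None, guesses)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        info = zf.infolist()[0]
    off = info.header_offset
    fnlen, exlen = struct.unpack_from("<HH", zip_bytes, off + 26)
    start = off + 30 + fnlen + exlen
    raw = zip_bytes[start:start + info.compress_size]
    check_byte = (info.CRC >> 24) & 0xFF
    for n, word in enumerate(candidates, 1):
        zc = ZipCrypto(word.encode())
        if zc.decrypt(raw[:12])[11] != check_byte:
            continue                            # cheap reject
        plain = zc.decrypt(raw[12:])            # same key state continues
        if zlib.crc32(plain) & 0xFFFFFFFF == info.CRC:
            return word, n
    return None, len(candidates)


# Constructed sample: a stand-in for the article's dmail_11_04_02.zip,
# protected with the same password, "dbms". Contents are made up.
SAMPLE_DATA = b"name,address\nA. Customer,1 Example Street\n"
SAMPLE_ZIP = build_encrypted_zip(b"dmail_sample.csv", SAMPLE_DATA, b"dbms")
WORDLIST = ["password", "microsoft", "admin", "dbms", "secret"]  # constructed

if __name__ == "__main__":
    print(read_with_stdlib(SAMPLE_ZIP, b"dbms").decode())
    print(crack(SAMPLE_ZIP, WORDLIST))
```

The point the cracker makes is that a guess needs only the 12-byte header and a few dozen integer operations, so a word list runs through candidates as fast as the machine can key the cipher, and a dictionary word like "dbms" falls on the fourth guess here. The CRC high byte in the header is a 1-in-256 filter, which is why the code confirms a survivor by decrypting the entry and checking the CRC rather than trusting the header alone. None of this is specific to the password chosen: a short word from any list, with any zip tool of the period, would have fallen the same way.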
Although the FTP server was intended for use by Microsoft's product support organization, marketing staff appeared to be using the server, unaware that it was accessible from the Internet, said Russ Cooper, "surgeon general" at security services provider TruSecure.

"They probably thought they were sharing the files just with other Microsoft people and that it was a protected server," Cooper said.

A Microsoft spokeswoman said the company has disabled downloads from the PSS Support server "to improve the privacy protections on the site." The server's outgoing file directory will be brought back online after a review of its security architecture, she said.

Among the many people who stumbled upon the open FTP server was Andreas Marx, a virus researcher with GEGA IT-Solutions. In a phone interview, Marx said he first noticed the security problem Nov. 15 after connecting to the FTP server to download a security patch for Microsoft Office. Marx said numerous directories in a section of the site marked "outgoing" were accessible and contained files with "really interesting names."

Marx said he reported the problem to Microsoft, and the company appeared to take the FTP server offline Monday. When the server was restored later in the day, it had been "completely cleaned" of confidential files, Marx said.

But shortly thereafter, he said, Microsoft employees apparently began uploading new confidential files to the public section of the FTP server.

"It looked like Microsoft had a policy about what files could be uploaded, but that some employees weren't following it," said Marx.

After a short stint offline Tuesday morning, the FTP server's incoming directory appeared to be back online later in the day with proper access permissions. The outgoing directory, which contained patches and other support information, was still inaccessible, however.

The incident follows the posting last month of dozens of Microsoft internal documents, including e-mails and reports labeled "Microsoft Internal Distribution," on a website operated by a security researcher in Turkey.

In an e-mail interview, Tamer Sahin said he was able to access Microsoft's internal network at the beginning of this year using "known vulnerabilities" in Microsoft's software. In a message at his site, Sahin said he hacked Microsoft and posted documents he retrieved during his trespass because of his "fanaticism to Unix."

At the time, a Microsoft spokesman said the information Sahin obtained was outdated, but declined to comment further, citing the company's policy of not discussing intrusion claims.