TechTarget

Microsoft puts address lists on insecure server

A Microsoft public server carrying millions of customer details and other internal documents was taken offline and secured last Tuesday, shortly after the company discovered its mistake.

The unsecured FTP server was intended to allow customers to download patches and fixes and upload files for analysis by Microsoft technical support staff.

Marketing staff at the company evidently mistook it for an internal server and had been storing confidential details and other documents on it, unaware that these could be accessed from the Internet.

It is estimated that 18 million addresses were contained in two compressed, password-protected files, but the protection could readily be cracked using simple tools that are available on the Web.

A spokesman said the company is investigating a potential policy breach because the server was not designated as a secure resource and storing sensitive information was prohibited.

Chris Wysopal, director of research and development for digital security specialist @Stake, said ensuring that people observe security policies is crucial. "Companies need enforceable policies. A bank is much more than just a vault - it is people following approved processes."

The discovery of such a blatant flouting of security policy is being seen as a blow to Microsoft's attempts to establish itself as a security-conscious organisation through its Trustworthy Computing initiative, launched last January.

Since then it has issued 65 security bulletins, primarily fixes for buffer overruns, and held up the release of several products to try to change the perception of its products as being buggy and insecure.
