Microsoft puts address lists on insecure server


Eric Doyle

A Microsoft public server carrying millions of customer details and other internal documents was taken offline and secured last Tuesday, shortly after the company discovered its mistake.

The unsecured FTP server was intended to allow customers to download patches and fixes and upload files for analysis by Microsoft technical support staff.

Marketing staff at the company evidently mistook it for an internal server and had been storing confidential details and other documents on it, unaware that these could be accessed from the Internet.

It is estimated that 18 million addresses were contained in two compressed, password-protected files, but the protection could readily be cracked using simple tools that are available on the Web.

A spokesman said the company is investigating a potential policy breach because the server was not designated as a secure resource and storing sensitive information was prohibited.

Chris Wysopal, director of research and development for digital security specialist @Stake, said ensuring that people observe security policies is crucial. "Companies need enforceable policies. A bank is much more than just a vault - it is people following approved processes."

The discovery of such a blatant flouting of security policy is being seen as a blow to Microsoft's attempts to establish itself as a security-conscious organisation through its Trustworthy Computing initiative launched last January.

Since then it has issued 65 security bulletins, primarily fixes for buffer overruns, and held up the release of several products to try to change the perception of its products as being buggy and insecure.
