A group of hackers say they disabled part of the server that Microsoft put on the Web as a test for those who think they can breach the system's security.
Two attacks that took down the guest book section of the Windows 2000 Beta Internet Test Site took place yesterday. The group sent "poison packets" to the server. The packets masqueraded as small chunks of information but actually were quite large, said George Davey, a leader of the effort.
Microsoft confirmed the attack, saying technicians manually disconnected the attackers.
While the server's CPU was working to swallow the larger-than-expected data packets, the guest book page was inaccessible. However, the overall system didn't crash and the attackers didn't seize control, said Keith White, director of marketing for Microsoft's business and enterprise division.
CNET News.com verified that the guest book didn't appear during one of the attacks yesterday, returning the error message "There is a problem with the page you are trying to reach and it cannot be displayed...Internal server error."
Computer security is an increasingly important field as companies move more services to the Internet, often with publicly accessible Web sites that allow visitors to interact with corporate computers. Microsoft wants to make Windows 2000 "the most secure version of Windows ever, both in terms of feature functionality, and system design," the Web site says.
Microsoft's site has "ground rules" that exhort would-be attackers to "find the interesting 'magic bullet' that will bring the machine down" and see if they can find "hidden messages sprinkled around the computer."
Both sides declared victory. Davey said his group succeeded in getting past some of the computer's defenses, and Microsoft said it succeeded in keeping the machine running and finding new vulnerabilities to address. "This is exactly what we want customers to do with this site," White said.
Shortly after the test site went up, the same server was taken down by a lightning storm, but Microsoft also acknowledged at the time that the guest book program had been compromised.
Since the site was switched on a month ago, Microsoft has found and fixed four bugs in how the server handles Internet information, White said. An attacker crashed the machine August 17, Microsoft said.
Tests only moderately useful
Putting a server up for would-be attackers to pound on allows companies to find new security holes, but "a lot of these challenges are more to help the perception that the machine is secure," said Christopher Klaus, chief technology officer of Internet Security Systems.
The most serious computer crackers won't participate in such challenges because they don't want to show their hand, Klaus said. "Some people who know how to break in may not want to disclose all their secrets," Klaus said. "If a robber has a master key to break into every building in the world, he's not going to go to the FBI and demonstrate."
Windows NT and 2000, as well as Unix and other operating systems, aren't particularly secure unless set up properly, Klaus said. "Most systems out there by default are wide open in terms of security issues," he said, but "can be made pretty secure if configured properly and locked down."
More dangerous today are the software applications that reside on top of the operating system. E-commerce has raised a host of new problems because it involves many applications, Klaus said. "Most hackers simply go around it by going through the application layer. As we're seeing e-commerce take off, the hacker's target isn't a small bull's-eye."
Attacking the Web server
The attacks on the Microsoft server yesterday came through the Active Server Pages (ASP) component of Microsoft's Internet Information Services (IIS) Web server software, Davey said. In testing the attack on his own Windows 2000 servers, he said restarting the server didn't fix the problem; instead, the IIS software had to be reinstalled. Also on the test server, the attack caused the computer's CPU usage to jump to 100 percent.
On the Microsoft site, the computer returned to normal once the access was shut down.
"Most people don't have the expertise to selectively shut off [specific Internet addresses] like that," Davey said today. "Had they not shut us off, it would have killed their machine."
Davey thought it notable that the Microsoft server initially made no mention of the ASP problems. "Why don't you guys mention any of the ASP downtime that we have documented?" he asked in an email to Microsoft. Notification of the attack appeared on the Web site at 10 a.m. today, after CNET News.com called Microsoft about the attack.
The machine is running a beta, or test version, of Windows 2000, on a Pentium III chip with 256 MB of memory.
The machine has been configured to make access difficult, Davey and Microsoft said. However, as the test continues, the company likely will open up more access channels known as "ports" to test it more heavily.
Davey said the challenge of breaking into the system is fun. "Normally, you can't hack, because it's illegal."
He praised Windows 2000 as "by far the best thing ever released by Microsoft." But there's still room for improvement. "All these open holes that get shut up will lead to a more secure server," Davey said.