April 8th, 2002 11:03 PM
BA ditches MS servers after virus threat
Airline removes 100 'unauthorised' web servers
British Airways has removed 100 "unauthorised" web servers running Microsoft IIS from its network over fears that the software could be a target for virus attacks.
The move came after the company found that the web servers had been installed by its own staff "without the correct authorisation procedures".
BA was worried that the servers could be attacked by the Code Red virus. A company spokesman said that the airline was not affected by the virus.
Code Red exploits a buffer overflow vulnerability in an unpatched machine that could allow an attacker to gain complete control of an affected web server.
It then makes copies of itself and scans the internet looking for other vulnerable IIS machines to infect. It is this that led the airline to take preventative measures.
"As part of our normal housekeeping procedures, and in line with good IT security practice, we launched an internal review of our use of Microsoft web servers," said a spokesman. "We are undertaking a project to remove the product where it has been installed without the correct authorisation procedures."
According to internet consultancy Netcraft, all BA websites currently visible from the internet run Netscape Enterprise 4.1 on Sun Solaris.
The BA spokesman explained that all the IIS servers ran internal departmental intranets and that it was not possible to view them externally "unless this is configured in our web access control infrastructure".
If an IIS-based server is not properly configured and patched, it is vulnerable to attacks. The spokesman admitted that "there is no such thing as perfect security".
Richard Barber, of security consultants Integralis, said that BA had felt secure because it had a policy of using non-Microsoft web servers.
"People on the inside of a company can set up their own web servers and, if these go to the internet through the firewall at http, they become visible," he explained. "It is then fairly obvious from the outside of the network to hackers."
"Unfortunately BA was not managing and maintaining the threat that staff presented in putting up their own websites," he added.
In future BA hopes to keep tabs on its infrastructure "by regular audits and reviews of web servers", said Barber.
Microsoft declined to comment.
April 8th, 2002 11:08 PM
Go British Airways! They've got my vote because then they'll be using something worthwhile...like Apache.
We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.
April 8th, 2002 11:56 PM
We have that same issue. Engineers just installing whatever pleases them at the time with no regard to what it could be doing to anyone else.
Many a time I've had to take my destructive packet filterer over to a cubicle and *snip* *snip*.
Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
- Samuel Johnson