[Subject Prev][Subject Next][Thread Prev][Thread Next][Subject Index][Thread Index]

Microsoft was hacked again

Saturday October 28 07:00 PM EDT
Microsoft confirms hackers saw code for upcoming software 
By Joe Wilcox, CNET News.com

Microsoft acknowledged Friday that hackers had accessed source code to programs
in development, but company representatives said the intruders did not see code
for existing products.

More Tech News
Download Free Software
Find Product Reviews 
The admission quells fears hackers might have stolen the source code, or
blueprint, for some of Microsoft's most valuable programs, including Office,
Windows Me and Windows 2000.

As a criminal investigation under the direction of the FBI progressed, the
nature of the attack appeared to be more sophisticated than first suspected,
adding fuel to speculations of industrial espionage.

"There's no evidence that the unauthorized intruder gained access to source
code for our major products," said Microsoft spokesman Ricardo Adame. "It
appears the hacker was able to view some source code under development."

Adame emphasized that while the hackers were able to view the source code,
"there were no modifications or corruptions" and "no source code was

Investigators believe a Microsoft employee received email containing a common
hacker program known as a Trojan horse, which he or she unknowingly launched.

The program then attempted to spread to other computers on Microsoft's network
and pilfered passwords that were later sent to a Russian email address, said
sources familiar with the investigation.

While Microsoft and many other companies encrypt passwords so they cannot be
easily stolen, careless employees can make the process easy for hackers, said
Gartner security analyst John Pescatore.

"A lot of people have emails that say, 'Hey, I'm on vacation. If you need to
get to such and such, here's the password,'" he said.

The hacker could have launched a program that searched for and retrieved emails
containing the word password.

Sources familiar with the investigation said that once the hacker had obtained
one or more passwords, he or she connected to Microsoft's home campus in
Redmond, Wash., posing as an employee working off-site.

Once inside and behind Microsoft's security firewall, the hacker had limited
access to some other computers on Microsoft's network.

"Since you're running on someone else's computer, it's assumed you are a
trusted user," explained Richard Smith, chief technology officer for The
Privacy Foundation. "So the hacker could have been probing around the network
leisurely for a few weeks. Then they started to probe around where the source
code is kept."

In fact, the criminal investigation has determined the hack started around the
end of September, Adame said, and went undetected until early this week.

"There was some unusual behavior in the security protocols we use in terms of
the network," he said. "That's when the security team started the whole
(investigation) process."

How far the hacker got is still uncertain, but sources close to the company
said much of the intrusion was confined to a single computer.

Whether, given more time, the hacker could have pilfered the development code
he or she saw or gained access to more valuable code is uncertain, Pescatore

"They key message here is, do you know where your crown jewels are stored?" he
said. "Do you have extra levels of security for your corporate crown jewels?"

Pescatore compared someone getting the source code of Windows 2000 to stealing
the formula to Pepsi.

Security experts were surprisingly supportive of Microsoft, despite the amount
of time the hacker may have had access to the company's network.

"If you look at what Microsoft said about the entire incident, it shows they
have got auditing and logging on, which, by the way, is something many big
corporations don't do very well," said Robert Graham, chief technology officer
with security software maker Network Ice.

"This would point to the efficiency of Microsoft's security stance," he said.

Dibyendu Saha

Do You Yahoo!?
Yahoo! Messenger - Talk while you surf!  It's FREE.