
List:       isn
Subject:    [ISN] MS blocks staff dial-in access after 'minor' hack
From:       William Knowles <wk () C4I ! ORG>
Date:       2000-10-31 2:37:36

http://www.theregister.co.uk/content/1/14327.html

By: John Lettice
Posted: 30/10/2000 at 16:26 GMT

According to Microsoft it knew about the hacker's intrusion almost
immediately, it tracked the hacker's movements through its network,
and it shut down all of the accounts used by the hacker last week. So
how come it blocked access to its corporate network for all of its
employees, globally, over the weekend?

Since Friday the company has been mounting a determined effort to
convince the world that its systems, its software and its source code
are secure, and if you take the story according to Microsoft at face
value, the threat from the hacker was minor, was finite, and has now
passed. A "Microsoft official" quoted in today's Wall Street Journal
even went as far as suggesting that the company has detailed
information that will help pinch the perpetrator.

So if it's all over bar the arresting, the only reasons for shutting
down access must surely be that Microsoft has belatedly concluded that
there are - as we suggested yesterday - serious problems with the way
it runs its network security. In this context Microsoft's explanation
of why it originally said the hacker could have been loose for six
weeks, rather than the 12 days it now claims, is significant.

The six week period takes us back to when the corporate email system
was taken down because of a virus outbreak, and Microsoft's security
team initially feared - so it said - that the two might have been
connected. But the real connection is their awareness of the fact that
the methods of propagation for both were the same. If Microsoft staff
and Microsoft systems are vulnerable to viral email attachments, then
they must also be vulnerable to QAZ Trojans intended to break into the
network. And besides, under current circumstances there's a high
probability of copycat attacks.

Microsoft is clearly beginning a long, hard look at its network
security, and Register sources suggest this is not before time. Said
one: "MS source control is not very locked down. Pretty much every MS
employee can commit to the tree. Which means if you're hacked in and
you know this, you can commit your own backdoor code into Windows that
might stand a chance of going gold."

This doesn't sound entirely plausible, although the large teams
Microsoft has working on code would tend to make it more difficult to
police security, and possibly easier for rogue code to get through. A
tale from Microsoft Germany, however, sounds all too convincing:

"Where I work, I have a colleague who has worked at MS Germany. He
once mentioned that he had set up himself a dial-up server with
callback in one of the labs there. This server remained active more
than a year after he left. To quote: 'Need a new Office - no problem
just keep leeching a weekend or so - it's callback, so it's for free.'
Of course it was against security-policy (' ...and of course I had
turned-off all logging').

"The server was only removed presumably during a full restructuring of
the lab, where it was probably found to be superfluous and shut
down..."

All companies are of course like this, but as Microsoft is probably
the biggest, fattest, most tempting target for hackers, it really
can't afford to be like this for much longer.


*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV@SecurityFocus.com with a message body of
"SIGNOFF ISN".
