Intrusion at Microsoft rattles businesses


Published Saturday, October 28, 2000, in the San Jose Mercury News

Security too lax at time of risk, say world experts

BY ELISE ACKERMAN, Mercury News

The intrusion into Microsoft Corp.'s computer network, in which an unknown hacker gained access to some of the underlying blueprints for the company's software, signals that businesses are not paying enough attention to computer security at a time when attacks are becoming increasingly common and more sophisticated, security experts say.

News of the electronic break-in rattled the business world Friday, raising fears that if the world's largest software company could be hacked, private and government networks around the globe could also be easily compromised -- especially in the age of the Internet.

The Redmond, Wash.-based software giant condemned the break-in but emphasized the intruder only gained access to computer "source code" associated with a future product and did not compromise the security of Microsoft products already on the market, such as Windows Me, Windows 2000 or the Office suite of business software. Source code provides a blueprint for developing software programs.

"They did in fact access the source codes," Chief Executive Steve Ballmer, who was in Stockholm, Sweden, told the Associated Press. "You bet this is an issue of great importance."

"We are working on both immediate and long-term solutions to ensure the security of our network," said Rick Miller, a Microsoft spokesman.

The break-in, which Microsoft reported to the Federal Bureau of Investigation on Thursday, reportedly involved computers in Russia and Asia. The intruder apparently relied on a combination of hacker tricks, including a so-called "Trojan horse" program that had been known to security professionals for months.

"This isn't evidence that this is an adept hacker," said Richard Power, editorial director of the Computer Security Institute in San Francisco. "This is evidence that they are not taking computer security seriously enough," said Power, the author of "Tangled Web: Tales of Digital Crime from the Shadows of Cyberspace."

More incidents

According to Carnegie Mellon's Computer Emergency Response Team (CERT) Coordination Center, the number of incidents in which network security was compromised has increased more than six-fold since 1994 -- the year that Netscape launched its Web browser and ignited the Internet revolution.

A survey of large corporations and government agencies conducted earlier this year by the Computer Security Institute and the San Francisco FBI's Computer Intrusion Squad estimated losses from computer crime last year at $124 million. The damage ranged from deleted files to stolen corporate secrets, which were sometimes used as blackmail.

The Microsoft intruder may have had a similar intent, experts speculated. In the past, Microsoft revealed portions of its source code -- but only under strict conditions to certain partners.

The company's desire to maintain control over who could view its source code was one of the major issues in the recent landmark federal antitrust case against the Redmond software company.

Access to the source code could be of some benefit to Microsoft's competitors, who could use it to develop rival products. And it could be equally useful for cybercriminals seeking to break into a company or expose flaws in its products. "It is certainly easier to find security problems if you have access to the source code than if you don't," said Elias Levy, chief technology officer of SecurityFocus.com. "If you don't have it you are blindly poking at an application to see if it breaks."

The source code for Unix operating systems has been available on the computer underground for years. One of the key arguments for the "open source" movement -- which advocates openly publishing a program's source code -- is that potential vulnerability is easily exposed and fixed before it can be exploited by someone with criminal intentions.

Microsoft's intruder may have entered the company's network by using a technique known to members of the hacker community.

According to the Wall Street Journal, which first reported the intrusion, the trespasser managed to get a bit of malicious code called the "QAZ Trojan" onto a computer used by a Microsoft employee, who inadvertently executed the code.

Once activated, QAZ sent a message to a computer located in Asia that identified the Internet address of the hijacked Microsoft computer. The hacker was then able to collect passwords that were sent to an e-mail address in St. Petersburg, Russia, and used to access the source code, the Journal reported.

The intruder reportedly had access to Microsoft's network for several months.

"The surprise is not that it took Microsoft three months to notice," said Bruce Schneier, chief technical officer of Counterpane Internet Security Inc. "The surprise is that they noticed at all. This happens regularly."

Vincent Gullotto, who heads the anti-virus emergency response team for McAfee, a division of Network Associates Inc., said there are three ways to install a Trojan on a network: it can be unknowingly downloaded from the Internet, transferred from a floppy disk or received in an e-mail.

Normally, anti-virus software scans for Trojans and other unfriendly visitors to a computer. Gullotto said the Microsoft employee who reportedly received the QAZ Trojan may not have had an updated version of anti-virus software. It's also possible that the employee had turned off his or her anti-virus protection. Programmers sometimes disable anti-virus software because it tends to slow down computers.

The failure of companies, including high-tech stalwarts like Microsoft, to take sufficient precautions is the root of most security failures, experts say.

What firewall?

Security consultant Rik Farrow says he has worked with a company that assured him it had so-called "firewall" software, the first line of defense against break-ins. "I said, 'Let's see your firewall...' It was in a box sitting on the floor."

The attack on Microsoft could raise awareness. As Gullotto noted, if a hacker can break into Microsoft, any company connected to the Internet is at risk.

Mercury News Staff Writer Cecilia Kang contributed to this report.

http://www0.mercurycenter.com/premium/front/docs/microsoft28.htm

-- Martin Thompson (mthom1927@aol.com), October 29, 2000

