It’s common knowledge that Microsoft Corp. sometimes chooses functionality over security in its software products. Now it’s also common knowledge that Microsoft is unable to protect its own internal networks.
On the heels of providing a patch for a serious security hole in its Internet Information Server, the empire Bill Gates built is reeling from a brilliant – and highly illegal – hacking job by a person or persons as yet unknown. Microsoft has confirmed its security was breached and issued a statement calling the cyber attack a deplorable act of industrial espionage, but denied the suggestion that the source code for some of its most valuable upcoming releases – including the latest versions of Windows ME, Windows 2000 and Office – has been pilfered. It was initially reported in the Wall Street Journal on Oct. 27 that the blueprints to these programs may have been lifted.
“There is no evidence that the intruder gained access to the source code for Office or any Windows products. There is no evidence to suggest that any of Microsoft’s on-line services have been or will be affected by the incident, and we have no reason to believe that any customers have been or will be affected in any way,” the statement read. “The hacker may have viewed some source code under development for a future product. We remain confident based on all the evidence that no code has been modified or corrupted in any way.”
Microsoft did call in the U.S. Federal Bureau of Investigation (FBI) to help nab the crafty hacker(s).
According to the FBI, the attack appeared to be more sophisticated than the norm. Investigators believe the hackers had access to Microsoft’s network for anywhere from 12 days to six weeks before being detected.
Both Microsoft Canada and Microsoft Corp. declined ComputerWorld Canada requests for comment on this story.
How the invasion of one of the world’s most prolific software companies began is simple: a Microsoft employee received an e-mail containing a common hacker program known as QAZ Trojan, which he or she unknowingly launched. QAZ opens a back door that gives hackers remote control of an infected terminal. The QAZ worm then disguised itself as Microsoft Notepad. Microsoft’s security employees discovered that passwords used to transfer the source code behind the company’s software were being sent from their network to an e-mail address in St. Petersburg, Russia, on Oct. 14.
“This occurrence increases visibility and awareness (of security-related issues) and it makes people aware that anyone, even Microsoft, is vulnerable even when precautions are taken,” said David Smith, the vice-president of Internet strategy with the Gartner Group in Stamford, Conn. “It’s true that the PC is a weak link in a corporation’s armour, but I don’t know of any company that doesn’t have a PC.”
Posing as Microsoft employees working from home, hackers used the stolen passwords to enter confidential areas of the company’s internal network and began downloading files.
To date, the motive for the attack is as elusive as those responsible for it. But one theory involves holding data hostage, in which an electronic thief threatens to publicly expose intellectual property for ransom purposes.
“Consumers are less concerned about security, so I don’t see any long-term impacts there,” Smith continued. “As for the corporate market, they’re going to have some empathy for them. All of these companies face the prospect of being broken into.”
Eric Hemmendinger, a security analyst with the Boston-based Aberdeen Group, criticized the lack of detail Microsoft gave the public once the story broke.
“When you call in the FBI, you’re bringing in what you hope are the big guns,” Hemmendinger told ComputerWorld Canada. “To say that they called in the FBI, but that nothing was touched here of substance, is just real hard to believe.”
But IDC Canada network services analyst Dan McLean said Microsoft may have had little choice in calling on the FBI.
“It could be a due-diligence process that had to be done given the nature of the business and the information that was relayed to the public,” McLean said. “Any high-profile company is potentially in the cross-hairs of the hacker community…the real question is what is the extent of the damage done? I expect the damage was fairly minimal.”
On the surface, one could argue that Microsoft is suffering from instant karma due to its own design flaws. The Windows operating system is relatively open to security problems, and holes in Outlook and Outlook Express are commonly exploited. But Microsoft isn’t the first major corporation to be hacked in recent months: America Online, RealNames, NASA and the Communications Workers of America have all fallen victim to attack.
While Microsoft itself is tight-lipped about the whole affair, its founder Bill Gates has busied himself of late with more philosophical dilemmas.
Gates, speaking at the Creating Digital Dividends Conference in Seattle on Nov. 2, criticized the software industry for putting too much faith in digital solutions. He told the attending delegates that the world’s poorest people (estimated at about two billion) need food and health care, not laptops.