Think tank warns that Microsoft hack could pose national security risk

[InfoSec News <isn () C4I ORG>]

http://www.computerworld.com/cwi/story/0,1199,NAV47_STO55656,00.html?OpenDocument&~f

By DAN VERTON
December 27, 2000

Although Microsoft Corp. has denied that the hacker who penetrated its
network in October gained access to any of the company's source code,
a recent report by a Washington-based think tank is warning that the
compromise may hold grave national security implications.

In a report released this month titled "Cyber Threats and Information
Security: Meeting the 21st Century Challenge," the Center for
Strategic and International Studies (CSIS) concluded that the
government and the private sector should be concerned about the
"trustworthiness" of future Microsoft products in the aftermath of the
hack into the company's network. Former Deputy Secretary of Defense
John Hamre, a longtime cybersecurity proponent in the defense and
intelligence communities, heads the CSIS.

"It is doubtful that the millions (sometimes billions) of lines of
code required to power Microsoft's products could readily be
sanitized," the CSIS report states. "With most military and government
systems powered by Microsoft software and more generally reliant on
[commercial, off-the-shelf systems], this recent development can pose
grave national-security-related concerns," the 73-page report
concludes.

Microsoft, however, strongly disagrees with the analysis.

"The CSIS quote sensationalizes the incident and misstates the facts
in a number of important ways," a Microsoft spokesman said. "Most
important, Microsoft has repeatedly stated that after tracking the
intruders and investigating their activities, there is no evidence and
no basis to believe that they had any access at all to Windows or
Office source code. That is, we have no reason to believe that the
intruders were able to see Windows or Office source code, much less
modify it. Microsoft's current and future products remain intact and
secure, and customers can use them with confidence."

Microsoft security personnel discovered the hack in October when they
noticed that passwords were being remotely sent to an e-mail account
in Russia. The hackers then posed as Microsoft employees working
off-site rather than at the company's Redmond, Wash., headquarters to
gain access to sensitive areas within Microsoft's internal network.

Government systems aren't the only ones at risk, according to CSIS.
"Whoever stole proprietary secrets at the heart of the ubiquitous
Windows program can hack into any PC in the world that uses it and is
connected to the Internet," the report states. Such security concerns
could hold serious implications for the dozens of private-sector
companies that own and operate the nation's critical infrastructure.

Although initial reports alluded to the possibility that the hacker
may have gained access to the source code of some of the company's
future products, including Windows Me, Windows 2000 and Office, a
Microsoft spokeswoman said that no source code was compromised or
stolen and that every possible step has been taken to ensure the
integrity of the code for future users

[CSIS report at:
http://www.csis.org/homeland/reports/cyberthreatsandinfosec.pdf ]

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".