Information Security News mailing list archives

Microsoft says it knew about hacker right away


From: William Knowles <wk () C4I ORG>
Date: Mon, 30 Oct 2000 19:40:50 -0600

http://www.techserver.com/noframes/story/0,2294,500274376-500428608-502699493-0,00.html

SEATTLE (October 30, 2000 1:21 p.m. EST http://www.nandotimes.com) -
Microsoft Corp. says a hacker had high-level access to its computer
system for 12 days - not up to five weeks, it had first reported - and
was monitored the entire time.

While the company says it believes no major corporate secrets were
stolen, some security experts believe the 12-day period was plenty of
time for a hacker to do damage that may not have been detected yet.

Microsoft spokesman Rick Miller said Sunday that beginning Oct. 14 a
hacker gained access to high-level secrets and that at some point over
the next 12 days viewed blueprints, or source code, for Microsoft
software that is being developed.

When it confirmed the incident Friday, the Redmond, Wash.-based
software giant said an electronic intruder had access to source code
for as long as five weeks. Microsoft used that time estimate because
the duration of the hacker's presence was unclear and the company
wanted to be sure it did not underestimate the problem, Miller said.

The company was alerted to the break-in by the creation of new
accounts giving users access to parts of Microsoft's computer network,
Miller said.

"We start seeing these new accounts being created, but that could be
an anomaly of the system," Miller said. "After a day or two, we
realized it was someone hacking into the system."

It was not until Oct. 26, however, that the company notified federal
law enforcement, which is investigating the matter. Microsoft said it
initially planned to handle the break-in on its own.

"We realized the intrusion had grown to the level that warranted
bringing in the FBI," Miller said. Miller said the activity did not
corrupt or modify the code for the product, which he declined to
identify.

If any attempts to download or transfer the source code were made,
such activity was not recorded in Microsoft's logs, Miller said,
adding that it is extremely unlikely any source code files were copied
because of their immense size.

But some security experts questioned that assessment.

"It's impossible to say with absolute certainty that (source code)
file has not been copied," according to Simon Perry, vice president of
security solutions at Computer Associates International in Islandia,
N.Y. "Over a 12-day period, it would be absolutely possible to take a
copy of that."

Ray Pompon of Seattle-based Conjungi Networks, which installed some
security tools for Microsoft in 1994, agreed, saying, "Source code
files can be very big, but they're easily compressible."

Microsoft has refused to say at what point it learned the hacker saw
the source codes. Pompon said whether the company discovered it
immediately would depend on what type of monitoring it was doing -
something the company has not disclosed.

Miller acknowledged the hacker could have been in the system for
longer than 12 days, but he said the company is confident that
high-level access occurred only between Oct. 14 and Oct. 25.

But even with low-level access, the hacker could have accessed
corporate e-mails and other confidential information, Miller said.

Microsoft has refused to identify what program the source code was
for, except to say it was a product years from release - not Windows
or Office software.

Pompon said it's less damaging to Microsoft that the product was not
one already on the market. "Microsoft can be more careful about what
they're going to release and make sure it's not vulnerable," he said.

Microsoft's source codes are the most coveted in the
multibillion-dollar industry.

With access to software blueprints, competitors could write programs
that undermine Microsoft or use the data to identify weaknesses,
making computer break-ins and virus-writing easier.


*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com

