Information Security News mailing list archives
Microsoft exec tells how hacker got in
From: InfoSec News <isn () C4I ORG>
Date: Fri, 23 Feb 2001 14:52:59 -0600
http://seattletimes.nwsource.com/cgi-bin/WebObjects/SeattleTimes.woa/wa/gotoArticle?zsection_id=268448455&text_only=0&slug=hack23&document_id=134269414

by Brier Dudley
Seattle Times technology reporter
Friday, February 23, 2001

A top Microsoft executive revealed yesterday how a hacker was able to view some of the company's top-secret source code last October, shedding light on a notorious attack that raised concern worldwide about network security.

A hacker gained broad access because an employee forgot to create a password when configuring a server, leaving the password blank, said Bob Herbold, Microsoft executive vice president and chief operating officer.

Herbold, who is retiring to start a consulting business, gave the most detailed account of the attack yet during a lecture at the University of Washington Business School, where he was discussing the state of the technology industry for an audience of executives and school supporters.

After extolling the financial benefits for corporations of conducting more business online, Herbold mentioned the attack to emphasize that human error is usually to blame when security is breached.

"It's not the technology, folks, it's the people," he said. "When we trace them back, it's always human error."

In the October attack, someone was able to roam through Microsoft's network for 10 to 14 days and view secret codes on which some key programs are based. That could make programs susceptible to future attacks, but a company spokesman said that is unlikely.

Microsoft is thought to have one of the best security systems in the industry. It's also one of the most frequent targets of hackers.

Herbold said the attacker entered the system through the computer of a Microsoft employee. There was wide speculation after the attack that it involved a "Trojan horse" virus that can be attached to an e-mail message and give an outsider network access, but Microsoft has yet to officially acknowledge that's what happened.
Once inside, the intruder searched for a server with a blank password, Herbold said. Until Microsoft released its Windows 2000 software last year, its server software came with a blank password, and administrators sometimes forget to create new passwords. Herbold said a server being set up for a customer was left with a blank password, giving the intruder access.

Next the intruder searched the network for personal computers with blank passwords or passwords that would be easy to decipher, Herbold said. As the intruder sought higher and higher levels of access, Microsoft noticed, began monitoring the activity and notified the FBI. The investigation is continuing, Seattle FBI Agent Ray Lauer said.

Microsoft spokesman Adam Sohn downplayed Herbold's comments. "We said it was human error a long time ago," he said. "If anything, he was trying to amplify that point, that it wasn't technology - it was a configuration problem."

But it was the first time Microsoft has said a blank password was used to gain access, said Richard Stiennon, security-research director for Gartner, a Connecticut computer-consulting firm. "That's new information," he said.

The attack highlights the need for users to be educated about security procedures and the importance of basic protective features such as passwords.

"It's definitely Security 101," Stiennon said. "It's right in the Microsoft documentation."

ISN is hosted by SecurityFocus.com
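The failure described in the article (a server left with its blank default password, then workstations with blank or easily guessed passwords) is exactly what a routine account audit is meant to catch before an intruder does. The following is an added example, not code from the article, from Microsoft or from the ISN list: a small Python audit that classifies constructed account records and reports blank, username-equal, too-short and commonly used passwords, listing administrative accounts first so a blank admin password on a server surfaces at the top of the report. The host names, user names, the tiny common-password set and the minimum length are all assumptions chosen for illustration.

```python
"""Audit constructed account records for blank or easily guessed passwords.

Added example: not code from the article, Microsoft or the ISN list. The
account records are constructed sample data, and COMMON_PASSWORDS is a tiny
illustrative set, not a real wordlist.
"""
from __future__ import annotations

from dataclasses import dataclass

# Hypothetical, deliberately small set of trivially guessable passwords.
COMMON_PASSWORDS = {"password", "admin", "123456", "letmein", "welcome"}
MIN_LENGTH = 8  # assumed policy minimum


@dataclass(frozen=True)
class Account:
    host: str
    username: str
    password: str  # plaintext only because this is constructed sample data
    is_admin: bool


def classify(account: Account) -> list[str]:
    """Return the findings for one account; an empty list means it passed."""
    findings: list[str] = []
    pw = account.password
    if pw == "":
        # The article's root cause: a server set up with the blank default.
        findings.append("blank password")
        return findings
    lowered = pw.lower()
    if lowered in COMMON_PASSWORDS:
        findings.append("common password")
    if lowered == account.username.lower():
        findings.append("password equals username")
    if len(pw) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    return findings


def audit(accounts: list[Account]) -> dict[str, list[str]]:
    """Map 'host\\user' to findings, most dangerous exposures first.

    Admin accounts sort before ordinary ones, then by host and user, so a
    blank administrator password on a server heads the report.
    """
    report: dict[str, list[str]] = {}
    ordered = sorted(accounts, key=lambda a: (not a.is_admin, a.host, a.username))
    for acct in ordered:
        findings = classify(acct)
        if findings:
            report[f"{acct.host}\\{acct.username}"] = findings
    return report


# Constructed sample data: one server left with a blank admin password and a
# few workstations with weak, trivially guessed or acceptable passwords.
SAMPLE_ACCOUNTS = [
    Account("srv-customer01", "administrator", "", True),
    Account("ws-dev17", "jdoe", "jdoe", False),
    Account("ws-dev18", "asmith", "Password", False),
    Account("ws-dev19", "bjones", "Tr0ub4dor&3x", False),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_ACCOUNTS).items():
        print(f"{name}: {', '.join(findings)}")
```

In practice the records would come from the organisation's own account inventory or a password-policy enforcement hook rather than plaintext fields, and the common-password set would be a real breached-password list; the point of the structure is that the blank-password check runs first and unconditionally, because that single condition is what gave the intruder in the article a foothold on a server.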