Information Security News mailing list archives
Microsoft hacked for up to three months
From: William Knowles <wk () C4I ORG>
Date: Fri, 27 Oct 2000 23:57:49 -0500
http://www.theage.com.au/breaking/0010/29/A14335-2000Oct29.shtml

Source: AFP | Published: Sunday October 29, 1:46 PM

WASHINGTON - Hackers may have had access to Microsoft's internal documents for weeks or even months, reports said today.

The Washington Post said the intruders had access for at least six weeks to blueprints for Microsoft software being developed, although the software company denies this.

The Los Angeles Times said hackers may have had access for as long as three months before being discovered. Both newspapers cited unnamed sources.

Microsoft meanwhile described the intrusions as much narrower than originally reported.

"Our investigation shows no evidence that the intruder gained access to the source code for our major products, such as Windows ME, Windows 2000 or Office," the company said in a statement.

Although the hacker apparently was able to view some source code under development for a future product, the investigation confirmed that there was no modification or corruption of any source code.

The source code, which Microsoft guards jealously, is made up of millions of lines of instructions to create the software used on personal computers. Unlike many of its competitors that make their codes publicly available, Microsoft views this as a company secret.

"We are confident that the integrity of Microsoft's intellectual property remains secure. Similarly, we have no evidence to suggest that any of Microsoft's online services have been or will be affected by the incident," the Microsoft statement said.

The security breach did not involve a security vulnerability in any Microsoft product. "We are working with law enforcement to address this deplorable act of industrial espionage."

The intrusion at the world's largest software firm raised fears that any company or individual could be targeted. But some experts said the attack was the result of Microsoft letting its guard down.

The hacker or hackers apparently used commonly known tricks, including a so-called Trojan horse inserted in an email to steal passwords to Microsoft's internal corporate network.

"This isn't evidence that this is an adept hacker," said Richard Power, editorial director of the Computer Security Institute in San Francisco. "This is evidence that they are not taking computer security seriously enough."

"From what I've gathered thus far, it would appear that a Microsoft employee's lapse in judgment is what brought about the initial intrusion," said a hacker who uses the nickname Cancer Omega and operates the site attrition.org.

The intruder had a great deal of blind luck. Additional blind luck was on the intruder's side in that the Trojan was not quickly detected and thus allowed largely unfettered access.

But Bruce Schneier, chief technical officer of Counterpane Internet Security Inc, said: "The surprise is not that it took Microsoft three months to notice. The surprise is that they noticed at all. This happens regularly."

*==============================================================*
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*