Information Security News mailing list archives

Microsoft exec tells how hacker got in


From: InfoSec News <isn () C4I ORG>
Date: Fri, 23 Feb 2001 14:52:59 -0600

http://seattletimes.nwsource.com/cgi-bin/WebObjects/SeattleTimes.woa/wa/gotoArticle?zsection_id=268448455&text_only=0&slug=hack23&document_id=134269414

by Brier Dudley
Seattle Times technology reporter
Friday, February 23, 2001

A top Microsoft executive revealed yesterday how a hacker was able to
view some of the company's top-secret source code last October,
shedding light on a notorious attack that raised concern worldwide
about network security.

A hacker gained broad access because an employee forgot to create a
password when configuring a server, leaving the password blank, said
Bob Herbold, Microsoft executive vice president and chief operating
officer.

Herbold, who is retiring to start a consulting business, gave the most
detailed account of the attack yet during a lecture at the University
of Washington Business School, where he was discussing the state of
the technology industry for an audience of executives and school
supporters.

After extolling the financial benefits for corporations of conducting
more business online, Herbold mentioned the attack to emphasize that
human error is usually to blame when security is breached.

"It's not the technology, folks, it's the people," he said. "When we
trace them back, it's always human error."

In the October attack, someone was able to roam through Microsoft's
network for 10 to 14 days and view the secret source code on which
some key programs are based. That could make those programs
susceptible to future attacks, but a company spokesman said that is
unlikely.

Microsoft is thought to have one of the best security systems in the
industry. It's also one of the most frequent targets of hackers.

Herbold said the attacker entered the system through the computer of a
Microsoft employee. There was wide speculation after the attack that
it involved a "Trojan horse" virus that can be attached to an e-mail
message and give an outsider network access, but Microsoft has yet to
officially acknowledge that's what happened.

Once inside, the intruder searched for a server with a blank password,
Herbold said. Until Microsoft released its Windows 2000 software last
year, its server software shipped with a blank password, and
administrators sometimes forgot to set a new one. Herbold said a
server being set up for a customer was left with a blank password,
giving the intruder access.

Next the intruder searched the network for personal computers with
blank passwords or passwords that would be easy to decipher, Herbold
said.

As the intruder sought higher and higher levels of access, Microsoft
noticed, began monitoring the activity and notified the FBI. The
investigation is continuing, Seattle FBI Agent Ray Lauer said.

Microsoft spokesman Adam Sohn downplayed Herbold's comments.

"We said it was human error a long time ago," he said. "If anything,
he was trying to amplify that point, that it wasn't technology - it
was a configuration problem."

But it was the first time Microsoft has said a blank password was used
to gain access, said Richard Stiennon, security-research director for
Gartner, a Connecticut computer-consulting firm. "That's new
information," he said.

The attack highlights the need for users to be educated about security
procedures and the importance of basic protective features such as
passwords.

"It's definitely Security 101," Stiennon said. "It's right in the
Microsoft documentation."

ISN is hosted by SecurityFocus.com