E-Business Commentary -- Leaving Gates Wide Open

Dec. 21, 2004
If Microsoft's security can be breached, how vulnerable is your company?

This is a story about what happens when you leave the barn door open too wide for too long, and a very big horse sneaks inside. A Trojan horse, that is. The barn door, in this case, was a gaping hole in Microsoft Corp.'s own super-secure network, allowing unauthorized entry to an unknown hacker. Microsoft reported the break-in on Oct. 25, calling it "an act of industrial espionage."

A week after reporting the break-in, Microsoft tried to contain the public-relations damage. Thus, we learned in the company's later communiqué, posted on its Web site, that its network was breached for 12 days, not the five or six weeks initially reported. That's sort of like the Trojans saying, "Hey, we initially thought that the empty belly of the wooden horse we found inside our gates carried 100 invading Greeks, but now we see that instead it contained only about 35 who sneaked in." Microsoft's changing story only serves to show how little the company really knew about the penetration of its network.

Clearly, the news of the scaling of Microsoft's walls by an unknown party sent a chill through network security people everywhere. Obviously, if the company this happened to made auto parts or built air-conditioners, it wouldn't have made a hack (excuse the pun) of a lot of difference. Companies are getting hacked left and right, via direct assaults on their corporate networks or via their Web sites. But the fact that the world's largest software company, which is widely viewed as having one of the best security teams and network security systems anywhere, can be broken into electronically, exposing not only internal secrets but also information about future products, means that corporate America could be in for big trouble in the era of the Internet and e-commerce. As one security expert observed, the victimization of Microsoft suggests that companies with lesser security resources "would be at even greater risk."
Microsoft claims that the intruder failed to gain access to data on its current products, but the company conceded that he or she "may have viewed some source code under development for a future product."

To be sure, Microsoft isn't the only company or organization to have its network cracked open. One fifth of companies responding to a survey by the Computer Security Institute reported losing proprietary data from hacking in 1999. More recently, hackers have cyber-pried their way behind the computer screens at the Republican National Committee, the Democratic National Committee, and 3Com Corp. Not long ago, both Lucent Technologies Inc. and AT&T Corp. were named as targets of international hacker groups.

In Microsoft's case, company management knew four months earlier that Oracle Corp. had hired a snoop to poke through their garbage. And it is no secret that the U.S. Justice Dept. would love to get its hands on -- legally, of course -- any and all Microsoft secret communications that may not have come out during the government's antitrust trial of Gates & Co.

So after all that, how is it that an outsider was able to infiltrate the network of the company whose software is more widely used than any other? According to a company spokesman, the intruder created new computer accounts similar to those used by employees. Microsoft apparently discovered the intrusion when the hacker tried to escalate things by attempting to gain access to higher, more secure parts of the network. Microsoft says it knew all along that the intruder was there, and that it had detected and monitored his presence early on.

You can bet if the Trojans were around today to put a spin on how they were hoodwinked, their tale would go something like this: "We knew all along," the Trojans.com army spokesman would tell Virgil, "that there was a bellyful of armed Greek soldiers in there from the moment we brought that wooden horse inside our gates."
