Redmond strives to cram Great MS Hack back in box

It was possible to hack in and steal source but, er, they didn't...


So did they or didn't they? Through Friday Microsoft spokespeople, spinmeisters and execs seem to have been largely unsuccessful in damping down the fires started by the Wall Street Journal's 'Microsoft hacked' story, but by the end of the day some kind of corporate line seemed to be emerging - they didn't get anything, they didn't change anything, and anyway they weren't in there for long.

But the trouble with the 'no story' story is that it doesn't directly address several of the claims made by the WSJ, that it doesn't guarantee that the hackers weren't in there for longer (or that they're not still in there), and that this Redmond corporate line wasn't available when the story first broke.

Compare and contrast:
The WSJ said that hackers could have been in the network for as long as three months. During the day Microsoft sources traded this down to six weeks, and then finally to one week.

The WSJ said that the break-in had been discovered on Wednesday, and after initial Microsoft attempts to investigate it itself, the FBI was called in on Thursday. But later the company said that it had first detected the intrusion on Tuesday 17th, six days earlier.

The WSJ said that Microsoft security "detected passwords being remotely sent to an e-mail account in St. Petersburg, Russia. Microsoft... interpreted electronic logs as showing that those internal passwords were used to transfer source code - software blueprints - outside the Microsoft campus." This would have been entirely impossible in the scenario Microsoft is now describing - the intrusion was detected when the creation of new accounts "did not match our normal audit logs," the activities of these accounts were monitored over the next few days, and only source for one "future product" was seen by the intruder.

In addition, Microsoft says that because it would have a record of download attempts, no code can have escaped. So, after initially giving the impression that its security was colander-like, Microsoft is now presenting it as efficient enough to spot the intrusion straight away, then monitor it, and then finally call in the cops when there was nothing more to be learned.

Seeing as the spin-doctors will have known since Thursday at the latest that the WSJ was going with the story, it makes you wonder why they left it until Saturday to run this version past the New York Times for counter-spin. But even laying that aside, there are holes in the pitch.

It seems to be pretty well established that the intruder used the QAZ Trojan to break into an employee's machine, but what happened next is still in some doubt. The break-in was to the employee's home machine, Microsoft told the NYT, the implication being that this was somehow less serious. The certainty of this, and the rest of the story, is however undermined slightly by the NYT saying this was described by Microsoft officials as "one possible chain of events." So maybe they're not sure after all.

Once established on a machine with access to Microsoft's network, QAZ will have tried to gain control of other machines on the network. Did it succeed? Despite the assuredness of Microsoft's current story, this isn't covered. What about the passwords being sent to St Petersburg? What about the logs "showing that those internal passwords were used to transfer source... outside the Microsoft campus"? These claims remain strangely undenied.

According to the NYT, Microsoft corporate security officer Howard Schmidt "said the intruder might have had access to the victim's computer before Oct. 17, but would not have raised alarms within the security offices until he created the new accounts."

So actually the intruder could have been around for three months - Microsoft doesn't know. Microsoft does know about new accounts created by the intruder, and the source they had access to (not Office, Win2k or WinME), but does it know for sure that there were no other unauthorised accounts, or unauthorised control of legitimate accounts?
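The detection story Microsoft tells above (account creations that "did not match our normal audit logs", then a record of everything those accounts fetched) and Schmidt's caveat (nothing is flagged for an intruder who was already inside before the new accounts appeared) can both be made concrete with a small audit-log check. What follows is an added example written for this page, not Microsoft's tooling or anything the WSJ or NYT describe; the log format, the actor names (hr-provisioning, bwilson, svc_build2, rcole), the repository names and the assumption that one provisioning system is the only normal creator of accounts are all constructed for illustration.

```python
"""Flag account creations outside the normal provisioning path, trace what
those accounts then fetched, and list actors the log cannot vouch for.
Added example; log format, actors and repository names are constructed."""
from dataclasses import dataclass
from datetime import datetime

# Constructed sample audit trail (not real logs). One event per line:
# <ISO timestamp> <event> actor=<who> [target=<account>] [ticket=<id>] [repo=<name>] [host=<ip>]
SAMPLE_LOG = """\
2000-10-15T23:40:00 source_fetch actor=rcole repo=winme
2000-10-16T09:02:11 account_created actor=hr-provisioning target=jdoe ticket=HR-4411
2000-10-16T09:05:40 account_created actor=hr-provisioning target=asmith ticket=HR-4412
2000-10-17T02:14:03 account_created actor=bwilson target=svc_build2
2000-10-17T02:16:50 login actor=svc_build2 host=10.9.3.77
2000-10-17T02:21:09 source_fetch actor=svc_build2 repo=future-product
2000-10-17T10:30:00 source_fetch actor=jdoe repo=office
2000-10-18T03:02:44 source_fetch actor=svc_build2 repo=win2k
"""

# Assumption for this example: only the provisioning system creates accounts,
# and every legitimate creation carries a ticket reference.
PROVISIONING_ACTORS = {"hr-provisioning"}


@dataclass
class Event:
    ts: datetime
    kind: str
    fields: dict


def parse_line(line):
    """Split '<ts> <kind> k=v k=v ...' into an Event."""
    ts, kind, *rest = line.split()
    fields = dict(kv.split("=", 1) for kv in rest)
    return Event(datetime.fromisoformat(ts), kind, fields)


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_rogue_accounts(events):
    """Account creations that do not match the normal audit pattern:
    created by someone other than the provisioning system, or with no ticket.
    Returns {account_name: creation_event}."""
    rogue = {}
    for e in events:
        if e.kind != "account_created":
            continue
        if e.fields["actor"] not in PROVISIONING_ACTORS or "ticket" not in e.fields:
            rogue[e.fields["target"]] = e
    return rogue


def trace_rogue_activity(events, rogue):
    """Everything a flagged account did after it was created: this is the
    'record of download attempts' that the intruder's fetches would leave."""
    activity = {name: [] for name in rogue}
    for e in events:
        actor = e.fields.get("actor")
        if actor in rogue and e.ts > rogue[actor].ts:
            activity[actor].append(e)
    return activity


def fetched_repos(activity):
    """Collapse traced activity to the sorted list of repos each account fetched."""
    return {
        name: sorted(ev.fields["repo"] for ev in evs if ev.kind == "source_fetch")
        for name, evs in activity.items()
    }


def unknown_actors(events):
    """Actors seen doing things but never seen being created in this window.
    This is the blind spot in an account-creation trigger: an intruder who
    already held a legitimate account (or created one before the window)
    never appears in find_rogue_accounts. Each of these needs checking
    against the directory rather than being assumed clean."""
    created = {e.fields["target"] for e in events if e.kind == "account_created"}
    acting = {e.fields["actor"] for e in events if e.kind != "account_created"}
    return acting - created


def run(text=SAMPLE_LOG):
    """Return {rogue_account: [repos fetched]} for the given log text."""
    events = parse_log(text)
    return fetched_repos(trace_rogue_activity(events, find_rogue_accounts(events)))


if __name__ == "__main__":
    for account, repos in run().items():
        print(f"rogue account {account!r} fetched: {repos}")
    print("actors with no creation record in window:", sorted(unknown_actors(parse_log(SAMPLE_LOG))))
```

On the constructed log the creation trigger fires only for svc_build2 (created by an ordinary user, no ticket) and the trace shows it fetching two repositories; rcole, who fetched winme before the window and was never created in it, is exactly the case the trigger cannot see, which is why "we know which new accounts were created" does not answer "were there no other unauthorised accounts".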

If you think about what actually happened, even according to Microsoft, your confidence in the Microsoft version of events does tend to ebb. At minimum it was possible to successfully plant a Trojan in a Microsoft employee's home computer. Through this it was possible to gain access to source code under development, even as Microsoft's security people were allegedly monitoring that access. Microsoft incidentally says that the code couldn't have been downloaded because that would have been recorded, rather than that it couldn't be downloaded because it was secure. For the company crown jewels, this is not good.

Either the intruder had initially hijacked the home computer of a reasonably senior employee with reasonably high access levels, or had been able to create new accounts with that status. This is of course perfectly plausible, because Microsoft has a pretty loose structure (which in part explains past escapes of code), and a lot of employees with home access to the company network. Clearly, by Microsoft's own admission, it's possible to get at source code via this route, and it's likely that it's also possible to change that code. Otherwise why, in the words of the WSJ, was Microsoft "checking to ensure that the hackers didn't alter some of the company's commercial software"?

Despite the 'we are in control' noises now coming out of Redmond, it looks like an inherently leaky system that could easily have supported a major source code escape. If it didn't, Microsoft surely has to put it down more to luck than security. ®

Related story:
MS hacked! Russian mafia swipes WinME source?
