Redmond strives to cram Great MS Hack back in box

It was possible to hack in and steal source but, er, they didn't...

So did they or didn't they? Through Friday Microsoft spokespeople, spinmeisters and execs seem to have been largely unsuccessful in damping down the fires started by the Wall Street Journal's 'Microsoft hacked' story, but by the end of the day some kind of corporate line seemed to be emerging - they didn't get anything, they didn't change anything, and anyway they weren't in there for long.

But the trouble with the 'no story' story is that it doesn't directly address several of the claims made by the WSJ, that it doesn't actually guarantee the hackers weren't in there for longer (or that they're not still in there), and that this Redmond corporate line wasn't fully available when the story first broke.

Compare and contrast:
The WSJ said that hackers could have been in the network for as long as three months. During the day Microsoft sources traded this down to six weeks, and then finally to one week.

The WSJ said that the break-in had been discovered on Wednesday, and after initial Microsoft attempts to investigate it itself, the FBI was called in on Thursday. But later the company said that it had first detected the intrusion on Tuesday 17th, six days earlier.

The WSJ said that Microsoft security "detected passwords being remotely sent to an e-mail account in St. Petersburg, Russia. Microsoft... interpreted electronic logs as showing that those internal passwords were used to transfer source code - software blueprints - outside the Microsoft campus." This would have been entirely impossible in the scenario Microsoft is now describing - the intrusion was detected when the creation of new accounts "did not match our normal audit logs," the activities of these accounts were monitored over the next few days, and only source for one "future product" was seen by the intruder.

In addition, Microsoft's position is that because it would have a record of any download attempts, no code can have escaped. So, after initially giving the impression that its security was colander-like, Microsoft is now presenting it as efficient enough to spot the intrusion straight away, monitor it, and finally call in the cops when there was nothing more to be learned.
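What Microsoft's account of the detection amounts to, in practice, is an audit-log correlation: account creations are checked against what the provisioning records say should exist, and any account that fails the check gets watched. What follows is an added example, not Microsoft's tooling and not anything from the original article, of that logic run over constructed log lines in a made-up format; the event names, accounts, depot paths and ticket table are all assumptions. It also shows the caveat raised later in the piece: the log says when the rogue accounts appeared, not how long the account that created them had already been under someone else's control.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (not real Microsoft data). Each line is
# "<ISO timestamp> <event> <actor> <object>"; the event names are made up.
SAMPLE_LOG = """\
2000-10-17T02:14:09 ACCOUNT_CREATED svc_provision jdoe
2000-10-17T03:41:55 ACCOUNT_CREATED rsmith build_tmp1
2000-10-17T03:42:30 ACCOUNT_CREATED rsmith build_tmp2
2000-10-17T09:05:12 ACCOUNT_CREATED svc_provision amiller
2000-10-17T22:10:01 SOURCE_READ build_tmp1 //depot/future/main/kernel.c
2000-10-18T01:30:47 SOURCE_READ build_tmp2 //depot/future/main/loader.c
2000-10-18T01:31:02 FILE_DOWNLOAD build_tmp2 //depot/future/main/loader.c
2000-10-18T08:00:00 SOURCE_READ jdoe //depot/office/main/word.c
"""

# Constructed provisioning baseline: new account -> actor approved to create it.
# Anything not in here, or created by someone else, "does not match the
# normal audit logs" in the article's phrase.
PROVISIONING_TICKETS = {
    "jdoe": "svc_provision",
    "amiller": "svc_provision",
}


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, actor, obj = line.split(maxsplit=3)
        events.append({"ts": datetime.fromisoformat(ts), "event": event,
                       "actor": actor, "object": obj})
    return events


def unauthorised_creations(events, tickets):
    """Account creations with no ticket, or whose actor is not the approved one."""
    return [e for e in events
            if e["event"] == "ACCOUNT_CREATED"
            and tickets.get(e["object"]) != e["actor"]]


def activity_of(events, accounts):
    """Everything the flagged accounts did once they existed, in log order."""
    trail = defaultdict(list)
    for e in events:
        if e["actor"] in accounts and e["event"] != "ACCOUNT_CREATED":
            trail[e["actor"]].append((e["event"], e["object"]))
    return dict(trail)


def first_seen(events, actor):
    """Earliest log entry for an actor: a lower bound on dwell time, nothing more."""
    times = [e["ts"] for e in events if e["actor"] == actor]
    return min(times).isoformat() if times else None


def investigate(text=SAMPLE_LOG, tickets=PROVISIONING_TICKETS):
    """Flag rogue creations, then collect what the rogue accounts touched."""
    events = parse_log(text)
    flagged = unauthorised_creations(events, tickets)
    rogue = {e["object"] for e in flagged}
    creators = {e["actor"] for e in flagged}
    trail = activity_of(events, rogue)
    # Download records are the evidence Microsoft says it would hold.
    downloads = [(actor, obj) for actor, acts in sorted(trail.items())
                 for ev, obj in acts if ev == "FILE_DOWNLOAD"]
    return {
        "flagged_accounts": sorted(rogue),
        "created_by": sorted(creators),
        "activity": trail,
        "downloads": downloads,
        # The creating account's earliest entry is the creation itself: the log
        # says nothing about when that account was actually compromised.
        "creator_first_seen": {c: first_seen(events, c) for c in creators},
    }


if __name__ == "__main__":
    import pprint
    pprint.pprint(investigate())
```

Run it and the two rogue accounts fall out, along with one recorded download of source from the "future product" tree, which is the record Microsoft says it would have. What it cannot answer is the question the article goes on to ask: rsmith's earliest entry is the act of creating the accounts, so "one week" is a floor on the intruder's presence, not a measurement of it.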

Seeing as the spin-doctors will have known since Thursday at the latest that the WSJ was going with a story, it kind of makes you wonder why they left it until Saturday to run this one by the New York Times for counter-spin. But even laying that aside, there are holes in the pitch.

It seems to be pretty well established that the intruder used the QAZ Trojan to break into an employee's machine, but what happened next is still in some doubt. The break-in was to the employee's home machine, Microsoft told the NYT, the implication being that this was somehow less serious. The certainty of this, and the rest of the story, is however undermined slightly by the NYT saying this was described by Microsoft officials as "one possible chain of events." So maybe they're not sure after all.

Once established on a machine with access to Microsoft's network, QAZ will have tried to gain control of other machines on that network. Did it succeed? Despite the assuredness of Microsoft's current story, this isn't covered. What about the passwords being sent to St Petersburg? What about the logs "showing that those internal passwords were used to transfer source... outside the Microsoft campus"? These claims remain strangely undenied.

According to the NYT, Microsoft corporate security officer Howard Schmidt "said the intruder might have had access to the victim's computer before Oct. 17, but would not have raised alarms within the security offices until he created the new accounts."

So actually the intruder could have been around for three months - Microsoft doesn't know. Microsoft does know about new accounts created by the intruder, and the source they had access to (not Office, Win2k or WinME), but does it know for sure that there were no other unauthorised accounts, or unauthorised control of legitimate accounts?

If you think about what actually happened, even according to Microsoft, your confidence in the Microsoft version of events does tend to ebb. At minimum it was possible to successfully plant a Trojan in a Microsoft employee's home computer. Through this it was possible to gain access to source code under development, even as Microsoft's security people were allegedly monitoring that access. Microsoft incidentally says that the code couldn't have been downloaded because that would have been recorded, rather than that it couldn't be downloaded because it was secure - a detective control, in other words, not a preventive one. For the company crown jewels, this is not good.

Either the intruder had initially hijacked the home computer of a reasonably senior employee with reasonably high access levels, or had been able to create new accounts with that status. This is of course perfectly plausible, because Microsoft has a pretty loose structure (which in part explains past escapes of code), and a lot of employees with home access to the company network. Clearly, by Microsoft's own admission, it's possible to get at source code via this route, and it's likely that it's also possible to change that code. Otherwise why, in the words of the WSJ, was Microsoft "checking to ensure that the hackers didn't alter some of the company's commercial software"?

Despite the 'we are in control' noises now coming out of Redmond, it looks like an inherently leaky system that could easily have supported a major source code escape. If it didn't, Microsoft surely has to put it down more to luck than security. ®

Related story:
MS hacked! Russian mafia swipes WinME source?
