How MS played cat and mouse

When the first couple of new accounts popped up, the network administrators
at Microsoft didn't pay too much attention. Most likely,
someone new didn't set them up properly. Then a few more
accounts appeared. Then more. Within a few days, there were
about two dozen new accounts. What's worse, whoever was
creating them started trying to upgrade their network privileges,
including permission to view high-level files and their more-sensitive
information.
That, according to sources familiar with the case, is when
Microsoft called in its computer security team. Company officials
believe the hacker had access for about 12 days, but only
to the source code, or blueprints, for a single product that
is still in the early stages of development. That contrasts
with initial company statements that the hacker could have had
access for up to five weeks.
But Microsoft officials admitted last Monday that its computer
experts were unable to track the infiltrator despite more
than a week's worth of electronic cat-and-mouse through
the company's network. "We are continuing to work
closely with law enforcement," said company spokesman
Rick Miller. "Beyond that, we really can't say much
more."
Miller acknowledged the hacker could have been in the system
longer than 12 days but said the company is confident that
high-level access occurred only between Oct. 14-25. Even with
low-level access, the hacker could have accessed corporate
e-mail and other confidential information, Miller said. Mark
Rasch, a former Justice Department official and now Vice President
of a computer security firm, said Microsoft's lack of
success is common among the industry. "Only the dumb
ones get caught," Rasch said. "Microsoft's
experience is not atypical, especially if the bad guy was
smart."
Sources close to the case, who did not wish to be identified,
said that the company managed to learn of the infiltration
early. While the hacker was able to create new accounts for
himself, many computer networks build in that kind of flexibility
so that midlevel managers can create accounts for new workers
and teams. "It's tough because once the hacker creates
the accounts, he can look like a normal person logging in,"
Rasch said. "So which accounts do you monitor? There's
always a chance you'd miss one."
After the network administrators reported the problem to Microsoft
security on Oct. 14, sources said the company monitored the
various accounts as the hacker tried to upgrade his security
clearances. The hacker did manage to access the source code
to one product, the company said. Microsoft officials would
not say whether the product had anything to do with Microsoft.NET,
the company's new strategy for products that work over
the Internet instead of on a single computer. "Theoretically,
all of our products will be .NET in three to five years,"
Miller said. "But we can say for certain that it was
not one of our core products."
The company then tried to track the intruder on its own, sources
said, but had little luck determining where his commands were
coming from. Hackers often use other computers across the
Internet, often ones they have previously broken into, to
bounce their data around to confuse trackers.
"There's always a trade-off between shutting them
down and continuing to let them go while you investigate,"
Rasch said.
After law enforcement joined the investigation on Oct. 26,
sources said there was little improvement. Microsoft was forced
to shut down all the questionable accounts and barred outside
access to the network for a time to stop the hacker from accessing
more confidential data. The company believes that its systems
are now secure again, but would not confirm how the breach
took place in the first place. Media reports have said the
hacker used a Trojan, a tool masquerading as an
innocent file or program, usually sent through e-mail, that
requires the recipient to unknowingly click on it.