Microsoft Break-in: A Lesson in Desktop Security

Certainly you've heard the news: System crackers infiltrated Microsoft's corporate network. The company made the news public late last week after contacting the FBI to investigate the matter. Microsoft detected the break-in when the crackers began sending user account passwords to an email address in Russia. The crackers are reported to have had access for anywhere from 12 days to several months.

As you might have learned from the mountain of news reports that this event generated, the crackers used a Trojan dubbed QAZ to infiltrate Microsoft's internal network—QAZ was first discovered in July of this year. And although the news reports are full of interesting answers from Microsoft representatives and industry insiders about the break-in, the reports I've read have glazed over the bigger and more important issue: why the crack happened in the first place.

You can bet that Microsoft has plenty of antivirus software on its network, and I think it's safe to assume the company uses both server-based and desktop-based antivirus technology. As you know, server-based antivirus solutions filter various contents (e.g., Web, email, Network News Transfer Protocol—NNTP—news, and Word documents) as they enter areas of the network; desktop-based antivirus solutions typically scan content only on the particular system where you've installed the antivirus software. The two types work in tandem to create a more effective solution: If malicious code makes it past the server-based scanners for some reason, the desktop scanners can detect and stop it.

All the reports I've read state that the Trojan probably entered Microsoft's network on the back of an inconspicuous document. So, if desktop-based antivirus software was installed on the workstation where the Trojan-infected document was first opened, either it wasn't running at the time, or it had out-of-date antivirus signature files that rendered it incapable of detecting the QAZ Trojan. Either way, it's a very poor practice, as evidenced by the break-in.

According to a Reuters news report, Microsoft President and CEO Steve Ballmer said the crackers had viewed, but not modified, some of the company's "key source code." According to a CNNfn report, Microsoft said the crackers hadn't seen Windows 2000 or Office code but had seen code that is "years and years away." Is it just me, or do you read this to imply that Microsoft's current product line code is safe, but future code has been compromised to some extent?

Although other news reports stated that the crackers didn't download any code, I think you realize as well as I do that when a person views text (such as source code) on the screen, there's no way to determine whether that person saved the text to a file. So maybe it's a safer bet for Microsoft to assume the crackers do have copies of Microsoft code. If other reports are correct with their allegations that the hackers were trying to force Microsoft into adopting the open-source model by stealing its code to eventually make public, then maybe the code will pop up in the underground. Imagine what that news would do to the company's already drastically fallen stock price, not to mention its reputation.

The moral here is obvious, and could become incredibly expensive if you fail to take heed. Be certain you have antivirus software in place, at least at the desktop level. Never turn the software off unless you absolutely have to (and then only for brief instances under strict policy), and regularly check (perhaps daily, again under strict policy) to ensure you have the latest antivirus signature files installed on your systems. If you don't follow these simple guidelines, you too might fall easy prey, and it could cost you the entire business. Until next time, have a great week.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.