Microsoft: We Were Watching Hackers

SEATTLE, Oct. 30, 2000 -- Microsoft Corp. says a hacker had high-level access to its computer system for 12 days — not up to five weeks, as the company had first reported — and that the company monitored the illegal activity the entire time.

While the company says it believes no major corporate secrets were stolen, some security experts believe the 12-day period was plenty of time for a hacker to do damage that may not have been detected yet.

Microsoft spokesman Rick Miller said Sunday that beginning Oct. 14, a hacker gained access to high-level secrets and at some point over the next 12 days viewed blueprints, or source code, for Microsoft software that is being developed.

When it confirmed the incident Friday, the software giant said an electronic intruder had access to source code for as long as five weeks. Microsoft used that time estimate because the duration of the hacker’s presence was unclear and the company wanted to be sure it did not underestimate the problem, Miller said.

Company Waited Two Weeks

The company was alerted to the break-in by the creation of new accounts giving users access to parts of Microsoft’s computer network, Miller said.

“We start seeing these new accounts being created, but that could be an anomaly of the system,” Miller said. “After a day or two, we realized it was someone hacking into the system.”

Not until Oct. 26 did the company notify the FBI, which is investigating. Microsoft said it initially planned to handle the break-in on its own.

“We realized the intrusion had grown to the level that warranted bringing in the FBI,” Miller said. Miller said the activity did not corrupt or modify the code for the product.

If any attempts to download or transfer the source code were made, such activity was not recorded in Microsoft’s logs, Miller said, adding that it is extremely unlikely any source code files were copied because of their immense size.

Experts Skeptical of Microsoft Claims

Some security experts questioned that assessment.

“It’s impossible to say with absolute certainty that [source code] file has not been copied,” said Simon Perry, vice president of security solutions at Computer Associates International in Islandia, N.Y. “Over a 12-day period, it would be absolutely possible to take a copy of that.”

“Source code files can be very big, but they’re easily compressible,” said Ray Pompon of Conjungi Networks in Seattle, which installed some security tools for Microsoft in 1994.

Microsoft has refused to say at what point it learned the hacker saw the source codes. Pompon said whether the company discovered it immediately would depend on the type of monitoring, something the company has not disclosed.

Miller acknowledged the hacker could have been in the system longer than 12 days but said the company is confident that high-level access occurred only Oct. 14-25.

Even with low-level access, the hacker could have accessed corporate e-mail and other confidential information, Miller said.

Blueprints for Destruction

Microsoft has refused to identify what program the source code was for, except to say it was a product years from release—not Windows or Office software.

Pompon said it’s less damaging to Microsoft that the product was not one already on the market.

“Microsoft can be more careful about what they’re going to release and make sure it’s not vulnerable,” he said.

Microsoft’s source codes are the most coveted in the multibillion-dollar industry.

With access to software blueprints, competitors could write programs that undermine Microsoft or use the data to identify weaknesses, making computer break-ins and virus-writing easier.

For instance, the “Love Bug” virus that crippled computers in May, causing billions of dollars in damage worldwide, exploited a security glitch in Microsoft’s e-mail programs.

Trojan Horse Attack

The most recent hackers apparently used what is called a “trojan horse,” a sneak attack concealed as an attachment in an e-mail.

The attachment looks normal, and some can even perform as what they appear to be. However, inside the attachment is a program that, once inadvertently activated by the user, can wreak havoc on a computer system.

“What’s still unknown is how much damage was done,” Walter Boos, president of Content Technologies Inc. in Bellevue, said Sunday. “Whether it was 12 days or 12 weeks, the troubling thing is that it could happen at all.

“Microsoft is no slouch. They’re smart people. If it can happen to them, it can happen to anyone.”