A few things I had thought of....
The hackers appeared to have accessed Microsoft's system by e-mailing software, called QAZ Trojan, to the company's network and then opening a so-called back door through the infected computer.
A ``trojan'' is a hacker's term for a device similar to the Trojan horse of Greek mythology. It looks like a normal attachment in an e-mail, but contains a hidden code that can take control of the recipient's computer.
Bruce Schneier, chief technical officer of Counterpane Internet Security Inc. of San Jose, Calif., said the break-in highlights companies' lack of network traffic monitoring.
``If you're not watching your logs 24 hours a day, seven days a week, this is the kind of thing that happens,'' he said. ``Microsoft got whacked and it made the news. But this could have happened to anyone.''
We don't know the details (and likely won't) of the specific hack, but it sure appears that Microsoft's corporate DMZ/firewalling architecture was not well thought out. The security analyst in the report hinted at it. Most Trojans utilize a non-well-known port number (like 32284, as an example) to listen on quietly within a victim's workstation. This listening port number is referred to as the "back door". The external hacker will then "probe" the victim workstation and "knock" on the "back door" to see if it's there. If the utility is up and running, then the hacker uses the utility's backdoor and service to take over the workstation or perform services quietly through this victim workstation.
(I have a personal firewall - Norton Internet Security - on my cable-modem connected workstation and this backdoor/probing hack is visible several times a day!)
The fact that supposedly the hacker was able to directly probe and connect to a Microsoft Intranet-connected workstation through a non-well-known port would be a huge DMZ architecture failure / design flaw! I can't believe that Microsoft made such a big DMZ mistake, and they would have no one but themselves to blame. Even if the Trojan used a "well known" port to listen on to make it look more innocent, this should still have raised major red lights.
I am currently consulting for a major Canadian financial institution on DMZ architecture design to prevent attacks just like this, so this topic hits home for me and gives me a lot of ammunition with my client to show how easily a weak design can be penetrated.
The DMZ architecture should not allow ANY direct Internet to Intranet connectivity. Instead, all required conversations from the Internet to Intranet zones MUST pass through a dual segmented DMZ whereby all Microsoft required or offered Internet services would flow through an "Internet Services Gateway". These gateways would provide all of Microsoft's well-known services. All inbound/outbound conversations to Intranet-connected workstations would flow through a Proxy Server (like Novell's ICS) and a circuit-level firewall like SOCKS, where Intranet workstations would not be able to allow direct listening ports to an Internet source (or at all).
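An added example, my own code rather than anything from this post or the news report it quotes, showing the defender's side of the two things described above: a Trojan sitting on a quiet non-well-known listening port, and an outside source "knocking" on that port, which a personal firewall log makes visible. It parses a constructed firewall log (a made-up format, not Norton's real one) and a constructed netstat-style listener list from an Intranet workstation, flags repeated inbound probes to high ports, flags any such probe that was actually ALLOWED (meaning a listener answered), and lists listening ports that are not in an assumed baseline of expected services. The addresses are documentation ranges and the port baseline is an assumption, not a real policy.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample lines in a made-up personal-firewall log format
# (not Norton's real format). 192.0.2.x / 198.51.100.x / 203.0.113.x are
# documentation address ranges; 32284 is the example port from the post.
SAMPLE_FIREWALL_LOG = """\
2000-10-27 08:01:12 IN  src=192.0.2.10:4521 dst=10.0.0.5:32284 action=BLOCK
2000-10-27 08:01:15 IN  src=192.0.2.10:4522 dst=10.0.0.5:32284 action=BLOCK
2000-10-27 08:03:40 IN  src=198.51.100.7:3300 dst=10.0.0.5:80 action=BLOCK
2000-10-27 08:05:02 OUT src=10.0.0.5:1034 dst=203.0.113.9:443 action=ALLOW
2000-10-27 08:06:18 IN  src=192.0.2.10:4523 dst=10.0.0.5:32284 action=ALLOW
2000-10-27 08:07:00 IN  src=192.0.2.44:5100 dst=10.0.0.6:12345 action=BLOCK
"""

# Constructed netstat-style listener list from an Intranet workstation.
SAMPLE_LISTENERS = """\
TCP 0.0.0.0:139 LISTENING
TCP 0.0.0.0:445 LISTENING
TCP 0.0.0.0:32284 LISTENING
UDP 0.0.0.0:137 *:*
"""

# Assumed baseline of services a workstation is expected to expose (an
# assumption for the example; a real baseline comes from site policy).
WORKSTATION_ALLOWED_PORTS = {137, 139, 445}

WELL_KNOWN_MAX = 1023  # IANA well-known port range is 0-1023

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<dir>IN|OUT)\s+src=(?P<sip>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dip>[\d.]+):(?P<dport>\d+) action=(?P<action>ALLOW|BLOCK)$"
)
LISTENER_RE = re.compile(r"^(?P<proto>TCP|UDP)\s+(?P<addr>[\d.*]+):(?P<port>\d+)\s+(?P<state>\S+)$")


@dataclass
class Event:
    ts: str
    direction: str
    src_ip: str
    dst_ip: str
    dst_port: int
    action: str


def parse_firewall_log(text):
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(Event(m["ts"], m["dir"], m["sip"], m["dip"], int(m["dport"]), m["action"]))
    return events


def inbound_high_port_probes(events):
    """Count inbound attempts per (source, destination port) on non-well-known ports."""
    counts = Counter()
    for e in events:
        if e.direction == "IN" and e.dst_port > WELL_KNOWN_MAX:
            counts[(e.src_ip, e.dst_port)] += 1
    return counts


def probing_sources(events, threshold=2):
    """Sources that knocked on the same high port at least `threshold` times."""
    return sorted({src for (src, _port), n in inbound_high_port_probes(events).items() if n >= threshold})


def accepted_backdoor_connections(events):
    """Inbound high-port connections the host ALLOWED: something was listening there."""
    return [e for e in events if e.direction == "IN" and e.dst_port > WELL_KNOWN_MAX and e.action == "ALLOW"]


def unexpected_listeners(text, allowed_ports):
    """Listening sockets on the workstation that are not in the allowed baseline."""
    found = []
    for line in text.splitlines():
        m = LISTENER_RE.match(line.strip())
        if not m:
            continue
        bound = m["proto"] == "UDP" or m["state"] == "LISTENING"
        port = int(m["port"])
        if bound and port not in allowed_ports:
            found.append((m["proto"], port))
    return found


if __name__ == "__main__":
    evts = parse_firewall_log(SAMPLE_FIREWALL_LOG)
    print("repeat probers:", probing_sources(evts))
    for e in accepted_backdoor_connections(evts):
        print(f"ALERT: {e.dst_ip} accepted inbound on port {e.dst_port} from {e.src_ip} at {e.ts}")
    print("unexpected listeners:", unexpected_listeners(SAMPLE_LISTENERS, WORKSTATION_ALLOWED_PORTS))
```

The two checks reinforce each other: the log shows who is knocking and, on the one ALLOW line, that the knock was answered, while the listener list shows the port that answered it. Either alone is the kind of thing that should raise a flag when someone is actually reading the logs.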
Sooo, based on what we know of the attack, it appears that Microsoft has no one to blame for the successful attack but their own weak architecture and policies.
The impact of the successful attack....
Microsoft's source codes are the most coveted in the multibillion-dollar industry. With access to them, competitors could write programs and challenge Microsoft's products.
Obviously, Microsoft does not covet its code too much, since it appears that it had no Internet security monitoring in place to catch this relatively simple method of hacking, no architecture in place to prevent this hack, and weakly enforced corporate policies for MSFT employees regarding the opening / handling of external attachments or programs from the Internet (i.e. virus scanning and not opening attachments). Microsoft's actions have spoken louder than its words - their code is obviously not that coveted.
I have heard some "so called" analysts say that this was a complicated hack and was obviously not carried out by some teen hacker. It appears to me that this is not the case - but I am sure we will never know for sure.
The impacts could be very serious for Microsoft and even the industry. Obviously for the reasons mentioned, but also because Microsoft is not telling the industry what software was compromised. And with MSFT's overwhelming marketshare in many of its products, when this unknown product hits the market, it will likely be popular and its code will be everywhere. The potentially wide distribution could be as dramatic as a well hidden time-bombed trojan (if MSFT does not go through this code line-by-line), or copy-cat versions of the code with hacks being distributed.
There are a lot of potential issues - but I think it would be the right thing for MSFT to do by informing the industry on what product is at risk so that each MSFT customer can decide if they want to be part of the potential risk of this product when it comes out.
I think we can be assured of two things... 1) we won't really know just how successful the hack was until and if the actual hackers brag about their side of the story and/or back it up with the damage they could inflict with whatever they stole or executed during their weeks within Microsoft. 2) MSFT has already started a full-scale review of how this relatively easy hack occurred. They will be busy "closing the door after the horses have left".
Maybe they should consider hiring one of their Microsoft Solutions Partners to give them advice on Internet security measures and architecture.
Just my humble opinions based on what we all have been told.
Cheers!
Toy