By Jack Bryar
NewsForge Columnist
Maybe NOW they’ll get serious about fixing the security in their
software.
This hasn’t been a good couple of days for the executives at
Microsoft. The company fell victim to one of the oldest and dumbest
Web-hacks known. Someone at the company accidentally picked up a copy
of
QAZ Trojan, a virus, not much different from dozens of other Trojan
horse and worm programs, that have messed up Windows-based corporate
networks over the last couple of years courtesy of well-documented
flaws
in Windows, Office and Microsoft Outlook.
QAZ Trojan has been around for a while. It is usually picked up as
an
email attachment, and executes on opening. The user thinks they have
an
attached Windows Notepad message. QAZ executes a backdoor program,
which
effectively provides a third party with remote access to the user’s
system — and all the remote systems it has access to. Presumably this
back door allowed the hacker access to server files. Not long
afterwards, passwords were being sent to an email address in St.
Petersburg, Russia.
Sometime thereafter Microsoft “security” personnel noticed that that
someone or something was touring the network and had stopped to peek at
some source code files — at least that was the official story as of
Friday afternoon. The story kept changing throughout the course of the
day. At one point Microsoft’s whole happy-talk SWAT team had sprung
into
action. Guys like Mark Murray, Rick Miller, John Pinette, and Matt
Pilla
kept issuing ever-narrowing assurances that nothing happened that would
endanger Office or Windows, at least. There was no problem, nothing
had
really happened, nothing was touched (as far as they could tell) and
the
FBI was deeply involved.
Others suggested the problem was a little worse than that. The
Associated Press said that the breach might have begun a good five
weeks
ago, in mid-September. In addition, spokesmen for a security firm,
AXENT
Communications, sent out a press release late Friday that claimed that
Office and
Word source programs were accessed. I spent much of Friday
evening with the company’s press agency and never did discover how they
knew this.
In the meantime, senior Microsoft executives around the world were
being chased down by reporters eager to find out what really happened.
The guy who got Steve Ballmer to admit that hackers had looked at
source
code had to track him down in a Swedish hallway.
Unfortunately, even when reporters managed to corner Microsoft
managers or other “experts” they asked all the wrong questions.
Reporters asked whether the hackers had somehow “compromised” the
company’s software by taking a peek at files of source code. Of
course,
Ballmer and all the others solemnly maintained that nothing had been
compromised. Such a silly question. Source code, particularly beta or
alpha level stuff, is going to be of little use to anyone except
Microsoft, unless the hackers also got most of the accompanying
documentation and related libraries. Such code certainly isn’t going
to
be “held hostage,” as the Wall Street Journal suggested, or be
“auctioned off to criminal elements.”
Another guy, a reporter from the BBC, asked if perhaps some
competitor was trying “to get an edge” on the company — a question
which would presume that Microsoft HAD competition.
In Russia, a very silly person named Denis Zenkin who
works for a “Moscow based anti-virus company” called Kaspersky Labs
told
local reporters that he knew the hackers weren’t Russian despite the
St.
Petersburg email address. How did he know this? He said it was because
the “only known hacker in St. Petersburg quit a few years ago.”
That’s a pretty funny claim. Crackers and phreakers have so
thoroughly compromised segments of Russia’s telecom and data nets that
travelers are frequently warned that even a simple ATM or credit card
transaction can be a risky adventure. According to Alice Lagnado of
the
Times of London, crackers in the area are so organized that they have
their own magazine, which she called Khakers. I don’t know Khakers,
but
I do know Hackers Magazine. Its editor, a fellow by the name of Sergei
Pokrovsky, told the Moscow Times how much admired the Microsoft
crackers,
saying, “I want to meet them… They are real professionals.”
Another nitwit, a self-proclaimed American “security expert,
formerly
from NASA” intoned gravely to a European reporter that this was
evidence
that Microsoft might be letting too many people test their code.
(Supply
your own response here).
But by far the dumbest set of questions I heard anyone ask was
whether, somehow, this crack into a Microsoft code library meant that
Microsoft’s software might now be vulnerable to penetration by
outsiders.
Excuse me?
Over the last couple of years, pointing out security holes in
Outlook
and Windows has grown into a virtual cottage industry. I get regular
emails from three web-based services that make money advising their
clients about new holes found in Microsoft’s suite of products.
Security
experts from around the globe make a good living by offering training
programs that point out these same security problems. Consulting
companies like Ernst & Young offer regular “Hacking 101” classes
focused largely on Microsoft, and they have three applicants for every
slot they
have available.
And there is a good reason for all this demand. According to the
Computer Security Institute, 273 large companies and government
agencies
reported losses totaling over $266 million last year, largely due to
software security problems.
In the past, concerns about Microsoft’s security flaws have been met
with an avalanche of press releases and cosmetic patches that always
address the immediate problem, but which never addressed the
fundamental
architectural issues that lay at the heart of many of these security
failures. Up to now, Microsoft has suggested that Windows, Outlook and
Office were certainly easier to secure than that Open Source
stuff. The company implied that the problem was largely the fault
of
users, and that poor administrative or user practices were at fault, or
that people simply didn’t understand the software well enough to use it
properly.
All those things may be partly true. They may even be true at
Microsoft. But perhaps, now that these security problems have affected
the gnomes of Redmond, the company might try a little harder to fix
them. Even if you don’t run a single Microsoft program, I think you’ll
agree — that development would be good for everyone.
NewsForge editors read and respond to comments posted on our
discussion
page.
