General discussion

  • Creator
    Topic
  • #2075746

    MS hack due to user error??

    Locked

    by veronica ·

    Microsoft admitted today that hackers have had access to their network for several weeks. The company seems to be blaming their users in two ways: Someone wasn’t running the anti-virus software and someone else opened the Trojan Horse virus.
    What about their security? How did they let this happen? Is it really that easy to get into their network?

All Comments

  • Author
    Replies
    • #3727812

      Is microsoft unreliable?

      by sony valdez ·

      In reply to MS hack due to user error??

      It is true that no system is hack-proof. There is always someone smarter who will try to outsmart another by beating his program. So it can be said that the war against hackers is also a war against programmers because programmers are the people who create the programs.

      But what does it mean when Microsoft itself, the giant software company, is hacked? Does this show a new breed of hackers who will down Microsoft’s server with this new information?

      No matter how I look at it, Microsoft must update their server and implement better security.

      • #3727785

        Security woes

        by matthew joyes ·

        In reply to Is microsoft unreliable?

        It’s all very well to blame Microsoft, and insist that good security policies and procedures would stop this, but speaking from experience, it is impossible to have anywhere near a 100% secure network.

        In large corporations with thousands of users and systems, viruses and security holes will always appear.

        Why? Because the user will find ways around the policies, which will in turn jeopardise network integrity. Usually through laziness, i.e. a user will open an attachment without it being scanned; a user will download an item without scanning it.

        Network administrators and IT staff are indeed at a loss when users don’t use common sense and follow the security procedures.

        • #3727783

          Consider this

          by andy_davis ·

          In reply to Security woes

          Is it unreasonable to consider using less popular applications other than say, Outlook, which rogue programmers tend to target through some of the more publicized exploits? This of course in addition to user security training or security awareness programs.

        • #3727767

          User Education and Management is the Key

          by jwbarr ·

          In reply to Security woes

          No matter what extensive measures you go to in the effort to protect your network, users can always be the weak link. It usually boils down to user education. There is never enough time and effort spent on educating the user on good common sense procedures. There are methods you can deploy to protect your network from attacks such as this but it usually requires restricting the user in some fashion. This is not always culturally acceptable to the users in the environment you work in. Businesses have made e-mail the method of choice for the exchange of data including small executable programs. This can be restricted but in many cases some “trusted” users are exempted from these policies, which can result in this type of security breach. User education and better management is the solution.

        • #3727764

          Trusted User

          by eseppala ·

          In reply to User Education and Management is the Key

          The “trusted user” will also teach the “new user” to some degree.
          Often the blame is placed on a “user” when the blame is due to the Mentor.
          There is a fine line between “SuperUser” and “Trusted User”.

          The “Trusted User” is adept at operating current sw/hw but is limited in overall knowledge.
          The “SuperUser” is in a position to understand all facets of operations and
          decide how much to tell who when.

        • #3791099

          authorization and authentication

          by willcall ·

          In reply to Trusted User

          Security does not have to be an endless cat and mouse game… network administrators should NOT plan on going in circles with hackers forever. We have to trap the destructive ones… and not surrender security and safety of networks.

          Two areas are still achievable….
          who is AUTHORIZED
          and of those authorized ALL must be authenticated….

          How can we better authenticate our authorized users?

          Don’t give up the ship.

        • #3790810

          E-Mail Is An Unauthenticated User

          by wayne m. ·

          In reply to authorization and authentication

          The problem, as noted below in the “Real Information Comes Out” message is yet another program run from e-mail.

          The problem continues to be that e-mail and the IP protocol in general do not implicitly support security. Rather than chastising users and making ever more complicated anti-virus programs, the industry needs to wake up and provide a true end-to-end security mechanism. Once this mechanism is in place, the OS can protect users from malicious attacks from outside users. There is still the possibility of insider attacks, but even these can be compartmentalized.

          Until an end-to-end security mechanism is put in place, e-mail based attacks will continue to occur and their effects will only become larger as networked computers become more and more firmly embedded in business.

      • #3880636

        Reply To: MS hack due to user error??

        by al macintyre ·

        In reply to Is microsoft unreliable?

        Microsoft recently converted from a hack-proof system supplied by IBM to a Microsoft system because their marketing department was embarrassed by the fact that people asked “If NT is the equal of AS/400, how come Microsoft is running its business on AS/400.” so MS converted from 23 AS/400 to 1200 NT servers (yes, it takes 50 NT servers to replicate the work of one IBM e-server) and they ran into all sorts of trouble, because NT is not REALLY the equal of the AS/400.

        However, as you can see by another post I made here, the NT vs. AS/400 was not the real cause of the security breach.

        • #3880396

          I don’t know about Hack Proof….

          by charley ·

          In reply to Reply To: MS hack due to user error??

          The AS/400 is high-quality gear, but it certainly is *not* hack proof. NOTHING is hackproof. If a legitimate user can get into a system, so can a blackhat. In the end it is about technique and procedure.

          The “Network Security War” that some media outlets like to propagandize so much is nothing new. It is, was and always will be an ongoing contest. It is not, necessarily, between good and evil (though the popular media would probably disagree). It is an ongoing struggle in which both sides may win individual battles, but neither can ever win the “war”. If you lose a battle, you find out why, fix it and prepare for the next.

          That’s the way it is, was and always shall be.

        • #3878862

          Reply To: MS hack due to user error??

          by al macintyre ·

          In reply to I don’t know about Hack Proof….

          Never been “reported” as being hacked, but in some of the AS/400 discussion lists the reasons why the hackers tend to choose one kind of high profile site and not another kind has more to do with some sites invite mischief while others invite industrial espionage, and some invite both.

          Yes AS/400 compiled objects can be altered after compilation via System Tools & other Utilities which ordinarily are accessible only by persons with high security authorization who ordinarily cannot connect to any AS/400. However, many AS/400 software consultants use the IBM ECS line into their client networks, and some are less security conscious than others.

          So while the weak link for Microsoft was an employee home PC, one weak link for AS/400 is the heavy use of the ECS line by software consultants for whom Security is not an important topic.

      • #3880635

        Computers can be Secure

        by al macintyre ·

        In reply to Is microsoft unreliable?

        http://www.radium.ncsc.mil/tpep/epl/epl-by-vendor.html is a directory by vendor of the most secure computer systems available with links to what is needed to achieve this. Many vendors are conspicuous by their absence. The computer press needs to ask when there is a breach whether the system being used was on this list & whether the security there met the criteria shown.

        • #3878849

          Vulnerabilities: MS vs IBM

          by sfo farmer ·

          In reply to Computers can be Secure

          There are so many levels you can focus your security on. I think the least focus is on the worktop level.
          As far as an AS/400 or a s/390 being more secure? Any OS that is not easily accessible to the general hacking public is usually the least exploited. (When was the last big Mac virus? And yes, there have been viruses on mainframes.)

          Viruses in the form of trojans are the easiest way in. If you have home users that are dialing in, you should require the same protective measures you do in the office.

          Virus and Intrusion detection has become so complex now that you need staff with experience to protect you.

          No matter how secure you make a system- there will always be someone who can get in. The best thing is to take the precautions and enforce standards to make your enterprise a hardened target.

          SFO

    • #3727748

      The user or network operating system

      by kbnet ·

      In reply to MS hack due to user error??

      I have read through all the comments made and I have one question: why is everyone out there quick to jump on a user error? Have any of you network professionals even considered that it just may be a weakness in their operating system? Correct me if I am wrong, but has it not been well advertised that there is a security hole in their current server 2000 operating system? Which dealt secure domain where an administrator with no rights to that domain can get into it if they knew the proper sequence of keystrokes. This has been proven some time ago by some of their competitors (Novell and others) who do a lot of testing on Microsoft software. To sum this up, if I were someone in charge of a network running server 2000 I will be real concerned about my own company’s valuable assets (it information), because obviously they (Microsoft) have to be using their new server 2000 on their own networks.

      • #3727747

        back door channels open

        by anderson ·

        In reply to The user or network operating system

        Has anyone considered that Microsoft has always had a back door to their software and that someone figured out how to access it through the back channel over the internet? Just like some of the ad boxes you click on leave a program that reads and relays your browsing habits and sites you visit. Unless Microsoft has stopped leaving a back door in their software, any real good hacker/programmer can gain entrance to a system given the time to perfect what he needs to set up a trojan that he/she can upload undetected and later activate for access.

      • #3727746

        look at the tree

        by joebrainer ·

        In reply to The user or network operating system

        kbnet —
        Look at what all of the previous responses were responding to… The discussion thus far has centered upon whether the NOS must absolutely be at fault.
        The consensus thus far seems to be that the most secure technology must still be used by people, who make mistakes. This holds whether the OS is Win2K, Linux, or whatever other OS you may hold dear.
        You are undoubtedly correct that there are security holes in Win2K, but even if there were none at all, the toughest security question still remains to be answered (and I would be interested in seeing some discussion on this one): how to protect against user error, much less user carelessness?

        • #3727734

          MS chokes on its own dog food

          by richard ·

          In reply to look at the tree

          It’s said that Microsoft eats its own dog food. In other words, it uses Win2k and all of the other MS products. If their network security failed, whether you blame the NOS or user(s), it ultimately is a failure of the security of the NOS.
          Remember, most of the security fixes posted to Microsoft’s site are a result of the experiences of Microsoft’s customers, not Microsoft’s first-hand experience.
          It’s also possible that the breach was a result of an “inside job.”

        • #3727720

          the dog food tastes like hack-snacks

          by dirtycar74 ·

          In reply to MS chokes on its own dog food

          yeah, it very well COULD be an inside job, but then again… Who WOULDN’T want to teach the big dog a lesson? I mean, COME ON! We all know of and/or have heard of all the toes Microsoft has been stepping on… If they think that their software is perfect and has no security issues, boy oh boy do I have some news for them. I can’t say it enough that even in an NT environment, EVERYONE should be running a firewall and cookie management software. these back-door things that were spoken of are actually considered ‘spyware’ and realplayer has it, aureate has it, and a few other programs have it… look up ‘OptOut’ at http://www.grc.com on how these things work… it’s kinda interesting that a lot of people are totally oblivious to it. but I do notice that users are the common bad link in all security holes… Now we have to get all these users trained enough to just REALIZE what is a security risk and what isn’t… That is half of the battle…

        • #3727694

          not just a microsoft problem

          by binarypc ·

          In reply to the dog food tastes like hack-snacks

          What everyone says about MS being a big dog may be true, people in the hacker community want their names on the big board as “the one” who fed the dog lemons. I’ve seen and heard every possible argument about MS and their “evil” ways, but am convinced that they are a business like any other. They push their products hard and work very hard at marketing them.

          The Justice Department can work at making them walk the straight and narrow. That has nothing to do with the technical soundness or weakness of 2000. I like Win 2k and think they have surpassed 4.0 by light years with the product. I think that the capability to “harden” the OS is a lot stronger than with NT 4.0. They have done a good job.

          The reality is that no matter who was on top, be it Sun, Novell, HP or MS they would be attacked, because they were the “big dog”. Java based mail clients and OS’s have just as many holes as Outlook and 2k. Hackers “in the negative meaning of the word” thrive on the “look what I did” attention. They want the notoriety.

          I think it will be interesting to see what MS releases or sets up to protect from these types of intrusions. I’m glad they are using their own software because I think it will make their products better.

          By the way, these guys will be caught when they start boasting on their hangouts about what they did. It will make for interesting reading for a while.

        • #3727684

          Absolutely..not just a Microsoft problem

          by tknorris ·

          In reply to not just a microsoft problem

          Thanks, binarypc, for your post. While Bill Gates and company are no angels, they have produced some of the best products on the market today. These statements may seem biased, but true (no matter how much some say otherwise). Are there security holes in MS software? Sure. Are there holes in Unix, Linux, Netware, etc? Microsoft’s products are implemented across the world more than any other and thus are susceptible to more attacks. Is this recent security breach a concern? Absolutely, and I am sure that MS will deal with it accordingly. Security is the responsibility of both the user and the one who implements the secure infrastructure. It is also a balancing act because more security equals less freedom for the users of any particular system.

          Microsoft is a big dog and will always (sometimes fairly and sometimes unfairly) face an enormous amount of scrutiny when their systems are compromised. How well they or any other business addresses these issues is the key.

        • #3727681

          Catching the hackers…

          by pjstrifas ·

          In reply to not just a microsoft problem

          Anyone who expects some hacking group to come boasting about this break-in should consider that the group (or entity) responsible is not a hacker group per se.

          What if this was industrial spying? Or state-sponsored stealing of intellectual property? In these cases, no one is going to boast about the exploit.

          There’s far more to gain by staying quiet and leveraging the fruits of their labor in the future.

          I don’t believe this was just a group of script-kiddies having some fun with a trojan horse program. This was a serious group looking to steal the most sought-after commodity in the computer world. The value of what they stole is much more valuable with silence.

        • #3880629

          Source Code

          by al macintyre ·

          In reply to Catching the hackers…

          If some stories are correct, that the hackers got access to source code that is not delivered with the products to end users, then there is the potential to dream up new hacks & viruses & security violations not yet found by beta testers.

        • #3791017

          classified(proprietary)info

          by wcrossin ·

          In reply to not just a microsoft problem

          Why is classified(Proprietary) information even available from outside of the company? This is just plain poor management. The quote that gets me is: “We start seeing these new accounts being created, but that could be an anomaly of the system,” Miller said. “After a day or two, we realized it was someone hacking into the system.” Isn’t one of the first clues to hacking, unrecognized accounts? I wonder who the fall guy will be.

        • #3727687

          User error?

          by Anonymous ·

          In reply to look at the tree

          Microsoft made every possible effort to leave their users unaware of what the software actually does when the user activates an object.

          You can’t blame the user ’cause even a simple thing like “hide file extension” makes the user unaware of the nature of a file.

          Security by obscurity does not pay. The real weakness is in the I.T. staff that chooses to rely on one single vendor for an entire network.

        • #3880631

          Complex topic

          by al macintyre ·

          In reply to look at the tree

          Security can be a good tool making life easier for the user … see only what you are supposed to be working with, simplify what you are faced with.

          Application design needs to be able to catch errors on many levels. User keys in something that is wrong … software catches if it is invalid, but what if user is keying in a date & keys in 01/02/03 & the system is looking for MM/DD/YY format but the user is thinking DD/MM/YY format … what they just entered was a valid date, but it was a wrong input. I think all date input fields need a prompt so we know when to do YY/MM/DD or whatever is called for.

          Software needs to be checking for ranges … what you entered was valid but outside the normal pattern … are you sure.

          Sometimes the user does not know they made an error & later data processing needs to catch what is possibly wrong & software design needs ways to be able to correct errors after the fact.

          We make lots of corrections … we ought to have some kind of audit trail in case of mistakes correcting mistakes.
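The input checks asked for in the post above (a format-ambiguity prompt, a range confirmation, and an audit trail that also covers corrections of corrections), as an added Python example that is not part of the original post. The function names, the status strings and the 20YY century rule are assumptions made for illustration.

```python
from datetime import date

# Field order for each two-digit date format named in the post.
ORDERS = {
    "MM/DD/YY": ("m", "d", "y"),
    "DD/MM/YY": ("d", "m", "y"),
    "YY/MM/DD": ("y", "m", "d"),
}
CENTURY = 2000  # assumption: a two-digit year YY means 20YY


def interpret(text, fmt):
    """Return the date `text` denotes under `fmt`, or None if it is not valid."""
    parts = text.strip().split("/")
    if len(parts) != 3:
        return None
    if not all(len(p) == 2 and p.isascii() and p.isdigit() for p in parts):
        return None
    v = dict(zip(ORDERS[fmt], (int(p) for p in parts)))
    try:
        return date(CENTURY + v["y"], v["m"], v["d"])
    except ValueError:  # e.g. month 13 or day 31 in a 30-day month
        return None


def check_date(text, expected_fmt, earliest, latest):
    """Classify input as invalid, ok, or needing confirmation from the user."""
    value = interpret(text, expected_fmt)
    if value is None:
        return {"status": "invalid", "value": None, "also_valid_as": {}}
    # The input is "valid but possibly wrong" if another format reads it as a
    # different real date: the 01/02/03 case.
    others = {}
    for fmt in ORDERS:
        alt = interpret(text, fmt)
        if fmt != expected_fmt and alt is not None and alt != value:
            others[fmt] = alt
    if others:
        status = "confirm-format"
    elif not (earliest <= value <= latest):
        status = "confirm-range"  # valid, but outside the normal pattern
    else:
        status = "ok"
    return {"status": status, "value": value, "also_valid_as": others}


class CorrectionLog:
    """Append-only record of after-the-fact corrections to a record."""

    def __init__(self):
        self.entries = []

    def correct(self, record, field, new_value, who, reason):
        self.entries.append({
            "seq": len(self.entries), "field": field,
            "old": record.get(field), "new": new_value,
            "who": who, "reason": reason,
        })
        record[field] = new_value

    def revert(self, record, seq, who):
        """Undo a mistaken correction; the undo is itself logged, never erased."""
        entry = self.entries[seq]
        self.correct(record, entry["field"], entry["old"], who, f"revert of #{seq}")


if __name__ == "__main__":
    print(check_date("01/02/03", "MM/DD/YY", date(2003, 1, 1), date(2003, 12, 31)))
```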

      • #3790975

        Not just their products

        by durocshark ·

        In reply to The user or network operating system

        This is kinda off topic, but there’s an urban legend that Microsoft has been using, and still uses, competing products.

        They’ve been trying to show how powerful and scalable their server software is, yet they allegedly use an AS/400 for shipping duties.

        Whether it’s true or not, I’d like to see an inventory of their servers. Out of curiosity, of course.

        BTW: This is a great chance for Open Source movement to use FUD (Fear, Uncertainty, Doubt) against Microsoft, instead of the other way around… heehee

        • #3790956

          Urban Legend (or not)???

          by freddo frog ·

          In reply to Not just their products

          I have been reliably informed by an ex-EDS employee that when EDS were having problems getting Exchange Server to run on NT, that after having spoken to MS Tech-Support several times, to no avail, they finally got MS to admit that MS were running Exchange on a Unix platform.

          Says a lot about their products doesn’t it…

    • #3727620

      User error or industrial espionage ?

      by edmuch ·

      In reply to MS hack due to user error??

      Yes, someone might have disabled their anti-virus software, but was this done in error or intentionally to allow the Trojan horse entry? The possibility of this hacking being done by a group of well organised professionals is very strong. Their motive was different from your common garden variety hacker seeking notoriety; thousands of programmers and software houses would love to get hold of MS source. These guys are not going to boast about their feat, ain’t no money in that…

    • #3727532

      MS responsible for employee actions

      by voodoov ·

      In reply to MS hack due to user error??

      That is pretty weak if MS is pointing the finger at their own employees. Even if the hacker themselves were MS employees. Isn’t MS still responsible? Don’t they run security checks?

      I’m sorry, but since MS has pissed off so many people with their aggressive tactics, I don’t feel any sympathy for them getting hacked. I’m not for vigilantism but maybe this hacker will succeed where the courts fail.

      • #3791112

        Unwise to trust users w/ antivirus maint

        by dlw6 ·

        In reply to MS responsible for employee actions

        Concur w/ VoodooV’s first paragraph.

        Any quality AV product (I won’t name names) can be set up such that it will automatically scan, auto-protect, and update the system. Why would MS expect their users to be better trained and supervised than other companies?

        Users will do what they are trained and led to do, and most companies don’t do enough user training. Therefore it’s much easier to have the IT department set up auto-everything with a good AV package and check on it once in a while. The only time I have ever had problems with this approach was when the user, in violation of published policy, tried to mess with the AV settings and left the machine unprotected.

        I’m not going down to get into whether MS deserves to be hacked. Sympathy is, or should be, irrelevant under the law. I’ll just cast my vote on election day.

        Good fortune,
        Don

    • #3791069

      How to deal with user problems.

      by rellips ·

      In reply to MS hack due to user error??

      One of the ways to deal with lax security from users is to compartmentalize the network. It appears from the news reports that anyone with a password could gain read/write access to the MS Source library. If that is the case, then you have to ask the question, why was the master copy of code in an internet accessible area? Why not keep a copy and use change mgmt software (pvcs..etc) to manage changes and sync with the master code after the changes are validated? The os may not be to blame here, a trojan could easily be written to infect and pass info back about Linux, SunOS, etc. The problem appears to be that not enough effort was made to protect and isolate valuable information.

    • #3790967

      Their own med.

      by seveninstl ·

      In reply to MS hack due to user error??

      The rest of us have been suffering for years because of MS’s lack of security – their holes. It’s about time they’ve suffered from it.

    • #3790927

      Another sleeping beed!!!!

      by nixxo_us ·

      In reply to MS hack due to user error??

      My opinion is:
      I think Microsoft is planning to make a new OS where the word vulnerabilities is going to be a word of the past. Microsoft is well known for buggy OS and programs with lots of vulnerabilities so they are trying to aim now more towards the real security for the enterprises. Remember the best security is to know the WAY IT IS DONE!!! The rest is just to bring attention and publicity!!!
      Thanks
      nixxo_us@yahoo.com

      • #3790860

        Security Breach my foot

        by dennis@l ·

        In reply to Another sleeping beed!!!!

        Folks, Look at the big picture.
        Frankly, I find it hard to believe that Bill Gates, as smart as he is, would be stupid enough to expose his source codes to the world without some logical purpose. What are the odds that he knew someone was trying to hack into his systems, so he invited them and gave them phony source codes? Now that they have something to play with and keep them busy spending their money on the wrong technology, he can be left alone to develop what he really wants to. Including bugs and fixes in his own programs. After all he did convince IBM to write Windows 95 for him, then left them without any rights to any part of the operating system.

    • #3790847

      The real story isn’t as interesting

      by dlw6 ·

      In reply to MS hack due to user error??

      Well, now that more info has come out, we find that the media is over-hyping what they don’t understand. I can’t say I’m surprised.

      MS is telling us that the intruder only viewed source code of a developmental product that is not an OS or mail system. They have pretty accurate logs of the transactions and know exactly what was up/downloaded. No access was gained to current products (like Win2K or Outlook).

      The compromise came via an employee at home who was not using AV software on his home computer. He received the QAZ trojan via email and executed it, resulting in his personal login/passwords being sent to the intruder. The intruder then used that information to dial into MS and authenticate himself as a legit user. From there, he was able to use the real employee’s credentials to create new accounts and roam around the system. All of this activity was monitored in real time by the security team in Redmond. When they felt they could no longer control the intruder’s activity they notified the FBI.

      Good fortune,
      Don
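The sequence described in the post above (a remote dial-in with a real employee's credentials, followed by new accounts being created) is something a log review can flag, since account creation by anyone other than a provisioning account is rare. The following Python sketch is an added example, not part of the original post; the log format, event names, account names and time window are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical "timestamp EVENT key=value" format.
SAMPLE_LOG = """\
2000-01-10T02:14:07 REMOTE_LOGIN user=jdoe src=dialup
2000-01-10T02:31:45 ACCOUNT_CREATED actor=jdoe new=tmp_build
2000-01-10T02:40:12 ACCOUNT_CREATED actor=tmp_build new=tmp_build2
2000-01-10T09:05:10 ACCOUNT_CREATED actor=hr_provision new=asmith
2000-01-10T09:30:00 REMOTE_LOGIN user=bwhite src=dialup
this line is malformed and must be skipped
2000-01-11T10:00:00 ACCOUNT_CREATED actor=bwhite new=lab_test
"""

PROVISIONERS = {"hr_provision"}     # assumption: only these may create accounts
REMOTE_WINDOW = timedelta(hours=4)  # assumption: how long a dial-in counts as recent

LINE_RE = re.compile(r"^(\S+) (REMOTE_LOGIN|ACCOUNT_CREATED) (.+)$")


def parse_events(log_text):
    """Parse log lines into (timestamp, kind, fields), skipping malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
        events.append((ts, m.group(2), fields))
    return sorted(events, key=lambda e: e[0])


def find_suspicious_creations(events, provisioners=PROVISIONERS, window=REMOTE_WINDOW):
    """Flag account creations that did not come from a provisioning account."""
    last_remote = {}  # user -> time of most recent remote login
    flagged = set()   # accounts that were themselves created by a flagged event
    alerts = []
    for ts, kind, fields in events:
        if kind == "REMOTE_LOGIN":
            if "user" in fields:
                last_remote[fields["user"]] = ts
            continue
        actor, new = fields.get("actor"), fields.get("new")
        if not actor or not new or actor in provisioners:
            continue
        reasons = ["creator is not a provisioning account"]
        seen = last_remote.get(actor)
        if seen is not None and ts - seen <= window:
            reasons.append("creator dialed in remotely shortly before")
        if actor in flagged:
            reasons.append("creator is itself a flagged new account")
        flagged.add(new)
        alerts.append({"time": ts.isoformat(), "actor": actor,
                       "new": new, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_creations(parse_events(SAMPLE_LOG)):
        print(a["time"], a["actor"], "->", a["new"], "|", "; ".join(a["reasons"]))
```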

      • #3756058

        Really?

        by yaduc ·

        In reply to The real story isn’t as interesting

        When was the last time you heard about Bank of America or Merrill Lynch getting hacked? Yet this appears on the front page of most major newspapers. Not the front business section either.

        When Jackson broke up Microsoft he made it particularly difficult for each entity to exchange resources or otherwise collaborate. There are ONLY strict legal issues that need to be circumvented for information to migrate. In the reports I read, whatever code was hacked subsequently appeared in a public newsgroup. That newsgroup was then REPORTED to have been closed. Sounds like a great loophole to me.

    • #3880638

      Reply To: MS hack due to user error??

      by al macintyre ·

      In reply to MS hack due to user error??

      Microsoft Management needs to have someone reading the Disaster Recovery Planning thread that is on Tech Republic @
      http://www.TechRepublic.com/forumdiscuss/thread_detail.jhtml?thread_id=17159

      because MS had various different people saying different contrary things about the situation. I read one place that the way the hacker got in was to access a HOME COMPUTER of an EMPLOYEE of MICROSOFT.

      The home computer security was not as up to date as the corporate network, and this is a well known hole in security. Companies assume that when there is a dial in by an employee it is really by the employee, and not a hacker.

      Same way as when we get e-mail from a trusted person. We assume it is really from the trusted person & not some virus that got into their PC & sent out some garbage to everyone in their address book.
