The theory that hackers reached Microsoft Corp.'s product development servers via a home-based employee's computer demonstrates why it's critical for companies to ensure that their remote employees aren't stepping-stones into the corporate network.
Attackers using a server in Russia penetrated Microsoft's corporate network in a high-profile security breach that was made public 10 days ago.
Meanwhile, on Friday, another hacker claimed to have penetrated the company's Web servers, and Microsoft confirmed that at least one server had been breached.
Microsoft initially said some of its source code may have been stolen during the incident. Officials later said it appeared that the hackers may have only viewed portions of the code for products that are still under development.
Microsoft claimed that it knew about the hacker for at least 12 days - during which the company apparently tracked the person's every move within the network.
So far, Microsoft hasn't yet offered any public explanation as to how the hackers may have gained entry into what should have been a bullet-proof network.
Several analysts said they believe the attackers used a Trojan horse program known as QAZ to break in.
Trojan horses like QAZ usually enter a victim's system as e-mail attachments or are hidden in pornographic files and downloadable games.
Once inside a system, the programs broadcast their location to the hacker, who then takes administrative control of the system without the user's knowledge. He is then able to do the same things the authorized user of the computer would be permitted to do.
The odds of such programs being downloaded on a home computer are much greater than for an office-based one because home security is frequently less stringent and harder to monitor, said Russ Cooper, an analyst at Reston, Va.-based security firm TruSecure Corp.
An employee opening e-mail from an insecure service or using a work computer to log in to a personal Internet account could, for instance, unwittingly download a malicious program that could then infiltrate a corporate network. Similarly, unauthorized users - such as an employee's child - could use an office system to download games that contain viruses, Cooper said.
"It's been a problem for quite some time, and with more people working from home, the threat is increasing," Cooper said.
In Microsoft's case, the hack could have also originated with an office-based employee downloading and opening a file containing malicious code, said Jeffery V. Johnson, CEO of Metases, an Internet security consulting firm in Atlanta and an affiliate of Meta Group Inc. in Stamford, Conn.
But increasingly, "people are breaking into home-based systems and using them as pivot points" into corporate networks, according to Johnson.
It's precisely this concern that prompted insurance and finance company Lutheran Brotherhood in Minneapolis to install firewalls on notebooks belonging to its 1,800-strong field force earlier this year, said information security manager Jay Dybdahl.
Such firewalls "become very critical when a home user is always connected to the Internet via [Digital Subscriber Line] or some other [persistent] connection," Dybdahl said.
"The fact is, if we're going to allow access to corporate networks from staff at home, there are going to have to be new procedures followed that protect those processors," said Cathy Hotka, vice president of information technology at the National Retail Federation, a retail trade association in Washington.
Controlling home users is a matter of faith, said Rick Waugh, a product manager at Telus Corp., a telecommunications company in Burnaby, British Columbia. "You put rules in place and hope they follow them," he said.
For more enterprise computing news, visit Computerworld online. Story copyright © 2000 Computerworld, Inc. All rights reserved.
RELATED LINKS
Apply for your free subscription to Network World. Click here. Or get Network World delivered in PDF each week.
Request a reprint or permission to use this article.
