Microsoft's security run around

So even Microsoft, with all its legendary technical expertise, cannot come up with a bullet-proof network.

By editorial@silicon.com, 27 October 2000 16:00

COMMENT And this was no minor hack - according to the Wall Street Journal, which uncovered the incident, our malicious individual (assuming it was the work of one person) hid a Trojan program called QAZ in a Notepad document, which was sent to a Microsoft employee's email. The employee opened the file, which triggered the Trojan to alert a computer in Asia. It's then supposed to have installed tools from a site in the South Pacific. Other computers were infected as the Trojan propagated, passwords were collected, and then reportedly emailed to an address in St Petersburg, Russia.

Whether or not that's all true - and some security experts doubt the Russian connection, with Microsoft itself refusing to confirm the details - it is undoubtedly true that the network was compromised. So what does all this mean for businesses in general?

One mischievous silicon.com viewer suggested in a Reader Comment that Microsoft's own products were to blame - an echo of the aftermath of the last LoveBug attack, when Microsoft was accused of releasing inherently insecure products.

Our viewer said: "Most Microsoft products appear to ship with security disabled (default security on NTFS drives, UDP port 139 wide open, etc). It seems to me that their philosophy is 'enable everything and then try to switch off the holes you don't want open'. Personally I think good security starts the other way round."

He's quite right, at least on his last point - any IT manager who hasn't changed the default security settings on his or her software, whether Microsoft's or otherwise, deserves to be hacked. But even that may not be enough. Surely Microsoft itself would have taken every precaution to protect such sensitive data - assuming the Wall Street Journal report is correct and the source code of upcoming products was accessed.

A determined hacker, either with malicious intent or with industrial espionage in mind, will always be able to crack every network, given time. So what's the answer?

Unfortunately, no system is totally secure - just as no filing cabinet or safe is totally secure. Total security, in this case, would have involved Microsoft removing the source code under development from its network. Hardly an option as productivity would grind to a halt.

So all you can do is balance security, and the amount you spend on it, with productivity - while factoring in the potential damage of losing the data in question. It's hardly a perfect solution. But as Microsoft has just found out, this is a far from perfect world.
