Users consider Microsoft hack implications

02 Nov 2000

Over the past seven days, as Microsoft has released one statement after another about the hack on its corporate network, one thing is clear - nothing is clear at all.

The software giant said initially that the hacker (or hackers) could have been accessing the network for up to three months, and that it was unsure whether the source code to its products had been downloaded or tampered with.

It then said the hacker had only gained access for 12 days, that only source code for products currently under development had been viewed but not downloaded, and that Microsoft's security staff had monitored every move, compiling information that would help the FBI with its investigation.

But the lack of conclusive evidence or information on the extent of the attack has meant that analysts are divided on who was responsible, why they did it, and how it could ultimately affect Microsoft's vast installed base of business users.

"If anyone obtained Windows 2000 source code, Internet Information Server, SQL Server or any of the main engine systems, you can paint an arbitrarily gloomy scenario off the back of it," said Neil Barrett, technical consultant at security firm Information Risk Management.

"I can guarantee that Microsoft software has holes in it, but without the source code you are just fumbling around for vulnerabilities," he added.

Charles Kolodgy, research manager of internet security at researcher IDC, said: "One of the most popular operating systems being deployed at the moment is Linux, and everyone gets to see that source code. So I don't think having someone look at Microsoft's code, which isn't even going to be the final version, should concern people. The lesson of this is: be vigilant."

Don't panic!
While business users seem concerned by these security issues, they are not reaching for the panic button yet. Sainsbury's, which has about 14,000 desktops running Windows 95 and is looking at whether to migrate to Windows 2000, said the situation was low-risk.

"I'd be nervous on the security front - that somebody has Windows source code, and could then dig around and look at the security safeguards in the system and work at bypassing those," said Graham Hill, IT technical services manager at Sainsbury's.

"Having said that, any attempt at hacking has to come in through a firewall and then through a set of Novell or NT-type servers, so if they don't have a code for that, they are going to be hard pushed to get to the desktop," he added.

But the most disturbing aspect of the break-in is that Microsoft was targeted successfully. Analysts agree there is little commercial value to be gained from stealing bug-ridden source code from partially developed software, although the 'bragging rights' within the hacker community are huge.

They believe, however, that the hack took place as follows: hackers used an object packager to turn executable files such as Trojans into an object that can sit within a bigger package such as an email. They specify an icon such as that of a Word document and embed the object in the packaged email.

Typically, hackers use the company's website to find the human resources contact to whom CVs should be sent, and email that person. The contact reads the email and the Trojan does its damage.

Key points

  • If hackers have stolen Windows source code, it will make it easier for them to exploit the operating system's security vulnerabilities.
  • Although users expressed concern over the attack, they say it represents a low risk to their systems.
