Microsoft’s internal database contains descriptions of vulnerabilities in its widely used products, including its Windows operating system. This treasure trove of critical information, guarded by just a password, was accessed by hackers in 2013.
According to five former employees of Microsoft, a highly sophisticated group of hackers broke into Microsoft’s network in 2013 and accessed its secret internal database for tracking bugs.
This is only the second time in Microsoft’s corporate history that hackers have managed to breach its internet security.
The issue gains significance since this secret database contained descriptions of some of its most critical and unfixed vulnerabilities in many of its widely used products, including its Windows operating system.
Knowledge of these vulnerabilities is crucial for hackers and spies, since tools can be developed to exploit them for breaking into secure networks.
Although these vulnerabilities were likely to be fixed within months of the hack, as per the former employees, U.S. officials find the situation alarming, since hackers with knowledge of the vulnerabilities may have used them to mount attacks on government and corporate networks.
“Bad guys with inside access to that information would literally have a ‘skeleton key’ for hundreds of millions of computers around the world,” said Eric Rosenbach, who was U.S. deputy assistant secretary of defense for cyber at the time.
Companies from across a vast array of industries are ramping up efforts to find and fix vulnerabilities in software programs amid a wave of cyber attacks. As a result, many firms, including Microsoft, pay security researchers and hackers “bounties” for information on vulnerabilities in their code.
After learning of the breach in its network, Microsoft’s security researchers examined hacking attacks at other organizations and found no evidence that the vulnerabilities from its database were exploited by hackers in those attacks.
In this regard, Microsoft has gone on record and said: “Our security teams actively monitor cyber threats to help us prioritize and take appropriate action to keep customers protected.”
While two current employees stand by this assessment, three former employees assert that Microsoft’s study had too little data to be conclusive.
As a result of the breach, Microsoft has tightened its security: it has firewalled its secret internal database off from its corporate network and requires two authentications for access.
The dangers posed by the loss of such critical information can be better appreciated in the context of the National Security Agency (NSA) losing its stockpile of hacking tools, which led to the onslaught of the destructive “WannaCry” worm, which attacked industries on a global scale and shut down many facilities, including hospitals in the U.K.
Microsoft’s President Brad Smith compared NSA’s loss to “the U.S. military having some of its Tomahawk missiles stolen,” and cited “the damage to civilians that comes from hoarding these vulnerabilities.”
According to Mark Weatherford, who was deputy undersecretary for cybersecurity at the U.S. Department of Homeland Security at the time of the Microsoft breach in 2013, companies should treat bug reports as the “keys to the kingdom”.
Just as companies have a strict protocol in place around their intellectual property and other such sensitive corporate information, “Your bug repository should be equally important,” said Weatherford.
In 2013, a week after news reports emerged of its breach, Microsoft published a brief statement that portrayed its own break-in as limited and made no reference to its bug repository.
“As reported by Facebook and Apple, Microsoft can confirm that we also recently experienced a similar security intrusion,” said Microsoft on February 22, 2013.
“We found a small number of computers, including some in our Mac business unit, that were infected by malicious software using techniques similar to those documented by other organizations. We have no evidence of customer data being affected, and our investigation is ongoing.”
However, inside Microsoft there was widespread alarm, with company officials realizing that access to its secret database had been compromised, said the five former security employees.
They went on to add that the database was poorly protected, with only a password securing access to its critical data.
“They absolutely discovered that bugs had been taken,” said a former Microsoft employee. “Whether or not those bugs were in use, I don’t think they did a very thorough job of discovering.”
This could be partly due to Microsoft’s reliance on automated reporting of software crashes to warn of potential attacks.
According to security experts, the problem with this approach is that the vast majority of sophisticated attacks do not cause crashes, so the automated reporting system does not kick in to report a breach, leaving the targeted machines, with their sensitive information, open to attack by spies and hackers.