New technologies create fresh inroads for hackers

Even as companies shore up security in some areas, new technologies--such as Web-based email and broadband DSL and cable Internet connections--create new vulnerabilities.

Worse, the increased dependence on notebook-carting employees taking work home or on the road creates gaping holes through which even the most unsophisticated of hackers can bypass corporate security measures.

"Corporations are pretty lax about security, whether it's Microsoft being hacked, corporate Web sites getting defaced, or CEOs' laptops being stolen. They are not taking security seriously," said Robert Graham, chief technology officer with security software maker Network Ice.

The attack on Microsoft, a company regarded as highly security-aware, will force many companies to question their own security practices, said Sandra England, president of PGP security for Network Associates.

"I think that it will basically send shockwaves throughout other companies," she said. "Many will be saying, 'If it can happen to Microsoft, it can happen to us.'"

Companies that do take security seriously still face problems. After years of building moats and thick walls around their networks with firewall and antivirus software, many have created huge holes in their defenses through careless practices.

Policies governing mobile workers, Web-based email and high-speed broadband connections, such as DSL and cable, are the biggest problems, Graham said.

Those careless practices may have compromised Microsoft, security experts say. Sources close to the company acknowledge that an employee unknowingly received and launched a common hacking program known as a Trojan horse.

Once installed, a Trojan horse typically contacts the hacker who sent it, usually over the Internet or through email, and attempts to spread to other computers.

Web-based email threat
How the employee got the program past Microsoft's extensive security measures is uncertain, but sources close to the company point to email as the culprit. For Microsoft and many other companies, email offers hackers a hidden backdoor that bypasses normal security features.

"One huge, gaping hole--and oddly enough, Microsoft runs one of the hugest gaping holes--is Web-based email services like Hotmail," said Gartner security analyst John Pescatore.

While email coming through server-based messaging systems, such as Microsoft Exchange or Lotus Notes, is checked for viruses or malicious programs, Web-based email is typically an open door.

Detecting unwelcome programs would then depend on the computer's own scanning software. While many PCs on networks use antivirus software, most do not have personal firewall programs to scan for intrusions, security experts say.

Even if companies install antivirus software on individual machines, employees sometimes disable or remove the software to improve performance. Some analysts suspect such activity may have allowed the Trojan horse to spread undetected on Microsoft computers.

"What typically happens in development environments is that you have guys who know their PCs very well, and they get rid of their antivirus software," said Mikko Hypponen, manager of antivirus research for security software and services firm F-Secure. "I know this because our own house is full of developers, and that's what they want to do as well."

Using Web-based email with local security features disabled would create a serious security breach, England said.

Moving targets
More serious a problem are employees with notebooks, "and I would not be surprised if this is the source for how (the Trojan horse) came into Microsoft," Pescatore said.

Any time an employee takes work home or on the road and hooks up to either a hotel network or a DSL or cable connection, the company is put at risk. Should a hacking program infect the portable, the employee could spread the Trojan horse when he reconnects to the corporate network. Because the program is introduced behind the firewall, the infection could spread undetected.

"DSL and cable modems are ripe to be exploited," England said. "That's why personal firewalls are so important."

Network Ice's BlackIce or ZoneAlarm from Zone Labs are examples of personal firewalls commonly used to minimize hacker vulnerability.

Even with the best protection installed--computers behind corporate networks with personal firewalls and antivirus software--employees still can easily compromise security through seemingly innocent behavior.

For example, sharing games and other programs via email could unleash unwanted trouble, Graham said.

"I want to receive the little programs my friends email me," he said. "But such activity is extraordinarily dangerous...Maybe this time you won't get infected, but if you keep it up, you'll pay the consequences."

CNET News.com's Paul Festa contributed to this report.