Microsoft 'set hacker trap' theory

Hackers who broke into Microsoft's corporate network last month could have been lured into a hacker trap containing nothing more than dummy data, according to researcher Gartner.

Details of the attack are sketchy and contradictory, but it appears that hackers based in Russia may have had access to what they believed was the source code for Windows and Microsoft applications for as long as 12 days.But William Spernow, information security analyst at Gartner, said Microsoft's "low-key" response to the hack suggested it could have been a routine event and also indicate that Microsoft might have been using a "honeypot", or hacker trap, security system.

"Microsoft's uncharacteristically low-key response to the widely publicised hack into its networks suggests that this may have been a routine event rather than a major compromise of its systems," said Spernow.

"There is a strong possibility that the hacker really did not get into anything more than what a well-designed security system based on a honeypot network would allow."

A honeypot network is a section of an enterprise's network that has been designed to be attractive to intruders. This section will contain false information that appears to be, for example, application source code or future marketing plans.

"The honeypot-network approach to intrusion detection has recently emerged as one of the most important trends in enterprise information security," said Spernow.

Once an intruder enters the honeypot - which no authorised user would have reason to enter - the system automatically alerts security staff, who begin tracking the intruder's activities and may even feed him or her disinformation for the purpose of learning more about his or her identity and location, Spernow explained.

"Understanding the nature and motivation of intrusion attempts is critical to enhancing information security procedures. A hack by a teenager hoping to impress his friends can have serious consequences for an enterprise but usually poses less of problem - and almost always calls for a different degree and type of response - than corporate espionage or politically motivated 'information terrorism'," Spernow said.

"The honeypot network offers enterprises the most important element they need in identifying intruders and their motives: time. Time is especially critical when - as perhaps with the Microsoft hack - the intruders work in foreign countries, where identifying and apprehending intruders may require high-level co-operation between governments," he added.

"Whether the recent Microsoft hack targeted a successful honeypot network may never be known definitively. Clearly, an enterprise such as Microsoft would not want to publicise its successes in this area so as to draw more hackers to the supposedly valuable information waiting to be stolen."

However, companies should consider adding honeypot networks to their stock of information security tools to increase their level of knowledge of the identity, location and degree of sophistication of the hackers threatening their systems, said Spernow.