The theory that crackers reached Microsoft's product development servers via a home-based employee's computer demonstrates why it's critical for companies to ensure that their remote employees aren't steppingstones into the corporate network.
Attackers using a server in Russia penetrated Microsoft's corporate network in a high-profile security breach that was made public 10 days ago.
Microsoft initially said some of its source code may have been stolen in the incident. Officials later said it appeared that the crackers may have only viewed portions of the code for products that are still under development.
Microsoft claimed that it knew about the cracker for at least 12 days -- during which the company apparently tracked the person's every move within the network.
So far, Microsoft hasn't yet offered any public explanation as to how the crackers may have gained entry into what should have been a bulletproof network.
QAZ for Concern
But several analysts said they believe that the attackers used a Trojan-horse program known as QAZ to break in.
Trojan horses such as QAZ usually enter a victim's system as e-mail attachments or are hidden in pornographic files and downloadable games.
Once inside a system, the programs broadcast their location to the cracker, who then takes administrative control of the system without the user's knowledge to do the same things the authorized user of the computer would be permitted to do.
The odds of such programs being downloaded on a home computer are much greater than on an office-based one because home security is frequently less stringent and harder to monitor, said Russ Cooper, an analyst at Reston, Va.-based security firm TruSecure Corp.
An employee opening an e-mail from an insecure service or using a work computer to log in to a personal Internet account could, for instance, unwittingly download a malicious program that could then infiltrate a corporate network. Similarly, unauthorized users -- such as an employee's child -- could use an office system to download games that contain viruses, Cooper said.
"It's been a problem for quite some time, and with more people working from home, the threat is increasing," Cooper said.
In Microsoft's case, the hack could have also originated with an office-based employee downloading and opening a file containing malicious code, said Jeffery V. Johnson, CEO of MetaSeS, an Internet security consulting firm in Atlanta and an affiliate of Meta Group Inc. in Stamford, Conn.
But increasingly, "people are breaking into home-based systems and using them as pivot points" into corporate networks, according to Johnson.
It's precisely this concern that prompted insurance and finance company Lutheran Brotherhood in Minneapolis to install firewalls on notebooks belonging to its 1,800-strong field force earlier this year, said information security manager Jay Dybdahl.
Such firewalls "become very critical when a home user is always connected to the Internet via [Digital Subscriber Lines] or some other [persistent] connection," Dybdahl said.
"The fact is, if we're going to allow access to corporate networks from staff at home, there are going to have to be new procedures followed that protect those processors," said Cathy Hotka, vice president of information technology at the National Retail Federation, a retail trade association in Washington.
Controlling home users is a matter of faith, said Rick Waugh, a product manager at Telus Corp., a telecommunications company in Burnaby, British Columbia. "You put rules in place and hope they follow them," he said.