Google hacked by China

If you haven’t yet seen the news that Google was hacked by someone looking (in part) for information on Chinese human rights activists, then you might check out this summary on the SANS NewsBites. SANS reliably provides sober assessments of incidents like this. (Don’t mind the weary “I told you so” tone of the articles; it is difficult to keep beating the security drum when few decision makers are listening.)

It is romantic to think that Google might try to live up to its unofficial motto of “don’t be evil” by pulling out of China. However, pulling out would do nothing to tighten up Google’s corporate information security. It would also just give Chinese consumers one less search engine to choose from. The wrong people would be punished. It might make a fine display on the world technology stage to “take a stand” against the Chinese government, but it will almost certainly hurt Google’s profits. [UPDATE 1/19/2010 – Google now denies they will leave China, but wants to negotiate a non-censored search (?)]

The biggest payoff might have already been achieved. Simply announcing the incident and the possible intention to leave China has had a huge impact online. In the first place, very few corporations are even aware when they have been compromised, let alone announce it willingly to the world. This sets an excellent standard of transparency. If other corporations followed this example, it would raise the visibility of information security and hopefully lead to more attention (and budget) being devoted to protecting corporate information systems. If other companies do not follow this example, it makes Google appear more honest, not less secure. (This last point was driven home by the revelation that as many as 30 other companies had also been hacked.) In the second place, Google is hurting the reputation of the Chinese government by the announcement alone. This may or may not be fair, given that it is difficult to prove exactly who hacked Google, but it focuses attention on the issue of Chinese “cyberspying”.

The actual attack vector was probably a previously unknown IE vulnerability (a zero-day attack). It makes sense to start switching to a different browser, preferably one that has a Flash blocker plug-in available. IE might be so vulnerable because it still has ~60% of the market: it is a high-value target for hackers. Having more browsers to divide up the attention of the hacker population might give browser developers a relative advantage. The fact is that all software contains bugs, and the more people you have beating on your software, the more bugs are revealed and the more robust your software becomes as you patch those bugs.

This incident highlights the general trend that client machines are becoming the most common attack vector. Here is a quick summary of my current thinking in this regard:

  1. Switch your primary browser to anything but IE.
  2. Definitely use a Flash blocker. Flash is too dangerous to use indiscriminately. You can always choose to play Flash video on sites you trust. For Firefox I use the aptly named “Flashblock” add-on: https://addons.mozilla.org/en-US/firefox/addon/433
  3. Try to keep Adobe Acrobat patched, and don’t open Acrobat files unless necessary.
  4. Keep client apps patched (i.e. MS Office, QuickTime, etc.).
  5. Explore using a browser proxy service.

What do you think? All comments are welcome.

[UPDATE 2/14/2010]
I just saw this other blog which suggests that one of these attacks exploited “a system used to help Google comply with search warrants by providing data on Google users.” Also, Sprint apparently served 8 million GPS requests within a year and “someone who downloaded a phony warrant form and submitted it to a random telecom would have a good chance of getting a response.” Nice. Automating government access to user data seems problematic to me. Ideally, each search warrant request should be validated, but I don’t see how that can realistically be done. So we end up with systems designed to help US law enforcement catch criminals and terrorists that can be hacked to spy on practically anyone. We trade one form of security for another and privacy goes in the garbage. What a conundrum!

8 thoughts on “Google hacked by China”

  1. I would add the need to have good network security monitoring tools that monitor outgoing traffic, particularly ones that focus on the command and control signals. The Trojan Hydraq (it’s been around for years), used in this attack, relies on these signals to steal data.

    Additionally, network-based intellectual property protections and monitoring are critical for companies if they hope to keep their IP assets safe.

    Eoghan
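
One concrete form the outbound-traffic monitoring above can take is a beaconing check: a host that contacts the same external destination at near-constant intervals is a lead worth pulling, because that is how many command-and-control channels look from the proxy. This is an added example, not code from the post or its commenters; the log format, the host ws-17 and the .test hostnames are constructed here, and the regularly polled “updates” host is deliberately chosen to show that legitimate updaters trip the same check.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
# Constructed sample proxy log: "<timestamp> <src_host> <dst_host> <bytes_out>".
# ws-17 contacts one destination every 300 s exactly; its other traffic is irregular.
SAMPLE_LOG = """\
2010-01-12T09:00:00 ws-17 updates.example-vendor.test 512
2010-01-12T09:00:00 ws-17 news.example.test 8120
2010-01-12T09:05:00 ws-17 updates.example-vendor.test 514
2010-01-12T09:10:00 ws-17 updates.example-vendor.test 511
2010-01-12T09:15:00 ws-17 updates.example-vendor.test 513
2010-01-12T09:20:00 ws-17 updates.example-vendor.test 512
2010-01-12T09:21:10 ws-17 news.example.test 9920
2010-01-12T09:25:00 ws-17 updates.example-vendor.test 515
2010-01-12T09:31:44 ws-17 news.example.test 7711
2010-01-12T09:48:02 ws-17 news.example.test 8305
"""

def parse(log_text):
    """Group connection timestamps by (source host, destination)."""
    series = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, dst, _bytes = line.split()
        series[(src, dst)].append(datetime.fromisoformat(ts))
    return series

def beacon_score(timestamps):
    """Return (mean gap in seconds, coefficient of variation), or None if too few gaps."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 3:
        return None
    avg = mean(gaps)
    return avg, (pstdev(gaps) / avg if avg else 0.0)

def find_beacons(log_text, min_hits=5, max_cv=0.1):
    """Flag (src, dst, period) tuples with many hits at near-constant spacing."""
    flagged = []
    for (src, dst), stamps in parse(log_text).items():
        if len(stamps) < min_hits:
            continue
        score = beacon_score(stamps)
        if score and score[1] <= max_cv:
            flagged.append((src, dst, round(score[0])))
    return flagged

if __name__ == "__main__":
    for src, dst, period in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: contacted every ~{period}s")
```

The output is a lead, not a verdict: known updaters and monitoring agents beacon too, so the flagged pairs need an allow-list or an analyst looking at what was sent.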

  2. Scott, you build in a logic bomb in your penultimate paragraph — if IE is 60% of the market, and has been hammered for years, ought it not to be the most robust browser around? Frankly the only suggestion I’d wager you’ll ever see implemented is the proxy, and with that the activation energy is so high most will never bother. Of Eoghan, I would say, good advice, but you’ll need skilled staff to parse your logs for any useful information, so the cautionary tklindt wins — no one should get too comfortable.

    • globalizenetworks

      You are right, I contradict myself at the end there. That’s why it’s a good idea to throw these ideas out there for peer review.

      IE should be the most robust by that final argument, but I wonder if that robustness is offset by the fact that it’s the number one target of hackers right now. Another point I didn’t mention is that people seem to hate Microsoft particularly. This may or may not change when their market share decreases. Regardless, I am sticking with Firefox myself for now.

      • There are a few unstated assumptions:
        * that security issues, once found, are also quickly fixed. Mozilla may push patches more often than Microsoft.
        * that users of both browsers are equally likely to report security breaches. Firefox users are probably more capable of telling if they were attacked.
        * that the upgrade rate would be equal. In fact, Firefox almost forced everyone to upgrade from version 2 to version 3, while IE 6 doesn’t bug the user to upgrade to IE7, nor does IE7 promote IE8.

        • globalizenetworks

          Those are good points. One reason that Microsoft products are so bloated is the commitment to supporting legacy software. However, that is also part of their corporate value proposition. Anyone who has managed a Linux system can appreciate this when trying to install new packages with an old distribution. DLL hell is replaced by RPM hell.

  3. Another option to stay safe is to move off of Windows entirely. Macs are much less vulnerable, and Linux is even more so, probably by orders of magnitude. The reason is just the same as the one you mention with IE. Because the most widespread technologies attract the most malicious attacks, it’s simply a better ROI for the covert elements carrying them out. Also, closed source systems are always more vulnerable than open source systems, because the former rely solely on the eyeballs of the company to secure them, and it’s probably not their most pressing business concern to create more secure or less buggy software.

    In my experience with open and closed source systems, I find without fail that (popular) open source software is substantially cleaner, more modular, more maintainable and secure than anything closed source I’ve seen after years of use.

    • globalizenetworks

      I agree, but Linux is still basically a non-starter as a corporate desktop right now. Even Macs have integration issues with predominantly Windows-based corporate network infrastructures. (i.e. Microsoft replaced Outlook for Mac, which was MAPI, with the inferior Entourage, which uses IMAP.)