Free Republic
Browse · Search
News/Activism
Topics · Post Article

Skip to comments.

Cyberattack on Google Said to Hit Password System
NY Times ^ | 19 Apr 2010 | JOHN MARKOFF

Posted on 04/19/2010 7:01:38 PM PDT by for-q-clinton

Ever since Google disclosed in January that Internet intruders had stolen information from its computers, the exact nature and extent of the theft has been a closely guarded company secret. But a person with direct knowledge of the investigation now says that the losses included one of Google’s crown jewels, a password system that controls access by millions of users worldwide to almost all of the company’s Web services, including e-mail and business applications.

(Excerpt) Read more at nytimes.com ...


TOPICS: Business/Economy; Extended News; News/Current Events
KEYWORDS: attack; cyberattack; google; hack; password; security; system
Navigation: use the links below to view more comments.
first 1-5051-86 next last
Wow. Is nothing safe anymore? First Apple OS X is found to be riddled with security holes and now google. If this keeps up they may end up making Microsoft look secure...and that will be one incredible result. Just a couple years ago Apple was considered by their users/fans as impenetrable and google was the darling of the IT world.

It's amazing how success breads attention and hackers.

1 posted on 04/19/2010 7:01:38 PM PDT by for-q-clinton
[ Post Reply | Private Reply | View Replies]

To: ShadowAce

tech ping please.


2 posted on 04/19/2010 7:01:59 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 1 | View Replies]

To: for-q-clinton

the article doesn’t say it, but reading between the lines, it may be implied, based on google’s reaction wrt china, that this was a state-sponsored theft/infiltration.


3 posted on 04/19/2010 7:07:41 PM PDT by WoofDog123
[ Post Reply | Private Reply | To 1 | View Replies]

To: for-q-clinton

I wish I could confidently say use vender X for secure web based applications, but I’m sure all companies are susceptible to such an attack.

Does anyone know if Microsoft’s web based platform has been hacked yet?


4 posted on 04/19/2010 7:07:43 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 2 | View Replies]

To: for-q-clinton

> Just a couple years ago Apple was considered by their users/fans as impenetrable and google was the darling of the IT world.

As many objective people tried to point out, the low incidence of hacks on Linux, Mac and other systems was partly due to their low numbers. Also, MS has pushed hard on security for quite a few years now. None of it stands still.


5 posted on 04/19/2010 7:09:49 PM PDT by old-ager
[ Post Reply | Private Reply | To 1 | View Replies]

To: rdb3; Calvinist_Dark_Lord; GodGunsandGuts; CyberCowboy777; Salo; Bobsat; JosephW; ...

6 posted on 04/19/2010 7:11:42 PM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 1 | View Replies]

To: WoofDog123

I agree. I know EDS had to set up a completely different network for GM to firewall China from the rest of the company. It is well known fact that China tells companies that certain people (communist party officials) will be put in certain positions. And their sole job is to steal patent info and trade secrets from the company.

And China’s culture teaches it’s good to steal from the rich...not by theft, but by trickery and deceit. Google being fairly new to the global market may not have known this and went into China as they did all other countries and gave the keys to the kingdom to the communist official not realizing he was there to steal their info for the state.


7 posted on 04/19/2010 7:11:43 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 3 | View Replies]

To: for-q-clinton

I’m tired of the Chicoms reading my emails!


8 posted on 04/19/2010 7:14:31 PM PDT by cavador (Wash your Hands-Cover that sneeze!It helps stop the H1N1 Virus)
[ Post Reply | Private Reply | To 1 | View Replies]

To: cavador

But what about the DOJ? They are trying to get Yahoo to turn over emails withOUT a search warrant!

You may not have heard about it since GW is no longer President.


9 posted on 04/19/2010 7:16:19 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 8 | View Replies]

To: for-q-clinton

If you RTFA, you’ll see that the initial penetration was via a Microsoft software package, Messenger, then stealing Google source code via what sounds like a Windows penetration.

I quote thusly:

“The theft began with an instant message sent to a Google employee in China who was using Microsoft’s Messenger program, according to the person with knowledge of the internal inquiry, who spoke on the condition that he not be identified.

By clicking on a link and connecting to a “poisoned” Web site, the employee inadvertently permitted the intruders to gain access to his (or her) personal computer and then to the computers of a critical group of software developers at Google’s headquarters in Mountain View, Calif. Ultimately, the intruders were able to gain control of a software repository used by the development team. “


10 posted on 04/19/2010 7:20:56 PM PDT by NVDave
[ Post Reply | Private Reply | To 1 | View Replies]

To: NVDave

Do you know what OS the user clicked on was? Was it linux, Windows, OS X, or some other OS?

I believe Google has a lot of Linux in their envirnment. And if it was an inside job they would have known about the version and patch level of Linux.

Just becasue they used messenger to send the link doesn’t mean messenger was the vulnerability.

And if it was Windows (or any OS for that matter) was it a known vulnerability with a fix already available and Google didn’t push it to all their desktops? If so, that is a real concern as Google isn’t properly maintaining their inside environment with current security patches.


11 posted on 04/19/2010 7:25:15 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 10 | View Replies]

To: for-q-clinton

ChiCom war-hackers showing Google the price for disobeying dear leader.


12 posted on 04/19/2010 7:30:16 PM PDT by anymouse (God didn't write this sitcom we call life, he's just the critic.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: for-q-clinton

One of the biggest problems with “computing in the cloud.”


13 posted on 04/19/2010 7:31:54 PM PDT by dfwgator
[ Post Reply | Private Reply | To 1 | View Replies]

To: dfwgator

Well that and the fact that the government claims to have rights to view your information without a search warrant!

That is really the killer. How can a company rely on cloud computing if the DOJ is claiming they get free access to all cloud based emails and IM sessions without a search warrant?


14 posted on 04/19/2010 7:34:01 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 13 | View Replies]

To: for-q-clinton

Need to move to digital certs and pin numbers.


15 posted on 04/19/2010 7:41:35 PM PDT by RockyMtnMan
[ Post Reply | Private Reply | To 1 | View Replies]

To: RockyMtnMan

But if their is a backdoor that will do you no good.


16 posted on 04/19/2010 7:54:25 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 15 | View Replies]

To: for-q-clinton

Google’s source repository is probably on some variant of Unix - perhaps Linux, perhaps something else. Most all serious s/w shops use some variant of Unix for their servers and their SCM repositories.

Here’s more information on the widespread source-code filching operation out of China:

http://www.wired.com/threatlevel/2010/01/google-hack-attack

The Windows machine penetrated most likely had a SCM client installed, so there was no need to penetrate the Linux/Unix/whatever machine that holds the SCM repository. If you penetrate an authorized client machine, you just invoke the client s/w and use scammed passwords to get in. You really don’t care what the other end of the SCM pipe is - or where it is.

There are known keystroke loggers on Windows XP that MSFT has yet to fix. There are many root kits for Windows you can buy off the shelf once you find a hole - and finding a hole in the Windows platform or third party s/w (in this case, Adobe’s s/w) on Windows isn’t difficult. The phrase “shooting fish in bucket with a shotgun” comes to mind.


17 posted on 04/19/2010 7:56:31 PM PDT by NVDave
[ Post Reply | Private Reply | To 11 | View Replies]

To: for-q-clinton

This was a classic phishing attack. The user was duped into clicking on a link that took them to a hostile website that took advantage of a BROWSER flaw. While the browser issue is problematic, it wouldn’t have been an issue if the user was more vigilant. It’s very hard to defend against social-engineering attacks since they involve trusted people doing secure things.

Your point about patches is a good one. The browser should have been up-to-date. I doubt Google fell prey to a zero-day attack.


18 posted on 04/19/2010 7:56:40 PM PDT by DeltaZulu
[ Post Reply | Private Reply | To 11 | View Replies]

To: DeltaZulu

DOH! I followed the time-honored tradition of posting before actually reading the article. Google did in fact fall prey to a zero-day attack on Adobe Reader.


19 posted on 04/19/2010 7:58:45 PM PDT by DeltaZulu
[ Post Reply | Private Reply | To 18 | View Replies]

To: NVDave

Apache’s issue tracking site also got hit recently by a targeted XSS attack.


20 posted on 04/19/2010 8:01:43 PM PDT by dfwgator
[ Post Reply | Private Reply | To 17 | View Replies]

To: RockyMtnMan

More than anything, companies need to do what we did at cisco: use an electronic one-time pad that you carry with you at all times. Every password you ever use is “burned” as soon as you use it.

Employees have to keep the OTP card with them at all times, lest they not be able to log into anything.

Other than that inconvenience, it works pretty well.


21 posted on 04/19/2010 8:01:55 PM PDT by NVDave
[ Post Reply | Private Reply | To 15 | View Replies]

To: for-q-clinton

It would be safer than a password stored in a DB at least I’d have to present my private cert after being challenged for a pin number or password (not stored remotely only locally). It’s easier to protect the CA infrastructure and limit who has access to it.


22 posted on 04/19/2010 8:08:32 PM PDT by RockyMtnMan
[ Post Reply | Private Reply | To 16 | View Replies]

To: for-q-clinton

Wow, we need to hurry up and get all those medical records online.


23 posted on 04/19/2010 8:09:12 PM PDT by dockkiller (COME AND TAKE IT.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: NVDave
Employees have to keep the OTP card with them at all times, lest they not be able to log into anything.

Interesting policy as long as the randomness is assured.

24 posted on 04/19/2010 8:13:06 PM PDT by fso301
[ Post Reply | Private Reply | To 21 | View Replies]

To: NVDave

So you know the google machine was XP? Do you have a link to confirm that or is this just guess work?


25 posted on 04/19/2010 8:16:09 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 17 | View Replies]

To: for-q-clinton
> Wow. Is nothing safe anymore? First Apple OS X is found to be riddled with security holes and now google. If this keeps up they may end up making Microsoft look secure...and that will be one incredible result. Just a couple years ago Apple was considered by their users/fans as impenetrable and google was the darling of the IT world. It's amazing how success breads attention and hackers.

"Riddled with security holes"... well, of course no operating system is free from flaws, only a diehard Mac fanboi would claim that, and that ain't me. But I think "riddled" is perhaps a little strong. Consider:

I'm still waiting for those Mac viruses you say are gonna happen. C'mon "for-q"... surely you know some other guys who hate Apple as much as you do, who can write viruses. Tell 'em to stop sitting around with their thumbs up their arses and start programming!

The fact is that there are around 50,000,000 Macs on the net now, none of which have even rudimentary anti-virus software, all of which are operated by users running with full administrative privilege, most of whom are not technically savvy. That's enough to build hundreds or thousands of useful botnets, if a virus could be written that would work on a Mac.

And there's no competition from other virus writers -- it's a totally open fertile field! FIFTY MILLION COMPUTERS with their legs spread wide on the Internet saying, "Take me, I'm yours!! Come on big boy!!"

What a field day!! C'mon, for-q, prove that the Mac is no longer the "impenetrable" machine the Apple fanbois say it is.

Who's gonna be the first to write a successful Mac virus??? One that self-replicates and pwns the machine without the user being any the wiser... like a typical Windows virus... it can't be that hard, right? You keep saying it's easy... "riddled with holes" you said.

C'mon, where's the virus? Where's the virus????

[crickets. nothing but freakin' crickets...]

Seriously, I can't wait for the first real Mac virus that goes out and compromises, say, half a million machines. You know why? Because it'll shut up the Mac fanbois (whom I find tiresome), and it'll mean I can finally stop having to shut up the stupid Windows fanbois like you who take every opportunity to spread FUD about the security of a Unix-based operating system.

I've really gotten quite tired of it, and yet neither you nor the other fanbois, of whatever flavor, show any signs of shutting up on your own. *sigh*

[more crickets]

WHERE ARE MY MAC VIRUSES, FOR-Q? I'M TIRED OF WAITING.

Just joking. I can wait some more, no problem... :)

26 posted on 04/19/2010 8:17:02 PM PDT by dayglored (Listen, strange women lying in ponds distributing swords is no basis for a system of government!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: DeltaZulu; NVDave

I missed that too and I read the entire article. NVDAVE is saying it was windows XP but I must have missed that as well


27 posted on 04/19/2010 8:17:06 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 19 | View Replies]

To: NVDave

I’m not familiar with that...is that like the RSA number generator?

Is that more secure than smart cards with pins?

But even so how does it prevent backdoor attacks? Are you saying all data is uniquely encrypted so that only the user who wrote it can read it...even if on a server?


28 posted on 04/19/2010 8:19:02 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 21 | View Replies]

To: for-q-clinton

And my banks keep begging me to “do it all online!”

Yeah. Right. I think not!!


29 posted on 04/19/2010 8:20:08 PM PDT by brityank (The more I learn about the Constitution, the more I realise this Government is UNconstitutional !! )
[ Post Reply | Private Reply | To 1 | View Replies]

To: RockyMtnMan

I agree, but if the hackers installed backdoors to the data only user level encryption would protect it. But I doubt google is using user level encryption on their source so that only the user who created it has access to it.


30 posted on 04/19/2010 8:20:24 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 22 | View Replies]

To: brityank

It’s online whether you do it or not though.


31 posted on 04/19/2010 8:20:46 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 29 | View Replies]

To: dayglored

Really you didn’t hear about OSX being the first one hacked at the latest round of a hacking contest? I could have sworn we had a few threads about that and you participated in it. And let’s not forget the iPhone exploits.


32 posted on 04/19/2010 8:23:09 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 26 | View Replies]

To: for-q-clinton

True. But they can’t come back and lay the blame on me that my ‘lack of security’ caused the breakin to my account. That’s all on them.


33 posted on 04/19/2010 8:23:28 PM PDT by brityank (The more I learn about the Constitution, the more I realise this Government is UNconstitutional !! )
[ Post Reply | Private Reply | To 31 | View Replies]

To: fso301

We did some stats on the generated passwords - it was pretty good. The algo was based on DES.

DES, of course, is subject to differential cryptanalysis, but that’s when used in a wholesale crypto environment. You could replace DES with SHA-1 or other one-way hash functions; it isn’t really important which algo you use, just so long as you can’t guess the next number in the sequence if you know the prior one.

DES seemed to work OK because the generated crypto-text was the same length as the DES key, the salt value and the prior key in the sequence. Differential cryptanalysis needs a bunch of data in order to start narrowing down the key search space.


34 posted on 04/19/2010 8:24:44 PM PDT by NVDave
[ Post Reply | Private Reply | To 24 | View Replies]

To: brityank

good point. But I wonder how you could prove it? Assuming your account is the only one hacked?


35 posted on 04/19/2010 8:24:54 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 33 | View Replies]

To: NVDave

So sha-1 being broken doesn’t impact this?


36 posted on 04/19/2010 8:26:43 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 34 | View Replies]

To: for-q-clinton

I’ve never accessed their sites - they’d have a tough time proving I was there - no logs, no passwords, nada.


37 posted on 04/19/2010 8:27:01 PM PDT by brityank (The more I learn about the Constitution, the more I realise this Government is UNconstitutional !! )
[ Post Reply | Private Reply | To 35 | View Replies]

To: for-q-clinton

I didn’t say that this particular attack was on WinXP. I said that there are known keystroke loggers on Windows XP which Microsoft has yet to respond to. They have on other more recent variants of Windows, but not XP.

In this type of attack (cross-platform, cross-site scripting), a keystroke logger is the easy way to gain access to the server. Just log the keystrokes for the user’s server password on the Windows client platform, then use that with a trojan attack. Done deal.


38 posted on 04/19/2010 8:27:41 PM PDT by NVDave
[ Post Reply | Private Reply | To 27 | View Replies]

To: NVDave

So do we know what client OS was used in this case. I could guess some variant of windows because they used messenger, but there are messenger clients for non-windows machines.

Heck for all I know it could be a smartphone OS that was used.


39 posted on 04/19/2010 8:29:24 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 38 | View Replies]

To: NVDave

BTW: What’s the point of talking about Xp if that wasn’t the exploit vector? One could theorize about such exploits on Linus or any other OS for that matter.


40 posted on 04/19/2010 8:30:57 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 38 | View Replies]

To: for-q-clinton

You could use a RSA prime generator as the means to a one time pad.

The idea behind a one-time pad is that you create a cipher key so long that you use pieces of the key XOR’ed with your plaintext, and never, ever use that piece of the key again. The Soviets pioneered use of this in the field with the Verona ciphers, famous during the Cold War for frustrating MI-5 and the NSA for years and years.

The idea behind a OTP password generator card is that the card has a password. You enter that password to activate the card. Once your PW to the card is accepted, you tell it “generate a password string for me.” It does. You enter that password to whatever server or machine you’re logging into. If the algorithm on the server and your OTP card are in agreement as to your sequence of passwords, you’re in.

As soon as you use a password generated by the OTP card (ie, you use it to log into any server tied into the password generator service), that password is “burned” - it may never be used again. You can set an option on these OTP systems to either lock down the account upon receipt of a burned p/w, or to merely prompt for another one.

If you get out of sync (let’s say you bungle the entry of a password), you merely ask the OTP card to generate you a new password again. The server s/w generated ‘n’ passwords ahead of your current OTP card’s sequence. Once it accepts a password in that window of passwords, the password and all passwords prior to the password accepted are ‘burned’ and can never be used again.

The way this prevents attacks is this: OK, you (the hacker) log the keystrokes in a situation like this. That’s nice. You, the hacker, don’t have the OTP card or the algo, so you can’t generate a new password to log in at your own time and choosing. You can hijack a session once the user enters a password, but that means you’re going to be detected, because the user is sitting there, watching his computer be taken over.


41 posted on 04/19/2010 8:35:39 PM PDT by NVDave
[ Post Reply | Private Reply | To 28 | View Replies]

To: for-q-clinton

What the point is about XP: a lot of large companies and installations sat out Vista, and they’ve not yet upgraded to 7. Microsoft has a KNOWN VULN, with a KNOWN EXPLOIT, in the wild, and they have not yet issued a patch for it.


42 posted on 04/19/2010 8:36:39 PM PDT by NVDave
[ Post Reply | Private Reply | To 40 | View Replies]

To: for-q-clinton
> Really you didn’t hear about OSX being the first one hacked at the latest round of a hacking contest? I could have sworn we had a few threads about that and you participated in it. And let’s not forget the iPhone exploits.

Nobody with an ounce of computer security experience pays the least attention to those hacking "contests". They're just ad campaigns for the tech journals who sponsor them, and they set them up so that they make headlines to draw hits. Don't be so naive, you can't be that ignorant of how they work.

It's news when an Apple machine gets compromised first, and they know it. (Who would bother to read their pages, with a headline, "Windows falls first in hacking contest!"??? YAWN.)

So they set them up so that the long-practiced, completely-scripted, well-rehearsed exploits for the Apple products get done first. Well, duh -- they want to be able to write that headline with "APPLE" in it.

Besides, who gives a damn about such exploits unless they turn into REAL viruses??? How many of the Apple exploits have turned into real Mac viruses in the wild?

Ummm, none.

You can do better than that answer. Please try harder.

43 posted on 04/19/2010 8:37:14 PM PDT by dayglored (Listen, strange women lying in ponds distributing swords is no basis for a system of government!)
[ Post Reply | Private Reply | To 32 | View Replies]

To: for-q-clinton

You don’t find SCM clients on smartphones. It was at least a laptop.


44 posted on 04/19/2010 8:37:18 PM PDT by NVDave
[ Post Reply | Private Reply | To 39 | View Replies]

To: for-q-clinton

The hackers have found that the iPhone is the target of choice now. Easily hacked and used by millions that have no clue.


45 posted on 04/19/2010 8:37:58 PM PDT by ColdWater ("The theory of evolution really has no bearing on what I'm trying to accomplish with FR anyway. ")
[ Post Reply | Private Reply | To 1 | View Replies]

To: NVDave

And is google in that lot of companies that use XP?


46 posted on 04/19/2010 8:37:59 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 42 | View Replies]

To: for-q-clinton
One could theorize about such exploits on Linus or any other OS for that matter.


47 posted on 04/19/2010 8:39:05 PM PDT by Richard Kimball (We're all criminals. They just haven't figured out what some of us have done yet.)
[ Post Reply | Private Reply | To 40 | View Replies]

To: dayglored

Wow so 0-day exploits don’t count now. Very interesting.

Ok, so now apple zealots are saying 0-day exploits don’t count. Well I guess we can erase half of Windows vulnerabilities.


48 posted on 04/19/2010 8:39:29 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 43 | View Replies]

To: Richard Kimball

I knew that was coming. Once I re-read my post I see I typed s instead of x. Too bad FR doesn’t allow for edits.

But if it did we wouldn’t have hugh and series (plus the stune that I was recently made aware of).


49 posted on 04/19/2010 8:40:31 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 47 | View Replies]

To: for-q-clinton

Could well be. Dunno. They’re big enough, certainly. And for most of what people who work with Google’s code base do, XP would do everything they ever need.

I’ve long maintained that Win XP, if all the patches are applied, does most everything everyone wants to do with a PC.


50 posted on 04/19/2010 8:41:03 PM PDT by NVDave
[ Post Reply | Private Reply | To 46 | View Replies]


Navigation: use the links below to view more comments.
first 1-5051-86 next last

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

Free Republic
Browse · Search
News/Activism
Topics · Post Article

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson