Cyberattack on Google Said to Hit Password System
Posted on 04/19/2010 7:01:38 PM PDT by for-q-clinton
Ever since Google disclosed in January that Internet intruders had stolen information from its computers, the exact nature and extent of the theft has been a closely guarded company secret. But a person with direct knowledge of the investigation now says that the losses included one of Google's crown jewels, a password system that controls access by millions of users worldwide to almost all of the company's Web services, including e-mail and business applications.
(Excerpt) Read more at nytimes.com ...
It's amazing how success breeds attention and hackers.
tech ping please.
the article doesn’t say it, but reading between the lines, it may be implied, based on google’s reaction wrt china, that this was a state-sponsored theft/infiltration.
I wish I could confidently say use vendor X for secure web based applications, but I'm sure all companies are susceptible to such an attack.
Does anyone know if Microsoft’s web based platform has been hacked yet?
> Just a couple years ago Apple was considered by their users/fans as impenetrable and google was the darling of the IT world.
As many objective people tried to point out, the low incidence of hacks on Linux, Mac and other systems was partly due to their low numbers. Also, MS has pushed hard on security for quite a few years now. None of it stands still.
I agree. I know EDS had to set up a completely different network for GM to firewall China from the rest of the company. It is a well known fact that China tells companies that certain people (communist party officials) will be put in certain positions. And their sole job is to steal patent info and trade secrets from the company.
And China’s culture teaches it’s good to steal from the rich...not by theft, but by trickery and deceit. Google being fairly new to the global market may not have known this and went into China as they did all other countries and gave the keys to the kingdom to the communist official not realizing he was there to steal their info for the state.
I’m tired of the Chicoms reading my emails!
But what about the DOJ? They are trying to get Yahoo to turn over emails withOUT a search warrant!
You may not have heard about it since GW is no longer President.
If you RTFA, you’ll see that the initial penetration was via a Microsoft software package, Messenger, then stealing Google source code via what sounds like a Windows penetration.
I quote thusly:
"The theft began with an instant message sent to a Google employee in China who was using Microsoft's Messenger program, according to the person with knowledge of the internal inquiry, who spoke on the condition that he not be identified.
By clicking on a link and connecting to a poisoned Web site, the employee inadvertently permitted the intruders to gain access to his (or her) personal computer and then to the computers of a critical group of software developers at Google's headquarters in Mountain View, Calif. Ultimately, the intruders were able to gain control of a software repository used by the development team."
Do you know what OS the user clicked on was? Was it linux, Windows, OS X, or some other OS?
I believe Google has a lot of Linux in their environment. And if it was an inside job they would have known about the version and patch level of Linux.
Just because they used Messenger to send the link doesn't mean Messenger was the vulnerability.
And if it was Windows (or any OS for that matter) was it a known vulnerability with a fix already available and Google didn’t push it to all their desktops? If so, that is a real concern as Google isn’t properly maintaining their inside environment with current security patches.
ChiCom war-hackers showing Google the price for disobeying dear leader.
One of the biggest problems with “computing in the cloud.”
Well that and the fact that the government claims to have rights to view your information without a search warrant!
That is really the killer. How can a company rely on cloud computing if the DOJ is claiming they get free access to all cloud based emails and IM sessions without a search warrant?
Need to move to digital certs and pin numbers.
But if there is a backdoor that will do you no good.
Google’s source repository is probably on some variant of Unix - perhaps Linux, perhaps something else. Most all serious s/w shops use some variant of Unix for their servers and their SCM repositories.
Here’s more information on the widespread source-code filching operation out of China:
The Windows machine penetrated most likely had a SCM client installed, so there was no need to penetrate the Linux/Unix/whatever machine that holds the SCM repository. If you penetrate an authorized client machine, you just invoke the client s/w and use scammed passwords to get in. You really don’t care what the other end of the SCM pipe is - or where it is.
There are known keystroke loggers on Windows XP that MSFT has yet to fix. There are many root kits for Windows you can buy off the shelf once you find a hole - and finding a hole in the Windows platform or third party s/w (in this case, Adobe’s s/w) on Windows isn’t difficult. The phrase “shooting fish in bucket with a shotgun” comes to mind.
This was a classic phishing attack. The user was duped into clicking on a link that took them to a hostile website that took advantage of a BROWSER flaw. While the browser issue is problematic, it wouldn’t have been an issue if the user was more vigilant. It’s very hard to defend against social-engineering attacks since they involve trusted people doing secure things.
Your point about patches is a good one. The browser should have been up-to-date. I doubt Google fell prey to a zero-day attack.
DOH! I followed the time-honored tradition of posting before actually reading the article. Google did in fact fall prey to a zero-day attack on Adobe Reader.
Apache’s issue tracking site also got hit recently by a targeted XSS attack.
More than anything, companies need to do what we did at cisco: use an electronic one-time pad that you carry with you at all times. Every password you ever use is “burned” as soon as you use it.
Employees have to keep the OTP card with them at all times, lest they not be able to log into anything.
Other than that inconvenience, it works pretty well.
It would be safer than a password stored in a DB; at least I'd have to present my private cert after being challenged for a pin number or password (not stored remotely, only locally). It's easier to protect the CA infrastructure and limit who has access to it.
Wow, we need to hurry up and get all those medical records online.
Interesting policy as long as the randomness is assured.
So you know the google machine was XP? Do you have a link to confirm that or is this just guess work?
"Riddled with security holes"... well, of course no operating system is free from flaws, only a diehard Mac fanboi would claim that, and that ain't me. But I think "riddled" is perhaps a little strong. Consider:
I'm still waiting for those Mac viruses you say are gonna happen. C'mon "for-q"... surely you know some other guys who hate Apple as much as you do, who can write viruses. Tell 'em to stop sitting around with their thumbs up their arses and start programming!
The fact is that there are around 50,000,000 Macs on the net now, none of which have even rudimentary anti-virus software, all of which are operated by users running with full administrative privilege, most of whom are not technically savvy. That's enough to build hundreds or thousands of useful botnets, if a virus could be written that would work on a Mac.
And there's no competition from other virus writers -- it's a totally open fertile field! FIFTY MILLION COMPUTERS with their legs spread wide on the Internet saying, "Take me, I'm yours!! Come on big boy!!"
What a field day!! C'mon, for-q, prove that the Mac is no longer the "impenetrable" machine the Apple fanbois say it is.
Who's gonna be the first to write a successful Mac virus??? One that self-replicates and pwns the machine without the user being any the wiser... like a typical Windows virus... it can't be that hard, right? You keep saying it's easy... "riddled with holes" you said.
C'mon, where's the virus? Where's the virus????
[crickets. nothing but freakin' crickets...]
Seriously, I can't wait for the first real Mac virus that goes out and compromises, say, half a million machines. You know why? Because it'll shut up the Mac fanbois (whom I find tiresome), and it'll mean I can finally stop having to shut up the stupid Windows fanbois like you who take every opportunity to spread FUD about the security of a Unix-based operating system.
I've really gotten quite tired of it, and yet neither you nor the other fanbois, of whatever flavor, show any signs of shutting up on your own. *sigh*
WHERE ARE MY MAC VIRUSES, FOR-Q? I'M TIRED OF WAITING.
Just joking. I can wait some more, no problem... :)
I missed that too and I read the entire article. NVDAVE is saying it was Windows XP but I must have missed that as well.
I’m not familiar with that...is that like the RSA number generator?
Is that more secure than smart cards with pins?
But even so how does it prevent backdoor attacks? Are you saying all data is uniquely encrypted so that only the user who wrote it can read it...even if on a server?
And my banks keep begging me to “do it all online!”
Yeah. Right. I think not!!
I agree, but if the hackers installed backdoors to the data only user level encryption would protect it. But I doubt google is using user level encryption on their source so that only the user who created it has access to it.
It’s online whether you do it or not though.
Really you didn’t hear about OSX being the first one hacked at the latest round of a hacking contest? I could have sworn we had a few threads about that and you participated in it. And let’s not forget the iPhone exploits.
True. But they can’t come back and lay the blame on me that my ‘lack of security’ caused the breakin to my account. That’s all on them.
We did some stats on the generated passwords - it was pretty good. The algo was based on DES.
DES, of course, is subject to differential cryptanalysis, but that’s when used in a wholesale crypto environment. You could replace DES with SHA-1 or other one-way hash functions; it isn’t really important which algo you use, just so long as you can’t guess the next number in the sequence if you know the prior one.
DES seemed to work OK because the generated crypto-text was the same length as the DES key, the salt value and the prior key in the sequence. Differential cryptanalysis needs a bunch of data in order to start narrowing down the key search space.
Good point. But I wonder how you could prove it? Assuming your account is the only one hacked?
So sha-1 being broken doesn’t impact this?
I’ve never accessed their sites - they’d have a tough time proving I was there - no logs, no passwords, nada.
I didn’t say that this particular attack was on WinXP. I said that there are known keystroke loggers on Windows XP which Microsoft has yet to respond to. They have on other more recent variants of Windows, but not XP.
In this type of attack (cross-platform, cross-site scripting), a keystroke logger is the easy way to gain access to the server. Just log the keystrokes for the user’s server password on the Windows client platform, then use that with a trojan attack. Done deal.
So do we know what client OS was used in this case? I could guess some variant of Windows because they used Messenger, but there are Messenger clients for non-Windows machines.
Heck for all I know it could be a smartphone OS that was used.
BTW: What’s the point of talking about Xp if that wasn’t the exploit vector? One could theorize about such exploits on Linus or any other OS for that matter.
You could use a RSA prime generator as the means to a one time pad.
The idea behind a one-time pad is that you create a cipher key so long that you use pieces of the key XOR'ed with your plaintext, and never, ever use that piece of the key again. The Soviets pioneered use of this in the field with the Venona ciphers, famous during the Cold War for frustrating MI-5 and the NSA for years and years.
The idea behind a OTP password generator card is that the card has a password. You enter that password to activate the card. Once your PW to the card is accepted, you tell it “generate a password string for me.” It does. You enter that password to whatever server or machine you’re logging into. If the algorithm on the server and your OTP card are in agreement as to your sequence of passwords, you’re in.
As soon as you use a password generated by the OTP card (i.e., you use it to log into any server tied into the password generator service), that password is "burned" - it may never be used again. You can set an option on these OTP systems to either lock down the account upon receipt of a burned p/w, or to merely prompt for another one.
If you get out of sync (let's say you bungle the entry of a password), you merely ask the OTP card to generate you a new password again. The server s/w generates 'n' passwords ahead of your current OTP card's sequence. Once it accepts a password in that window of passwords, the password and all passwords prior to the password accepted are 'burned' and can never be used again.
The way this prevents attacks is this: OK, you (the hacker) log the keystrokes in a situation like this. That’s nice. You, the hacker, don’t have the OTP card or the algo, so you can’t generate a new password to log in at your own time and choosing. You can hijack a session once the user enters a password, but that means you’re going to be detected, because the user is sitting there, watching his computer be taken over.
What the point is about XP: a lot of large companies and installations sat out Vista, and they’ve not yet upgraded to 7. Microsoft has a KNOWN VULN, with a KNOWN EXPLOIT, in the wild, and they have not yet issued a patch for it.
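The sequence-based OTP card scheme described in the posts above (a card that emits the next password in a sequence, a server that accepts any password within a look-ahead window of n, and "burning" of the accepted password and everything before it) can be made concrete in a few dozen lines. The example below is added for illustration and is not code from the thread's author or from any vendor's product; it uses HMAC-SHA256 over a counter in place of the DES-based generator mentioned earlier, which satisfies the stated requirement that knowing one password must not let you derive the next (the shared key is needed). The names `OTPCard`, `OTPServer`, the window size and the sample key and PIN are all constructed for this example.

```python
import hmac
import hashlib

WINDOW = 5  # assumed look-ahead: server accepts counters [next, next+WINDOW)


def otp_for(key: bytes, counter: int) -> str:
    """Password for one position in the sequence.

    HMAC-SHA256(key, counter) truncated to 8 hex digits. Without the key,
    a logged password reveals nothing about the next one in the sequence.
    """
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return mac[:4].hex()


class OTPCard:
    """The hand-held card: PIN-protected, emits the next password on demand."""

    def __init__(self, key: bytes, pin: str):
        self._key = key
        self._pin = pin
        self.counter = 0          # position of the next password to emit
        self._unlocked = False

    def unlock(self, pin: str) -> bool:
        self._unlocked = hmac.compare_digest(pin, self._pin)
        return self._unlocked

    def generate(self) -> str:
        if not self._unlocked:
            raise PermissionError("card is PIN-locked")
        pw = otp_for(self._key, self.counter)
        self.counter += 1          # the card never re-emits a password
        return pw


class OTPServer:
    """Verifier holding the same key; tracks which passwords are burned."""

    def __init__(self, key: bytes, window: int = WINDOW, lock_on_burned: bool = False):
        self._key = key
        self.window = window
        self.lock_on_burned = lock_on_burned
        self.next_counter = 0     # everything below this is burned
        self.locked = False

    def verify(self, password: str) -> str:
        """Return 'accepted', 'burned' (replay), 'rejected' or 'locked'."""
        if self.locked:
            return "locked"
        # Look-ahead window: tolerates a user who bungled an entry and
        # asked the card for one or more fresh passwords.
        for c in range(self.next_counter, self.next_counter + self.window):
            if hmac.compare_digest(password, otp_for(self._key, c)):
                self.next_counter = c + 1   # burn this one and all prior
                return "accepted"
        # Replay of a burned password: e.g. keystrokes captured by a logger.
        # Bounded scan of the burned range is fine for a demonstration.
        for c in range(0, self.next_counter):
            if hmac.compare_digest(password, otp_for(self._key, c)):
                if self.lock_on_burned:
                    self.locked = True
                return "burned"
        return "rejected"


def run_demo() -> list:
    """Walk through the flows from the thread; returns the verifier's verdicts."""
    key = b"constructed-shared-secret-for-demo"   # constructed sample key
    card, server = OTPCard(key, "1234"), OTPServer(key)
    results = []
    card.unlock("1234")
    p0 = card.generate()
    results.append(server.verify(p0))          # accepted
    results.append(server.verify(p0))          # burned: replayed from a keylog
    card.generate()                            # user fumbles, skips one
    p2 = card.generate()
    results.append(server.verify(p2))          # accepted via look-ahead window
    results.append(server.verify(otp_for(key, 1)))   # skipped one is burned too
    results.append(server.verify(otp_for(key, 3 + WINDOW)))  # beyond window
    return results


if __name__ == "__main__":
    print(run_demo())
```

The replay check is what defeats the keystroke-logger scenario the post describes: a captured password is either still within the window (and burned the moment the legitimate user's session consumed it) or already burned, so the attacker cannot log in at a time of their choosing. Setting `lock_on_burned=True` implements the "lock down the account on receipt of a burned password" option; the default merely reports it.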
Nobody with an ounce of computer security experience pays the least attention to those hacking "contests". They're just ad campaigns for the tech journals who sponsor them, and they set them up so that they make headlines to draw hits. Don't be so naive, you can't be that ignorant of how they work.
It's news when an Apple machine gets compromised first, and they know it. (Who would bother to read their pages, with a headline, "Windows falls first in hacking contest!"??? YAWN.)
So they set them up so that the long-practiced, completely-scripted, well-rehearsed exploits for the Apple products get done first. Well, duh -- they want to be able to write that headline with "APPLE" in it.
Besides, who gives a damn about such exploits unless they turn into REAL viruses??? How many of the Apple exploits have turned into real Mac viruses in the wild?
You can do better than that answer. Please try harder.
You don’t find SCM clients on smartphones. It was at least a laptop.
The hackers have found that the iPhone is the target of choice now. Easily hacked and used by millions that have no clue.
And is google in that lot of companies that use XP?
Wow so 0-day exploits don’t count now. Very interesting.
Ok, so now apple zealots are saying 0-day exploits don’t count. Well I guess we can erase half of Windows vulnerabilities.
I knew that was coming. Once I re-read my post I see I typed s instead of x. Too bad FR doesn’t allow for edits.
But if it did we wouldn’t have hugh and series (plus the stune that I was recently made aware of).
Could well be. Dunno. They’re big enough, certainly. And for most of what people who work with Google’s code base do, XP would do everything they ever need.
I’ve long maintained that Win XP, if all the patches are applied, does most everything everyone wants to do with a PC.