Free Republic
Browse · Search
News/Activism
Topics · Post Article


Cyberattack on Google Said to Hit Password System
NY Times ^ | 19 Apr 2010 | JOHN MARKOFF

Posted on 04/19/2010 7:01:38 PM PDT by for-q-clinton

Ever since Google disclosed in January that Internet intruders had stolen information from its computers, the exact nature and extent of the theft has been a closely guarded company secret. But a person with direct knowledge of the investigation now says that the losses included one of Google’s crown jewels, a password system that controls access by millions of users worldwide to almost all of the company’s Web services, including e-mail and business applications.

(Excerpt) Read more at nytimes.com ...


TOPICS: Business/Economy; Extended News; News/Current Events
KEYWORDS: attack; cyberattack; google; hack; password; security; system
To: for-q-clinton

You could use an RSA prime generator as the means to a one time pad.

The idea behind a one-time pad is that you create a cipher key so long that you use pieces of the key XOR’ed with your plaintext, and never, ever use that piece of the key again. The Soviets pioneered use of this in the field with the Venona ciphers, famous during the Cold War for frustrating MI-5 and the NSA for years and years.

The idea behind a OTP password generator card is that the card has a password. You enter that password to activate the card. Once your PW to the card is accepted, you tell it “generate a password string for me.” It does. You enter that password to whatever server or machine you’re logging into. If the algorithm on the server and your OTP card are in agreement as to your sequence of passwords, you’re in.

As soon as you use a password generated by the OTP card (i.e., you use it to log into any server tied into the password generator service), that password is “burned” - it may never be used again. You can set an option on these OTP systems to either lock down the account upon receipt of a burned p/w, or to merely prompt for another one.

If you get out of sync (let’s say you bungle the entry of a password), you merely ask the OTP card to generate you a new password again. The server s/w generated ‘n’ passwords ahead of your current OTP card’s sequence. Once it accepts a password in that window of passwords, the password and all passwords prior to the password accepted are ‘burned’ and can never be used again.

The way this prevents attacks is this: OK, you (the hacker) log the keystrokes in a situation like this. That’s nice. You, the hacker, don’t have the OTP card or the algo, so you can’t generate a new password to log in at your own time and choosing. You can hijack a session once the user enters a password, but that means you’re going to be detected, because the user is sitting there, watching his computer be taken over.


41 posted on 04/19/2010 8:35:39 PM PDT by NVDave
[ Post Reply | Private Reply | To 28 | View Replies]

To: for-q-clinton

What the point is about XP: a lot of large companies and installations sat out Vista, and they’ve not yet upgraded to 7. Microsoft has a KNOWN VULN, with a KNOWN EXPLOIT, in the wild, and they have not yet issued a patch for it.


42 posted on 04/19/2010 8:36:39 PM PDT by NVDave
[ Post Reply | Private Reply | To 40 | View Replies]

To: for-q-clinton
> Really you didn’t hear about OSX being the first one hacked at the latest round of a hacking contest? I could have sworn we had a few threads about that and you participated in it. And let’s not forget the iPhone exploits.

Nobody with an ounce of computer security experience pays the least attention to those hacking "contests". They're just ad campaigns for the tech journals who sponsor them, and they set them up so that they make headlines to draw hits. Don't be so naive, you can't be that ignorant of how they work.

It's news when an Apple machine gets compromised first, and they know it. (Who would bother to read their pages, with a headline, "Windows falls first in hacking contest!"??? YAWN.)

So they set them up so that the long-practiced, completely-scripted, well-rehearsed exploits for the Apple products get done first. Well, duh -- they want to be able to write that headline with "APPLE" in it.

Besides, who gives a damn about such exploits unless they turn into REAL viruses??? How many of the Apple exploits have turned into real Mac viruses in the wild?

Ummm, none.

You can do better than that answer. Please try harder.

43 posted on 04/19/2010 8:37:14 PM PDT by dayglored (Listen, strange women lying in ponds distributing swords is no basis for a system of government!)
[ Post Reply | Private Reply | To 32 | View Replies]

To: for-q-clinton

You don’t find SCM clients on smartphones. It was at least a laptop.


44 posted on 04/19/2010 8:37:18 PM PDT by NVDave
[ Post Reply | Private Reply | To 39 | View Replies]

To: for-q-clinton

The hackers have found that the iPhone is the target of choice now. Easily hacked and used by millions that have no clue.


45 posted on 04/19/2010 8:37:58 PM PDT by ColdWater ("The theory of evolution really has no bearing on what I'm trying to accomplish with FR anyway. ")
[ Post Reply | Private Reply | To 1 | View Replies]

To: NVDave

And is Google in that lot of companies that use XP?


46 posted on 04/19/2010 8:37:59 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 42 | View Replies]

To: for-q-clinton
One could theorize about such exploits on Linus or any other OS for that matter.


47 posted on 04/19/2010 8:39:05 PM PDT by Richard Kimball (We're all criminals. They just haven't figured out what some of us have done yet.)
[ Post Reply | Private Reply | To 40 | View Replies]

To: dayglored

Wow so 0-day exploits don’t count now. Very interesting.

Ok, so now apple zealots are saying 0-day exploits don’t count. Well I guess we can erase half of Windows vulnerabilities.


48 posted on 04/19/2010 8:39:29 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 43 | View Replies]

To: Richard Kimball

I knew that was coming. Once I re-read my post I see I typed s instead of x. Too bad FR doesn’t allow for edits.

But if it did we wouldn’t have hugh and series (plus the stune that I was recently made aware of).


49 posted on 04/19/2010 8:40:31 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 47 | View Replies]

To: for-q-clinton

Could well be. Dunno. They’re big enough, certainly. And for most of what people who work with Google’s code base do, XP would do everything they ever need.

I’ve long maintained that Win XP, if all the patches are applied, does most everything everyone wants to do with a PC.


50 posted on 04/19/2010 8:41:03 PM PDT by NVDave
[ Post Reply | Private Reply | To 46 | View Replies]

To: ColdWater

sshhh...don’t let the apple zealots know about that. They will deny it to no end. Or just deflect as needed. It’s one of those if a tree falls in the forest and the guy standing there is deaf, dumb and blind...did the tree really fall?


51 posted on 04/19/2010 8:42:20 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 45 | View Replies]

To: NVDave

Except for DirectX 11. Yeah I’m a gamer. But even then there aren’t many games that take advantage of DX10 even...but we have to push the technology along or we’ll be stuck with DX9.


52 posted on 04/19/2010 8:43:45 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 50 | View Replies]

To: for-q-clinton

Well according to this... http://blogs.technet.com/keithcombs/archive/2007/06/02/do-google-employees-use-windows.aspx

It looks like Google encourages Mac OSX and pretty much everything not Microsoft. I wonder if this is one of those in the wild exploits the OSX guys deny exist.


Keith, A former colleague of mine has not long joined Google. On Day 1 he was asked the following questions:

1) Would you like a MAC or PC? Given he’d spent 8 years at MSFT and had no idea how to use a MAC he obviously opted for the PC. Needless to say there were a few raised eyebrows.

2) MS Office or OpenOffice? Unsurprisingly he chose Office having never used OO. Again more frowns.

3) IE or Firefox? Having never used FF he chose IE and was told tough he’d need to get used to it.

It’s available but actively discouraged.


53 posted on 04/19/2010 8:48:07 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 52 | View Replies]

To: NVDave

Location-Aware Printing. Windows 7 utilizes different default printers for each of the network locations you’ve configured on the system so you won’t mistakenly print a child’s school project to the work printer. When you’re at work, you’ll print to the work printer, and when you’re at home, you’ll print to the home printer.


54 posted on 04/19/2010 8:48:28 PM PDT by ColdWater ("The theory of evolution really has no bearing on what I'm trying to accomplish with FR anyway. ")
[ Post Reply | Private Reply | To 50 | View Replies]

To: for-q-clinton; NVDave

But then again they could have run Windows on their Mac. So who knows.


55 posted on 04/19/2010 8:53:36 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 53 | View Replies]

To: for-q-clinton
But then again they could have run Windows on their Intel powered Mac.
56 posted on 04/19/2010 8:54:40 PM PDT by ColdWater ("The theory of evolution really has no bearing on what I'm trying to accomplish with FR anyway. ")
[ Post Reply | Private Reply | To 55 | View Replies]

To: ColdWater

I’m pretty sure Mac has had emulation before Intel. It just runs better on Intel.


57 posted on 04/19/2010 8:55:56 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 56 | View Replies]

To: for-q-clinton
> Wow so 0-day exploits don’t count now. Very interesting. Ok, so now apple zealots are saying 0-day exploits don’t count. Well I guess we can erase half of Windows vulnerabilities.

Don't put words in my mouth. I didn't say they didn't count. I just said, "Besides, who gives a damn about such exploits unless they turn into REAL viruses???" -- in other words, unless the exploit is actually exploitable by a virus writer, it's just another proof-of-concept laboratory curiosity.

Answer my question. How many of your precious Apple "contest" exploits have turned into real viruses?

For that matter, how many Windows "contest" exploits have turned into real viruses?

Don't confuse headline-grabbing tech journal "contest" crap with actual security issues. Given that all operating systems can have vulnerabilities, what counts to the REAL world are real viruses in the wild.

Zero-day or 12th-day or next-year, is just jerking off in a laboratory, unless the flaw is exploited in a real virus that makes a real botnet.

I'm saying this about Windows as much as MacOS, too -- it has nothing to do with OS. It's about REALITY. Your eagerness to pick up the mantle of the crap tech journalists is unbecoming, and I'm calling you on it.

58 posted on 04/19/2010 8:57:11 PM PDT by dayglored (Listen, strange women lying in ponds distributing swords is no basis for a system of government!)
[ Post Reply | Private Reply | To 48 | View Replies]

To: for-q-clinton
> I’m pretty sure Mac has had emulation before Intel. It just runs better on Intel.

Yes on the first half, and a very silly statement in the second half.

What they had before the Intel Macs was software emulation. Now they have "virtualization" (in the form of VMware Fusion, Parallels, and others).

Now shock me and admit you don't know the difference between "emulation" and "virtualization".

59 posted on 04/19/2010 9:01:55 PM PDT by dayglored (Listen, strange women lying in ponds distributing swords is no basis for a system of government!)
[ Post Reply | Private Reply | To 57 | View Replies]

To: DeltaZulu
Google did in fact fall prey to a zero-day attack on Adobe Reader.

I use Preview and the Firefox Plugin on the Mac and Foxit on Windows. I abandoned Adobe Reader on both platforms not because of security but because of bloat.

I also use 7-Zip on Windows instead of WinZip. More functionality, less vulnerability to security holes.

60 posted on 04/19/2010 9:12:23 PM PDT by cynwoody
[ Post Reply | Private Reply | To 19 | View Replies]



Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.
