Posted on 04/19/2010 7:01:38 PM PDT by for-q-clinton
Ever since Google disclosed in January that Internet intruders had stolen information from its computers, the exact nature and extent of the theft has been a closely guarded company secret. But a person with direct knowledge of the investigation now says that the losses included one of Googles crown jewels, a password system that controls access by millions of users worldwide to almost all of the companys Web services, including e-mail and business applications.
(Excerpt) Read more at nytimes.com ...
It's amazing how success breads attention and hackers.
tech ping please.
the article doesn’t say it, but reading between the lines, it may be implied, based on google’s reaction wrt china, that this was a state-sponsored theft/infiltration.
I wish I could confidently say use vender X for secure web based applications, but I’m sure all companies are susceptible to such an attack.
Does anyone know if Microsoft’s web based platform has been hacked yet?
> Just a couple years ago Apple was considered by their users/fans as impenetrable and google was the darling of the IT world.
As many objective people tried to point out, the low incidence of hacks on Linux, Mac and other systems was partly due to their low numbers. Also, MS has pushed hard on security for quite a few years now. None of it stands still.
I agree. I know EDS had to set up a completely different network for GM to firewall China from the rest of the company. It is well known fact that China tells companies that certain people (communist party officials) will be put in certain positions. And their sole job is to steal patent info and trade secrets from the company.
And China’s culture teaches it’s good to steal from the rich...not by theft, but by trickery and deceit. Google being fairly new to the global market may not have known this and went into China as they did all other countries and gave the keys to the kingdom to the communist official not realizing he was there to steal their info for the state.
I’m tired of the Chicoms reading my emails!
But what about the DOJ? They are trying to get Yahoo to turn over emails withOUT a search warrant!
You may not have heard about it since GW is no longer President.
If you RTFA, you’ll see that the initial penetration was via a Microsoft software package, Messenger, then stealing Google source code via what sounds like a Windows penetration.
I quote thusly:
“The theft began with an instant message sent to a Google employee in China who was using Microsofts Messenger program, according to the person with knowledge of the internal inquiry, who spoke on the condition that he not be identified.
By clicking on a link and connecting to a poisoned Web site, the employee inadvertently permitted the intruders to gain access to his (or her) personal computer and then to the computers of a critical group of software developers at Googles headquarters in Mountain View, Calif. Ultimately, the intruders were able to gain control of a software repository used by the development team. “
Do you know what OS the user clicked on was? Was it linux, Windows, OS X, or some other OS?
I believe Google has a lot of Linux in their envirnment. And if it was an inside job they would have known about the version and patch level of Linux.
Just becasue they used messenger to send the link doesn’t mean messenger was the vulnerability.
And if it was Windows (or any OS for that matter) was it a known vulnerability with a fix already available and Google didn’t push it to all their desktops? If so, that is a real concern as Google isn’t properly maintaining their inside environment with current security patches.
ChiCom war-hackers showing Google the price for disobeying dear leader.
One of the biggest problems with “computing in the cloud.”
Well that and the fact that the government claims to have rights to view your information without a search warrant!
That is really the killer. How can a company rely on cloud computing if the DOJ is claiming they get free access to all cloud based emails and IM sessions without a search warrant?
Need to move to digital certs and pin numbers.
But if their is a backdoor that will do you no good.
Google’s source repository is probably on some variant of Unix - perhaps Linux, perhaps something else. Most all serious s/w shops use some variant of Unix for their servers and their SCM repositories.
Here’s more information on the widespread source-code filching operation out of China:
http://www.wired.com/threatlevel/2010/01/google-hack-attack
The Windows machine penetrated most likely had a SCM client installed, so there was no need to penetrate the Linux/Unix/whatever machine that holds the SCM repository. If you penetrate an authorized client machine, you just invoke the client s/w and use scammed passwords to get in. You really don’t care what the other end of the SCM pipe is - or where it is.
There are known keystroke loggers on Windows XP that MSFT has yet to fix. There are many root kits for Windows you can buy off the shelf once you find a hole - and finding a hole in the Windows platform or third party s/w (in this case, Adobe’s s/w) on Windows isn’t difficult. The phrase “shooting fish in bucket with a shotgun” comes to mind.
This was a classic phishing attack. The user was duped into clicking on a link that took them to a hostile website that took advantage of a BROWSER flaw. While the browser issue is problematic, it wouldn’t have been an issue if the user was more vigilant. It’s very hard to defend against social-engineering attacks since they involve trusted people doing secure things.
Your point about patches is a good one. The browser should have been up-to-date. I doubt Google fell prey to a zero-day attack.
DOH! I followed the time-honored tradition of posting before actually reading the article. Google did in fact fall prey to a zero-day attack on Adobe Reader.
Apache’s issue tracking site also got hit recently by a targeted XSS attack.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.