Last evening's headline news that Google was considering an exit from China in the wake of certain hacking activities may finally shake us out of cyber security complacency. Before getting into the story I have 3 points to make:
- According to Google, it appears phishing emails were used as part of the attack, and we have no good way of authenticating email today without having DNSSEC in place. Gmail just made https the default setting, which helps to close an encryption gap. But https, SSL, and VPN are not foolproof without DNSSEC (see earlier posts here and here). Tools to make email much more secure are at hand, but few take them seriously. We can do better to secure email and stop spam at minimal cost.
- According to Google, an attack vector may have been malware, or "malicious software", placed on victims' computers. How did the malware get there? Possibly by visiting a spoofed site. Without authentication you can't be sure a site is real, or that there is no "man in the middle" spying on you while you visit a legitimate site (which would enable them to steal your login credentials or other data). DNSSEC is the only internet-wide authentication method we have, and it could virtually eliminate this problem. DNSSEC is not expensive or difficult to install, yet adoption is incredibly slow and non-existent in the financial and health care sectors.
- We have no leadership on cyber security. There is a lot of posturing and policy, but real money spent on actual solutions - secure software and hardware, rather than "band-aids and bodyguards" - is quite low. I have built a company around the premise that malware-immune software is required for mission critical functions, but security features are very difficult to sell in the market - even to the US government. Performance and ease of use are what get us sales, and security is an afterthought.
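The first two points above turn on one question: did the answer your resolver handed back actually pass DNSSEC validation, or could it have been spoofed on the way in? The example below is added here and is not from the original post or from Google; it builds a DNS query that asks for DNSSEC (the EDNS DO bit) and then classifies a resolver's reply by its header flags, where the AD (Authenticated Data) bit is the resolver's statement that the RRsets validated. The response messages are constructed header-only replies for demonstration, and `example.com` is simply the reserved example domain.

```python
import struct

# Header flag bits from RFC 1035 section 4.1.1 and RFC 4035 section 3.2.3
FLAG_QR = 0x8000  # message is a response
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # Authenticated Data: a validating resolver verified the answer
RCODE_NOERROR = 0
RCODE_SERVFAIL = 2  # what a validating resolver returns when data is bogus
EDNS_DO = 0x8000    # DNSSEC OK bit, high bit of the OPT record's TTL field


def encode_name(name):
    """Encode a dotted hostname into DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234, dnssec_ok=True):
    """Build a recursive query; with dnssec_ok an OPT record carrying DO=1 is appended."""
    arcount = 1 if dnssec_ok else 0
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    msg = header + question
    if dnssec_ok:
        # OPT RR: root name, type 41, UDP payload 4096, TTL field holds DO bit, no RDATA
        msg += b"\x00" + struct.pack("!HHIH", 41, 4096, EDNS_DO, 0)
    return msg


def parse_header(msg):
    """Return the six 16-bit header fields plus the RCODE; reject truncated messages."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "flags": flags, "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def classify_response(msg, expected_id):
    """
    Classify what a resolver's reply says about DNSSEC validation.
    Returns "validated", "unvalidated", "bogus_or_error" or "mismatch".
    """
    h = parse_header(msg)
    if h["id"] != expected_id or not (h["flags"] & FLAG_QR):
        return "mismatch"        # wrong transaction id, or not a response at all
    if h["rcode"] == RCODE_SERVFAIL:
        return "bogus_or_error"  # validating resolvers answer SERVFAIL for bogus data
    if h["rcode"] == RCODE_NOERROR and h["flags"] & FLAG_AD:
        return "validated"       # resolver asserts the answer chain verified
    return "unvalidated"         # answer returned, but nothing vouches for it


def _constructed_reply(txid, extra_flags, rcode):
    """Constructed header-only reply (no question or answer sections) for demonstration."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | extra_flags | rcode
    return struct.pack("!HHHHHH", txid, flags, 0, 0, 0, 0)


# Constructed sample replies to the query with transaction id 0x1234
SAMPLE_VALIDATED = _constructed_reply(0x1234, FLAG_AD, RCODE_NOERROR)
SAMPLE_UNVALIDATED = _constructed_reply(0x1234, 0, RCODE_NOERROR)
SAMPLE_SERVFAIL = _constructed_reply(0x1234, 0, RCODE_SERVFAIL)
SAMPLE_WRONG_ID = _constructed_reply(0x9999, FLAG_AD, RCODE_NOERROR)

if __name__ == "__main__":
    print(len(build_query("example.com")), "byte query with DO bit set")
    for label, reply in [("validated", SAMPLE_VALIDATED), ("unvalidated", SAMPLE_UNVALIDATED),
                         ("servfail", SAMPLE_SERVFAIL), ("wrong id", SAMPLE_WRONG_ID)]:
        print(label, "->", classify_response(reply, 0x1234))
```

The caveat a practitioner should keep in mind is the same man-in-the-middle point the post makes: the AD bit is only the resolver's word, carried in plaintext, so it is meaningful only over a path you trust (a validating resolver on localhost or on a protected link). If the reply crosses an untrusted network, the application should do its own validation rather than trust the flag, and a SERVFAIL from a validating resolver should be treated as "do not connect", not retried against a non-validating one.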
Most US Government agencies have yet to adopt DNSSEC despite a requirement to do so by the end of 2009. Someone needs to step up in government. Industry is "milking the cow" on security by selling insecure products and then making money trying to protect us. Are product liability attorneys listening?
The Wall Street Journal Headline on the Google attack:
Google Warns of China Exit Over Hacking
Cyber Attack Targeted as Many as 34 Firms, Email of Human-Rights Activists; Investigators Probe Link to Chinese Government
I'd like to know a little more about the 34 other firms, one of which appears to be Adobe. Adobe released a huge update for Reader today covering several critical vulnerabilities.
Google's explanation is posted on their blogs: A new approach to China and Keeping your data safe.
Excerpt from the official Google blog (my bold):
Like many other well-known organizations, we face cyber attacks of varying degrees on a regular basis. In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google. However, it soon became clear that what at first appeared to be solely a security incident--albeit a significant one--was something quite different.
First, this attack was not just on Google. As part of our investigation we have discovered that at least twenty other large companies from a wide range of businesses--including the Internet, finance, technology, media and chemical sectors--have been similarly targeted. We are currently in the process of notifying those companies, and we are also working with the relevant U.S. authorities.
Second, we have evidence to suggest that a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists. Based on our investigation to date we believe their attack did not achieve that objective. Only two Gmail accounts appear to have been accessed, and that activity was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves.
Third, as part of this investigation but independent of the attack on Google, we have discovered that the accounts of dozens of U.S.-, China- and Europe-based Gmail users who are advocates of human rights in China appear to have been routinely accessed by third parties. These accounts have not been accessed through any security breach at Google, but most likely via phishing scams or malware placed on the users' computers.
We have already used information gained from this attack to make infrastructure and architectural improvements that enhance security for Google and for our users. In terms of individual users, we would advise people to deploy reputable anti-virus and anti-spyware programs on their computers, to install patches for their operating systems and to update their web browsers. Always be cautious when clicking on links appearing in instant messages and emails, or when asked to share personal information like passwords online. You can read more here about our cyber-security recommendations. People wanting to learn more about these kinds of attacks can read this report (PDF) by the U.S.-China Economic and Security Review Commission, as well as a related analysis (PDF) prepared for the Commission, Nart Villeneuve's blog and this presentation on the GhostNet spying incident.
Note that Google is telling users "get to work to protect yourself and be careful". That is great advice if you are a network administrator. Is Steve Jobs the only one who has figured out that people just want it to work? Consumer and business focused systems should pass the grandmother test of usability. That should be our goal.
From the Google Enterprise blog:
This was not an assault on cloud computing. It was an attack on the technology infrastructure of major corporations in sectors as diverse as finance, technology, media, and chemical. The route the attackers used was malicious software used to infect personal computers. Any computer connected to the Internet can fall victim to such attacks. While some intellectual property on our corporate network was compromised, we believe our customer cloud-based data remains secure.
So what's up with the chemical companies? That's a bit unsettling to me.
As this and other attacks demonstrate, even the most secure systems can be compromised if the people accessing the system can be compromised. Therefore cloud computing is no more secure than the weakest user's PC. A scary thought.
I believe more details about the Google hack and the other victims will emerge over the coming days.
Stay tuned.