Google attacks began with an employee’s click, reports say

Hackers gained access to password system for millions of users

The sophisticated cyber attacks late last year on Google and about 30 other companies began with one of the oldest tricks in the Internet crime book – getting a user to click on a link in a message, according to several reports. The attacks gained access to Google’s password system, which handles access for millions of users, the reports said.

The New York Times, citing someone with direct knowledge of the incident, said the attack last December started when a Google employee in China, using Microsoft Messenger, received an instant message and clicked on a link to a malicious Web site. Hackers then gained access to the employee’s computer and, eventually, the software repository used by Google’s development team at its Mountain View, Calif., headquarters, the story said.

The attack compromised the company’s password system, then code-named Gaia and since renamed Single Sign-On. Google disclosed the attacks in January and said it had made changes to its systems, including the addition of an extra layer of encryption for its Gmail service. The Times said that the passwords of Gmail users apparently weren’t stolen in the attack.




The Washington Post reported that this type of attack, particularly when it targets network administrators or officials with access to sensitive lists, is becoming more common.

"Once you gain access to the directory of user names and passwords, in minutes you can take over a network," George Kurtz, worldwide chief technology officer for McAfee, told the Post.

The attacks themselves are sophisticated, even if the lure of an attachment or link is familiar.

Kurtz told the Post that attacks have moved away from trying to penetrate networks from the outside. "Now, in essence, what they're doing is having good people on the inside unwittingly connect out to a malicious Web site where their machines can be infected," he said.

The nature of the attack could rekindle the debate over the security of centralized repositories such as Google’s. The password system, which Google has largely kept under wraps, lets users use a single password to access its e-mail and other systems, such as Gmail, Google Wave and Google Docs. Government agencies increasingly have been moving toward cloud computing to cut costs and increase efficiency, and some have considered single sign-on systems.

Google has blamed China for the attacks, and recent reports have linked two Chinese universities to the attacks. The company also has been feuding with China over censorship of its searches, and recently began redirecting its Chinese traffic to its Hong Kong site in order to provide uncensored search.

Reader Comments

Thu, Apr 22, 2010

Microsoft confirms IE zero-day vulnerability behind Google attack: http://www.computerworld.com/s/article/9144938/Microsoft_confirms_IE_zero_day_behind_Google_attack

Microsoft knew about IE6 flaw for months: http://www.theinquirer.net/inquirer/news/1588200/microsoft-ie6-flaw-months

Many companies that use IE6 and IE7, or support users' environments using the browser, were attacked as a result, including defense firms. Source code apparently was stolen from more than 30 Silicon Valley companies targeted in the attacks.

IE7, IE8 vulnerable to Google hack exploit: http://news.techworld.com/security/3210619/ie7-ie8-vulnerable-to-google-hack-exploit/

Thu, Apr 22, 2010

McAfee Probing Bungle That Sparked Global PC Crash http://www.wired.com/threatlevel/2010/04/mcafeebungle/ "McAfee said Thursday it was trying to determine how it bungled a security update that crashed perhaps tens of thousands of PCs across the globe." So how is sending updates and patches to distributed systems that have a vulnerability a better model?

Thu, Apr 22, 2010

Defense contractor attacks and breaches also began with a single click. Forbes: "For Pentagon Contractors, Cyberspying Escalates. As cyberspies multiply and evolve, the military says many defense firms remain woefully unsecure." See http://www.forbes.com/2010/02/17/pentagon-northrop-raytheon-technology-security-cyberspying.html

Excerpts:

"But military contractors General Dynamics and Northrop Grumman have both been successfully breached by cyberspies in the last two years, according to sources familiar with the security situations of those companies. It's also likely that many other major defense contractors have recently had data stolen by hackers."

"As early as 2003 Sandia National Laboratories and its managing company, Lockheed Martin, were penetrated by cyberspies, seemingly based in China, who pilfered plans for the Mars Reconnaissance Orbiter, a class of technology with potential military uses. In 2007 Forbes reported that cyberspies, again seemingly based in China, had breached the largest 10 military contractors, including Lockheed Martin, Northrop Grumman, Raytheon, and Boeing."

"The Pentagon's forensics-focused Cyber Crime Center, where Shirley is executive director, found that between August 2007 and August 2009, 71 government agencies, contractors, universities and think tanks with connections to the U.S. military had been penetrated by foreign hackers, in some cases multiple times. In total, Shirley told Forbes, the center performed 116 investigations following spying breaches and found that in all but 14 of those cases the intruders had gained complete administrator-level access to the victim's network."

Thu, Apr 22, 2010

OSD's SBU email system, a traditional behind-the-firewall system, was hacked from a single employee click on an attachment, and sensitive data was stolen, including user names and passwords. Defense officials are still concerned about data lost in the 2007 network attack. See http://www.governmentexecutive.com/story_page.cfm?articleid=39456&dcn=todaysnews

Defense and industry officials describe DOD networks as the Achilles' heel of the powerful U.S. military. See http://fcw.com/articles/2005/08/22/the-new-trojan-war.aspx

Hackers Stole Data on Pentagon’s Newest Fighter Jet, CNN, April 21, 2009, http://www.cnn.com/2009/US/04/21/pentagon.hacked/index.html

Chickowski, Ericka, “Naval War College Network Shuts Down After Chinese Attack,” SC Magazine, December 9, 2006, http://www.scmagazineus.com/Naval-War-College-network-shuts-down-after-Chinese-attack/article/34305/

According to the one Cyber Report released last October, all the cited breaches and hacks were of single-tenant enclave systems. Defense Cyber Crime Center analyses of 102 incidents show that distributed single-enclave systems are as vulnerable, if not more vulnerable, due to people, processes, and technology, not to mention the patch challenges on all those systems. If one looks at the NIST National Vulnerability Database, most of the serious vulnerabilities listed are for traditional client-server enclave architectures.

Thu, Apr 22, 2010

Any SSO system using a centralized store of passwords is going to be a prime target. It's a good thing we have HSPD-12 PIV credentials and Federated Identity Systems for the Federal Agencies... What's that? Agencies aren't using PKI yet? DOH!
