Google has reportedly stopped censoring Chinese search results for its Google.cn property, in response to what it said earlier this week were targeted attacks against its corporate infrastructure aimed at Chinese dissident groups. But a security research firm claims the attack that hit Google was part of a larger, unusually sophisticated assault aimed at stealing source code from Google and at least 30 other Silicon Valley firms, banks and defense contractors.
Also, Google switches to “always on” encryption for all Gmail users. And some pundits see ulterior motives in Google’s Chinese hacking disclosure. More after the jump.
In a report released shortly after Google’s disclosure Tuesday evening, Sterling, Va. based iDefense cited two independent, anonymous sources in the defense contracting and intelligence consulting community as saying that Google traced the attack back to a “drop server” used as a repository for stolen files, where Google discovered its own data as well as proprietary data suggesting that at least 33 additional companies had been hit.
iDefense said the attack bears “significant resemblance” to a July 2009 attack in which assailants launched targeted e-mail campaigns against approximately 100 IT-focused companies. That attack employed a PDF file that exploited a then-undocumented vulnerability in Adobe Reader, and a similar approach, leveraging booby-trapped PDFs sent as attachments, was used in the attack against Google, the report notes.
Kim Zetter at Wired.com’s Threat Level blog has a great deal more information in her thorough story on this.
Cynics see all kinds of ulterior motives in Google’s announcement that it got hacked and the subsequent arm-twisting with the Chinese government. Foreign Policy‘s Evgeny Morozov has penned a pair of incisive and trenchant opinion pieces speculating that Google’s move was little more than a calculated PR and business bid to gain market share vis-a-vis China’s dominant Baidu search engine. Krebsonsecurity.com reader and fellow security blogger Gunnar Peterson pointed my attention to a piece by Motley Fool‘s Tim Hanson that echoes those sentiments.
In apparently related news, Google has switched to “always on” encryption for all Gmail users, not just for those who have gone out of their way to select the “always use https://” option. By default, Google has always forced users to transmit their credentials over an encrypted (https://) connection when logging in, but after that Gmail users were popped back into an unencrypted connection unless they had changed the default option in the Gmail user settings to encrypt all Gmail communications.
The danger is that there are now free tools that help attackers steal the session cookie that most Webmail providers use to indicate users have already authenticated. Armed with these tools, anyone recording the traffic on the local network would be able to access your Gmail inbox by simply loading that cookie on their machine. While these tools assume the attacker is on the same network as the target, most users do not sign out of Web mail services, and any session cookies that keep users logged in to their Webmail will most likely be transmitted periodically when roving users connect to a wireless network, for example.
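The mitigation at issue here comes down to one cookie attribute: a session cookie without the `Secure` flag is handed to any plain-http request, which is exactly what the sniffing tools above pick up. The audit below is an added example (my own, not Google's code or anything from the original post); the Set-Cookie values and the cookie name `SESSION` are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Sequence


@dataclass
class Cookie:
    name: str
    value: str
    attrs: Dict[str, str] = field(default_factory=dict)  # attribute names lower-cased

    @property
    def secure(self) -> bool:
        return "secure" in self.attrs

    @property
    def httponly(self) -> bool:
        return "httponly" in self.attrs


def parse_set_cookie(header: str) -> Cookie:
    """Parse a Set-Cookie header value into name, value and its attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value, attrs)


def would_send(cookie: Cookie, scheme: str) -> bool:
    """Browser rule: a Secure cookie travels only over https; others go on any scheme."""
    return scheme == "https" or not cookie.secure


def audit_session_cookies(headers: Sequence[str], session_names=("SESSION",)) -> List[str]:
    """Names of session cookies that a browser would transmit on a plain-http request."""
    leaks = []
    for h in headers:
        c = parse_set_cookie(h)
        if c.name in session_names and would_send(c, "http"):
            leaks.append(c.name)
    return leaks


# Constructed headers: the weak form (what the sniffing tools exploit) and the hardened form.
WEAK = "SESSION=abc123; Path=/; Domain=.example.com"
HARDENED = "SESSION=abc123; Path=/; Domain=.example.com; Secure; HttpOnly"
```

Running `audit_session_cookies([WEAK, HARDENED])` flags only the first cookie; the `Secure` flag alone keeps the second off the unencrypted leg, and `HttpOnly` additionally keeps it out of reach of page scripts.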
Alas, Google has many properties that still do not enjoy this always-encrypted setting. In mid-2009, a Who’s Who of more than three dozen high-tech and security experts from industry and academia urged Google to encrypt all Google services by default, noting that tens of millions of consumers now rely on Google for a wide array of services that include sensitive data, such as Google Adsense, Adwords, Google Health. Still, this is a welcome step that hopefully will be emulated by the likes of Microsoft and Yahoo!, the other two major Webmail providers.