January 14, 2010

Google has reportedly stopped censoring Chinese search results for its Google.cn property, in response to what it said earlier this week were targeted attacks against its corporate infrastructure aimed at Chinese dissident groups. But a security research firm claims the attack that hit Google was part of a larger, unusually sophisticated assault aimed at stealing source code from Google and at least 30 other Silicon Valley firms, banks and defense contractors.

Also, Google switches to “always on” encryption for all Gmail users. And some pundits see ulterior motives in Google’s Chinese hacking disclosure. More after the jump.

In a report released shortly after Google’s disclosure Tuesday evening, Sterling, Va.-based iDefense cited two independent, anonymous sources in the defense contracting and intelligence consulting community as saying that Google traced the attack back to a “drop server” used as a repository for stolen files, where Google discovered its own data as well as proprietary data suggesting that at least 33 additional companies had been hit.

iDefense said the attack bears “significant resemblance” to a July 2009 attack in which assailants launched targeted e-mail campaigns against approximately 100 IT-focused companies. That attack employed a PDF file that exploited a then-undocumented vulnerability in Adobe Reader, and the report notes that a similar tactic, booby-trapped PDFs sent as e-mail attachments, was used in the attack against Google.

Kim Zetter at Wired.com’s Threat Level blog has a great deal more information in her thorough story on this.

Cynics see all kinds of ulterior motives in Google’s announcement that it got hacked and the subsequent arm-twisting with the Chinese government. Foreign Policy‘s Evgeny Morozov has penned a pair of incisive and trenchant opinion pieces speculating that Google’s move was little more than a calculated PR and business bid to gain market share vis-a-vis China’s dominant Baidu search engine. Krebsonsecurity.com reader and fellow security blogger Gunnar Peterson pointed my attention to a piece by Motley Fool‘s Tim Hanson that echoes those sentiments.

In apparently related news, Google has switched to “always on” encryption for all Gmail users, not just for those who have gone out of their way to select the “always use https://” option. By default, Google has always forced users to transmit their credentials over an encrypted (https://) connection when logging in, but after that step Gmail users were dropped back into an unencrypted (http://) connection for the rest of the session unless they had changed the default option in the Gmail user settings to encrypt all Gmail communications.

The danger is that there are now free tools that help attackers steal the session cookie that most Webmail providers use to indicate that a user has already authenticated. That cookie is sent by the browser with every request to the site, so on an unencrypted connection anyone recording traffic on the local network can read it and then access your Gmail inbox simply by loading that cookie into their own browser; no password is needed. These tools assume the attacker is on the same network as the target, but most users do not sign out of Webmail services, and the session cookies that keep them logged in will most likely be transmitted in the clear whenever a roving user connects to a shared wireless network, for example.
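The mechanics of that attack, and of the fix, as an added illustration (this is not code from the original post, from Google, or from any of the sniffing tools mentioned). The capture, hostnames and cookie names below are constructed; the only real-world behaviour it relies on is the standard browser rule that a cookie carrying the `Secure` attribute is sent only over https, and that traffic inside an https connection is encrypted on the wire.

```python
"""Constructed example: how a session cookie leaks over plain HTTP, and why an
HTTPS-only site whose session cookie carries the Secure attribute closes the hole.
Hostnames, cookie names and the capture are made up for illustration."""
import re
from collections import defaultdict

# Constructed plaintext capture: what a passive sniffer on a shared WLAN sees when
# an already-logged-in webmail user opens the inbox over http:// (the pre-change
# default for users who had not selected "always use https").
CAPTURE = """\
GET /mail/ HTTP/1.1
Host: mail.example.com
Cookie: SID=abc123sessiontoken; PREF=lang=en
User-Agent: Mozilla/5.0

GET /static/logo.png HTTP/1.1
Host: mail.example.com
Cookie: SID=abc123sessiontoken

GET /search?q=news HTTP/1.1
Host: www.example.com
Cookie: PREF=lang=en
"""

# Hypothetical list of cookie names a sidejacking tool would treat as session tokens.
SESSION_COOKIE_NAMES = {"SID", "SSID", "PHPSESSID", "JSESSIONID"}


def parse_requests(raw):
    """Yield (host, {cookie_name: value}) for each HTTP request in a plaintext capture.
    Requests are separated by a blank line; header lines are 'Name: value'."""
    for block in re.split(r"\n\s*\n", raw.strip()):
        lines = block.splitlines()
        if not lines or " HTTP/" not in lines[0]:
            continue
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        cookies = {}
        for pair in headers.get("cookie", "").split(";"):
            name, _, value = pair.strip().partition("=")
            if name:
                cookies[name] = value
        yield headers.get("host", "?"), cookies


def harvest_sessions(raw, names=SESSION_COOKIE_NAMES):
    """What a sidejacking tool does: collect session cookies per host from cleartext
    traffic. Each entry is enough to replay the victim's logged-in session."""
    found = defaultdict(dict)
    for host, cookies in parse_requests(raw):
        for name, value in cookies.items():
            if name in names:
                found[host][name] = value
    return dict(found)


def parse_set_cookie(header):
    """Parse a Set-Cookie value into (name, value, {lowercase attribute names})."""
    first, *attrs = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    flags = {a.split("=", 1)[0].lower() for a in attrs if a}
    return name, value, flags


def cookie_visible_to_sniffer(set_cookie_header, scheme):
    """True if a passive eavesdropper could read this cookie when the browser later
    sends it with a request to a URL of the given scheme ('http' or 'https').
    Two rules are modelled: https traffic is encrypted in transit, and a cookie
    with the Secure attribute is never sent by the browser over plain http."""
    _, _, flags = parse_set_cookie(set_cookie_header)
    if scheme == "https":
        return False  # encrypted on the wire
    if "secure" in flags:
        return False  # browser refuses to send it over http at all
    return True


if __name__ == "__main__":
    print("Sessions harvested from the cleartext capture:", harvest_sessions(CAPTURE))
    for hdr in ("SID=abc123sessiontoken", "SID=abc123sessiontoken; Secure; HttpOnly"):
        for scheme in ("http", "https"):
            print(f"{hdr!r} over {scheme}: visible={cookie_visible_to_sniffer(hdr, scheme)}")
```

The point the table of four cases makes is that forcing https for the inbox alone is only half of the fix: if the session cookie lacks the `Secure` attribute, the browser will still send it in the clear the moment the user follows any plain http:// link to the same host (a logo, a help page, a mistyped URL), and the sniffer gets it anyway. Both the always-on encryption and the cookie attribute are needed.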

Alas, Google has many properties that still do not enjoy this always-encrypted setting. In mid-2009, a Who’s Who of more than three dozen high-tech and security experts from industry and academia urged Google to encrypt all Google services by default, noting that tens of millions of consumers now rely on Google for a wide array of services that handle sensitive data, such as Google AdSense, AdWords and Google Health. Still, this is a welcome step that hopefully will be emulated by Microsoft and Yahoo!, the other two major Webmail providers.

7 thoughts on “The Wire: Google Security Edition”

  1. d

    Yea, for Google! I was about ready to dump them. Their lack of providing constant encryption has always bothered me. So much so, that I still have yet to try their other products. Much like the poll you just conducted Brian, some people don’t care what’s lurking out there and some do. I have been a user of NoScript and took your advice about RequestPolicy. Lately, every time I log in to gmail there seems to be yet another cookie. Giving their cookies a short expiration date would be another step in the right direction.

  2. f

    Could you explain to me the effect this is having on Symantec’s Norton Anti Virus 2010? I have noticed a change in the way Norton is working. Am I still protected while using Norton? What should I do? Thank you very much.

  3. JohnJ

    When using a webmail service, is there any security difference between logging on at the e-mail web site, and sending/retrieving your mail using Outlook?

    1. Captain Canuck

      Outlook isn’t the best email client there is in the security sense. Try Mozilla Thunderbird instead.

      Security-wise, I can think of two advantages for using an email client instead of the web interface:

      – cuts out your middleman (your browser) in case it has any security issues
      – if your email servers go offline, you have backups on your computer.

      1. BrianKrebs Post author

        Cpt Canuck is right. There’s no security advantage to adding another app for checking your email. That said, newer versions of Outlook are much more secure than older Outlook and OE versions (for example, active scripting restrictions). And yes, Thunderbird is probably safer.

  4. M Henri Day

    Like Brian, I do hope that Google will make https encryption the default, if not mandatory, on all its many services ; myself, I turned the «always used https» feature on in my Gmail as soon as the bug that prevented the «Send to Gmail» feature on the Google Toolbar for Firefox from working with this setting. But let me say that this is not due to any suspicion that the Chinese government reads my email – those interested in doing so lie, I suspect, much closer to home….

    With regard to Cpt Canuck’s analysis of the possible advantages of using an email client rather than accessing one’s email directly on the web, let me point out that email clients can also be targeted by the baddies, as we know from experience with Outlook. And that Gmail now offers an offline option, which means that, as in the case of an email client, already downloaded mail is available if your internet connexion fails….


  5. JCitizen

    The news that Gmail is planning more secure ‘always on’ https:// communication is heartening, but they have a lot of work to do on that.

    From what I understand, many of the hops a typical Gmail message takes are between servers that do not encrypt the messages.

    If this is true, and Google plans on battening down the hatches; I applaud them. But all my clients plan on using encrypted attachments anyway. They have a healthy, “wait and see” attitude.
