thoughts on the google/china incident of 2010

Praetorian Prefect has posted a video demonstrating the Aurora exploit (the IE use-after-free tracked as CVE-2010-0249) against IE6. It also shows how easy Metasploit is to use once you get some experience with it. While nothing new to sec geeks, I think it is mind-boggling to norms who have no idea how slickly you can own a system.

This incident centering around Google has raised tons of discussion. I really can’t add too much more to what has already been said in various corners of the net, but I can at least add my own voice to the cacophony…

First, Google is a large, public company. They, like most any company, will not come out with a declaration like this without a firm economic reason to do so. I think the best response I’ve seen was Moxie’s over on the DailyDave list.

Second, lots of people rightly diss on these companies for probably using IE6 widely. This is an easy argument (just like saying ‘why are you insecure?’ after someone is hacked…), but not one I tend to take too deeply because, quite honestly, it takes time and effort (i.e. MONEY!) to change things in an IT environment. Good point, but don’t bandy it about too hard.

Third, stop being surprised that Google has automated systems to dump your data to authorities. Don’t be naive, both about Google and about economic entities.

Fourth, Google uncovered several attacks against something like 30 other large companies. Wait…does that mean none of them detected the attacks themselves? Pass the whiskey…

Fifth, defense in depth and detection help. Having operators/analysts keeping their fingers on the pulse of networks and systems helps (or, more precisely, properly augments automated tools). Signatures (and automation) do help and have their place, but nothing will be able to interpret suspicious or strange behavior like a human.

Sixth, speaking of defense in depth, we’ve all seen the vectors of initial attack. We’ve all heard rumors about just how deeply the attackers got inside their targets. But who is connecting the dots? Exactly how did owning the clients pivot over to the servers or systems? I’m not saying I don’t believe those rumors, but I am saying it sounds like we still have a non-secure interior. I know security is reactionary in nature and economically bound, but what the hell?

Seventh, attackers were originally curious and self-serving in a non-financial way. Then they realized they could make money stealing directly from accounts in a very liquid fashion, and a subset monetized stolen CPU cycles collectively (botnets). I think now we’re seeing more realization that there is value in information held by corporations; on the level of corporate espionage. This is far less liquid to most people, but to nation-states or other corps… I’m not saying this is cyberwarfare! But less-liquid espionage is the next natural step…should we be surprised that Google reportedly had a team ready to attack the attackers? Shadowrun, anyone?