Attack on Google In January Supposedly Targeted Critical Password System

Passwords Not Taken, But Password System Source Code Said Stolen

In today's New York Times, there is a fascinating and disturbing story shedding more light on the hack attack on Google that occurred in January and led to its pullout from China. According to the story, hackers stole the source code to Gaia, which the Times says is "one of Google’s crown jewels, a password system that controls access by millions of users worldwide to almost all of the company’s Web services, including e-mail and business applications."

The Times story, citing "a person with direct knowledge of the investigation", reports that Google's passwords were not taken, but the worry is that the hackers will now be able to find a weak spot in the password system that Google does not know about and exploit it. Google has taken measures to protect against that threat, but unless it completely rewrites Gaia (something very unlikely), a risk remains.

The Times says that "The theft began with an instant message sent to a Google employee in China who was using Microsoft’s Messenger program ... By clicking on a link and connecting to a 'poisoned' Web site, the employee inadvertently permitted the intruders to gain access to his (or her) personal computer and then to the computers of a critical group of software developers at Google’s headquarters in Mountain View, Calif. Ultimately, the intruders were able to gain control of a software repository used by the development team."

The story says that it appears the hackers targeted specific Google software developers working on Gaia, implying a sophisticated intelligence operation was behind it, i.e., the hack had "unknown" but suspected Chinese governmental support.

As a side note, I am always amazed by the US government agencies - especially the Department of Defense - who are more than happy to publish the photos, names and operating locations of students/employees/service members taking advanced cyber security courses. Nice intelligence target list you are providing. If you are going to be handing the future keys to the kingdom to these folks, you should at least protect their identities like you do intelligence operative recruits.

Anyway, the Times story also indicates that the January hack attack, which targeted not only Google but several other companies, wasn't a quick strike. Evidence was found at some of the companies hit that they had been hacked into for a couple of years, and didn't know it. This seems to support the findings described in the Wall Street Journal article in February about a massive, coordinated attack focusing on thousands of companies over the past two years. 

Finally, the story points out that companies that offer cloud computing will increasingly be the sought-after gold of the organized hacking communities, both government-sponsored and criminal, in the future, since the reward/risk ratio is so tempting. The attack on Google is merely a prelude.
