In today's New York Times, there is a fascinating and disturbing story shedding more light on the hack attack on Google that occurred in January and led to its pullout from China. According to the story, hackers stole the source code to Gaia, which the Times says is "one of Google’s crown jewels, a password system that controls access by millions of users worldwide to almost all of the company’s Web services, including e-mail and business applications."
The Times story, citing "a person with direct knowledge of the investigation", reports that Google's passwords were not taken, but the worry is that the hackers will now be able to find a weak spot in the password system that Google does not know about and exploit it. Google has taken measures to protect against that threat, but unless it completely rewrites Gaia (something very unlikely), a risk remains.
The Times says that "The theft began with an instant message sent to a Google employee in China who was using Microsoft’s Messenger program ... By clicking on a link and connecting to a 'poisoned' Web site, the employee inadvertently permitted the intruders to gain access to his (or her) personal computer and then to the computers of a critical group of software developers at Google’s headquarters in Mountain View, Calif. Ultimately, the intruders were able to gain control of a software repository used by the development team."
The story says that it appears the hackers targeted specific Google Gaia software developers, implying a sophisticated intelligence operation was behind it, i.e., the hack had "unknown" but suspected Chinese governmental support.
As a side note, I am always amazed by the US government agencies - especially the Department of Defense - who are more than happy to publish the photos, names and operating locations of students/employees/service members taking advanced cyber security courses. Nice intelligence target list you are providing. If you are going to be handing the future keys to the kingdom to these folks, you should at least protect their identities like you do intelligence operative recruits.
Anyway, the Times story also indicates that the January hack attack, which targeted not only Google but several other companies, wasn't a quick strike. Evidence was found at some of the companies hit that they had been hacked into for a couple of years, and didn't know it. This seems to support the findings described in the Wall Street Journal article in February about a massive, coordinated attack focusing on thousands of companies over the past two years.
Finally, the story points out that companies that offer cloud computing will increasingly be the sought-after gold of the organized hacking communities, both government-sponsored and criminal, in the future, since the reward/risk ratio is so tempting. The attack on Google is merely a prelude.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.