Saturday, January 16, 2010

Google's Counter Attack

Two interesting articles, one in the New York Times and one in the San Jose Mercury News, discuss how Google officials investigated the cyber attacks against Google's infrastructure and users of the company's services.

According to the New York Times, Google
managed to gain access to a computer in Taiwan that it suspected of being the source of the attacks. Peering inside that machine, company engineers actually saw evidence of the aftermath of the attacks, not only at Google, but also at at least 33 other companies, including Adobe Systems, Northrop Grumman and Juniper Networks, according to a government consultant who has spoken with the investigators. Seeing the breadth of the problem, they alerted American intelligence and law enforcement officials and worked with them to assemble powerful evidence that the masterminds of the attacks were not in Taiwan, but on the Chinese mainland.
The San Jose Mercury News writes
When Tenzin Seldon, a 20-year-old sophomore at Stanford, logged onto her Gmail account from New York over winter break, she may have helped Google understand the widespread penetration of its network by unidentified hackers in China. Unknown to Seldon, a regional coordinator of Students for a Free Tibet, at the same moment she was reading her e-mail in Queens, someone in China was logged into her account as well. Top Google officials, including chief legal officer David Drummond, later told Seldon that the suspicious situation alerted them that she was one of the human rights activists whose electronic mail was routinely being spied upon by someone in China.
The San Jose Mercury News article continues,
According to Google officials, her black Hewlett-Packard laptop with the red Stanford "S" sticker on the outside was one of perhaps two machines Google examined for signs of malicious software, or "malware," that would have allowed cyberspies entry to her Gmail account. Despite spending six days going through her laptop in early January, Google was unable to find any signs of malware on it. An industry source familiar with the case said her laptop may have been infected with a sophisticated form of malware programmed to harvest and relay back Gmail passwords, before erasing itself from her hard drive.
These accounts raise two interesting questions. First, should private companies like Google be empowered to respond to cyber attacks with attacks of their own? In many cases, the attacking system may belong to a private citizen or company that has no idea their system has been compromised and is participating in an attack. Further, a counterstrike, even one designed only to gather information and not to destroy the attacking machine, may cause unintentional damage and have unintended consequences.

For example, there have been previous cases of computers in hospitals hosting malicious bots. Breaking into these computers without consulting the system owner may damage or disable the machine. In the case of an infected hospital computer, this may adversely affect the doctors and patients who rely on it. Remember, just because a computer is infected doesn't mean that it can't still perform its other programmed functions.

Second, even though Google broke into a server participating in the attack against it, Google officials could not say with certainty who was responsible for the attack. The New York Times noted,
But while much of the evidence, including the sophistication of the attacks, strongly suggested an operation run by Chinese government agencies, or at least approved by them, company engineers could not definitively prove their case. In interviews in which they disclosed new details of their efforts to solve the mystery, Google engineers said they doubted that a nongovernmental actor could pull off something this broad and well organized, but they conceded that even their counterintelligence operation, taking over the Taiwan server, could not provide the kind of airtight evidence needed to prove the case.
