Posted by Andrew Jaquith on January 15, 2010
Unless you have been living under a rock for the past few days, you probably have heard about some big changes Google has made regarding an attack on its infrastructure. Here is what we know:
- First, the Who and What: Google detected a coordinated attempt by Chinese entities to compromise the accounts of Chinese dissidents. David Drummond, Google’s chief counsel, said, “A primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists.” According to George Kurtz at McAfee, the attacks were part of a large-scale, well-organized operation called Aurora. As a result, Google has stopped censoring its search results in China, and has considered pulling out of the country entirely.
- Second, the How: as this story has played out, a second wave of stories emerged about the attack vectors. Microsoft has released a bulletin stating that a zero-day exploit in Internet Explorer 6 and higher was the attack vector. McAfee's George Kurtz confirms that IE 7 and 8 vulnerabilities were used. iDefense speculated that PDF phishing may have been a vector too, but that has not yet been shown definitively.
- Third, the attacks were not just about dissidents. The attacks appeared to be part of a coordinated campaign that targeted the intellectual property of a wide swath of the US industrial base, including Dow Chemical, Symantec, Yahoo!, Northrop Grumman, and Juniper Networks.
- Fourth, many affected parties are collaborating on the investigation and post-mortem analysis. Google, Adobe, Microsoft, McAfee, and others are all sharing information about the attack. No doubt the FBI and other agencies are in the mix, too.
- The threat landscape has not changed; but our perception of it has. Mikko Hypponen — who never misses an opportunity to chase an ambulance when he hears one coming — gets it right when he says that “This wasn’t in my opinion ground-breaking as an attack. We see this fairly regularly.” Targeted zero-day attacks are routine, particularly against government agencies and in the aerospace and defense sectors. What is new is that we are now seeing headlines about it. Companies were spilling credit card numbers and SSNs long before it became headline fodder. And so it is with this class of attack, too.
- The attack will spur more collaboration between the US private and public sectors. Dispassionate observers will recall reports in the news from last year about large-scale industrial attacks against the US government and critical infrastructure. If these more recent attacks against private companies are also felt to be coming from similar sources (the PRC government, PLA red teams etc.), it won't take a genius to start connecting the dots. A formal public/private attack data sharing program, with generous safe-harbor exemptions, would be a good start. Re-invigorating the ISACs would be another.
- Multinationals will see the need to pay more attention to protecting their secrets, not just the “toxic data” like PII or PHI. Our most recent annual IT security survey, which we are busy analyzing, shows that “compliance” (big-C compliance like PCI and HIPAA, and little-C compliance with security policies) is the motor that drives security budgets in large corporations. Enterprises have gotten used to the idea that they need full-disk encryption and DLP to keep toxic customer and payment data from spilling. But two-thirds of the value of the information enterprises protect resides in the secrets they keep that confer long-term competitive advantage. Google’s admission that they lost some of their secrets in this hack shows that securing trade secrets deserves just as much attention as the toxic stuff.
- Relying on one browser is a liability. As we have seen, this attack succeeded because of flaws in Internet Explorer. Browsers are complex pieces of software. By one measure, Firefox is 2.5 million lines of code. By contrast, the Apache web server is just one-tenth of the size, at less than 300,000 lines of code. Who knows how big IE is? Certainly, it is several million lines of code at least. Complex systems fail complexly, which is why browsers continue to be favored targets for zero-days. In this day and age, it is shameful that I still see many corporations (including Forrester) whose business processes rely on web page formats and ActiveX controls that chain them to a specific browser. It should not be that way. Enterprises should strive to deploy web-based applications that are browser-independent; when one browser is targeted, enterprises can mitigate their risk by switching.
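The point about business processes chained to a specific browser, as an added example that is not part of Jaquith's post: a small Python audit (the pattern list, function name and sample page are my own constructions) that scans page source for IE-only constructs such as ActiveX embeds, conditional comments and VBScript, so an enterprise can inventory where it could not simply switch browsers when IE is under attack.

```python
"""Flag HTML/JS constructs that tie a web application to Internet Explorer.

Added illustration (not from the original post): the patterns below cover the
common IE-only dependencies; extend the list for your own application stack.
"""
import re

# Each compiled pattern is paired with a short label for the report.
IE_ONLY_PATTERNS = [
    (re.compile(r"new\s+ActiveXObject\s*\(", re.I), "ActiveXObject in script"),
    (re.compile(r"<object[^>]*\bclassid\s*=", re.I), "<object classid> ActiveX embed"),
    (re.compile(r"<!--\s*\[if\s+[^\]]*IE[^\]]*\]", re.I), "IE conditional comment"),
    (re.compile(r"\bdocument\.all\b", re.I), "document.all (IE-only DOM)"),
    (re.compile(r"<script[^>]*\b(?:language|type)\s*=\s*[\"']?(?:text/)?vbscript", re.I),
     "VBScript block"),
    (re.compile(r"\.htc\b", re.I), "HTML Component (.htc behavior)"),
]


def find_ie_dependencies(html: str):
    """Return a list of (line_number, label, snippet) for each IE-only construct found."""
    findings = []
    for lineno, line in enumerate(html.splitlines(), start=1):
        for pattern, label in IE_ONLY_PATTERNS:
            if pattern.search(line):
                findings.append((lineno, label, line.strip()[:80]))
    return findings


# Constructed sample page for the demonstration; the CLSID is a placeholder,
# not a real control identifier.
SAMPLE_PAGE = """<html><head>
<!--[if lte IE 8]><link rel="stylesheet" href="ie8.css"><![endif]-->
<script language="VBScript">MsgBox "hi"</script>
<script>
  var xhr = new ActiveXObject("Msxml2.XMLHTTP");
  var el = document.all["form1"];
</script>
</head><body>
<object classid="clsid:00000000-0000-0000-0000-000000000000"></object>
<p>Plain HTML is fine.</p>
</body></html>"""

if __name__ == "__main__":
    for lineno, label, snippet in find_ie_dependencies(SAMPLE_PAGE):
        print(f"line {lineno}: {label}: {snippet}")
```

Run it over exported page templates or a crawl of the intranet; anything it reports is a process that cannot be moved to another browser without rework.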
- Humans remain the weak link. I spoke with a contact at an aerospace company who knew something about the Adobe PDF attacks. He was surprised that good old fashioned phishing attacks still work. “This kind of stuff is driving the defense contractors nuts. They should know better, and yet, they are still affected.” It bears repeating, one more time: attachments from strangers are bad. CISOs should dust off their social engineering playbooks and do some internal phishing testing on their employees to make sure their staffs get the message.
As always, I welcome your comments.