Why Google and Microsoft, not cloud computing, were at fault for the Google hack

By now, much has been written about last week’s attack on Google, Yahoo, and more than 30 other companies. Google’s stark reaction to the attack has put the company at the forefront of this news story. At stake is one of the world’s largest Internet markets, as well as the already tenuous relationship between the US and China. It is no wonder this attack is making headlines worldwide.

Why isn’t this an attack on cloud computing?

First of all, the mechanics of the attack, though not entirely clear, have nothing to do with cloud computing. What we do know is the following: A Microsoft browser vulnerability was exploited, some employees’ desktops were compromised, and the attacker used the compromised desktops via Google’s VPN to get to some of the servers. As a result, Google apparently issued an emergency refresh of the entire corporate VPN infrastructure last week, which lasted more than 24 hours, leading to more than a little bump in the road of employee productivity.

So, let’s look at the facts here. Exploiting browser vulnerabilities is a familiar attack method, one that has nothing to do with cloud computing. Compromising desktops and using a VPN to further compromise servers is again nothing new. What is at the root of the problem here is a vulnerability from everybody’s “favorite” software company (more about this vulnerability to come later today), not the fact that the target of the attack is a prolific cloud computing company.

However, some of my clients (and many others) were asking why they would want Google to host their applications/data if Google is a bigger attack target than themselves. This is indeed an interesting question, one that is worth exploring. This question is particularly interesting when you consider that the attack in question involved exploiting vulnerabilities in IE 6. Why would Google employees still be running IE 6, an outdated browser? Clearly Google’s corporate IT isn’t doing a good job. But the fact that the attacker used the VPN to further the attack suggests that the initial victim machine may not have been a corporate-managed machine. However, we do not know for sure. In any case, Google is at fault here for not managing its risks adequately. And being one of the biggest cloud computing companies, they should know better.

I will be uploading another entry on the specifics of the Microsoft vulnerability after 10:00 a.m. PST today. Stay tuned. In the meantime, let me know what you think of the attack and its implications.

This entry has been cross-posted to Chenxi's blog

Comments

IE6

I think it's a fair question to ask why Google employees are still using IE 6.0. It doesn't really make a difference if the utilization was for testing or not. The reality is simple: their IT department is not doing a good monitoring or upgrading job. If a computer is for testing, leave it in a testing pool and do not connect it with your live network. Even though it's not a 'cloud computing' issue, I would still be concerned with a provider not being able to stay on top of their services. It takes only a single mistake and consumers' credit card numbers risk being stolen. Let's consider a hypothetical example where that machine loaded with IE 6 had confidential data in it. The hacker who took control of that machine could have done more damage to the owner of that data. I just think Google should learn from this incident and be cautious in the future.

re: Why Google and Microsoft, not cloud computing, were at faul

Why would Google employees still be running IE 6, an outdated browser?

I'm a developer and from that perspective would want to justify why Google is still using IE 6.

According to W3Schools stats, until Dec 2009, 10.9% of the world's net users still use IE6, which is not a small number to be ignored.

Maybe they are using IE6 for testing purposes. Can't blame Google for that. :)

re: Why Google and Microsoft, not cloud computing, were at faul

Agreed that this is not a cloud issue! This "hack" looks to be an endpoint security exploit and not a cloud issue. http://cloudsecurity.trendmicro.com/google-attack-not-the-cloud/ has a Trend Micro perspective & some nice details.

re: Why Google and Microsoft, not cloud computing, were at faul

Why would Google employees still be running IE 6, an outdated browser?

Because unfortunately, there are still IT departments that haven't updated IE and Google needs to check how their services render in different browsers and platforms. That's like asking why would Microsoft employees be running Linux.