Google China

Google China

If you haven’t yet seen the news that Google was hacked by someone looking (in part) for info on Chinese human rights activists,  then you might check out this summary on the SANS Newsbits.  SANS reliably provides sober assessments of incidents like this.  (Don’t mind the weary “I told you so” tone of the articles, it is difficult to continue beating the security drum when few decision makers are listening.)

It is romantic to think that Google might try to live up to it’s unofficial motto of “don’t be evil” by pulling out of China.  However, if Google pulled out it wouldn’t serve to  tighten up their corporate information security.   Also, Google pulling out of China will just give Chinese consumers one less search engine to choose from.  The wrong people would be punished.  It might make a fine display on the world technology stage to “take a stand” against the Chinese government, but it will almost certainly hurt Google’s profits. [ UPDATE 1/19/2010 – Google now denies they will leave China, but want to negotiate a non-censored search (?)]

The biggest payoff might have already been achieved.  Simply announcing the incident and the possible intention to leave China has had a huge impact online.  In the first place, very few corporations are even aware when they have been compromised, let alone announce it willingly to the world.  This sets an excellent standard of transparency.  If other corporations followed this example, it would raise the visibility of information security and hopefully lead to more attention (and budget) being devoted to protecting corporate information systems.  If other companies do not follow this example, it makes Google appear more honest, not less secure.  (This last was accomplished by revealing that as many as 30 other companies had also been hacked.)  In the second place, Google is hurting the reputation of the Chinese government by their announcement alone.  This may or may not be fair given that it’s difficult to prove exactly who hacked Google, but it focuses attention of the issue of Chinese “cyberspying“.

The actual attack vector was probably a previously unknown IE vulnerability (zero day attack).  It makes sense to start switching to a different browser, preferably one that has a Flash blocker plug-in available.  IE might be so vulnerable because it’s still got ~60% of the market.  It’s a high value target for hackers.  Having more browsers to divide up the attention of the hacker population might give browser developers a relative advantage.  The fact is that all software contains bugs and the more people you have beating on your software, the more bugs are revealed and the more robust your software becomes as you patch those bugs.

This incident highlights the general trend that client machines are becoming the most common attack vector.   Here is a quick summary of my current thinking in this regard:

  1. Switch your primary browser to anything but IE.
  2. Definitely use a Flash blocker.  Flash is too dangerous to use indiscriminately.  You can always choose to play flash video on sites you trust. For Firefox I use the aptly named “Flashblock” add-on: https://addons.mozilla.org/en-US/firefox/addon/433
  3. Try to keep Adobe Acrobat patched and don’t open Acrobat files unless necessary.
  4. Keep client apps patched  (i.e. MS Office, Quick Time,  etc.).
  5. Explore using a browser proxy service.

What do you think? All comments are welcome.

[UPDATE 2/14/2010]
I just saw this other blog which suggests that one of these attacks exploited “a system used to help Google comply with search warrants by providing data on Google users.” Also, Spint apparently served 8 million GPS requests within a year and “someone who downloaded a phony warrant form and submitted it to a random telecom would have a good chance of getting a response.” Nice. Automating government access to user data seems problematic to me. Ideally, each search warrant request should be validated, but I don’t see how that can realistically be done. So we end up with systems designed to help US law enforcement catch criminals and terrorists than can be hacked to spy on practically anyone. We trade one form of security for another and privacy goes in the garbage. What a conundrum!.