April 19, 2010
Cyberattack hit heart of Google system
The hackers got access to the coding in the password system that controls millions of users' access to many Google services.
Ever since Google disclosed in January that Internet intruders had stolen information from its computers, the exact nature and extent of the theft has been a closely guarded company secret. But a person with direct knowledge of the investigation now says that the losses included one of Google's crown jewels, a password system that controls access by millions of users worldwide to almost all of the company's Web services, including e-mail and business applications.
The program, code named Gaia for the Greek goddess of the earth, was attacked in a lightning raid taking less than two days in December, the person said. Described publicly only once at a technical conference four years ago, the software is intended to enable users and employees to sign in with their password just once to operate a range of services.
The intruders do not appear to have stolen passwords of Gmail users, and the company quickly started making significant changes to the security of its networks after the intrusions. But the theft leaves open the possibility, however faint, that the intruders may find weaknesses that Google might not even be aware of, independent computer experts said.
A vast amount of info in one place
The new details seem likely to increase the debate about the security and privacy of vast computing systems such as Google's that now centralize the personal information of millions of individuals and businesses. Because vast amounts of digital information are stored in one place, a single breach can lead to disastrous losses.
The theft began with a single instant message sent to a Google employee in China who was using Microsoft's Messenger program, according to the person with knowledge of the internal inquiry, who spoke on the condition he not be identified.
By clicking on a link and connecting to a "poisoned" website, the employee inadvertently permitted the intruders to gain access to his (or her) personal computer and then to the computers of a critical group of software developers at Google's headquarters in Mountain View, Calif. Ultimately, the intruders were able to gain control of a software repository used by the development team.
The details of the theft have been a closely guarded secret. Google first publicly disclosed it in a Jan. 12 posting on the company's website, which stated that the company was changing its policy toward China in the wake of the theft of unidentified "intellectual property" and the apparent compromise of the e-mail accounts of two human rights activists.
Company executives on Monday declined to comment about the new details of the case.
Subtle vulnerabilities
Having access to the original programmer's instructions, or source code, could provide technically skilled hackers with knowledge about subtle security vulnerabilities in the Gaia code that may have eluded Google's engineers.
"If you can get to the software repository where the bugs are housed before they are patched, that's the pot of gold at the end of the rainbow," said George Kurtz, chief technology officer for McAfee Inc., a software security firm that was one of the companies that analyzed the illicit software used in the intrusions at Google and at other companies last year.
Rodney Joffe, a vice president at Neustar, a developer of Internet infrastructure services, said, "It's obviously a real issue if you can understand how the system works."
http://www.startribune.com/science/91565044.html?page=2&c=y
