The recently disclosed hacking attacks suffered by Google and many other companies are noteworthy not just for the high profile of the victims, but also for the sophistication of the attacks, which have been described as a combination of highly targeted phishing attempts coupled with exploits of software vulnerabilities in popular programs such as Microsoft Internet Explorer (to be clear, while Microsoft has acknowledged that IE vulnerabilities were likely used, there is no confirmation that Adobe products were exploit vectors in the attack; iDefense originally asserted that Adobe Reader was used to effect the attack, but withdrew that claim after further investigation). Even without the use of zero-day exploits in the attacks, the specificity of the phishing messages and the recipients to whom they were addressed apparently greatly enhanced the success of the attack. The reported use of different malware payloads sent to different intended victims and the advance step of gathering specific recipient email address lists both differentiate these “spear-phishing” attacks from run-of-the-mill phishing attempts using mass distribution.
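The two traits singled out above, a curated recipient list and a different payload per recipient, are also what distinguish such a campaign from a mass mailing in a mail gateway's own records. The following is an added example, not code from the original post or from any of the organizations it mentions: a small heuristic that groups inbound messages by sender inside a short time window and flags senders whose messages reached several distinct recipients with several distinct attachment digests. The records, field layout, sender and recipient addresses, and digests are all constructed for the example.

```python
"""Flag inbound mail that looks like a targeted campaign with per-recipient payloads.

Added example; the record layout (timestamp, sender, recipient, attachment
digest) and all values below are constructed, not real gateway logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: ISO timestamp, sender, recipient, attachment digest.
SAMPLE_RECORDS = [
    ("2010-01-12T09:00:10", "hr-notice@example.net", "alice@corp.example", "a1f3"),
    ("2010-01-12T09:00:42", "hr-notice@example.net", "bob@corp.example", "b7c9"),
    ("2010-01-12T09:01:05", "hr-notice@example.net", "carol@corp.example", "c002"),
    # A bulk newsletter: same attachment to everyone, so it should not match.
    ("2010-01-12T10:15:00", "newsletter@example.org", "alice@corp.example", "dead"),
    ("2010-01-12T10:15:01", "newsletter@example.org", "bob@corp.example", "dead"),
    ("2010-01-12T10:15:02", "newsletter@example.org", "carol@corp.example", "dead"),
    # Same targeted sender a day later: outside the window, so not counted with the others.
    ("2010-01-13T08:00:00", "hr-notice@example.net", "dave@corp.example", "d4d4"),
]


def parse_record(rec):
    """Turn one constructed record into (datetime, sender, recipient, digest)."""
    ts, sender, rcpt, digest = rec
    return datetime.fromisoformat(ts), sender, rcpt, digest


def find_targeted_campaigns(records, window=timedelta(minutes=10), min_recipients=3):
    """Return {sender: details} for senders whose messages within `window` reached at
    least `min_recipients` distinct recipients with at least that many distinct
    attachment digests, i.e. one payload per target.  Mass mailings reuse a single
    attachment and therefore do not meet the distinct-digest threshold."""
    by_sender = defaultdict(list)
    for rec in records:
        ts, sender, rcpt, digest = parse_record(rec)
        by_sender[sender].append((ts, rcpt, digest))

    hits = {}
    for sender, msgs in by_sender.items():
        msgs.sort()  # chronological order for the sliding window
        start = 0
        for end in range(len(msgs)):
            # Advance the window start until every message in it is within `window`.
            while msgs[end][0] - msgs[start][0] > window:
                start += 1
            in_window = msgs[start:end + 1]
            rcpts = {m[1] for m in in_window}
            digests = {m[2] for m in in_window}
            if len(rcpts) >= min_recipients and len(digests) >= min_recipients:
                hits[sender] = {
                    "recipients": sorted(rcpts),
                    "distinct_payloads": len(digests),
                }
    return hits


if __name__ == "__main__":
    for sender, info in find_targeted_campaigns(SAMPLE_RECORDS).items():
        print(sender, info)
```

The thresholds are deliberately conservative defaults for illustration; in practice the attachment digest would come from the gateway's attachment scanning and the window would be tuned to the organization's normal mail volume.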
Some security experts have pointed to the Google-China incident as the most visible recent example of the “advanced persistent threat,” in this case represented by whatever hacking capacity (whether explicitly government-sponsored or otherwise) was able to carry out the attacks. Taosecurity blogger Richard Bejtlich is among the leading online voices drawing attention to the problem of the advanced persistent threat, having noted in the past that even where this sort of threat is acknowledged it is not always specifically identified or described with the same terminology. As described by security services and incident response product vendor Mandiant, the advanced persistent threat is characterized more by its “perseverance and resources” than by its use of special or unique attacks, requiring a commensurate level of sustained defensive and responsive activity from organizations targeted by it. The attacks on Google show evidence of significant resources dedicated to preparing for and executing intrusions, and perhaps more troubling, show a level of creativity in crafting new and unique attacks that may make them even harder to defend against. Lastly, the key weaknesses exploited in the attacks on Google and others were not in the target organizations’ network or systems infrastructure, but instead were both human (user) and technical vulnerabilities exploited through ancillary attack vectors. The continued analysis of and response to this incident, including the State Department’s announced intention to issue an official protest, suggests that these attacks have raised the bar on cybersecurity, likely for the foreseeable future. Only time will tell if this results in permanent, tangible changes in the use of tools, tactics, or approaches on cybersecurity.
One effect of Google’s public disclosure of hacking attempts ascribed to the Chinese government appears to be a greater sense of urgency in Congress to enact new cybersecurity legislation. While a strong response from the administration may or may not be forthcoming, lawmakers who had already been working on security bills see the Google-China incident as only the latest in a long line of compelling reasons to act. Sen. Jay Rockefeller of West Virginia, who, along with Maine’s Sen. Olympia Snowe has co-sponsored the draft Cybersecurity Act of 2009, has indicated in public statements that he intends to prioritize getting the bill out of committee and under consideration by the full Senate. The bill, introduced as S. 773, includes a broad-ranging set of provisions for standardizing approaches and oversight for security controls, monitoring, vulnerability disclosure, threat assessment, and risk management. The bill as drafted would greatly expand the authority and role of the Department of Commerce, including but not limited to responsibilities for NIST not only to establish and promulgate cybersecurity standards, but also to enforce compliance.
The following letter was written in response to an editorial published in the January 14 edition of the Washington Post:
Regarding the editorial “Google vs. China” in the January 14 edition of the Washington Post, the efforts of the Chinese government to “snoop on the private emails of its citizens,” while certainly behavior worthy of being denounced, are fundamentally no different from the rights asserted by our own U.S. government to inspect the content of Internet traffic in the name of national security. The operational scope of the Einstein 3 program managed by the Department of Homeland Security is typically characterized as including both the technical ability to allow email and other Internet communications traffic to be read, and the authority to do so under the USA PATRIOT Act when the content of the communications relates to terrorism or to computer fraud and abuse. There is of course a world of difference between what we would consider “related to terrorism” and the electronic speech of human rights activists who were reported among the victims of the attacks on Google’s email service. However, it is not always so easy to draw this distinction, especially when dealing with individuals whose identities exist online. I’ve little doubt that the Chinese might characterize pro-democracy advocates as potential threats to Chinese national security; the fact that they represent such a threat is one reason the United States objects to their censorship. The point is, the Post is not in the best position to be decrying Chinese state-sponsored snooping into email communications of private citizens, unless it wants to paint the U.S. government with the same brush.
With the widely reported attacks on Google and other companies doing business in China and Google’s planned and threatened actions in response, opinions are coming fast and furious on all sides, although official statements from U.S. government officials have been a bit more tentative, at least until more explicit evidence is brought to light revealing the Chinese government’s role in the attacks. With all the attention focused on the significance of the attacks and the potential economic ramifications of a possible Google pull-out from China, some other aspects of the whole situation seem to be getting overlooked. Herewith then are a few observations on some of the tangential elements of the story.
Google originally agreed to censor some of its search results in China as a condition of being allowed to operate in the country at all. With Google’s Gmail service the reported target of the attacks — specifically the accounts of known Chinese human rights activists — the company characterized the attacks as more than just a security incident. The nature of Google’s responses to the attacks has both political and practical drivers. Apparently prompted by the seriousness of the attack, Google now says that if it continues to operate in China, it will only do so with uncensored results. It’s not entirely clear whether the Chinese might be able to put an intermediary filter between Google’s servers and Chinese Internet users that would leave users with the same net result, but in any case Google says that if it can’t run uncensored, it won’t continue in China at all. No argument with the principle here, but it seems a little disingenuous for Google to say that some censorship (and widely suspected state-sponsored hacking) was fine, but now the Chinese have crossed the line, and Google just won’t operate on their terms anymore.
Google went public with the attacks for several reasons, but to date hasn’t shared a lot of technical details about the nature of the attack or the exploits that might have been attempted or succeeded, other than to declare there were no security breaches of Google itself, so the accounts were most likely compromised through the use of phishing or malware surreptitiously loaded onto client computers. Almost at the same time, Google made a change to Gmail’s default security settings, and connections to Gmail are now HTTPS by default — a security improvement over the previous approach of letting users enable this option but having it off by default. Use of webmail without some sort of transport layer security, especially during login, makes compromising an individual email account incredibly easy for an attacker, so while there may be no indication that anyone sniffed one of the victimized account holders’ credentials, it would have been a more credible declaration had this setting already been in place.
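The weakness described above is easy to check for on any webmail service you operate: a login form whose submission target is not an https:// URL sends the password in cleartext, whether the page itself was served over HTTP or over HTTPS with an http:// form action. The following is an added example, not Google's code or anything from the original post, that scans a page's HTML for forms containing a password field and reports those whose resolved action URL is not HTTPS. The two pages and the hostname `mail.example.test` are constructed for the example; the first page mirrors the "off by default" state the post describes, the second the corrected state.

```python
"""Report login forms that would submit credentials without transport-layer security.

Added example; the HTML pages and hostname below are constructed, not real.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect, for each <form>, its action attribute and whether it has a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "password": False}
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def cleartext_login_forms(page_url, html):
    """Return the absolute action URLs of forms that carry a password field and whose
    submission target does not use https://.  An empty or relative action is resolved
    against page_url, which is why a login page served over plain HTTP is flagged even
    when the form has no explicit action."""
    scanner = _FormScanner()
    scanner.feed(html)
    scanner.close()
    findings = []
    for form in scanner.forms:
        if not form["password"]:
            continue  # search boxes and similar forms do not carry credentials
        target = urljoin(page_url, form["action"])
        if urlsplit(target).scheme.lower() != "https":
            findings.append(target)
    return findings


# Constructed page 1: HTTP login page with a relative action -> credentials in cleartext.
WEAK_PAGE_URL = "http://mail.example.test/login"
WEAK_PAGE = """<html><body>
<form method="post" action="/auth">
  <input name="user"><input type="password" name="pw"><input type="submit">
</form></body></html>"""

# Constructed page 2: HTTPS login page whose login form posts to an https:// URL.
# The plain-HTTP search form has no password field and is ignored.
FIXED_PAGE_URL = "https://mail.example.test/login"
FIXED_PAGE = """<html><body>
<form method="post" action="https://mail.example.test/auth">
  <input name="user"><input type="password" name="pw"><input type="submit">
</form>
<form method="get" action="http://mail.example.test/search"><input name="q"></form>
</body></html>"""


if __name__ == "__main__":
    print(cleartext_login_forms(WEAK_PAGE_URL, WEAK_PAGE))    # ['http://mail.example.test/auth']
    print(cleartext_login_forms(FIXED_PAGE_URL, FIXED_PAGE))  # []
```

The check looks only at where the form would post; it says nothing about what happens after login, which is the other half of the "HTTPS by default" change (session cookies and mailbox contents travelling in the clear). A complete audit would also confirm that the post-login pages and cookies are restricted to HTTPS.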
On the Chinese end, a seemingly landmark development in Chinese individual privacy rights has gone virtually unnoticed outside the legal community, in the form of the People’s Republic of China Tort Liability Law, passed in late December to go into effect in July. As thoroughly yet succinctly summarized by privacy law experts Hunton & Williams LLP, the law includes a statement of a right to privacy, and establishes private rights of action for Chinese citizens to bring tort litigation against Internet service providers, medical institutions, employers, and other parties who mishandle personal information or otherwise infringe on privacy rights. Admittedly, it’s easy to dismiss out of hand the notion that a single-party socialist regime long marked by suppression of fundamental human rights would recognize and respect personal privacy protections. Given the nature of the attacks on Google, however, it is ironic that this new law would ostensibly offer a legal remedy to the individuals whose accounts were hacked, if in fact the attackers could be accurately identified.
On a more general note, there’s a cautionary lesson to be learned here about the perceived and actual security protections afforded to users of online communications services, whether webmail, social networking, or cloud computing services. There is a phrase repeated so often it has become a little maxim in itself: there is no privacy without security. It is also argued that the reverse is true too, especially in cases where “security” is understood to mean “confidentiality.” Current discussions about moving into the cloud, for instance, focus first on what security measures can be used to help ensure that confidentiality and integrity (and availability too, while we’re at it) are maintained, but in an environment like China where privacy is not universally championed, focusing on better or more security measures can’t solve the problem. The most favorable way to interpret Google’s statements and actions about the China situation gives the company credit for understanding that.
Enterprise security giant Symantec announced yesterday that it will acquire the privately held vulnerability assessment and security compliance vendor Gideon Technologies. While Gideon focuses on commercial markets such as financial services and health care as well as the public sector, Symantec’s press release makes it clear that what it finds most attractive about Gideon’s SecureFusion product is its capability to scan networks and assess compliance with key federal regulations, including FISMA and Federal Desktop Core Configuration (FDCC) standards, using the Security Content Automation Protocol (SCAP). Gideon has made support for federal standards compliance a priority, building in a variety of control standards from NIST and even aligning to the Consensus Audit Guidelines (CAG), which are not mandated but which have been embraced by many current and former government IT executives. SecureFusion appears to be a good fit with the rest of Symantec’s security management and monitoring toolset, and the combined product offering should appeal to government agencies seeking to establish or enhance situational awareness.
This move by Symantec demonstrates once again the market influence the federal government has, in particular the way the federal emphasis on compliance-based security management continues to drive market opportunities for commercial security vendors. In much the same way as EMC’s recent decision to acquire Archer Technologies, the clear and present need for federal agencies to procure and implement tools to assess and monitor compliance in an automated fashion seems to outweigh any potential move away from compliance-based security in favor of effectiveness-based alternatives. In Gideon’s case, it’s not a coincidence that its core commercial markets are the industries with the broadest and most complex set of regulations. Even with a steady stream of suggestions coming from Capitol Hill that major compliance-mandating regulations like FISMA, HIPAA, Sarbanes-Oxley, and the Privacy Act are in need of substantial revision, it seems safe to infer that Symantec’s due diligence and market research on the Gideon acquisition must have left the company confident that regulatory assessment and compliance solutions will remain a lucrative market for the foreseeable future.