Google Hackers Stole Global Password System

Report: Google Hackers Stole Source Code of Global Password System

By Kim Zetter

The hackers who breached Google’s network last year were able to nab the source code for the company’s global password system, according to The New York Times.

The single sign-on password system, which Google referred to internally as “Gaia,” allows users to log into a constellation of services the company offers — Gmail, search, business applications and others — using one password.

The hackers, who are still unknown, were able to steal the code after gaining access to the company’s software repository, which stores the crown jewels for its search engine and other programs.

Because the hackers grabbed the software, and do not appear to have grabbed customer passwords, users aren’t directly affected by the theft. But the hackers could study the software for security vulnerabilities to devise ways to breach the system that could later affect users.

Google announced in January that it and numerous other companies had been hacked in a sophisticated attack. The hackers had targeted source code repositories at many of the companies, including Google.

According to the Times, the theft began when an instant message was sent to a Google employee in China who was using Windows Messenger. The message included a link to a malicious website. Once the employee clicked on the link, the intruders were able to gain access to the employee’s computer and from there to computers used by software developers at Google’s headquarters in California.

The intruders seemed to know the names of the Gaia software developers, according to the Times. The intruders had access to an internal Google corporate directory known as Moma, which lists the work activities of every Google employee.

They initially tried to access the programmer’s work computers and “then used a set of sophisticated techniques to gain access to the repositories where the source code for the program was stored.”

The Times doesn’t elaborate on the set of sophisticated techniques the hackers used to access the source code, but in March, security firm McAfee released a white paper in relation to the Google hack that describes serious security vulnerabilities it found in software configuration management systems (SCMs) used by companies that were targeted in the hacks.

“[The SCMs] were wide open,” Dmitri Alperovitch, McAfee’s vice president for threat research told Threat Level at the time. “No one ever thought about securing them, yet these were the crown jewels of most of these companies in many ways — much more valuable than any financial or personally identifiable data that they may have and spend so much time and effort protecting.”

Many of the companies that were attacked used the same source-code management system made by Perforce, a California-based company, according to McAfee. The paper didn’t indicate, however, whether Google used Perforce or had another system in place with vulnerabilities.

According to McAfee’s earlier report, the malicious website the hackers used in the Google hack was hosted in Taiwan. Once the victim clicked on a link to the site, the site downloaded and executed a malicious JavaScript, with a zero-day exploit that attacked a vulnerability in the user’s Internet Explorer browser.

A binary disguised as a JPEG file then downloaded to the user’s system and opened a backdoor onto the computer and set up a connection to the attackers’ command-and-control servers, also hosted in Taiwan.

From that initial access point, the attackers obtained access to the source-code management system or burrowed deeper into the corporate network to gain a persistent hold.

According to the paper, the hackers were successful at accessing source code because many SCMs are not secured out of the box and do not maintain sufficient logs to help forensic investigators examining an attack.

“Additionally, due to the open nature of most SCM systems today, much of the source code it is built to protect can be copied and managed on the endpoint developer system,” the white paper states. “It is quite common to have developers copy source code files to their local systems, edit them locally, and then check them back into the source code tree…. As a result, attackers often don’t even need to target and hack the backend SCM systems; they can simply target the individual developer systems to harvest large amounts of source code rather quickly.”

Alperovitch told Threat Level his company had seen no evidence to indicate that source code at any of the hacked companies had been altered.

Google password system was target of Chinese hackers

Charles Arthur

Web giant quit Chinese mainland after attack on internal system allowing people to use single password to access its services

Google's internal system which lets people access its services via a single password was the target of the Chinese hacking attack last December that led the company to withdraw from the mainland, according to the New York Times.

The system, known internally as "Gaia" – after the overarching planetary consciousness posited by James Lovelock – is behind the interface which lets not just users but also Google developers to log in and gain access to the company's resources. Millions of people use that interface to access documents and email from anywhere in the world using Google's "cloud" services. However, users' passwords have not been compromised: Google is understood to follow standard security practice, by which passwords are only stored in encrypted form known as a "hash". When a user logs in, the password they supply is encrypted using the same method and compared to the hash. If the two match, access is allowed. Reversing the process is computationally unfeasible.

But if the hackers could gain uncontrolled access to Gaia, they might be able to change the emails to which password resets are sent (for instance when people forget their original one), and then trigger a password reset – effectively capturing the account. They might also be able to limit or expand what an account was allowed to access.

The hacking was a two-stage process. First the hackers gained access to an internal Google system called Moma, which holds information about the work activities of each Google employee: the hackers may have used that to find specific employees. Then a China-based member of Google's staff was sent a link via Microsoft's instant messenger system to a website which infected their computer and gave the hackers access to the company's internal network.

The New York Times said that a person with "direct knowledge of the investigation" had provided the details of the hack, which it said lasted less than 48 hours. Google had no comment today, referring enquiries to its original blogpost from 12 January in which it revealed that it had been attacked, when it called the hack "a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google."

It also said then that "we have evidence to suggest that a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists".

Google began making "significant" changes to its internal systems as soon as it discovered the attack. But the hackers seem to have had access to the actual program code that is used to run Gaia – which security experts said could, in theory, lead them to weaknesses in it that they could exploit which Google would not be able to detect.

The attack on Google was not an isolated incident: the company said at the time that it had evidence that "at least 20" other US companies in internet, finance, technology, media and the chemical sectors had also been infiltrated and their intellectual property stolen. The attack was dubbed "Aurora" by the internet security company McAfee, which said that it had been done through a weakness in Microsoft's Internet Explorer browser.

Observers have suggested that the Chinese government was behind the attacks because of the profile of the companies and the information that was targeted. While Google has never publicly backed this view, its decision upon discovering the attack to cease censoring its search results in China – and withdraw its operations from the Chinese mainland to Hong Kong – suggest it thinks the attacks were done on the orders of government.

The latest details may make some businesses wary of using so-called "cloud" computing, where high-value data or important personal information is stored online rather than on individual computers under the owner's control. But the fact that it was not just Google that was affected, but internet-connected machines in other companies too, suggests that organisations will need to reconsider the threat from government-inspired hackers.

WikiLeaks

International man of mystery

BERNARD LAGAN

http://wikileaks.org/

April 10, 2010

Julian Assange, who is behind the website WikiLeaks.

The founder of WikiLeaks lives a secret life in the shadow of those who blow the whistle, writes Bernard Lagan.

On the Al Jazeera television network, an overbearing host was grilling Julian Assange, one of the founders of WikiLeaks, the online drop zone for whistleblowers.

Assange, an Australian who rarely makes public appearances and shuffles around the world with little more than a rucksack and a laptop, quickly dealt with his haughty inquisitor. Lean and tall with a handsome, distant face, long grey locks and dressed in a a dark suit, Assange, in his late 30s, is a commanding presence.

He has a deep broadcaster's voice and gave measured, drum-tight answers about the blow he had just dealt the US military with WikiLeak's release of footage of an American helicopter gunship killing Iraqi citizens and two Reuters journalists on a Baghdad street in July 2007.

The video, shot from the helicopter, includes the voices of soldiers urging a gravely wounded Reuters photographer to pick up his weapon (they apparently did not realise it was a camera) so he could be lawfully finished off with the aircraft's deadly 30mm cannon. When a beaten-up van slithers to a halt and its passer-by occupants tumble out to aid the wounded, they too are gunned down. Only two maimed children survive.

It becomes clear why the military has resisted the demands of Reuters and others for the release of the video; the military had long claimed it did not know how the Reuters journalists had died and it initially withheld the fact that children were present.

Assange resisted Al Jazeera's invitation to savage US authorities for their years of dissembling, remarking simply: ''There was certainly spinning the message and it does seem like there has been a cover-up.''

He didn't need to say more; by week's end the video had been viewed 4.8 million times. Its impact upon the reputation of US servicemen in Iraq is devastating. Another US military video - showing last year's bombing of Afghan villages as they siphoned fuel from a tanker hijacked by the Taliban - is also coming to WikiLeaks.

Clearly someone inside the military has begun leaking, elevating WikiLeaks and Assange overnight from mainstream journalism's fringes to a must-see news breaker. ''This is a whole new world of how stories get out,'' declared Sree Screenivasan, a professor of digital media at the Columbia University journalism school in New York.

Yet for all its ideals in support of openness and freedom of information, those behind WikiLeaks - especially its key founder, Assange - dwell in shadows and intrigue.

They have no headquarters, no offices and the barest of a formal structure. Assange is particularly elusive, part obviously through necessity and part mercurial make-up. Home - or the nearest he has to one - is said to have been eastern Africa for the past two years or so.

He has rarely spoken of his upbringing in Australia or life outside of his work, arguing that to do so may assist those who want him and WikiLeaks silenced.

But the trail of his life is across the internet, as coded and mysterious as the man he is today. It begins - publicly at least - in October 1991 when Assange, then a teenager, was charged with 30 computer hacking offences.

Prosecutors alleged he and others hacked the systems of the Australian National University, RMIT and Telecom. They had even managed to remotely monitor the Australian Federal Police investigation into their activities, Operation Weather.

Assange admitted 24 hacking charges and was placed on a good behaviour bond and ordered to pay $2100. The investigation in Australia began after an audacious attack on NASA's computers in 1989.

The word ''WANK'' appeared in big letters on NASA monitors, an acronym for Worms Against Nuclear Killers. Underneath was an Australian connection - lines from a Midnight Oil song. Whoever did it was never identified.

In 1997 an astonishing book was published in Melbourne. It sold a respectable 10,000 hard copies but, when it was made available free on the internet it was downloaded 400,000 times within two years.

Underground told the riveting inside story of the city's computer hackers and Assange was prominently billed in it as a researcher for the book's author, Dr Suelette Dreyfus, now an academic researcher. It opened with a detailed account of the NASA attack.

Dreyfus wrote glowingly of Assange's efforts: ''Julian had worked thousands of hours doing painstaking research; discovering and cultivating sources, digging with great resourcefulness into obscure data bases and legal papers - not to mention providing valuable editorial advice.''

The book did not name the Melbourne hackers but used their online identities and told their story. The records of Assange's court case and his biographical details on WikiLeaks match the story of Mendax - one of the hacker's online identities in Underground.

Mendax is described as a super intelligent child who never knew his father and was dragged from state to state by his mother who pursued a series of turbulent relationships.

In 1988, Mendax was 16 years old and living in Emerald in central Queensland - the age Assange was at that time. Dreyfus wrote: ''For a clever 16-year-old boy the place was dead boring. Mendax lived there with his mother; Emerald was merely a stopping point, one of dozens, as his mother shuttled her child around the continent trying to escape from a psychopathic former de facto.''

Dreyfus continued: ''Sometimes Mendax went to school. Often he didn't. The school system didn't hold much interest for him. It didn't feed his mind … The computer system was a far more interesting place to muck around in.''

She also wrote that Mendax had a deep voice for his age. Assange has a distinctively deep voice. Mendax fathered a son in his teens. Assange has said he has a son at university. Mendax suffered a breakdown after he was arrested by the police, and after a period in hospital he lived rough in the Dandenong Ranges outside Melbourne. When he finally appeared in court on the hacking charges, Assange was living in the Dandenongs.

Was this the story of Assange's life? Was he Mendax? Dreyfus will not say, citing the promise she made to the young hackers who had helped her with her book, that she would not disclose their identities. She is protective of and still obviously close to Assange.

She told the Herald this week: ''He is not politically motivated. He is more concerned with truth and the quest for it. He is certainly not party political. I think he sees that there are good people on both sides of politics and definitely bad people. He is a very brave person. He is absolutely convinced that it is worth taking high personal risks in exchange for getting truth out to the community.''

Among WikiLeaks' volunteers, those who are close to Assange are similarly protective and reluctant to speak on the record. They described on background this week a man whose traits would not be unexpected if they evolved from Mendax's turbulent and nomadic formative years. Assange, they say, is noticeably self reliant, self contained, resourceful and apt to keep a distance from others.

After his conviction, he stayed in Melbourne and built up his computer skills as programmer and as a developer of freeware.

He read widely on science and maths - he is largely self taught in most of his endeavours. He did enrol for a period at Melbourne University but did not complete his studies in mathematics.

Less convincingly answered by those who know him is whether Assange's quest to reveal secrets is the destiny of man moved by social conscience, or the natural progression of a highly intelligent child raised on the run, who found solace alone on a computer and anonymous camaraderie in cyber space.

For his epigraph in the online edition of Underground, Assange used an Oscar Wilde quote: ''Man is least himself when he talks in his own person. Give him a mask, and he will tell you the truth.''

Is Mendax the real Julian Assange?

Cyber War is comming, Richard Clarke

'Cyber War' author: U.S. needs radical changes to protect against attacks

By Ellen Messmer

In his new book, Cyber War, Richard Clarke says nations are building up their online armies and weapons largely far from public view, increasing the danger of a deliberate or accidental cyberwar, which in turn could trigger violent conflicts across the globe.

"Cyber war has already begun," Clarke writes. "In anticipation of hostilities, nations are already preparing the battlefield.' They are hacking into each other's networks and infrastructures, laying in trapdoors and logic bombs -- now, in peacetime. This ongoing nature of cyberwar, the blurring of peace and war, adds a dangerous new dimension of instability."

The United States, he says, has a weak cyber-defense posture and should make radical changes, such as regulating ISPs to be able to play a role, under government supervision, in defending the country should a serious cyberattack strike.

Is the U.S. the nation most vulnerable to cyberattack?

Clarke, turning 60 this year, served as special advisory to the president for cyber security in 2001 and now teaches at Harvard's Kennedy School for Government and works at Good Harbor Consulting. He tapped Robert Knake, international affairs fellow at the Council on Foreign Relations, with a specialty studying cyberwar, as co-author of the new book, expected out April 20. (See exclusive excerpt here.)

But Cyber War at heart is Clarke's passionate view on the dangers lurking just below the surface and what steps might be taken to prevent cyberwar. With a background decades ago in nuclear arms control and espionage in the Cold War, he compares that era with today's secretive world of military cyber commands operating over the Internet where attacks, such as disruptive denial-of-service attacks, break-ins and dangerous Trojans that could steal or alter data, are extremely difficult to trace back to their source.

"The force that prevented nuclear war -- deterrence -- does not work well in cyber war," Clarke says. "The entire phenomenon of cyber war is shrouded in such government secrecy that it makes the Cold War look like a time of openness and transparency."

With considerable detail, Clarke and Knake render vivid accounts of how significant waves of cyberattacks in the past few years have hit Estonia, Georgia, South Korea and the United States, among other places, and why some in particular bear the hallmarks of state-sponsored efforts to disrupt an adversary's Internet-based banking, media and government resources.

It's known that the United States, China, Russia, North Korea, Israel, France and others have established cyber military structures to serve as both offense and defense in any cyber conflict. But though the United States likely has the best cyberwar capabilities in the world, "that offensive prowess cannot make up for the weaknesses in our defensive position," Clarke contends.

Because the United States is the most Internet-dependent and automated in terms of supply chain, banking, transportation-control systems and other modern facilities, it's also the most vulnerable to cyberattack, Clarke argues. And the military's dependence on the Internet also means it would be vulnerable to disruptions of it.

"The U.S. military is no more capable of operating without the Internet than Amazon.com would be," Clarke says. "Logistics, command and control, fleet positioning -- everything down to targeting -- all rely on software and other Internet-related technologies."

On the other hand, he sees China with an advantage because its military aims to guard both enterprise and government resources, plus the Chinese government basically controls the Chinese Internet outright in many ways. "The Chinese government has both the power and the means to disconnect China's slice of the Internet from the rest of the world, which they may very well do in the event of a conflict with the United States," he writes

"Cyber gap" in protecting businesses

The United States has made the U.S. Cyber Command responsible for defending Department of Defense systems and the Department of Homeland Security responsible for defending civilian government agencies in any cyberattack. But Clarke sees a "cyber gap" in protecting business networks, including banking systems and the electric grid.

Electric power grids are a central source of concern for Clarke because he believes that countries are secretly placing logic bombs -- malicious software hidden away that could be activated to cause power failures -- in each other's power grids. These logic bombs (Clarke's book fails to provide us with concrete examples) might be activated as an act of cyberwar, but might just as easily go off in different scenarios, such as by mistake or by a hacker discovering them and triggering them.

Logic bombs bringing down power grids could inordinately harm civilians through massive loss of electrical supply, and this is a topic that needs to be publicly addressed, Clarke says. He also argues it's time the United States consider establishing international treaties aimed at banning cyberwar against civilian infrastructures.

Clarke writes: "The main reason for a ban on cyber war against civilian infrastructures is to defuse the current (silent but dangerous) situation in which nations are but a few keystrokes away from launching crippling attacks that could quickly escalate into a large-scale cyber war, or even a shooting war. The logic bombs in our grid, placed there in all likelihood by the Chinese military, and similar weapons the U.S. may have or may be about to place in other nations' networks, are as destabilizing as if secret agents had strapped explosives to transmission towers, transformers and generators.

"America's national security agencies are now getting worried about logic bombs, since they seem to have found them all over our electric grid. There is a certain irony here, in that the U.S. military invented this form of warfare."

Clarke suggests that in the United States, it should be up to the U.S. president to approve use of logic bombs against an adversary.

"When U.S. cyber warriors talk about the 'big one,' they usually have in mind a conflict in cyberspace with Russia or China, the two nations with the most sophisticated offensive capability other than the U.S.," Clarke says. "No one wants hostilities with these countries to happen."

Russia -- which has stated it would view a massive cyberattack as an act that would warrant retaliation with traditional weapons -- has been the main advocate of starting talks that could lead to international treaties related to cyber arms. While Clarke acknowledges he has previously rejected Russia's ideas on this score, he now says he's warming up to them because he thinks it's likely in the best interests of the United States and the rest of the world. He says the United States should consider a "no first use" pledge related to cyber weapons. But currently, he notes, the official U.S. position effectively blocks arms control in cyberspace.

Clarke would also like to see a new regulatory structure put in place in which larger ISPs, under government supervision and perhaps what would be a new agency called the Cyber Defense Administration, would play a formal monitoring and protection role for the nation. The United States would likely have to pay for these types of new services.

Indeed, there would be treaties that would require ISPs around the globe to proactively "be able to detect and 'black-hole' major worms, botnets, DDoS attacks and other obvious malicious activity." The goal would be to trace back attacks that might appear to violate treaties.

Amazing cyber espionage

Clarke does not appear to support the notion of banning cyber espionage, however, among nations. In fact, he seems to like it."The idea of limiting cyber espionage requires us to question what is wrong with doing it, to ask what problem is such a ban intended to solve?" Clarke asks in his book, with his answer being, "espionage is about getting knowledge."

And he marvels at modern cyber-espionage.

"Cyber espionage is in many ways easier, cheaper, more successful and has lower consequences than traditional espionage. That may mean that more countries will spy on each other, and do more of it than they otherwise would," he writes. But elsewhere, he also acknowledges "cyber espionage does have the potential to be damaging to diplomacy, to be provocative, and possibility even destabilizing."

Clarke doesn't hold back in the book from airing a few grievances.

Though a supporter of President Obama, Clarke is a fierce critic of some of the president's policies such as the electric-power "smart grid," which he thinks will be "a Less Secure Grid."

That's largely because a modernized U.S. power grid, for which billions of dollars has been allocated, will be more highly networked and automated with more points of attack, but as yet no clear defenses, such as encryption requirements, he points out.

Clarke also takes more than a few swipes at Microsoft, whose software is widely used by federal agencies, "even though Linux is free." Clarke is angry because Windows-based software over the years has had so many vulnerabilities that have been exploited in attacks against the government. And he perceives Microsoft as largely unwilling to change.

"Microsoft is a terribly successful empire built on the premise of market dominance and low-quality goods," he states. "For years, Microsoft's operating system and applications, like its ubiquitous Internet browser, have been pre-packaged on the computers we buy."

He says that although Microsoft "did not originally intend for its software to be running critical systems," the problem is that has happened "from military weapons platforms to core banking and finance networks. They were, after all, much cheaper than custom-built applications."

The Pentagon buying commercial-of-the-shelf software brought in "all the same bugs and vulnerabilities that exist on your own computer." Clarke adds, "Microsoft can buy a lot of spokesmen and lobbyists for a fraction of the cost of creating more secure systems."

He resents that Microsoft refused to "share a copy of its secret operating code to its largest U.S. commercial customers," but was so compliant with demands from the Chinese government.

"By threatening to ban Chinese government procurement from Microsoft, Beijing persuaded Bill Gates to provide China with a copy of its secret operating code," he says, and as part of the deal, "China modified the version sold in their country to introduce a secure component using their own encryption." He says China has also developed its own operating system, Kylin, modeled on open source Free BSD, which has been approved by the People's Liberation Army for use on their systems.

Clarke also finds it alarming that Chinese companies have been selling counterfeit Cisco routers at cut-rate discounts around the world. One firm, Syren Technology, that was indicted by the FBI and Justice Department as having a customer list that included the Marines Corps, Air Force and multiple defense contractors.

Clarke concludes that the United States, despite whatever advantages it thinks the military may have, has to act now to come up with a viable and comprehensive cyber strategy.

"While it may appear to give America some sort of advantage, in fact cyberwar places this country at greater jeopardy than it does other nations," Clarke says. "Nor is this new kind of war a figment of our imaginations. Far from being an alternative to conventional war, cyber war may actually increase the likelihood of the more traditional combat with explosives, bullets and missiles. If we could put the genie back in the bottle, we should -- but we can't."

Richard Alan Clarke[1] (born October 1951) was a U.S. government employee for 30 years, 1973–2003. He worked for the State Department during the presidency of Ronald Reagan.[2] In 1992, President George H.W. Bush appointed him to chair the Counter-terrorism Security Group and to a seat on the United States National Security Council. President Bill Clinton retained Clarke and in 1998 promoted him to be the National Coordinator for Security, Infrastructure Protection, and Counter-terrorism, the chief counter-terrorism adviser on the National Security Council. Under President George W. Bush, Clarke initially continued in the same position, but the position was no longer given cabinet-level access. He later became the Special Advisor to the President on cybersecurity, before leaving the Bush Administration in 2003.

Richard Clarke came to widespread public attention for his role as counter-terrorism czar in the Clinton and Bush Administrations in March 2004, when he appeared on the 60 Minutes television news magazine, released his memoir about his service in government, Against All Enemies, and testified before the 9/11 Commission. In all three instances, Clarke was sharply critical of the Bush Administration's attitude toward counter-terrorism before the 9/11 terrorist attacks, and of the decision to go to war with Iraq. Following his strong criticisms of the Bush Administration, Bush administration officials and other Republicans attempted to discredit Clarke or rebut his criticisms, making Clarke a controversial figure.


(1951)Richard Clarke is currently Chairman of Good Harbor Consulting, a strategic planning and corporate risk management firm, an on-air consultant for ABC News, and a contributor to GoodHarborReport.net, an online community discussing homeland security, defense, and politics. He is an adjunct lecturer at the Harvard Kennedy School and a faculty affiliate of its Belfer Center for Science and International Affairs.[3] He has also become an author of fiction, publishing his first novel, The Scorpion's Gate, in 2005, and a second, Breakpoint, in 2007.