Monday, April 26, 2010

Google Security Failure

Google, with over one million interconnected servers, its mature software architecture and its centrally managed security, represents the most formidable case of information protection. Google has more at stake in securing its network than any other firm: $23.6 billion of its revenues and a staggering $6.5 billion in annual profits depend on assuring customers that their privacy will be safeguarded.
Google’s security was compromised in December 2009. Google never disclosed the cause of this security failure. However, reporters kept sniffing around for clues. Finally, a well-connected reporter published what appears to be the most plausible account, one that is consistent with everything else I know about Google. (See the article by John Markoff, “Cyberattack on Google Said to Hit Password System,” New York Times, April 19, 2010.)

The theft began with an instant message sent to a Google employee in China who was using Microsoft’s Messenger program. According to Markoff, by clicking on a link and connecting to a “poisoned” Web site, the Google employee gave the intruders access to the employee’s personal computer and from there to the computers of software developers at Google. Ultimately, the Chinese intruders were able to gain control of a software repository used by the development team. Through it the intruders were able to reach Google’s crown jewels: the password system that controls access by millions of users worldwide to almost all of Google’s Web services.

Clearly, the Microsoft Messenger program was the conduit for penetrating Google’s security curtain. This program is an instant messaging client that is widely used for chat communications and usually depends on Microsoft Live services. With the Chinese in full control of the routers that handle all incoming traffic, it would be simple for them to divert the message from the Google employee to a Web site, which then implants a “bot” into the Google client. After that, the entire Google system is open to corruption.

IMPLICATIONS
The variety of chat offerings available to DoD personnel through social computing can repeat Google’s security failure many times over. DoD’s seven million clients cannot be protected, because of human error and on account of technically inadequate protective measures. As long as social computing via the public Internet makes possible the implantation of “bots” into DoD clients, DoD will always be vulnerable.

The only remedy available to DoD is to allow social computing to take place exclusively over virtual servers that have no connection whatsoever with the networks that carry military traffic.


For comments please e-mail paul@strassmann.com