Friends and listeners to the Fresh Ubuntu Podcast will know that I frequently raise concerns about Google and the information that it acquires about all of us. My concerns normally are along the lines of "just imagine what Google can do with all of that information." However, I've never brought up what could be an even bigger concern: "What if someone else were to get a hold of all of that information?"
Let's assume, for argument's sake, that Google does abide by its own code of conduct and isn't evil. It is still amassing a staggering amount of data about nearly every Internet user. With more and more companies "Going Google," Google has access to data it wouldn't have had in the past. It is no longer just indexing your website, blog, or even your chats and emails. It is now indexing your corporate documents - you know, the sensitive things you're "not supposed to send via email."
While I am quite confident in Google's security capabilities, no one is perfect. And as my aikido instructor used to say, there's always someone stronger or quicker than you. Last week, Google met its security match when its servers were hacked.
While I won't delve into the economic and political issues that surround this hack (see the footnotes for plenty of reference links), there are plenty of lessons we can take away from it:
- By most accounts, Google's servers were hacked by good, old-fashioned social engineering:
  "Using a sophisticated spear-phishing campaign, the perpetrators included malicious links exploiting the bug in emails and instant messages sent to employees..."
  This means that the attackers were not hammering through firewalls or reprogramming routers - they got people to click links in what they thought were legitimate emails, then exploited security flaws in common desktop software to gain access.
- The user accounts that were compromised were most likely running with administrative privileges on their desktop systems, so a single click gave the attacker control of the whole machine.
- If Google can be hacked, anyone can. By extension, if your data is with Google, you can be hacked as well.
- Trusting Google does not just mean "trusting that Google won't do anything evil with my data." It also means "trusting Google will never make a mistake which accidentally opens my data up to anyone else."
- Substitute the word "Google" with any popular online service or enterprise firm that holds a lot of (your) data (e.g. Facebook, Salesforce, Amazon). This is not a problem unique to Google.
- Researchers identify command servers behind Google attack
- Adobe Reader vuln hit with unusually advanced attack (The Register)
- IE zero-day used in Chinese cyber assault on 34 firms (The Register)
- Google may exit China after 'highly targeted' attack (The Register)
- Google May Pull Out of China After Cyber Attack
- NY Times article on the Google/China hack
- Official Google Blog: A new approach to China
- China Defends Internet Censorship
- Ballmer doesn't get why Google is upset about attacks (Googling Google, ZDNet.com)
- US will complain to China about Google hacking (The Register)
- SANS Internet Storm Center Diary