It is no news by this point that Google is reconsidering its China operations after an attack on their systems from China aimed at the Gmail accounts of Chinese human rights activists. One of the many interesting things about this is the nature of the attack and what it says about computer security.
A recent report in Computer World gives us some things to think about, if they are eventually confirmed. The first is that the limited success the attackers had at getting Gmail account information came not from breaking into Google proper, but from gaining some access to a system used to help Google comply with search warrants by providing data on Google users. So there we have it. It shouldn't be surprising that the easiest way to collect information about Gmail users is to co-opt the same system that our government uses. Indeed, this data interception system wouldn't even be in place if it weren't for law enforcement requirements.
"[A] source familiar with the situation, who spoke on condition of anonymity because he was not authorized to speak with the press."

The second thing is how the attackers got access to the systems that they did. Apparently they first worked to compromise users who might have access to those systems.

"Right before Christmas, it was, 'Holy s***, this malware is accessing the internal intercept [systems].'"

"There is an attack exploiting a zero-day vulnerability in one of the major document types," [Eli] Jellenc said. "They infect whichever users they can, and leverage any contact information or any access information on the victim's computer to misrepresent themselves as that victim." The goal is to "infect someone with administrative access to the systems that hold the intellectual property that they're trying to obtain."
This is a scary lesson for anyone concerned about computer security within an institution. People who work there have legitimate access, but they may not have the best security practices at home (or at work). Spies are targeting those individuals (people like you and me) to get at the kinds of things we have access to for our work.
The trouble with Adobe Reader
Now, when I hear "Autumn 2009" and "zero-day vulnerability in one of the major document types", my mind jumps immediately to problems with Adobe's PDF readers. PDFs are great. PDFs are in principle much more secure than word processing documents. PDFs are ideal for certain kinds of document exchange. So it is with real bitterness that I acknowledge that there are problems with PDFs. The troubles with PDFs, however, all have a single source, and there is a very simple work-around. The origin of the problems lies in the marketing department of Adobe.
The solution is to use other PDF readers. PDF is a (relatively) open standard. Anyone can create and distribute software that reads and creates PDFs, and many people have. Mac OS X users should just use the Preview.app that comes with their system for reading PDFs. For Windows users I recommend Sumatra PDF. There are more sophisticated PDF viewers available, but these lightweight, high-quality, free PDF readers are where to start. Other Unix users probably aren't using Adobe's PDF reader in the first place.
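Switching readers removes the feature-heavy viewer, but it still helps to know whether a given PDF relies on the features a reader might execute before you open it. As an added example, not code from this post or from any of the readers named above, here is a small Python triage script that scans raw PDF bytes for the standard name objects that mark active or auto-triggering content (/JavaScript, /JS, /OpenAction, /AA, /Launch, /EmbeddedFile, /RichMedia, /SubmitForm). The sample files are constructed for the example and are not real malware; the verdict labels and the choice of which names count as "active" are this example's own assumptions, not anything from the PDF specification or from the post.

```python
import re

# Standard PDF name objects that indicate active or auto-triggering content.
# The names are from the PDF syntax; treating them as "risky" is this
# example's own triage choice (assumption), not a rule from the post.
RISKY_NAMES = (
    "/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
    "/EmbeddedFile", "/RichMedia", "/SubmitForm",
)
AUTO_RUN = {"/OpenAction", "/AA"}          # triggers on open / on events
ACTIVE = set(RISKY_NAMES) - AUTO_RUN      # executes or carries payload content

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes inside PDF name objects. PDF syntax allows
    /J#61vaScript as a spelling of /JavaScript, so normalize first
    to count both spellings the same way."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def count_risky_names(data: bytes) -> dict:
    """Count each risky name token in the (normalized) raw bytes.
    A name token ends at whitespace or a delimiter, so /JS does not
    match the prefix of a longer name such as /JSX."""
    text = normalize_names(data)
    counts = {}
    for name in RISKY_NAMES:
        pattern = re.escape(name.encode()) + rb"(?=[\s/\[\]<>(){}%]|$)"
        n = len(re.findall(pattern, text))
        if n:
            counts[name] = n
    return counts


def triage(data: bytes) -> dict:
    """Summarize a file for the person deciding how to open it:
    is it a PDF, which risky names appear, and a coarse verdict."""
    is_pdf = data.lstrip().startswith(b"%PDF-")
    found = count_risky_names(data) if is_pdf else {}
    auto_run = any(k in found for k in AUTO_RUN)
    active = any(k in found for k in ACTIVE)
    if not is_pdf:
        verdict = "not-a-pdf"
    elif auto_run and active:
        verdict = "review-before-opening"   # content that runs on open
    elif auto_run or active:
        verdict = "caution"
    else:
        verdict = "no-active-content-markers"
    return {"is_pdf": is_pdf, "found": found, "verdict": verdict}


# Constructed sample inputs (not real files): a plain one-page PDF, and the
# same page with an OpenAction whose action is JavaScript, spelled with a
# #xx escape to show that the normalization step catches it.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

ACTIVE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /J#61vaScript /JS (app.alert\\(1\\);) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    import sys
    if sys.argv[1:]:
        # Usage: python pdf_triage.py file1.pdf file2.pdf ...
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, triage(fh.read()))
    else:
        for label, blob in (("benign", BENIGN_PDF), ("active", ACTIVE_PDF)):
            print(label, triage(blob))
```

Run it with file paths to triage real documents, or with no arguments to see the two constructed samples: the plain page reports no markers, while the second reports /OpenAction together with /JavaScript and /JS and is flagged for review. The script only reads bytes; it never renders or executes anything in the file, and a clean result means only that none of the listed names appear in the raw bytes (content inside compressed streams is not inspected here).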