Wednesday, January 13, 2010

Google Attack Vectors

It is no news by this point that Google is reconsidering its China operations after an attack on its systems from China aimed at the Gmail accounts of Chinese human rights activists. One of the many interesting things about this is the nature of the attack and what it says about computer security.

A recent report in Computerworld gives us some things to think about if they are eventually confirmed. The first is that the limited success the attackers had at getting Gmail account information came not from breaking into Google proper, but from gaining some access to a system used to help Google comply with search warrants by providing data on Google users. So there we have it. It shouldn't be surprising that the easiest way to collect information about Gmail users is to co-opt the same system that our government uses. Indeed, this data interception system wouldn't even be in place if it weren't for law enforcement requirements.

[A] source familiar with the situation, who spoke on condition of anonymity because he was not authorized to speak with the press: "Right before Christmas, it was, 'Holy s***, this malware is accessing the internal intercept [systems].'"

The second thing is how the attackers got access to the systems that they did. Apparently they first worked to compromise users who might have access to those systems.

"There is an attack exploiting a zero-day vulnerability in one of the major document types," [Eli] Jellenc said. "They infect whichever users they can, and leverage any contact information or any access information on the victim's computer to misrepresent themselves as that victim." The goal is to "infect someone with administrative access to the systems that hold the intellectual property that they're trying to obtain."

This is a scary lesson for anyone concerned about computer security within an institution. People who work there have legitimate access, but they may not have the best security practices at home (or at work). Spies are targeting those individuals (people like you and me) to get at the kinds of things we have access to for our work.

The trouble with Adobe Reader

Now when I hear "Autumn 2009" and "zero-day vulnerability in one of the major document types," my mind jumps immediately to problems with Adobe's PDF readers. PDFs are great. PDFs are in principle much more secure than word processing documents. PDFs are ideal for certain kinds of document exchange. So it is with real bitterness that I acknowledge that there are problems with PDFs. The troubles with PDFs, however, all have a single source, and there is a very simple work-around. The origin of the problems lies in the marketing department of Adobe.

The solution is to use other PDF readers. PDF is a (relatively) open standard. Anyone can create and distribute software that can read and create PDFs, and many people have. Mac OS X users should just use the PDF viewer that comes with their system. For Windows users I recommend Sumatra PDF. There are more sophisticated PDF viewers available, but these lightweight, high-quality, free PDF readers are where to start. Other Unix users probably aren't using Adobe's PDF reader in the first place.

If you feel you must use Adobe's PDF readers, disable JavaScript. Adobe's attempt to add JavaScript to PDF is one of the worst ideas in the history of bad ideas in tech design.
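As an added example (not from the original post), here is a small Python check a defender can run over incoming PDFs to flag the JavaScript and auto-run actions the post warns about. The sample PDFs below are constructed for the demonstration, and the check is a keyword heuristic over the decompressed file, not a full PDF parser.

```python
import re
import zlib

# PDF name tokens that mark active content: /JS and /JavaScript carry the script,
# /OpenAction and /AA (additional actions) are the triggers that run it on open,
# /Launch starts an external program.  A name only counts when it is followed by
# whitespace, a delimiter or end of data, so /JS does not fire on /JSomething.
ACTIVE_NAMES = ("JavaScript", "JS", "OpenAction", "AA", "Launch")
NAME_RE = {n: re.compile(rb"/" + n.encode() + rb"(?=[\s()<>\[\]{}/%]|$)")
           for n in ACTIVE_NAMES}

def normalize_names(data: bytes) -> bytes:
    """Undo #xx hex escapes in PDF names (/J#61vaScript -> /JavaScript), the
    usual way a keyword is hidden from naive string matching."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def inflate_streams(data: bytes) -> bytes:
    """Append the body of every FlateDecode stream so keywords inside
    compressed objects are visible too; streams that do not inflate are skipped."""
    parts = [data]
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            parts.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass
    return b"\n".join(parts)

def scan_pdf(data: bytes) -> dict:
    """Return {name: hit count} for every active-content name found."""
    text = normalize_names(inflate_streams(data))
    hits = {n: len(rx.findall(text)) for n, rx in NAME_RE.items()}
    return {n: c for n, c in hits.items() if c}

def has_active_content(data: bytes) -> bool:
    return bool(scan_pdf(data))

# Constructed samples (not real files): a plain PDF skeleton, and the same
# skeleton with a JavaScript OpenAction whose action object is Flate-compressed
# and whose /JS name is hex-escaped as /J#53 to dodge a plain grep.
PLAIN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
             b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
             b"trailer << /Root 1 0 R >>\n%%EOF")
_ACTION = zlib.compress(b"<< /S /JavaScript /J#53 (app.alert('hi')) >>")
JS_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
          b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
          b"3 0 obj << /Length " + str(len(_ACTION)).encode()
          + b" /Filter /FlateDecode >>\nstream\n" + _ACTION
          + b"\nendstream\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF")

if __name__ == "__main__":
    print("plain:", scan_pdf(PLAIN_PDF), "with JS:", scan_pdf(JS_PDF))
```

A hit is a reason to open the file in a viewer with JavaScript disabled (or not at all), not proof of malice, since legitimate forms also carry scripts.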


  1. The fact that there is an existing device that permits the so-called "law enforcement" to spy on our email ... hey, who are those "law enforcement" people?

    What if I am in Iran and the "law enforcement" means those mujahidin nuts?

    Will they have the right to spy on my emails?

    What if I am in China and the "law enforcement" happens to be the red army?

    What if I am in Zimbabwe and the "law enforcement" happens to work for Robert Mugabe?

    You see, thanks to those hackers in China, now Pandora's box is open.

    Before that, we thought our emails were safe, in the care of Google.

    No more.

  2. Kalambong, you have (partially) reiterated my point. Once a mechanism for snooping on email is in place, we can expect that it would be used.

    But to elaborate on what "law enforcement" means in this context: it is US (and particularly California) law. In the same way that in the course of a criminal investigation a court can issue a search warrant for your house, it can also issue a subpoena to your bank to turn over your records to investigators, or to an ISP to turn over information that it has about your activity, or, in this case, the court order can be issued to an email host. This is going to be the case with any and every email host service you use. If they are in the US, they will be subject to US law in this regard.

    This leaves you with a few options. One is to use an email host in a country where you don't expect to be investigated. Presumably this is why the Chinese activists chose Gmail. Had they used a provider in China, the Chinese government could have simply ordered that provider to turn over the email.

    But I feel that the real and proper solution is to use good email encryption end-to-end. Something like GnuPG or S/MIME. That way the content of your email will remain private no matter what your provider does.

    But in answer to your questions, the simple fact of the matter is that Google will not recognize a court order coming out of Zimbabwe or Iran or China. But it will honor those coming from US and California courts.

    Still, I did want to emphasize that having a mechanism in place to simplify snooping on mail when a US court order comes in means that that mechanism is a juicy target.