Google Gaia Hack Shows Cloud Isn't Safe After All
Google's single sign-on system, formerly called Gaia, was the access point for the Chinese cyber attack that exposed the Gmail accounts of human rights activists.
This password system controls access to Google Apps for millions of users. A user clicked on a link sent to his instant messaging client and was connected to a "poisoned" Web site, permitting intruders to gain access to his (or her) personal computer and then to the computers Google programmers. Read the details on eWEEK and on TechMeme.
Now that we know the metadata behind this hack, we may infer that Google's cloud isn't the snug bug in the rug we thought it was. But first, the background.
Google disclosed the hack on Jan. 12, announcing it had uncovered "a highly sophisticated and targeted attack" that also struck numerous other companies. Google would later shutter Google.cn and port users to Google.hk.
Google was coy about specific details regarding the breach. The company did, however, assert that the hack was not an assault on its cloud computing infrastructure.
Google Enterprise President Dave Girouard said this in a blog post Jan. 12:
This was not an assault on cloud computing. It was an attack on the technology infrastructure of major corporations in sectors as diverse as finance, technology, media, and chemical. The route the attackers used was malicious software used to infect personal computers. Any computer connected to the Internet can fall victim to such attacks. While some intellectual property on our corporate network was compromised, we believe our customer cloud-based data remains secure.
But as The New York Times noted in its April 19 expose on the attack, the hack certainly threatened the wealth of information stored in Google's massive cloud of thousands of servers, which all leverage the Internet as a common highway on which to share data:
The new details seem likely to increase the debate about the security and privacy of vast computing systems such as Google's that now centralize the personal information of millions of individuals and businesses. Because vast amounts of digital information are stored in a cluster of computers, popularly referred to as "cloud" computing, a single breach can lead to disastrous losses.
So while Google's cloud infrastructure may not have been the access point for the Chinese hackers, it still threatened the cloud, right?
Today, I put this question to Google and a spokesperson would only refer me back to the Jan. 12 blog by Google's Girouard, specifically the section I noted above.
This is a case of the glass half empty and the glass half full.
You could argue, as Google does, that the hack was not on Google's cloud-based e-mail systems, which it would later lock up some more by making HTTPS on by default.
You can point to the cunning social engineering hack that led to the exposure of Gmail accounts and you would be well within your right to argue that Google as a large global Internet power didn't fall asleep at the switch and that it's security track record has been darn good. And you'd be justified in your thinking.
You could also argue that once a perpetrator gained access to Google's single sign-on and e-mail systems it could pretty much see what any consumer user of Gmail was working on and mess with it.
Though this wasn't the case here -- these perps were looking at the inboxes of at least two specific people to snoop on them -- it's not hard to believe that perps could access more if they chose to.
This information lives in the cloud, Google's cloud. Google's business is Web-based, so I'd argue an attack on Google is an assault on the cloud despite Google's insistence to the contrary.
But Google has to refute this or it must admit that it's core business might not be as safe as it purports. That's not to say the cloud is any less secure than on-premise programs; the access points are different in some cases.
Moreover, because Google's servers are linked in parallel fashion, it's also reasonable to assume that gaining a foothold in one account could lead to additional footholds in others, as the Times piece noted:
One of the most alarming possibilities is that the attackers might have intended to insert a Trojan horse -- a secret back door -- into the Gaia program and install it in dozens of Google's global data centers to establish clandestine entry points.
The cloud architecture may be tough to crack, but once perps are in, the access can be a wonderland. Of course, this didn't happen. Google would have told us if it did, right?
I'm not canceling my Google Account over this, but it's important to recognize that why Google's cloud is resilient, it's by no means impervious to clever, but malicious human engineering.