February 2010 Archives

Google has a Corporate Philosophy comprised of ten truths. Number six on the list is "You can make money without doing evil." This motto has come up very recently, especially connected with criticism of Google's decision to support business operations in a country that suppresses freedom of speech.  The "do no evil motto" has also been questioned with the Tuesday, February 9th, 2010 release of Buzz, Google's entry into the social-networking world. From a privacy and security point of view, Buzz fell flat on its face and caused a public backlash for Google.

Privacy Fail:
A contact list is not a "Whitelist". A contact list may contain names and information on people you never want to speak to again. Especially Google's contact list, which pretty much saves the information of anyone you've communicated with through Gmail. Google treated the contact list as a whitelist for Buzz and automatically established relationships (auto-follow). Including the establishment of relationships with people you may not want knowing anything about you, the people you most often communicate with are not always friends. Numerous blog reports detail this happening, including one that established and leaked location-specific information to an abusive ex-spouse, which now poses a security risk to an individual. If you had a Google profile setup, your information was made visible to the friends of people following you increasing your information exposure significantly. Lastly, Google allowed you to "turn off buzz;" however, turning off Buzz did not break pre-established connections. If you simply turned off buzz back on February 9th, turn it back on and take a look at all of those pre-established connections. 
 
Privacy/PR Win:
Google reacted with lightening speed (four days) to the privacy complaints. Auto-follow/relationship connections were turned into "auto-suggest".  Buzz will no longer automatically connect to other Google services and users will have tighter control over the publication of their information. Google tried to move social networking from an opt-in to opt-out and failed.  They recognized this and moved with speed to correct their course.
 
A lot of the criticism about Google in the "blogo-twitter-mybook-sphere" is about breaking privacy laws. Google broke no law in its implementation of Buzz. In fact, it was contractually legal. Everyone who uses Google Gmail accepted a Terms of Service, and that document pretty much gives Google ultimate dominion over your information. Again, Google broke no laws. However, it definitely did some evil in the initial release.
 
Even with the "privacy tweaks" I still look at the product roll out as a giant failure on Google's part. Despite the less-than-stellar market entry I have no doubt Google Buzz will succeed as an excellent aggregation tool and a new social media service, especially as Google listens to its customers and improves on the product.
 
Google Buzz is another example that social media is here to stay and that users will police the products more than the companies who create them.  Even when a product so blatantly violates notions of privacy, it is not allowed to simply go away.  The users want new experiences and platforms to share; however, they want to do it on their terms.  Users are becoming increasingly smarter and know they hold some leverage.  When the users supply the information that a company needs to succeed (in Google's case, it's to serve highly targeted ads) they also know they have a powerful hand to play.

"...this is a war of attrition against an enemy with extensive resources. It is a long fight, one that never ends. You will never declare victory." ~MANDIANT M-Trends: The Advanced Persistent Threat

APT has been making the rounds in the press after Google and many other companies announced that they had suffered an uber-sophisticated hack at the hands of Chinese hackers (if they were state actors is still to be determined; however, given the sophistication and targets it's not hard to believe they had some serious backing).

See: http://www.wired.com/threatlevel/2010/01/operation-aurora/ and any related article linked therein about the Google Hack and APT.
 
APT is dangerous.  This is the new threat to corporations and government.  It is information warfare and corporate espionage rolled into one. 
 
If you think your company would be spared by APT, I urge you to reconsider.  The organizations/people behind APT are looking for a host of information including, but not limited to Intellectual Property, competitive advantages, identity information (for facilitating identity theft), and identity information for escalating and targeting their attacks to specific people (spear/whale fishing). This later part is especially important -- APT does it's homework.  It does not fire off an e-mail to @domain.com, it targets important people by conducting intelligence on the target.  It will find the C-level people, find out what they are working on, who they are working with, and exploit that information to craft a highly targeted phishing attack (one of many attack vectors).  Let's follow an example.

How did APT know who to target in company ABC, a cleared defense contractor?

Step 1 -- Reconnaissance: Conduct advanced recon on ABC's employees.  Discover who is cleared and who isn't.  Knowing exactly who to target is critical for their spear/whale phishing attack vector to work.  A blanket phishing e-mail will be noticed, a targeted one may go unnoticed and has a better chance of being acted upon. 

Step 2 -- Initial Breach: (again, only one of many vectors) Send highly targeted, specific, e-mail attempting to breach ABC's security.
 
Step 3 -- Backdoor: Install a backdoor (or 20) so the attackers may easily and quickly gain access to the network whenever they want.
 
Step 4 -- Obtain more user credentials:  Once on the network, attackers would begin "sniffing" network traffic or using key loggers on compromised systems looking for legitimate user credentials to critical or sensitive systems. 
 
Step 5 -- Install Malware: Attackers would use these credentials to pose as legitimate users and would install software to capture even more credentials.
 
Step 6 -- Privilege Escalation / Data exfiltration is the nasty part.  After all the recon and building blocks to ensure a near-permanent presence on an infected network the attackers would begin "data exfiltration".  Siphoning out *terabytes* of information. 
 
Step 7 -- Persistence: They do all this and maintain a persistent and ever advancing presence.  Multiple compromised hosts with multiple compromises and backdoors ensure that a network security administrator's job in catching them will be difficult if not impossible.
 
Alexandria, VA based MANDIANT has released a new research paper, M-Trends: The Advanced Persistent Threat, comprised of OPEN SOURCE, UNCLASSIFIED, CORPORATE encounters with APT. 
 
Click here for a PDF copy of the report. It is well worth a read (required to fill out a form for access to the content).
 
Oh right, tying APT to privacy. It's pretty simple; APT is designed to steal terabytes of information that includes our names, social security numbers, bank account information, and lots of other goodies.  Again...scary.