Attackers hit Google single sign-on password system

The New York Times is reporting that Google's password system was compromised during a targeted attack last December.

The system, called Gaia or Single Sign-On, controls access by millions of users worldwide to almost all of the company’s Web services, including e-mail and business applications.

NY Times reporter John Markoff writes:

The program, code named Gaia for the Greek goddess of the earth, was attacked in a lightning raid taking less than two days last December, the person said. Described publicly only once at a technical conference four years ago, the software is intended to enable users and employees to sign in with their password just once to operate a range of services.

The intruders do not appear to have stolen passwords of Gmail users, and the company quickly started making significant changes to the security of its networks after the intrusions. But the theft leaves open the possibility, however faint, that the intruders may find weaknesses that Google might not even be aware of, independent computer experts said.

The report said the hack started with an IM message to a Google employee in China who was using Microsoft MSN Messenger.

By clicking on a link and connecting to a “poisoned” Web site, the employee inadvertently permitted the intruders to gain access to his (or her) personal computer and then to the computers of a critical group of software developers at Google’s headquarters in Mountain View, Calif. Ultimately, the intruders were able to gain control of a software repository used by the development team.

In January, Google acknowledged that its systems were compromised by attackers exploiting an Internet Explorer zero-day vulnerability.

At the time, Google said the attacks were very targeted and resulted in the theft of intellectual property. Several other big-name U.S. companies, including Adobe and Juniper, were also breached in the same attacks.

Talkback

107 comments
  • Welcome to the "cloud" kids. Feel safe and secure? Maybe not.

    Just one more reason NOT to trust data storage to some "cloud" provider.
    IT_Guy_z
    • And this is worse than stealing account passwords

      these thieves took Google's own code.

      Not only does this give them the ability to possibly find holes Google's unaware of, it also gives them insight into Google's coding techniques and thought processes.

      This is not a simple "change passwords and we're safe" type theft.
      John Zern
      • My question is.....

        Where were the levels of security that should have prohibited the somewhat easy theft of Google's code? Shouldn't that code be locked down with additional security techniques that would not allow the theft by just having a system compromised?
        OhTheHumanity
        • Who knows...might have been a honeypot ;-) nt

          nt
          storm14k
        • open source

          Most of Google's crap is open source. These Chinese probably wrote a few new nice "features" of their own into everything they found. AND they got Google's indexing system. Wouldn't be surprised if China comes out with their own CHIgle and CHImail etc... in a few weeks...
          jdieter@...
          • Do you even know what "open source" means?

            If the software was open source, China (and everyone else) would be allowed access
            to. If you have to break the law and crack into their computer to get something, it
            is closed source.


            Speaking of which, if you'd actually read the article instead of just the inflammatory headline, you'd know that the attack only succeeded because of flaws in
            something closed source.. Windows.
            AzuMao
        • Not using Windows would have been a good start.

          Obviously the employees who are working on code need access to said code.
          AzuMao
      • This is exactly what our security have been beating them

        over the head about, and it has been like talking to a wall, albeit a very arrogant wall. With their answer of "don't worry about it". I just forwarded this to our security people for the next round of talks. They just don't seem to understand the Enterprise level issues we have to deal with and this just made the conversations tougher.

        It's funny, but I NEVER see Donnieboy on these type of Google conversations...interesting.
        ItsTheBottomLine
      • Took, more like WROTE

        They gained access to the code repository. Most likely they modified Google's own programs. What would YOU stick into Google's software?
        jdieter@...
      • Actually, if you read the article, you'd find neither passwords nor code..

        ..was stolen. And the hole was in a Microsoft product.
        AzuMao
        • Excuse me?!

          The article says: "Ultimately, the intruders were able to gain control of a software repository used by the development team."

          Seems to me that if you "gain control of a software repository," you can steal code -- and worse. Moreover, the article also explicitly said that Google said the attack "resulted in the theft of intellectual property."

          So if no code was taken from the software repository, what was taken? The software engineers' steamy new novel set in Hong Kong?
          scwlaw
          • I'm talking about the incident this story is about.

            Not the one from January.


            They were both directly caused by Google using Microsoft software, so your confusion is understandable.
            AzuMao
    • And this has what to do with the cloud?

      If they got into Google they'll certainly get into
      your data no matter where it's stored.
      storm14k
      • If it's accessible from the web

        Many companies have data on their own servers, with nothing of it being anywhere near the internet, so there's no door to hack into.

        The cloud has to be accessible from the internet, and that's a lot of people out there looking for that door.
        John Zern
        • You're Confused

          Google's code was nowhere near the Internet. The attacker used social engineering to get on a low-access computer and escalated from there. If your company's employees have access to your company's data (and they probably do), the same attack would work on you. Unless ... all your employees are too smart to be tricked, but how likely is that?

          Google will be switching internally to ChromeOS for nearly everyone soon. Seriously. They've already announced the plan.
          daengbo
        • server internet access equals hacked

          you state that many companies have data on their own servers, with
          nothing of it being anywhere near the internet.

          if any user in the company has any access to the company's server/s
          which holds data, and also has access to the internet, or has
          some connection (however distant it may be) to an employee that has
          access to the internet, then those servers are accessible from the
          internet.

          That's what hacking is.

          Ever done a maze puzzle? Simple analogy to explain to you how it is
          possible.

          I don't believe there is any company that has its own servers, that has
          no access throughout the entire company (not one site - the entire
          company) to the internet.

          furthermore....

          THE CLOUD IS THE INTERNET

          The cloud is utilizing services that are not stored on your own
          systems.

          It's the entire point of the cloud.

          If it's not accessible from the internet, then it's not a cloud, it's
          internal software.

          sigh
          Nunya Bizniss
      • Making life easier

        It would take a focused attack directly on my equipment to access my data. It would take a significant amount of effort and time, although we all know it's doable. Is it worth the time to get to my data? Probably not.

        However, is it worth the time to get into millions of user accounts, with data ranging from SSNs, online banking info, corporate trade secrets, political and government information... now it's getting to be worthwhile.

        Centralizing massive amounts of valuable data makes you a big target. Can Google, perhaps one of the most secure private organizations, be hacked to get to the data? It's looking plausible.
        crazydanr@...
      • "And this has what to do with the cloud?" How about EVERYTHING.

        Ever heard of Google Apps? G-mail? Google Business Solutions?

        ALL cloud services storing data...maybe yours.
        IT_Guy_z
      • it's about that time

        It's time for every last person who ever uses a
        computer that connects to the internet,
        encrypts data, has "secret" data to realize
        that there is no such thing as "completely
        secure." Just today, as an example of this, I
        bypassed an encrypted USB file system and had
        complete and total access to the "secured"
        data. "password protected" I did _not_ use a
        password at all. Four commands and it was open
        season. -For all practical purposes this was
        encrypted by a program and my associate gave me
        the drive to see how "secure" it was.
        vitamind
      • google apps=saas=cloud

        duh, one more person who doesn't understand the latest key word and tricky catch phrase for something that has been going on for years.
        btek@...