Report: Cyberattackers hit Google staff via friends
Summary: People behind the China-based online attacks of Google and other companies looked up key employees on social networks and contacted them pretending to be their friends to get the workers to click on links leading to malware, according to a report.
"The most significant discovery is that the attackers had selected employees at the companies with access to proprietary data, then learned who their friends were," the Financial Times reported. "The hackers compromised the social network accounts of those friends, hoping to enhance the probability that their final targets would click on the links they sent."
The attackers used a popular instant-messaging program to distribute the malware link to target employees, George Kurtz, chief technology officer at security firm McAfee, told the Financial Times. The malware exploited a hole in Internet Explorer that Microsoft patched just last week.
For more on this story, read "Report: Attackers sent Google workers IMs from 'friends'" on CNET News.
Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.
Talkback
It looks like the Village Idiots over at Google
Imagine trusting our data to their network, managed by Village Idiots that are going to use that same network to "hang out with their friends", and load backdoors into the system.
It's time Google took the security of people's data [i][b]seriously.[/b][/i]
Village Idiots
If I understand you correctly...
Hey, that's good. I forgot about that one! (nt)
Well, let us just hope that Google is smart enough to get rid of all
company that cares about security should.
But, YES, Google has no place to hide here, they
should have know that the minute they allowed
Windows and IE in the building, they had their
pants down.
HAHA! You're stewing now!
You have become [b][i]the joke![/i][/b]
Yes, ANYBODY would look like the village idiot using Microsoft software
This makes Google look very bad. You can bet that
they will make sure that nobody is using Windows
or IE inside of Google for anything other than
compatibility testing.
Also, you can bet that they will be giving courses
on social engineering attacks, and how to avoid
being duped.
Not just Google.
Networks the size of Google cannot be managed securely because too many people have access. This won't be the last time this happens. As a matter of fact it is unlikely that Google has actually contained the full extent of the breach. Attacks such as this most likely require shutting down major parts if not all of the network to totally eradicate the trojans hiding in the lurch. You can bet data is still being leaked.
I agree.
Even with all the checks and balances, I'd really, [b]really[/b] be surprised if some orginization figured out everything in terms of security.
Social Networking just makes Social Engineering Easier
From the time back in the 1980s when a coworker (fellow nerd) landed a beautiful girl friend, who just so happened to be East German, to being a contractor and sitting at a users desk and asking questions about all the 20 pictures of thier favorite dog, to the simple phone call where you say, "Hello, this is Bob from the IT department, we seem to be having some issues ensuring you have access to all of your resources......we need you to log in and tell us exactly what you're typing so we can track the process...."
All of these have and will continue to work.
Most folks know not to open attachments from people you don't know, but when the hacker mines the social networks it becomes even more difficult for a user to tell friend from foe.
A word of caution to all you networkers out there:
DON'T network using your corporate accounts and don't check your personal mail at work.
A word of caution to the companies out there:
DON'T PERMIT external mail checks from internal systems. This includes webmail.
There are necessary variences to these rules, but even then you can mitigate them by not opening any unexpected attachments from any of your networked "friends" until you've asked them if they in fact actually sent them.
For some of my more critical clientelle where I've had to bend the rules, I've requested that they change a key phrase in the body of the message only when they are certifying an attachment; such as:
Change "Best regards," to "Best regards, and wishes," to signal a valid inclusion.
Just the incentive needed to create a secure OS
Or is there no money in it?
Incentive to break.
What do you suppose Windows, or OSX or Linux etc is? Supposedly the OS has control and executes program instructions by feeding them to the processor piecemeal. Its a program itself and its job is to do as its told, quietly.
The problem isnt the OS, its the user. For example, try to build yourself a shelving unit in your garage that is easily upgradeable, strong enough to take engine parts and wont tip over if you overload it. Its not easy, but probably possible with a lot of design and effort - but it only takes a determined idiot moments to find a way of hurting themselves with it.
You'd be perfectly safe because you'd use it for what it was intended and within tolerance.
Most computer users are clueless as to these tolerances and break things, coupled with determined attempts to break things by criminals means that the OS is a lot better designed after those years than you'd like to think. I remember programs that barfed when you typed letters into a numeric field, but since the OS handles this it doesnt happen. It takes cleverly crafted input designed to confuse the program dealing with the information to make it barf, and thats not the OS.
Half the problem is that it is software - anything made can be unmade, and software is designed to be made and unmade easily. Hardware security is the obvious choice to combat unwanted changes but that then means it cant easily be remade if it breaks or is breached.
Security is pointless, we should look to fixing the element that is wrong, those who scam and steal and break for fun - its not just computers that they affect.
Or perhaps get rid of money... O.o
You HAVE to try Linux Mint 8....nt....
Employees at Google use IE?
About Google.
Netcraft listing of the top 100 websites in the
world. Google has most of the top 100. If
there were any security issues at Google, it
would corrode the very foundation of that
supremacy. You would see Google's site visit
count drop dramatically.
http://toolbar.netcraft.com/stats/topsites
"http://toolbar.netcraft.com/netblock?q=GOOGLE-
2,66.102.0.0,66.102.15.255"
From the above chart of the top 100, you can
really see, when it comes to security, Microsoft
is history. MS could never sustain those
numbers.
Like every other reported malady, the problem
isn't with Google, OpenOffice, Firefox, Opera or
Chrome, it's with Microsoft and IE. IE is
horrible, I can't understand why anyone would
still be using it, especially after all the
recent developments.
Geez, I've had Gmail since it was introduced. I
have over 37,000 archived emails (about 20% have
1-8 MB) attachments. Google increased the size
limit on attachments to 20 MB. If Outlook was
handling my email, the computer would be jumping
up and down on the desk from viruses. :-)
Are you saying
isn't with Google, OpenOffice, Firefox, Opera or
Chrome, it's with Microsoft and IE."
So your saying that all these products are built on top of IE. Last I checked, these were stand-alone products with their own unique issues and bugs.
No, I know they have nothing to do with IE.
used Linux for 8 years. My family has also gone
along for the ride with no complaints.
During that time, Firefox, OpenOffice, Opera and
recently Chrome have also been available for
Linux.
So, when you install Linux Mint, you
automatically get the current version of Firefox
and OpenOffice suite. In fact, after running
the package update on Linux Mint 8, I am
automatically updated to version 3.5.7.
So all the articles appearing on ZDNET over the
years for say, FireFox, have tried to blame the
browser for intrinsic faults in Windows. Linux
versions don't present these problems. Sure,
there are issues with memory, where the browser
may crash, but you don't have security worries.
If someone is using Windows with IE and they
install OpenOffice, the issues relate to Windows
having holes in it, not necessarily from
OpenOffice because the Linux sister version is
doing just fine.
You have to understand that IE
is an intrinsic part of Windows and cannot be
separated from it or deleted. That's why they
were sued and lost.
So, your Windows security
problems can be traced back to IE even if you
don't use it. A similar connectivity is
also present in MS Office Suite. They have to
patch MS Office because people can take total
control of the computer due to it's nature.
It's not just a separate program, it's a mess.
They are trying to protect MS reputation by
blaming applications. The truth is the
applications should have never been written for
Windows.