Tuesday, January 12, 2010

Google v China

It's been a few months since I mentioned China in a blog post, but this one can't be ignored. Thanks to SW for passing me this one:

Google Blog: A New Approach to China

In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google...

First, this attack was not just on Google. As part of our investigation we have discovered that at least twenty other large companies from a wide range of businesses--including the Internet, finance, technology, media and chemical sectors--have been similarly targeted...

These attacks and the surveillance they have uncovered--combined with the attempts over the past year to further limit free speech on the web--have led us to conclude that we should review the feasibility of our business operations in China. We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all. We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China.


Welcome to the party, Google. You can use the term "advanced persistent threat" (APT) if you want to give this adversary its proper name. See my post Report on Chinese Government Sponsored Cyber Activities for more details.

I have to really applaud Google for saying they might shut down operations in a country of 1.4 billion potential consumers as a result of an incident detection and response!

There were many events last year that fulfilled my prediction for 2009, "Expect at least one cloud security incident to affect something you value." I think this one wins hands down.

Never mind the China angle for a moment. All of us should stop and consider what sort of data we are storing at Google, and in what form that data is stored. Google's Keeping Your Data Safe post for Enterprise customers claims, "While some intellectual property on our corporate network was compromised, we believe our customer cloud-based data remains secure." However, my experience with these sorts of incidents is that if the intrusion occurred in "mid-December," Google will be spending the next several months realizing how large the exposure really is.

6 comments:

Justin Hall said...

Great analysis, man. Hopefully such a disclosure, from an almost globally revered tech company, will help bring more mainstream attention to the reality and seriousness of this threat.

Anonymous said...

Appears Adobe encountered something similar:

http://blogs.adobe.com/conversations/2010/01/adobe_investigates_corporate_n.html

But they also appear to be denying that it's related to what Google recently experienced (as per UPDATE, 7:22 p.m. ET):

http://www.krebsonsecurity.com/2010/01/hack-against-google-prompts-search-giant-to-stop-censoring-chinese-search-results/

Agree that it may be a while before the dust settles and more is known about what _really_ happened here...

iamnowonmai said...

You rock! Have you made next year's World Series predictions yet?

VivekRajan said...

I never thought of Gmail accounts as Google's intellectual property. Why would they talk of shutting shop in such a huge country if simply a handful of human rights activists' Gmail accounts had been compromised? Not to mention due to phishing attacks, which Google can't prevent. Was there a breach of something more significant?

NSM techniques have often been criticized for ignoring the data volume issues. The boundary at the offshore development center is another ideal vantage point where NSM can be deployed. The ODCs usually are connected to the development LANs, leaving the source code servers loosely secured. This presents an ideal hop-on point for APT.

LHillenbrand said...

Extremely interesting, several good articles over the past 24 hours by yourself and other blogs. I think my question would be, now that you have discovered them and understand that they have stolen some IP, are they out? I'm sure they are not. My first question would be, how do I get them out? How do I not let them back in? Then, what did they steal?

gunnar said...

Spare me. They knew all of these issues going in; this is pure PR wrapped in sugar-coated morals, or are we supposed to believe

a) this is the first attack
b) the attacks magically stop when they leave China

http://1raindrop.typepad.com/1_raindrop/2010/01/cyberattacks-happen.html