Google

The NSA Isn’t Evil (Even Working with Google)

By Rich

The NSA is going to work with Google to help analyze the recent Chinese (probably) hack. Richard Bejtlich predicted this, and I consider it a very positive development.

It's a recognition that our IT infrastructure is a critical national asset, and that the government can play a role in helping respond to incidents and improve security. That's how it should be -- we don't expect private businesses to defend themselves from amphibious landings (at least in our territory), and the government has political, technical, and legal resources simply not available to the private sector.

Despite some of the more creative TV and film portrayals, the NSA isn't out to implant microchips in your neck and follow you with black helicopters. They are a signals intelligence collection agency, and we pay them to spy on as much international communication as possible to further our national interests. Think that's evil? Go join Starfleet -- it's the world we live in. Even though there was some abuse during the Bush years, most of that was either ordered by the President, or non-malicious (yes, I'm sure there was some real abuse, but I bet that was pretty uncommon). I've met NSA staff and sometimes worked with plenty of three-letter agency types over the years, and they're just ordinary folk like the rest of us.

I hope we'll see more of this kind of cooperation.

Now the one concern is for you foreigners -- the role of the NSA is to spy on you, and Google will have to be careful to avoid potentially uncomfortable questions from foreign businesses and governments. But I suspect they'll be able to manage the scope and keep things under control. The NSA probably pwned them years ago anyway.

Good stuff, and I hope we see more direct government involvement... although we really need a separate agency to handle these due to the conflicting missions of the NSA.

• Note: for those of you that follow these things, there is clear political maneuvering by the NSA here. They want to own cybersecurity, even though it conflicts with their intel mission. I'd prefer to see another agency hold the defensive reins, but until then I'm happy for any .gov cooperation.

–Rich

FireStarter: APT—It’s Called “Espionage”, not “Information Warfare”

By Rich

There's been a lot of talk on the Interwebs recently about the whole Google/China thing. While there are a few bright spots (like anything from the keyboard of Richard Bejtlich), most of it's pretty bad.

Rather than rehashing the potential attack details, I want to step back and start talking about the bigger picture and its potential implications. The Google hack -- Aurora or whatever you want to call it -- isn't the end (or the beginning) of the Advanced Persistent Threat, and it's important for us to evaluate these incidents in context and use them to prepare for the future.

1. As usual, instead of banding together, parts of the industry turned on each other to fight over the bones. On one side are pundits claiming how incredibly new and sophisticated the attack was. The other side insisted it was a stupid basic attack of no technical complexity, and that they had way better zero days which wouldn't have ever been caught. Few realize that those two statements are not mutually exclusive -- some organizations experience these kinds of attacks on a continuing basis (that's why they're called "persistent"). For other organizations (most of them) the combination of a zero-day with encrypted channels is way more advanced than what they're used to or prepared for. It's all a matter of perspective, and your ability to detect this stuff in the first place.
2. The research community pounced on this, with many expressing disdain at the lack of sophistication of the attack. Guess what, folks, the attack was only as sophisticated as it needed to be. Why burn your IE8/Win7 zero day if you don't have to? I don't care if an attack isn't elegant -- if it works, it's something to worry about.
3. Do not think, for one instant, that the latest wave of attacks represents the total offensive capacity of our opponents.
4. This is espionage, not 'warfare' and it is the logical extension of how countries have been spying on each other since the dawn of human history. You do not get to use the word 'war' if there aren't bodies, bombs, and blood involved. You don't get to tack 'cyber' onto something just because someone used a computer.
5. There are few to no consequences if you're caught. When you need a passport to spy you can be sent home or killed. When all you need is an IP address, the worst that can happen is your wife gets pissed because she thinks you're browsing porn all night.
6. There is no motivation for China to stop. They own major portions of our national debt and most of our manufacturing capacity, and are perceived as an essential market for US economic growth. We (the US and much of Europe) are in no position to apply any serious economic sanctions. China knows this, and it allows them great latitude to operate.
7. Ever vendor who tells me they can 'solve' APT instantly ends up on my snake oil list. There isn't a tool on the market, or even a collection of tools, that can eliminate these attacks. It's like the TSA -- trying to apply new technologies to stop yesterday's threats. We can make it a lot harder for the attacker, but when they have all the time in the world and the resources of a country behind them, it's impossible to build insurmountable walls.

As I said in Yes Virginia, China Is Spying and Stealing Our Stuff, advanced attacks from a patient, persistent, dangerous actor have been going on for a few years, and will only increase over time. As Richard noted, we've seen these attacks move from targeting only military systems, to general government, to defense contractors and infrastructure, and now to general enterprise.

Essentially, any organization that produces intellectual property (including trade secrets and processes) is a potential target. Any widely adopted technology services with private information (hello, ISPs, email services, and social networks), any manufacturing (especially chemical/pharma), any infrastructure provider, and any provider of goods to infrastructure providers are on the list.

The vast majority of our security tools and defenses are designed to prevent crimes of opportunity. We've been saying for years that you don't have to outrun the bear, just a fellow hiker. This round of attacks, and the dramatic rise of financial breaches over the past few years, tells us those days are over. More organizations are being deliberately targeted and need to adjust their thinking. On the upside, even our well-resourced opponents are still far from having infinite resources.

Since this is the FireStarter I'll put my recommendations into a separate post. But to spur discussion, I'll ask what you would do to defend against a motivated, funded, and trained opponent?

–Rich

Google, Privacy, and You

By Rich

A lot of my tech friends make fun of me for my minimal use of Google services. They don't understand why I worry about the information Google collects on me. It isn't that I don't use any Google services or tools, but I do minimize my usage and never use them for anything sensitive. Google is not my primary search engine, I don't use Google Reader (despite the excellent functionality), and I don't use my Gmail account for anything sensitive. Here's why:

First, a quote from Eric Schmidt, the CEO of Google (the full quote, not just the first part, which many sites used):

If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place, but if you really need that kind of privacy, the reality is that search engines including Google do retain this information for some time, and it's important, for example that we are all subject in the United States to the Patriot Act. It is possible that that information could be made available to the authorities.

I think this statement is very reasonable. Under current law, you should not have an expectation of privacy from the government if you interact with services that collect information on you, and they have a legal reason and right to investigate you. Maybe we should have more privacy, but that's not what I'm here to talk about today.

Where Eric is wrong is that you shouldn't be doing it in the first place. There are many actions all of us perform from day to day that are irrelevant even if we later commit a crime, but could be used against us. Or used against us if we were suspected of something we didn't commit. Or available to a bored employee.

It isn't that we shouldn't be doing things we don't want others to see, it's that perhaps we shouldn't be doing them all in one place, with a provider that tracks and correlates absolutely everything we do in our lives. Google doesn't have to keep all this information, but since they do it becomes available to anyone with a subpoena (government or otherwise). Here's a quick review of some of the information potentially available with a single piece of paper signed by a judge... or a curious Google employee:

• All your web searches (Google Search).
• Every website you visit (Google Toolbar & DoubleClick).
• All your email (Gmail).
• All your meetings and events (Google Calendar).
• Your physical location and where you travel (Latitude & geolocation when you perform a search using Google from your location-equipped phone).
• Physical locations you plan on visiting (Google Maps).
• Physical locations of all your contacts (Maps, Talk, & Gmail).
• Your phone calls and voice mails (Google Voice).
• What you read (Search, Toolbar, Reader, & Books)
• Text chats (Talk).
• Real-time location when driving, and where you stop for food/gas/whatever (Maps with turn-by-turn).
• Videos you watch (YouTube).
• News you read (News, Reader).
• Things you buy (Checkout, Search, & Product Search).
• Things you write -- public and private (Blogger [including unposted drafts] & Docs).
• Your photos (Picassa, when you upload to the web albums).
• Your online discussions (Groups, Blogger comments).
• Your healthcare records (Health).
• Your smarthome power consumption (PowerMeter).

There's more, but what else do we care about? Everything you do in a browser, email, or on your phone. It isn't reading your mind, but unless you stick to paper, it's as close as we can get. More importantly, Google has the ability to correlate and cross-reference all this data.

There has never before been a time in human history when one single, private entity has collected this much information on a measurable percentage of the world's population.

Use with caution.

–Rich

Gmail CSRF Flaw

By Adrian Lane

Yesterday morning I read the article on The Tech Herald about the demonstration of a CSRF flaw for 'Change Password' in Google Mail. While the vulnerability report has been known for some time, this is the first public proof of concept I am aware of.

"An attacker can create a page that includes requests to the "Change Password" functionality of GMail and modify the passwords of the users who, being authenticated, visit the page of the attacker," the ISecAuditors advisory adds.

The Google response?

"We've been aware of this report for some time, and we do not consider this case to be a significant vulnerability, since a successful exploit would require correctly guessing a user's password within the period that the user is visiting a potential attacker's site. We haven't received any reports of this being exploited. Despite the very low chance of guessing a password in this way, we will explore ways to further mitigate the issue. We always encourage users to choose strong passwords, and we have an indicator to help them do this."

Uh, maybe, maybe not. Last I checked, people still visit malicious sites either willingly or by being fooled into it. Now take just a handful of the most common passwords and try them against 300 million accounts and see what happens.

How does that game go? Rock beats scissors, scissors beat paper, and weaponized exploit beats corporate rhetoric? I think that's it.

–Adrian Lane

Healthcare In The Cloud

By Adrian Lane

Google is launching a cooperative program between Google and Medicare of Arizona. They are teaming up to put patient & health care records onto Google servers so it can be shared with doctors, labs and pharmacies.

Arizona seniors will be pioneers in a Medicare program that encourages patients to store their medical histories on Google or other commercial Web sites as part of a government effort to streamline and improve health care. The federal agency that oversees Medicare selected Arizona and Utah for a pilot program that invites patients to store their health records on the Internet with Google or one of three other vendors.

From Google & Medicare's standpoint, this seems like a great way to reduce risk and liability while creating new revenue models. Google will be able to charge for some add-on advertisement services, and possibly data for BI as well. It appears that to use the service, you need to provide some consent, but it is unclear from the wording in the privacy policy if that means by default the data can be used or shared with third parties; time will tell. It does appears that Google does not assume HIPPA obligations because they are not a health care provider. And because of the voluntary nature of the program, it would be hard to get any satisfaction should the data be leaked and damages result. The same may be true for Medicare, because if they are not storing the patient data, there is a grey area of applicability for measures like CA-1386 and HIPPA as well. As Medicare is not outsourcing record storage, unlike other SaaS offerings, they may be able to shrug off the regulatory burden.

Is it just me, or does this kind of look like Facebook for medical records?

–Adrian Lane

Mail Goggles

By Adrian Lane

Someone at Google has created Mail Goggles. It's a little Gmail utility to keep you from sending out email while, uh, under the influence. Jon Perlow, the author, had this to say ...

[snip] "Sometimes I send messages I shouldn't send. Like the time I told that girl I had a crush on her over text message. Or the time I sent that late night e-mail to my ex-girlfriend that we should get back together," [/snip]

And who hasn't, really? It's no wonder I am not smart enough to work at Google. I would never have through this up, never mind actually coding it. I checked, and it's really there, under the Lab's section, along with a dozen or so other productivity tools. I really think they could be onto something here ... just consider this from a 'Reputational Risk' perspective; this could be a hot product for Postini. One too many Martini's with lunch? Drowning your sorrows as you watch your stock portfolio plunge? A little testy that your "spa day" executive retreat was cancelled? No problem, Google will quarantine your outbound email! And if your too drunk to remember to turn this off, your email probably should be sequestered. Hoff was right, Google really is becoming a security company. Now, where did I leave that glass of bourbon ...

–Adrian Lane

Google AdWords

By Adrian Lane

This is not a 'security' post.

Has anyone had a problem with Google AdWords continuing to bill their credit cards after their account is terminated? Within the last two months, four people have complained to me that their credit cards continued to be changed even though they cancelled their accounts. In fact, the charges were slightly higher than normal. In a couple of cases they had to cancel their credit cards in order to get the charges to stop, resulting in letters from "The Google AdWords Team" threatening to pursue with the issuing bank ... and, no, I am not talking about the current spam floating around out there but a legitimate email. All this despite having the email acknowledgement that the AdWords account had been cancelled.

I did a quick web search (without Google) and I only found a few old complaints on line about this, but in my small circle of friends, this is a pretty high number of complaints considering how few use Google for their small businesses.

I was wondering if anyone else out there has experienced this issue?

Okay- maybe it is a security post after all...

–Adrian Lane

YouTube, Viacom, And Why You Should Fear Google More Than The Government

By Rich

Reading Wired this morning (and a bunch of other blogs), I learned that a judge ordered Google/YouTube to turn over ALL records of who watched what on YouTube. To Viacom of all organizations, as part of their lawsuit against Google for hosting copyrighted content. The data transfered over includes IP address and what was watched.

Gee, think that might leak at some point? Ever watch YouTube porn from an IP address that can be tied to you? No porn? How about singing cats? Yeah, I thought so you sick bastard.

But wait, what are the odds of tracing an IP address back to an individual? Really damn high if you use any other Google service that requires a login, since they basically never delete data. Even old emails can tie you back to an IP, never mind a plethora of other services. Ever comment on a blog?

The government has a plethora of mechanisms to track our activity, but even with recent degradations in their limits for online monitoring, we still have a heck of a lot of rights and laws protecting us. Even the recent warrantless wiretapping issue doesn't let a government agency monitor totally domestic conversations without court approval.

But Google? (And other services). There's no restriction on what they can track (short of reading emails, or listening in on VoIP calls). They keep more damn information on you than the government has the infrastructure to support. Searches, videos you've watched, emails, sites you visit, calendar entries, and more. Per their privacy policies some of this is deleted over time, but even if you put in a request to purge your data it doesn't extend to tape archives. It's all there, waiting to be mined. Feedburner, Google Analytics. You name it.

Essentially none of this information is protected by law. Google can change their privacy policies at any time, or sell the content to anyone else.

Think it's secure? Not really- I heard of multiple XSS 0days on Google services this week. I've seen some of their email responses to security researchers; needless to say, they really need a CSO.

I'm picking on Google here, but most online services collect all sorts of information, including Securosis. In some cases, it's hard not to collect it. For example, all comments on this blog come with an IP address. The problem isn't just that we collect all sorts of information, but that we have a capacity to correlate it that's never been seen before.

Our laws aren't even close to addressing these privacy issues.

On that note, I'm disabling Google Analytics for the site (I still have server logs, but at least I have more control over those). I'd drop Feedburner, but that's a much more invasive process right now that would screw up the site badly.

Glad I have fairly tame online habits, although I highly suspect my niece has watched more than a few singing cat videos on my laptop. It was her, I swear!

–Rich