LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
02-25-2010, 07:11 AM   #1
resetreset (Senior Member)
What did Google's attackers do?


Can anybody with some "insider knowledge", heh heh, post about this? All Google said was that they were "sophisticated" attacks coming from China. I, generally speaking, love to know how hackers' minds from all over the world work, so - does anybody know?
 
02-25-2010, 07:36 AM   #2
win32sux (LQ Guru)
A reminder to anyone wishing to discuss this issue: Sharing insider knowledge of this nature could have extremely serious legal implications, so I must ask that you refrain from doing that. Please keep things limited to what you know from widely-available sources.
 
02-25-2010, 07:45 AM   #3
win32sux (LQ Guru)
Quote:
Originally Posted by resetreset View Post
Can anybody with some "insider knowledge", heh heh, post about this? All Google said was that they were "sophisticated" attacks coming from China. I, generally speaking, love to know how hackers' minds from all over the world work, so - does anybody know?
I'd be interested in the big picture too. I haven't paid much attention to the news, but what little I did read gave me the impression that the attack was based on an Internet Explorer exploit. I'm not sure what happened beyond that.
 
02-25-2010, 07:51 AM   #4
smoker (Senior Member)
It's all related to Bill's browser AFAIK.

Read this for some more
http://tech.slashdot.org/story/10/01...gle-Now-Public

Quote:
IE6 comes installed with Windows XP; you can't uninstall it. For people who *never* use IE, that's the version we're going to have installed.

The problem here is that Acrobat Reader was embedding IE to display some user controllable elements. So the attack is:

1. Send the target a PDF.
2. They open it in Acrobat Reader.
3. Acrobat Reader loads up IE to display some elements of the PDF.
4. The embedded code triggers an exploit in IE.
5. Arbitrary code execution follows.

And yes, it is a totally lame attack but it works because:

* Way too many people use Acrobat Reader to read PDFs (monoculture)
* IE can't be uninstalled, and no-one updates a browser they don't use.
http://tech.slashdot.org/comments.pl...6&cid=30789090

Last edited by smoker; 02-25-2010 at 07:53 AM.
 
02-25-2010, 08:00 AM   #5
win32sux (LQ Guru)
Okay, so what happened after client-side arbitrary code execution abilities were gained?

Last edited by win32sux; 02-25-2010 at 08:51 AM.
 
02-25-2010, 08:57 AM   #6
smoker (Senior Member)
They executed an attack.
 
02-25-2010, 09:19 AM   #7
win32sux (LQ Guru)
Quote:
Originally Posted by smoker View Post
They executed an attack.
Uh, you could have simply answered "I don't know", or better yet, just waited for someone who does to post. There's tons of different directions which could have been taken by the bad guys once they reached this point in their attack.

Last edited by win32sux; 02-25-2010 at 09:20 AM.
 
02-25-2010, 10:16 AM   #8
smoker (Senior Member)
Or you could have looked it up yourself?

Should I be posting intimate details of a hack on a public forum anyway?

There are enough script kiddies out there without giving them detailed instructions here.

I gave some starting references for more information. Surely only newbies want the answer on a plate.
 
02-25-2010, 11:39 AM   #9
win32sux (LQ Guru)
Quote:
Originally Posted by smoker View Post
Or you could have looked it up yourself?
I've read multiple news articles regarding this event, and I'm still not exactly sure how it all unfolded. In other words, I'm quite likely in a situation similar to what the OP is in, and I'm looking forward to the valuable insight typical of the LQ community. If you have any links to reputable news sources which will shed light, please don't hesitate to share them.

Quote:
Should I be posting intimate details of a hack on a public forum anyway?
No, of course you shouldn't - but unless you actually do have some, it's a moot point regardless.

Quote:
There are enough script kiddies out there without giving them detailed instructions here.
This thread isn't about getting detailed instructions, okay? Heck, it isn't even about providing a detailed account of what happened. It's simply a means by which we may better understand what transpired during this extremely significant breach of security. That's all that it can be, because anything beyond that would likely be incompatible with the LQ Rules.

Quote:
I gave some starting references for more information. Surely only newbies want the answer on a plate.
Your link to some random individual's Slashdot comment is very appreciated, and hopefully we can move beyond the Internet Explorer vulnerability now. Neither the ITworld article which that Slashdot user was commenting on, nor the McAfee blog post which said article links to, provides any account of what happened after Internet Explorer's arbitrary code execution vulnerability was exploited. Once again, if you don't know the answer to the question, that's okay (we're in the same boat), so just sit back and relax while someone who does know chimes in. Thanks.

Last edited by win32sux; 02-25-2010 at 12:20 PM.
 
02-25-2010, 01:59 PM   #10
Jim Bengtson (Member)
http://siblog.mcafee.com/cto/operati...google-others/
 
02-25-2010, 02:11 PM   #11
win32sux (LQ Guru)
Thanks, Jim Bengtson. From that article:
Quote:
As with most targeted attacks, the intruders gained access to an organization by sending a tailored attack to one or a few targeted individuals. We suspect these individuals were targeted because they likely had access to valuable intellectual property. These attacks will look like they come from a trusted source, leading the target to fall for the trap and clicking a link or file. That’s when the exploitation takes place, using the vulnerability in Microsoft’s Internet Explorer.

Once the malware is downloaded and installed, it opens a back door that allows the attacker to perform reconnaissance and gain complete control over the compromised system. The attacker can now identify high value targets and start to siphon off valuable data from the company.
I wonder if these clients were actually Google employees (and/or the other companies which were attacked) or were they Gmail end-users? I ask because if this is simply the case of some Windows PCs getting owned and their users getting their Gmail passwords lifted, then that wouldn't explain all the Google-related media coverage. I remember reading articles that mentioned the target as being certain specific Chinese human rights activists or something of that nature, but doesn't the quote above make it sound like Google itself was the target?

Last edited by win32sux; 02-25-2010 at 02:21 PM.
 
02-25-2010, 02:50 PM   #12
win32sux (LQ Guru)
I suspect the closest we'll come to understanding what happened might be this official statement.

It's starting to sound to me like it was indeed Google employees within the corporate network who inadvertently launched the exploit code. Does it sound that way to you guys?
 
02-25-2010, 02:55 PM   #13
salasi (Senior Member)
As far as I know (which is usually not enough...and in any case needs a legal disclaimer that I only know what others have been saying) one of the somewhat confusing things about this case is there seem to have been two disconnected things, and there has been some assumption of a clear and obvious connection of some sort between them.

There was a hack attempt, which as far as anyone in the outside world knows, seems to have been from miscreants who may or may not have been in Chinese Universities. The only thing that has been revealed that connects these to the Chinese Government seems to have been that there seems to have been an attempt to target dissidents, and an attempt to target dissidents seems to be something that might have a value to the Chinese Government, although other interpretations, like straightforward blackmail, are possible.

Google's response, apart from the very immediate 'plug the hole' reaction, seems to involve going back on the hugely controversial deal that they had struck with the Chinese Government to, errr, 'protect' the Chinese people from information that the Government thought might be harmful, although the Government has not been all that explicit about whether they thought that the harm in question would occur to the Chinese people or the Chinese government.

The lack of connection between these things seems, at first, confusing. 'Chinese hackers' try to do things which could compromise dissidents, Google responds with an action inimical to the Government.

It seems that the background to this is that Google's market penetration in China hasn't been up to Google's normally elevated standards, and, presumably, to their business plan. In particular, this seems to have made it easier for Google to say to themselves that they are not that bothered about the Chinese market, big in total though it may be, and that it certainly isn't worth compromising to attain, if reputational damage in the rest of the world, where Google does do well, is the consequence of the terms that they are forced to comply with in order to be in the market.
 
02-27-2010, 12:54 PM   #14
resetreset (Senior Member, Original Poster)
Why is everyone suddenly giving legal disclaimers? As long as you have dynamic IPs, it'd be kind of hard to trace you ANYWAY, y'know.
So...
the attack was a stupid "exploit bug in Adobe Reader" hack, nothing mind-bendingly original. And here I was thinking rootkits and whatnot.

What I find most worrying is that this attack happening to *Google* gets this much publicity. Surely attacks like this happen every day, all over the world, to all sorts of companies....? Did Google actually put word about this out themselves? Folks know it's Google, so the security on the server side'll be *bloody* good, so they're not worried about losing accounts; it's just a way to get the company's name in the papers....? Or am I being too skeptical?
 
02-27-2010, 01:37 PM   #15
win32sux (LQ Guru)
Quote:
Originally Posted by resetreset View Post
Why is everyone suddenly giving legal disclaimers? As long as you have dynamic IPs, it'd be kind of hard to trace you ANYWAY, y'know.
So...
the attack was a stupid "exploit bug in Adobe Reader" hack, nothing mind-bendingly original. And here I was thinking rootkits and whatnot.

What I find most worrying is that this attack happening to *Google* gets this much publicity. Surely attacks like this happen every day, all over the world, to all sorts of companies....? Did Google actually put word about this out themselves? Folks know it's Google, so the security on the server side'll be *bloody* good, so they're not worried about losing accounts; it's just a way to get the company's name in the papers....? Or am I being too skeptical?
Google was only one of dozens of companies which were hit. Also, when Google describes the attack as "highly sophisticated", they are referring to the attack as a whole, not the exploit you're making reference to. If you read this article you may get an idea of why the attack has been described by Google and others in that manner. BTW, keep in mind that we may never learn the true extent of what took place inside Google's corporate network during the time they were breached.

Last edited by win32sux; 02-27-2010 at 01:38 PM.
 