Social Engineering techniques helped attackers orchestrate an attack on Google’s infrastructure from Chinese hackers working inside China.

The middle of December 2009, Google’s infrastructure was attacked by a highly sophisticated operation originating from China. The attack resulted in theft of intellectual property from Google. Along with Google, there were 20 other large Internet, finance, technology, media and chemical companies also attacked.

Google says the attackers tried to get into Gmail accounts belonging to human-rights activists around the world based on subject lines for the emails.

The hackers targeted users within a targeted network system with carefully crafted emails full of personal information. The whole goal with the emails was to get the user to open the email PDF or Work document attachment full of malware. Once the malware laden document is opened, the malware compromises the computer and the attacker can command the computer remotely. This is just the beginning, once a computer is compromised on a network the attackers branch out from there probing other computers raiding emails accounts to get more personal information ammunition for more social engineering attacks on the network.

It is well known China suppresses/censors their citizen from access to many Internet sites and for the past year further limiting free speech on the Web. Why is this whole ordeal such a big deal anyways? Google wants to run their standard version of its search engine in China and have not been able to. I ask, “What if these attackers were orchestrated by Google to give them leverage with the Chinese Government so Google could run their standard version search engine more easily? Or could the Chinese Government be trying to steal intellectual rights from Google to create something of their own and kick Google out of China?

Read the original post here

Google Wave promises a lot of online collaborative capabilities that appeal to the more technically oriented among us. But like any other new, online service, don’t get so carried away that you forget about privacy and security risks.

When next I heard about Google Wave, I heard some interesting things about what people will be able to do with plugins to add their own functionality. I looked into the promised capabilities a bit more, and found that I might have at least one use for it, as a tool for running an online Pathfinder RPG campaign.

Because of the potential use for it as a gaming aid, I applied for an “invitation” for Google Wave testing. I got a few more invitations I can distribute to others, which is kind of a necessary capability — since it is an interactive service — and requires the participation of other people before it becomes particularly useful.

It is a new service, still in testing, however. It will be interesting to see whether any bugs bite me or any of the functionality changes while I use it. More importantly, it remains to be seen where the unexpected security implications will arise. Because of this, I will not be using it for anything involving any kind of sensitive or private information, at least during the preview/testing stage of development.

Like any new service, particularly if it offers new functionality or uses old functionality in a new way, it pays to be very cautious. This is especially true when it is the sort of thing that encourages its users to share or store information through the service itself. Even for a  well-known organization like Google, it’s important to note that the service is in testing, which means the service provider is not confident in its stability. The whole point of testing, after all, is to find bugs so they can be eliminated before the official release.

If you come up with a good use for something like Google Wave and acquire an invitation before its general release — but after the end of the official testing period — make sure that however you use it will not involve sharing any sensitive information. Depending on how things work out while I play around with it, I may end up using it to provide real-time client security training and online support sessions — but I will not do so while I am uncertain of any potential security pitfalls. Until the security implications of using a service like Google Wave are better understood, it is best to keep your private communications restricted to channels that are more thoroughly tested, where the security benefits and dangers are much clearer, and the means to protect oneself against those dangers are well established.

Of course, if you do business anything like the way most banks do business, with little or no concern for the preferences of your more security-conscious clients and customers, simply diving into Google Wave without any thought for the dangers of entrusing a new online service with your most sensitive data may not be any worse than how you already do things. If you are more careful — and care more about privacy and security  than the average bank, you should definitely apply a little practical paranoia to the way you use Google Wave, or any other online service, while it is still so new.

Watch Google Wave Video Explanation and sign up

Author: Chad Perrin ]]> http://www.devinhunter.com/google/google-wave-imemail-app-launching-2010/feed 1