Modernizing Authentication ? What It Takes to Transform Secure Access
When Google went public in January with revelations that it and 20 other companies had been targeted by a sophisticated group of hackers operating from China, it also threatened to close down its Web properties in that country unless authorities relaxed their content-filtering requirements, a gambit that steered the conversation toward issues of censorship and away from the attacks themselves.
Little has been known about the precise nature of the attacks or their intended targets.
But a new report, citing a person with direct knowledge of the investigation, is claiming that the hackers were able to compromise Google's (NASDAQ: GOOG) password system, the single-sign-on mechanism that gives employees and millions of users central access to the company's myriad online products and services.
The New York Times report describes the password system as one of Google's "crown jewels," a sophisticated authentication mechanism that had only been described in public once, at a technical conference four years ago.
The investigation indicated that the hackers were not able to steal any passwords from Google users by accessing the program, which is code-named "Gaia," the Greek goddess of the earth, according to the report. The Times also noted that Google has made substantial alterations to the password system since the attacks, though it raises the question that a network of sophisticated hackers working around the clock could unearth a vulnerability that Google's own security team hasn't found.
Google has traced the intrusion back to an employee based in China who clicked on a link to a "poisonous site" that he received in an instant message using Microsoft's Messenger program, according to the report. Once the employee navigated to the site, the hackers were able to compromise his system, an intrusion that ultimately enabled them to gain access to the systems of a key group of software developers at Google's Silicon Valley headquarters.
Google's official line hasn't changed since the initial disclosure.
"We are not going to comment on the record beyond our original blog post," Google spokesman Jay Nancarrow told InternetNews.com in an e-mail. "At the time we described the extent and impact of the issue, as well as the measures we have since put in place. The post still stands as our statement of record."
In that post, published Jan. 12, Google Chief Legal Officer David Drummond did not provide specific details of the attacks, saying only that they resulted in the loss of "intellectual property" at Google, and that the intruders appeared to have succeeded only in compromising a limited amount of non-sensitive information about two Gmail users. Drummond said that the investigation had also revealed that the Gmail accounts of Chinese human rights advocates based in Europe, China and the United States were routinely accessed by unnamed third-parties.
In the time since, Google has made good on its promise to break with the Chinese government's censorship requirements, moving the Web servers that power its search engine and other services to Hong Kong, beyond the reach of the mainland Internet laws.
The issue has also wafted up to policy circles, with Secretary of State Hillary Clinton delivering a high-profile policy speech heralding unfettered Web access and calling on China to conduct a thorough and transparent investigation of the attacks Google described.
Chinese authorities have lashed back at Google and U.S. officials, by turns accusing the company of politicizing what it describes as a commercial dispute and the U.S. government of hypocrisy on the issue of Internet regulation. Officials have also repeatedly dismissed allegations that the attacks emanated from China.