Digital Espionage

Attacks on websites have been a common occurrence ever since the boom of the Internet market, and it is only natural that people get into the business themselves, either legally or illegally. Since these attacks began, anti-virus companies have been built, adding yet another business to the market. But the sophistication of the attacks has been improving rapidly, and one example is what happened to Google, one of the world’s leading search engines. On January 12, 2010, Google announced on its blog that it had been attacked. The attack was said to have begun in the middle of the previous year and to have ended that December.

Google stated that over 20 other companies, including Adobe and Microsoft, had also been victims. On the same day, US Secretary Hillary Clinton publicly asked the Chinese government for an explanation. Google became aware of the attack itself, through its own internal sources. According to Newsweek, at the time it contacted Rafal Rohozinski, CEO of The SecDev Group (a global security and research firm), because the attack was very similar to GhostNet (a large-scale cyber-spying event of March 2009), and it wanted to know what SecDev could share that might help its in-house investigation.

The attack appeared to emanate from within China’s jurisdiction. Google said that the hackers were interested in accessing the Gmail accounts of Chinese human rights activists. According to the Financial Times, a person named Ai Weiwei had two of his accounts hacked and their contents read and copied. For the others, however, the attackers were only able to view limited details such as the subject line and the creation date of the account. The attack was said to have started when an employee in China clicked on an infected link that had been sent through an instant message.

The attacker was able to access that person’s computer and, eventually, Google’s headquarters in California. It also accessed Google’s Moma, an internal directory that stores information on each employee’s work tasks. Carlos Carrillo, principal consultant at Mandiant (a security incident response and forensics firm), was also called in by Google. He said that it was “definitely one of the most sophisticated attacks I’ve seen in the last few years… This wasn’t something that a 16-year-old came up with in his spare time.”

He said that they had seen similar attacks on governments, but never in the commercial space. The attack had clearly been carried out by a group of experts. On January 14, 2010, McAfee reported that the attackers had exploited zero-day vulnerabilities and named the attack “Operation Aurora”. They exploited a hole in Microsoft’s Internet Explorer even with DEP (Data Execution Prevention) turned on. The vulnerability affects Internet Explorer versions 6, 7, and 8 on Windows 7, Vista, Windows XP, Server 2003, and Server 2008 R2, as well as IE 6 Service Pack 1 on Windows 2000 Service Pack 4.

It would be very hard to exploit the flaw on Windows Vista or Windows 7, however, because of their more advanced memory protection technology. Zero-day vulnerabilities are flaws that are unknown to the developer. When an attacker discovers a vulnerability before the developer does, it can prove very dangerous. The attacker can either use the vulnerability to copy the information, build a similar program and sell it on the market, or use it to directly destroy the developer’s program.

As with Google, analysts said that “China is likely using its maturing computer network exploitation capability to support intelligence collection against the U.S. government and industry by conducting a long term, sophisticated computer network exploitation campaign.” At least 10 to 20 terabytes of data had been taken from Google and the other companies. Days after the attack was disclosed, the exploit was released to the public, which now endangers the wider internet community. Paul Ducklin, Head of Technology (Asia Pacific) at SophosLabs (a developer and vendor of security software and hardware), explained how the exploit used against Google worked.

The Aurora exploit relies on a use-after-free bug. It uses JavaScript to take control of the browser as it crashes. The exploit has all the usual JavaScript tricks: a heap spray (a technique that fills large areas of memory with copies of the payload to facilitate arbitrary code execution) and NOP sleds (runs of no-operation instructions that “slide” execution along to its final destination). At the end of the NOP sled is the shellcode (the actual malicious binary code that the hacker wants to execute), and the triggering code uses JavaScript events to trick the browser into misusing memory in the first place.
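The pieces Ducklin lists (NOP sled, heap spray, shellcode tail) leave structural fingerprints in page scripts that a content filter can look for. The detector below is an added example, not code from the article or from Sophos; it scans two constructed script samples (no real shellcode, only a labelled placeholder) for three heuristics that spray code typically exhibits. The indicator names, the NOP-like word set and the run threshold are assumptions chosen for illustration.

```python
import re
# Constructed sample with the heap-spray / NOP-sled shape Ducklin describes.
# No real shellcode: "payload" is a labelled placeholder escape sequence.
SPRAY_PAGE = r"""<script>
var sled = unescape("%u9090%u9090%u9090%u9090");
var payload = unescape("%uABCD%uABCD");  // placeholder, constructed
while (sled.length < 0x100000) sled += sled;
var blocks = new Array();
for (var i = 0; i < 200; i++) blocks[i] = sled + payload;
</script>"""

# Constructed benign page: one unescape, an ordinary loop, no spray structure.
BENIGN_PAGE = r"""<script>
for (var i = 0; i < 10; i++) rows.push("row " + i);
document.title = unescape("caf%u00e9");
</script>"""

NOP_LIKE = {"9090", "0c0c", "0d0d", "0a0a"}  # common sled / spray fill words

def longest_nop_run(script):
    """Longest run of consecutive NOP-like %uXXXX words inside an unescape("...")."""
    longest = 0
    for m in re.finditer(r'unescape\("((?:%u[0-9a-fA-F]{4})+)"\)', script):
        run = 0
        for word in re.findall(r'%u([0-9a-fA-F]{4})', m.group(1)):
            run = run + 1 if word.lower() in NOP_LIKE else 0
            longest = max(longest, run)
    return longest

def has_doubling_loop(script):
    """'while (s.length < N) s += s': the string-doubling growth idiom of a spray."""
    pat = r'while\s*\(\s*(\w+)\.length\s*<\s*\w+\s*\)\s*\1\s*\+=\s*\1\b'
    return re.search(pat, script) is not None

def has_block_fill(script):
    """A loop storing the grown string plus a tail into every slot of an array."""
    pat = r'for\s*\([^)]*\)\s*(\w+)\[\w+\]\s*=\s*\w+\s*\+\s*\w+'
    return re.search(pat, script) is not None

CHECKS = {  # indicator names and the run threshold (4) are illustrative assumptions
    "nop_sled": lambda s: longest_nop_run(s) >= 4,
    "doubling_loop": has_doubling_loop,
    "block_fill": has_block_fill,
}

def heap_spray_indicators(page):
    """Sorted names of the indicators present in any <script> block on the page."""
    scripts = re.findall(r'<script[^>]*>(.*?)</script>', page, re.S | re.I)
    return sorted(n for n, check in CHECKS.items() if any(check(s) for s in scripts))
```

Calling heap_spray_indicators(SPRAY_PAGE) flags all three indicators, while the benign sample yields none; in practice such heuristics are one signal among several, since obfuscation can rename variables and split the escape strings.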

On a test server he edited the shellcode so that it contained debugger breakpoints, and he added the human-readable text “WARHEAD” so that if the browser crashed he could visually confirm that execution had landed in his shellcode. He tried it in IE 6 with only a debugger attached (the reason being the debug breakpoints: if the exploit actually worked, he could trace it back in the debugger). He then launched Internet Explorer and visited the malicious site.

The exploit relies on fetching image files. It worked: when he inspected the address in the debugger, “WARHEAD” was there. Usually, a good anti-virus program can protect internet users from these kinds of exploits. In order to fix the IE flaw, Microsoft stepped outside its normal monthly patch cycle to release a patch. IE users now need to run Windows Update and install the MS10-002 update to fix it. Meanwhile, Google announced that it would stop censoring its search results in China.

David Drummond, Senior Vice President, Corporate Development and Chief Legal Officer of Google, said: “Users visiting Google.cn are now being redirected to Google.com.hk, where we are offering uncensored search in simplified Chinese, specifically designed for users in mainland China and delivered via our servers in Hong Kong.” Censorship in China has been a rule used to maintain the country’s communism. Censorship prevents unapproved reformist, separatist and “counter-revolutionary” ideas from organizing and spreading.

It also prevents Chinese citizens from discovering or learning more about past and current failures of the Communist Party that could create or inflame anti-government sentiment. The authorities have also intended to block foreign government websites to prevent people from learning about alternative systems of governance. What Google did was a risky step, because China may stop doing business with Google altogether, and China is one of the most sought-after markets in the world today.

Analysts expect China’s search market to reach 10 billion yuan ($1.46 billion) this year. In five to ten years, however, what Google did may prove advantageous for it. Ben Sargent, an analyst with Common Sense Advisory, a market research company, said: “As a culture, China is much more long-term thinking than most other cultures. No other government takes such long-term views as the Chinese government,” Sargent said. “So Google is trying to out-Chinese the Chinese in terms of making a really long-term play for young people’s hearts and minds in China.”

Google had always been concerned about its position in China, but the country is too big a market to ignore. As Rohozinski said, “Engagement is better than exclusion.” You can do a lot more for the people if you work from the inside than by just standing around and watching. Google went in with its eyes wide open. Sergey Brin (founder of Google), who came from the Soviet Union, understood China’s political views. The cyber spying simply gave Google the opportunity to take its stand and have the world praise it for doing so.