Google attacked via email

I seem to have become a prophet: the column I wrote for the December
2009 issue of ;login: focused on disabling scripting in Web browsers,
and through that, email readers as well, using NoScript. The big
news this week is that Google has been hacked, along with 33 other
US companies (all Fortune 500) by China.

The hacks involved emailing individuals in these companies and using
flaws in IE and Adobe Reader/Acrobat. Of course, you can't use
NoScript with IE, and NoScript doesn't block the opening of PDF files
by default. But it would seem that even opening an HTML formatted
email is dangerous--something that should not surprise anyone. By
disabling scripting, and not opening PDFs by default (something
US-CERT recommended in its Alert TA10-013A on January 12), these
attacks might have failed. But then I suspect the Chinese would
have tried something else.

Targeted attacks are nothing new, and neither are browser-related
attacks. Your browser is the number one way of breaking into
your computer, and your organization when you are connected to an
internal network locally or via a VPN. This is what happened at
Google and the other 33 companies.
Patching might have helped with the IE flaw, but only if it were
done immediately. The December attacks came within hours
of Microsoft announcing patches for the vulnerability--that's
how tight the patch window was for this attack. Patches for the
Adobe Reader exploit appeared January 12, 2010, almost a month
after the attack.

Best practice for security would appear to be using UNIX mail and
lynx for mail and web browsing. Given that most of the people listening
to Jeremiah Grossman's talk at USENIX Security 2009 had decided not
to use NoScript, getting them to give up the cool features that make
the Web, and email, so compelling seems unlikely. And these were
all people with an expressed interest in security.
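As an added illustration, not part of the original post, here is a small Python mail-triage routine that applies the policy argued for above: display only the plain-text part, never render the HTML alternative, and hold PDF attachments for an explicit decision rather than opening them by default. The message is a constructed sample, and the HELD_TYPES set is an assumption.

```python
"""Triage an email the way the post recommends: show only the plain-text
part, never render HTML, and hold PDFs instead of opening them by default."""
from email import message_from_string
from email.policy import default

HELD_TYPES = {"application/pdf", "application/x-shockwave-flash"}  # assumed policy


def triage(raw: str) -> dict:
    """Return the text to display, whether HTML was dropped, and held parts."""
    msg = message_from_string(raw, policy=default)
    result = {"text": None, "html_suppressed": False, "held": []}
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        ctype = part.get_content_type()
        disp = part.get_content_disposition()  # 'attachment', 'inline' or None
        if ctype == "text/plain" and disp != "attachment" and result["text"] is None:
            result["text"] = part.get_content()  # first plain-text body wins
        elif ctype == "text/html":
            result["html_suppressed"] = True  # never rendered, so never scripted
        elif ctype in HELD_TYPES or disp == "attachment":
            result["held"].append((part.get_filename() or "<unnamed>", ctype))
    return result


# Constructed sample: multipart/alternative body plus a PDF attachment, the
# shape of a lure message. The PDF payload is a placeholder, not a real file.
SAMPLE = """Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: multipart/alternative; boundary="inner"

--inner
Content-Type: text/plain; charset="us-ascii"

Please review the attached report.
--inner
Content-Type: text/html; charset="us-ascii"

<html><body><p>Please review the attached report.</p></body></html>
--inner--
--outer
Content-Type: application/pdf
Content-Disposition: attachment; filename="report.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--outer--
"""
```

Running triage(SAMPLE) yields the plain-text body, a flag that the HTML part was suppressed, and report.pdf in the held list.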

There is hope on the horizon. Google Chrome runs content from different
origins as different processes, and IE8 uses similar tricks. I don't
think either is sufficient, but this is, at least, a start. Content
from each site needs to be run in an isolated environment, a jail,
that has no access to other site content or to the user's system.
Getting to this point from the wide open environment we have today,
where viewing a PDF file involves allowing the PDF reader total access
to your computer, will not be easy. Xax (see the article in
the April 2009 ;login: by Douceur et al.) runs programs in an isolated
environment, and Google has a project called Native Client that
also sandboxes code. Both of these projects are aimed at running
any native code, but both can be used to isolate programs like
PDF readers as well as Flash or Silverlight.

This is already long for a blog post, but I wanted to write something
significant for my first post.

Rik Farrow