Rathores blog

      


Twitter, Facebook, Microsoft. Three major tech companies, all hacked in the past few weeks… but they’re not alone. Who is responsible? Why did they do it? We may never learn the answer to those questions, but it leads us to wonder if our dear Google is susceptible to attack. The mighty “G” has plenty of security protocols in place, but are they enough? We should all be concerned with the security of our data, so let’s find out just how much we need to concern ourselves regarding the information we store on Google’s servers.


      

Who did what to whom?

In situations like this, we are only given enough info to scare us a bit. Buzzwords like “compromised information” or “accounts hacked” are thrown about, but we rarely gain insight into the how and why. This secrecy is another measure of security, as letting us know how it was done only invites more hacking. There is, however, one singular thread running through all this fabric of recent hacking activity.

Twitter

When 250,000 user accounts are compromised, people take notice. When a company can’t reveal information to put minds at ease, people worry. Via a blog post, we learned that Twitter responded within hours, going on to say that they were not the only ones compromised by hacking. While no direct flaw was identified, Twitter seemed keen to mention Java again and again, pointing to a Department of Homeland Security warning about Java.

Facebook

Another recent target for hackers was Facebook, which came forward to acknowledge being hacked after Twitter, though their attack happened a month prior. Facebook claimed “no evidence that Facebook user data was compromised” while also pointing out that they were breached through a security vulnerability in Java. We’re starting to see a trend, here.

Microsoft

Maybe the most tight-lipped of the three, Microsoft would only say they experienced a similar hacking instance. They would go on to say that some computers were “infected by malicious software using techniques similar to those documented by similar organizations.” Microsoft also claimed that no user data was compromised. That’s three big tech companies, and one Java mess.

The others

Apple, The New York Times, The Wall Street Journal, The Washington Post. All allegedly hacked, and all allude to Java as the issue. That Department of Defense vulnerability note mentioned earlier notes the following:

By convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system. Note that applications that use the Internet Explorer web content rendering components, such as Microsoft Office or Windows Desktop Search, may also be used as an attack vector for this vulnerability.

The report goes on to point out that the security manager in Java has a flaw which allows a security exception, allowing malicious users and software. This would then allow unprivileged Java code to access restricted classes. Let’s also be clear that this security flaw affects the machine, not the entire network, perse.


      

Are we all at risk?

To determine the answer, let’s first define what “security” and “risk” are. If you have access to high-value information, you are at risk. When we hear things like a quarter million Twitter accounts have been compromised, that’s probably due to a “smash and grab” job by hackers more than the information of 250,000 people being targetted. They get everything they can before they’re locked out, which leads to a high number of “compromised” accounts. In a broader sense, we’re all at risk. If a hacker wants information, they’ll find a way to get it.
Security is a bit more difficult to define. While it’s clear that Java is an issue, it can be turned off. Does that suddenly make your machine secure? It relieves the Java threat, but that doesn’t mean you’ve suddenly become secure. Apple has disabled Java by default in their products, so we’re wise to take the Java security issues seriously. It may not be the silver bullet, but recent events suggest disabling Java is a solid option until there is a satisfying fix for that issue.


      

Is Google doing enough?

Chrome, and by virtue Chrome OS, were built from the ground up to be secure. The main focus for security is what Google likes to refer to as “sandboxing”. In a nutshell, this means all of your actions are separate actions, and carried out as such. This prevents any widespread malice, and Chrome is built to shut down and threatening action once its been identified.
Much of what we do in Chrome involves an extension, in one form or another. How is security accomplished with so many extensions flying around? From the Google Chromium Blog:

To help protect against vulnerabilities in benign-but-buggy extensions, we employ the time-tested principles of least privilege and privilege separation. Each extension declares the privileges it needs in its manifest. If the extension is later compromised, the attacker will be limited to those privileges. For example, the Gmail Checker extension declares that it wishes to interact with Gmail. If the extension is somehow compromised, the attacker will not be granted the privilege to access your bank.
 To achieve privilege separation, each extension is divided into two pieces, a background page andcontent scripts. The background page has the lion’s share of the extensions privileges but is isolated from direct contact with web pages. Content scripts can interact directly with web pages but are granted few additional privileges. Of course, the two can communicate, but dividing extensions into these components means a vulnerability in a content script does not necessarily leak all the extension’s privileges to the attacker.

To achieve privilege separation, each extension is divided into two pieces, a background page andcontent scripts. The background page has the lion’s share of the extensions privileges but is isolated from direct contact with web pages. Content scripts can interact directly with web pages but are granted few additional privileges. Of course, the two can communicate, but dividing extensions into these components means a vulnerability in a content script does not necessarily leak all the extension’s privileges to the attacker.
To better illustrate the benefits of sandboxing, here’s a video Google made:





Should we worry?


If you have sensitive information that may be of some value, yes… you should worry. If someone wants what you have so bad they’re willing to steal it, then you are at risk. Whether you have the information yourself, of the access to it, you are a security risk and a target for compromise.
Securing information is not an easy task, and there are just as many people trying to get it as there are trying to secure it. Hacks and security breaches occur constantly, and we may never even know it. A good example of that is Microsoft’s blog post regarding their security breach, which noted “Consistent with our security response practices, we chose not to make a statement during the initial information gathering process.” We can surmise from that statement that security issues happen regularly, and it’s not necessary to report each one. That also suggests that not all security concerns are these massive attacks with compromised information. This leads us to wonder about any large-scale Google security compromises. Does that mean they didn’t happen, or just weren’t discussed?


      

Conclusion

Your information is vulnerable to a hacker, but probably not via Google. Security was and is one of the core concepts of Chrome, be it browser or OS. Will that change over time? Absolutely. As something becomes more widely used, it becomes a target. While utilizing a sandboxing feature is a great move, it relies a bit on the honor system. Google trusts developers to create safe web apps and extensions, not malicious software designed to permeate the sandbox walls. So far, so good… but that tide can change quickly, so Google will have to change with it.
Services like Google+ haven’t had the issues that Twitter or Facebook have had, so Google is doing something (or many things) better than their competition. As users, we can’t control hackers. They’ll keep trying to get whatever info they’re going after, and all those bright security experts will try to stop them. All we can do is be smart about what we do and how we do it. Our job is to browse the web wisely, and download apps from reliable sources. We may not be able to stop the security issues, but we can all do our part to mitigate them.