Tuesday, January 19, 2010

China vs. Google (et al) via MSIE...


Have we all lost our damn minds!?

Let's get a few things straight ...

  • Google and a bunch (somewhere in the 'hood of 30) of other high-priority targets appear to have been hacked by the Chinese
  • This issue is primarily based around China's commie-civil-rights issues
  • The attack (if you believe "sources") was likely an inside job (at Google, at least)
  • The attack was committed (again, believing "sources") using a 0-day exploit against IE6
  • Panic has spread with Germany and France now issuing "stay away from IE" directives

Now ... I can't tell you how many papers and e-publications from eWeek to Washington Post to international publications have gotten in on this madness but it's spreading like bird flu paranoia.  Now there's even some chatter about India being "hacked by China" too [in PCWorld, no less]... I guess everyone's getting in on this craziness.

Rik Ferguson (of TrendMicro fame) already wrote up a pretty good blog post on this titled "Google, China, Chicken Little and Cyber Armageddon" ... and I couldn't agree more with Rik.

I guess I just don't understand all the sudden panic.  We've known the Chinese were hostile to us for years now, right?  When was the last time there was any civil discourse between China and the Western world that didn't involve hostility?  Yet... we continue to sleep with the enemy.

This issue baffles me for a number of reasons...

  1. We've known the Chinese were hostile to us for many, many, many years (does anyone remember the Cold War?)
  2. We continue to economically tie ourselves deeper and deeper in debt with the Chinese
  3. Chinese "hackers" (state-sponsored or otherwise) have been at our digital doorsteps and in our Interwebs for a very long time as well... read here, here, here, here ...
  4. China's record on Civil Rights is deplorable from Tiananmen Square to the Green Dam
  5. Who still uses IE6?  And before you say many SMBs and large businesses alike, I will tell you that it is then their own damn fault ...

Yet - this is a big panic?  Maybe it's because Google finally came out and publicly said "Hey, we've been had"... maybe it's because sentiment seems to think it's an "inside job" ... or maybe it's because Google is threatening to pull out of China (I'm calling their bluff)... or maybe it's because we're all so caught up in the paranoia that we can't tell when Chicken Little has us running for our lives and donning our foil hats.

Can we take a pause for a moment?  Secure your networks.  Know and live with the fact that the Chinese (and likely many other world nations) dislike us enough to be building "cyber-armies" against us (I feel sick just writing that stupid phrase) just like we live with radical Muslim terrorists who want us dead.

As a final word on the fact that this was an inside job - so what?  No kidding!  That's the price of doing business inside a hostile nation, with their own citizens as employees.  This shocks us why?  Let's get angry at Google for failing to properly secure information on a need-to-know basis... and failing to apply a risk-based approach to security - clearly Chinese employees needed to be highly limited!

Now for the IE6 issue ... to avoid beating a dead and buried horse I will simply say that incident could be substituted for anything else non-technical in nature ... such as driving a Chevy Nova and failing to take it in for the recall notices - then freaking out when the car fails... well duh?

Get over it.  Another day, another hack ...


Anonymous said...

Well, not exactly. Yes, targeted attacks from China existed for a very long time. This is no news. BUT, most of these targeted attacks in the past, for which we provided our IR services, were aimed at activists, politicians, and other significant people, and the purpose was for intelligence gathering.

Over the past 18 months, we have witnessed the following happening to more than one commercial organization:

The Chinese hackers get their way in via targeted attacks, and then scan especially for source code--by particularly targeting various software repositories--SVN, CVS, foundation server, etc.

When they owned desktops they were also only after source codes.

They get the source codes, within a year, a company in China comes out with a similar product, or a Chinese competitor of the victim comes out with a similar feature.

Yes, commercial espionage isn't new, BUT, it used to be much more on getting their hands on the commercial products, reverse engineering, buying insiders to collect intellectual property info, etc.

Over the past 18 months, we have witnessed a direct connection between targeted hacking to get source code, to coming out with the same product or feature.

This, to us, is new.

Stiennon said...

Sure this is old news. Just like cyber criminals targeting bank accounts. But until the rest of the world catches up with your perspective there will be a need for wake-up calls. Major losses at one bank, if talked up in the MSM, might wake up a CEO or board director.
The amount of press and the reaction to the Google China story is good methinks.