Feb 23 2010

U.S. Pinpoints Coder Behind Google Attack

BEIJING (Reuters) – U.S. government analysts believe a Chinese man with government links wrote the key part of a spyware program used in hacker attacks on Google last year, the Financial Times reported on Monday.

The man, a security consultant in his 30s, posted sections of the program to a hacking forum where he described it as something he was “working on,” the paper said, quoting an unidentified researcher working for the U.S. government.

The spyware creator works as a freelancer and did not launch the attack, but Chinese officials had “special access” to his programming, the report said.

“If he wants to do the research he’s good at, he has to toe the line now and again,” the paper quoted the unnamed U.S. government researcher saying.

“He would rather not have uniformed guys looking over his shoulder, but there is no way anyone of his skill level can get away from that kind of thing. The state has privileged access to these researchers’ work.”

The report did not say how analysts knew about the man’s government ties.

The allegations over the spyware are the latest episode in a dispute that has pitted Google and the United States against China, with its wall of Internet controls and legions of hackers.

In January, the giant internet search engine company, Google, threatened to pull back from China and shut its Google.cn Chinese-language portal over complaints of censorship and sophisticated hacking from within China.

Washington has backed those criticisms and urged Beijing to investigate hacking complaints thoroughly and transparently. Beijing has said it opposes hacking.

The Financial Times report also quoted unnamed sources backing a New York Times report that analysts had traced the online attacks to two Chinese educational institutions, the prestigious Shanghai Jiaotong University and the Lanxiang vocational school.

The two establishments have denied the reports. And the allegation that the latter, a high-school level institute that also trains hairdressers, chefs and car mechanics, could take on one of the world’s most powerful Internet firms, has been widely mocked in Chinese cyberspace.

“How can these future cooks be such powerful hackers?” a web user from Zhejiang province said on the portal www.163.com.

The use of the school’s IP address could simply mean that hackers had taken over its computers to hide their tracks.

But Lanxiang’s website also claims to have the “biggest” computer laboratory in the world, a boast it says is confirmed by Guinness World Records.

There was less online comment about the well-respected Jiaotong University, which attracts top graduates and has a School of Information Security Engineering.

(Reporting by Emma Graham-Harrison; Editing by Alex Richardson)

Source


Jan 13 2010

Google threatens to leave China after massive cyberattacks

Google today said that a “highly sophisticated and targeted” attack against its network last month originated in China, and tried to access the Gmail accounts of Chinese human rights activists.

In a blog post Tuesday, David Drummond, Google’s chief legal officer, said that attacks have forced the company to “review the feasibility of our business operations in China.” Google, continued Drummond, is “no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all.”

The end result of those discussions, said Drummond, may be that Google shuts down its search engine and closes its offices in the People’s Republic of China.

“This is a bold and a very difficult move on [Google's] part,” said Leslie Harris, the president and CEO of the Center for Democracy & Technology (CDT), a Washington, D.C.-based civil liberties group. “But with the revelations that there have been major cyber attacks aimed at human rights activists, both in China and in the West, it’s hard to see how Google could have remained silent.”

According to Drummond, Google was one of at least 20 large companies that were targeted by massive attacks in December. In Google’s case, the attacks resulted in the theft of some company intellectual property.

More troubling, said Drummond, was that the attacks were aimed at accessing the Gmail accounts of human rights activists in China. Gmail is officially unavailable in the country, but activists and others use anonymous proxies to circumvent that rule.

“We have evidence to suggest that a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists,” said Drummond, who added that with the exception of two accounts, those attacks had been unsuccessful. The message content of those accounts was not compromised, Drummond claimed; instead, only some information, such as subject lines and the date the account was created, was accessed.

Drummond also said Google had discovered that the Gmail accounts of dozens of U.S.- and Europe-based advocates of human rights in China had been “routinely” accessed by unauthorized users.

“We have taken the unusual step of sharing information about these attacks with a broad audience not just because of the security and human rights implications of what we have unearthed, but also because this information goes to the heart of a much bigger global debate about freedom of speech,” said Drummond.

Source


Dec 15 2009

Google’s reCAPTCHA busted by new attack

A security researcher has devised a successful attack on a Google-owned system for blocking malicious scripts on web-based email services and other types of sites.

The attack, described in a paper released Saturday, uses a combination of OCR, or optical character recognition, techniques and other methods to break reCAPTCHA, a widely used security measure acquired by Google in September. Short for Completely Automated Public Turing test to tell Computers and Humans Apart, the CAPTCHA is designed to block automated scripts from carrying out certain tasks by first requiring users to solve optical puzzles that aren’t easily cracked by computers.

Jonathan Wilkins of iSEC Partners said the method had a total success rate of 17.5 percent against reCAPTCHA. The rate is significant because of the wide use of botnets by spammers and other miscreants. Even a modest-sized network of 10,000 infected machines with a success rate of 0.01 percent would yield 10 successes every second. That could translate into 864,000 new accounts every day, he said.

“Given this, the attacker doesn’t have to rebuild a complete set of solutions, just enough to get this minimal success rate,” Wilkins wrote. A Google spokesman said the data in the report was collected in early 2008 and didn’t reflect enhancements made to reCAPTCHA since then. “Therefore, this study does not reflect the effectiveness of reCAPTCHA’s current technology against machine solvers,” the spokesman wrote in an email. “We’ve found reCAPTCHA to be far more resilient while also striking a good balance with human usability, and we’ve received very positive feedback from customers.”

Source


Nov 21 2009

Google Closing GrandCentral’s Site December 31st, 2009

I just received this e-mail from Google:

Dear GrandCentral User (username):
We’re writing to let you know that we will be closing down the GrandCentral website as of December 31, 2009.

All GrandCentral accounts were upgraded to Google Voice earlier this year, but since that time, you’ve still been able to log-in to your GrandCentral account and listen to old messages there. You will no longer be able to log-in to your GrandCentral account after December 31. Because of this, we strongly suggest downloading any messages or contacts that you want to keep in the next 43 days.

We will send you another reminder before closing down the site, but we suggest you take action now to download any information you want to keep.

- The Google Voice Team


Nov 20 2009

Google Chrome OS System Hardening Recommendations

Brad Spengler noted on Twitter today:

Cool, the Chrome OS docs recommend applying grsec: http://bit.ly/26p2ac (has other hardening tips that apply to any Linux system too)

From the document:

Efforts to secure Linux environments tend to revolve around the principle of least privilege and applying exploit mitigation tactics wherever possible. While the exploit mitigation techniques are effective, they are never a perfect defense and often the specific techniques deployed vary from distribution to distribution. In addition, the principle of least privilege is excellent in a server environment and for locking down system services on desktops. However, desktop systems are meant to be general purpose. This makes it incredibly difficult to determine the least privilege needed if a program has not ever been seen on the system before (or was written since the system was installed!). The end result is that the risks from interactively executed applications are addressed only using exploit mitigations and not as comprehensively as desired.

Chromium OS has an advantage. All native programs run by the end user are known in advance since all general purpose applications are web applications. We use this knowledge to apply comprehensive access control enforcement in addition to the well-known exploit mitigation techniques. This combination allows Chromium OS to benefit from the great work securing Linux in both end-user and server environments!

Source