Much has been written about last week’s attack on Google, Yahoo, and more than 30 other companies.
Google’s stark reaction to the attack has put the company at the forefront of this news story. At stake is one of the world’s largest Internet markets, as well as the already tenuous relationship between US and China - it is no wonder this attack is drawing the attention of headlines worldwide.
Why isn’t this an attack on cloud computing?
First of all, the mechanics of the attack, though not entirely clear, have nothing to do with cloud computing. What we do know is the following: A Microsoft browser vulnerability was exploited, some employees’ desktops were compromised, and the attacker used the compromised desktops via Google’s VPN to get to some of the servers. As a result, Google apparently issued an emergency refresh of the entire corporate VPN infrastructure last week, which lasted more than 24 hours, leading to more than a little bump in the road of employee productivity.
So, let’s look at the facts here. Exploiting browser vulnerabilities is a familiar attack method, one that has nothing to do with cloud computing. Compromising desktops and using VPN to further compromise servers is again nothing new. What is at the root of the problem here is a vulnerability from everybody’s “favorite” software company (more about this vulnerability to come later today), not the fact that the target of the attack is a prolific cloud computing company.
However, some of my clients (and many others) were asking why they would want Google to host their applications/data if Google is a bigger attack target than themselves. This is indeed an interesting question, one that is worth exploring. This question is particularly interesting when you consider that the attack in question involved exploiting vulnerabilities in IE 6. Why would Google employees still be running IE 6, an outdated browser? Clearly Google’s corporate IT isn’t doing a good job. But the fact that the attacker used VPN to further its attack suggested that the initial victim machine may not be a corporate managed machine. However, we do not know for sure. In any case, Google is at fault here for not managing its risks adequately. And being one of the biggest cloud computing companies, they should know better.
I will be uploading another entry on the specifics of the Microsoft vulnerability after 10:00 a.m. PST today. Stay tuned. In the meantime, let me know what you think of the attack and its implications.
Posted by Chenxi Wang, Ph.D.
This entry has been cross-posted to Chenxi's blog