Slashdot Mirror


Surveillance Backdoor Enabled Chinese Gmail Attack?

Major Blud writes "CNN is running an opinion piece on their front page from security technologist Bruce Schneier, in which he suggests that 'In order to comply with government search warrants on user data, Google created a backdoor access system into Gmail accounts. This feature is what the Chinese hackers exploited to gain access.' His article is short on sources, and the common belief is that a flaw in IE was the main attack method. Has this come up elsewhere? Schneier continues, 'Whether the eavesdroppers are the good guys or the bad guys, these systems put us all at greater risk. Communications systems that have no inherent eavesdropping capabilities are more secure than systems with those capabilities built in. And it's bad civic hygiene to build technologies that could someday be used to facilitate a police state.'"

22 of 143 comments

  1. Careful There, Schneier by eldavojohn · · Score: 4, Insightful

    His article is short on sources

    Agreed so I visited his blog and a recent post is equally scant. He points back to another blog post with a little more but really he's just pointing out the irony of a new proposed bill outlawing Google's collaboration with China in violating human rights issues. The irony being that the US has asked for similar backdoors from Google already.

    So here's my problem: More frequently Schneier acts as a reputable news source 'breaking' a story without citing the originator of the information. This is fine when it's a big paper like the New York Times but Schneier runs a blog on security. That's it. He might be a first-hand expert but if so why isn't he showing and describing his conclusive evidence that the US-mandated backdoor is how Chinese hackers gained entry? There's no doubt the software is less secure with a backdoor -- by definition -- but when he says:

    In order to comply with government search warrants on user data, Google created a backdoor access system into Gmail accounts. This feature is what the Chinese hackers exploited to gain access.

    He better be able to back it up. And he reiterates:

    China's hackers subverted the access system Google put in place to comply with U.S. intercept orders.

    I just want to caution everyone that you're reading an opinion piece by a security blogger with no corroborating evidence. And on top of that, he has zero accountability. In fact, he says none of this on his blog, he leaves it as an op-ed on CNN. Read it like a strange click-generating opinion piece and nothing more.

    I have respect for the man but this certainly shakes that. Any concrete proof of this would be welcomed. The problem is I'm not sure how one would prove it one way or the other since I believe all the source in question is closed source to begin with.

    --
    My work here is dung.
    1. Re:Careful There, Schneier by Anonymous Coward · · Score: 5, Informative

      There was the following report:
      http://www.computerworld.com/s/article/9144221/Google_attack_part_of_widespread_spying_effort

      That's because they apparently were able to access a system used to help Google comply with search warrants by providing data on Google users, said a source familiar with the situation, who spoke on condition of anonymity because he was not authorized to speak with the press. "Right before Christmas, it was, 'Holy s***, this malware is accessing the internal intercept [systems],'" he said.

      That is not a backdoor. But it did concern me that Google is actively preserving all of this information that could be used in the future for good or ill by anyone.

    2. Re:Careful There, Schneier by Anonymous Coward · · Score: 3, Interesting

      > The problem is I'm not sure how one would prove it one way or the other since I believe all the source in question is closed source to begin with.

      I can't prove it is there but I know it is.

      A year or so ago I was under consideration for a position with a defense firm looking to beef up for the coming Cyber War feeding frenzy. A half hour after I signed my life away on the clearance background checks and such they started asking questions that sounded oddly familiar. After two or three questions I realized they had read some Blogger posts (on technical issues) that I had written and saved in draft. I had never published a single thing from that Blogger account but it did have my name attached to it. I probably shouldn't have been freaked out - they were interviewing me for what was essentially a hacking position - but I was. I was so distracted for the rest of the interview that I didn't get the job. I couldn't shake the question of "What the fuck am I getting into here?"

    3. Re:Careful There, Schneier by PugPappa · · Score: 5, Insightful

      So here's my problem: More frequently Schneier acts as a reputable news source 'breaking' a story without citing the originator of the information. This is fine when it's a big paper like the New York Times but Schneier runs a blog on security. That's it.

      So what makes it ok for a "big paper like the New York Times" to publish unsubstantiated claims? We shouldn't disengage our critical thinking regardless of the source.

    4. Re:Careful There, Schneier by eldavojohn · · Score: 3, Insightful

      If the US government wants and has these, why wouldn't China? It's not that far-fetched, and it's probably better for Google to say it was some virus planted on their system rather than have news all over the internet that China has such in place too. And it could be that US operations didn't know about it, Google China is its independent operation after all, and why they're maybe pulling off.

      This supposition just raises more questions in my mind though. 1) What do you mean by "independent operation" because it's still a subsidiary of Google and I'm sure utilizes much of the exact replicated technology. 2) Why in the world would Google enforce an American law in China? 3) If Google were providing this intercept data as access to the Chinese government then why in the hell would the Chinese government break in to steal email data from human rights activists? (From the original source, they suspect it was the government because the target was 'accessing the Gmail accounts of Chinese human rights activists') Why would the government need to gain malware access to the system that's put in place for them to access?

      It just doesn't add up in so many ways. Every explanation seems to have more questions behind it. I'm almost tempted to say this was someone from Baidu or a criminal element in China or Russia that covered up all their tracks except those deliberately left to be political. But I'm getting into tin foil hat territory there.

      I think it was AT&T or Verizon that we had a /. article about recently, about how the US government used their backdoor tons of times to gather info and that it would have been impossible to handle manually. Why wouldn't Google, one of the largest US companies, have a similar system?

      All big time communications operations have to worry about this. It sucks but it's the law. The question remains, however, what is that doing in China and if they're doing it for Chinese law, why did the government need to hack their own system set up to serve them?

      --
      My work here is dung.
    5. Re:Careful There, Schneier by Anonymous Coward · · Score: 5, Interesting

      "He better be able to back it up."

      He doesn't have to. I'll explain later. In fact, reactionary posts like yours and the /. article are an inhibitor in favor of backdoors like this, instead of being patient and seeing what comes out. You are attacking the holder of the opinion, redirecting focus from the very real case of government backdoors and general population communication abuses, which has been proved, real, and pronounced (see AT&T eavesdropping and others).

      Which is a shitload worse than Schneier's mere opinion, even if unsubstantiated (which is worse than uncorroborated) on the matter.

      "I just want to caution everyone that you're reading an opinion piece by a security blogger with no corroborating evidence." ...in the story. He may have corroborating evidence, but is smart enough not to put it forward for both his sake, his source's sake, and/or as bait.

      If he had that evidence, he'd be held for obtaining classified information without a due security clearance and prosecuted.

      "I have respect for the man but this certainly shakes that. Any concrete proof of this would be welcomed. The problem is I'm not sure how one would prove it one way or the other since I believe all the source in question is closed source to begin with."

      Very true and you start in on the crux of this matter of releasing source info. However, I think you are looking at this as overly critical of Schneier, instead of looking at the whole picture. He lives in the real world, he has to live with the repercussions to his life, far more than you or I.

      If he releases the info and has a source, Schneier himself gets prosecuted or at least subpoenaed for his source, and if he refuses to reveal it, he gets locked up. His source, at the very least, can be revealed and gets pounded (and people like you won't do a thing and can't). And Schneier loses future use of his source. iow, at the very best, he can only suggest his opinion, which is what he is doing.

      If he simply airs the idea out there, knowing it's true, that's fine by me. Maybe it isn't for you, but he's been right far far more often than not so in this case, I think people should look at the bulk of his work instead of just one instance that has yet to play out fully. If he continues to do this repeatedly for other issues, then yes, I'd start to shift to your opinion of the man. But I haven't seen him abuse his reputation. iow, if this is a lapse, it's unfortunate, but Schneier is human, and I doubt it's a lapse of judgment.

      If he doesn't have a source, but has evidence, and isn't sure, he may be airing this out there without corroborating evidence (having no substantial evidence of course), to see what happens. If they go after him, then you have a telltale sign. If there are code changes, again, telltale sign. If he gets harassed or hammered by 3 letter agencies, again, telltale (and maybe this has already happened).

      If he simply just threw it out there, then, yeah, shame on him, but again, I haven't seen him do this in the past, so I'm very willing to give him the benefit of the doubt, since his contributions, sources, and info in the past have been spot on. His hands may be tied in this case or he's being careful (esp. with a new administration that still has strong ties in the agencies to the prior administration, with a pro-prosecutional bent to it to go after small fries, which Schneier would be in the grand scheme of things in the populace).

      Your opinion will likely differ on this, but as you seem well aware of his legacy, I think it's overdone to be this critical this early in the game.

    6. Re:Careful There, Schneier by Glonoinha · · Score: 4, Funny

      Hah. I don't believe anything until it's been unequivocally denied.

      --
      Glonoinha the MebiByte Slayer
    7. Re:Careful There, Schneier by DeadPixels · · Score: 3, Interesting

      He's partially right, but equally wrong.

      Computer World quotes an anonymous source "familiar with the situation" as saying:

      That's because they apparently were able to access a system used to help Google comply with search warrants by providing data on Google users, said a source familiar with the situation, who spoke on condition of anonymity because he was not authorized to speak with the press. "Right before Christmas, it was, 'Holy s***, this malware is accessing the internal intercept [systems],'" he said.

      According to that article, what Google had was an internal system that could pull limited amounts of account information to comply with law enforcement requests, not a backdoor that gave access to the account in question. Also, it appears that the malware/attack in question didn't "subvert the system" so much as it piggybacked onto a computer with access and got in that way.

      So while he's right as to the general purpose of the system, he seems to be pretty wrong as far as the scope of the 'backdoor'.
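As an added illustration (not code from this thread, from Google, or from any real intercept product), here is the kind of defender-side check that the "piggybacking" DeadPixels describes calls for: an audit over a lawful-intercept interface's request log that flags requests with no warrant or order reference, requests from principals or hosts outside the approved compliance set, and bursts of distinct accounts pulled by one principal, which is what malware riding an authorized workstation would look like. The log format, field names, host names, policy values and sample lines are all constructed assumptions.

```python
"""Audit constructed request-log lines from a hypothetical lawful-intercept
interface and flag requests that do not look like warrant-bound use.

Log format, field names, host names and policy are assumptions for this
example only; they are not Google's or any real product's."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed policy: who may query, from which workstations, and how fast.
AUTHORIZED_PRINCIPALS = {"lea-compliance-analyst-1", "lea-compliance-analyst-2"}
APPROVED_HOSTS = {"compliance-ws-01", "compliance-ws-02"}
BURST_LIMIT = 3                      # distinct accounts per principal ...
BURST_WINDOW = timedelta(minutes=5)  # ... within this window is suspicious

# Constructed sample log, one request per line:
#   <timestamp> <principal> <source host> <target account> warrant=<id or ->
# Lines 3-6 model malware on an authorized workstation (right principal,
# right host, but no warrant and a rapid sweep of accounts); line 7 models
# an unrelated service account reaching the interface.
SAMPLE_LOG = """\
2009-12-20T09:14:02Z lea-compliance-analyst-1 compliance-ws-01 user-a@example.com warrant=W-2009-118
2009-12-20T09:40:51Z lea-compliance-analyst-2 compliance-ws-02 user-b@example.com warrant=W-2009-121
2009-12-21T02:03:11Z lea-compliance-analyst-1 compliance-ws-01 activist-1@example.com warrant=-
2009-12-21T02:03:12Z lea-compliance-analyst-1 compliance-ws-01 activist-2@example.com warrant=-
2009-12-21T02:03:14Z lea-compliance-analyst-1 compliance-ws-01 activist-3@example.com warrant=-
2009-12-21T02:03:15Z lea-compliance-analyst-1 compliance-ws-01 activist-4@example.com warrant=-
2009-12-21T03:10:00Z svc-build-agent build-node-7 user-c@example.com warrant=W-2009-118
"""


def parse_line(line):
    """Split one constructed log line into a dict; warrant is None if absent."""
    ts, principal, host, target, warrant = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "principal": principal,
        "host": host,
        "target": target,
        "warrant": None if warrant == "warrant=-" else warrant.split("=", 1)[1],
    }


def audit(log_text):
    """Return a list of (line_number, reason) findings for suspicious requests."""
    findings = []
    recent = defaultdict(list)  # principal -> [(timestamp, target account)]
    for n, line in enumerate(log_text.splitlines(), 1):
        e = parse_line(line)
        if e["principal"] not in AUTHORIZED_PRINCIPALS:
            findings.append((n, "principal not authorized for intercept queries"))
        if e["host"] not in APPROVED_HOSTS:
            findings.append((n, "request from host outside approved workstations"))
        if e["warrant"] is None:
            findings.append((n, "no warrant/order reference on request"))
        # Burst rule: keep only this principal's requests inside the window,
        # then count how many distinct accounts it has touched.
        window = recent[e["principal"]]
        window.append((e["ts"], e["target"]))
        window[:] = [(t, a) for t, a in window if e["ts"] - t <= BURST_WINDOW]
        if len({a for _, a in window}) > BURST_LIMIT:
            findings.append((n, "burst of distinct accounts from one principal"))
    return findings


if __name__ == "__main__":
    for line_no, reason in audit(SAMPLE_LOG):
        print(f"line {line_no}: {reason}")
```

The first two rules are what a VPN or group membership check already enforces; the warrant and burst rules are the ones that still fire when the request comes from a legitimately enrolled workstation under someone else's control.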

  2. Missing the real issues by etymxris · · Score: 5, Informative

    The backdoor in question is likely only available on Google's internal network. If it's guarded by VPN, this is fairly secure. Of course, there are many ways to hack into a company's internal network, as the Chinese hack demonstrates. But the law enforcement interface isn't uniquely problematic in this regard. Once you're into the internal network, there are all types of things you can do.

    The real problem here is pen register taps, and its application to email. The police can get as much "traffic analysis" information as they want without a warrant. This law enforcement interface was designed to allow easy access to this information, further invading our privacy through warrantless activities.

    * All email header information other than the subject line, including the email addresses of the people to whom you send email, the email addresses of people that send to you, the time each email is sent or received, and the size of each email that is sent or received.
    * Your IP (Internet Protocol) address and the IP address of other computers on the Internet that you exchange information with, with timestamp and size information.
    * The communications ports and protocols used, which can be used to determine what types of communications you are sending using what types of applications.

    From the EFF.

  3. source by Charles Dodgeson · · Score: 3, Informative

    When I blogged about this the week before last, I was relying on an article in Computer World which talked about the intruders gaining access to "a system used to help Google comply with search warrants by providing data on Google users."

    --
    Prime numbers are exactly what Alan Greenspan says they are -S. Minsky
  4. At least Google wasn't running IE 6 by Greg Hullender · · Score: 3, Funny

    This item makes me feel better about Microsoft AND Google! :-)

    Seriously, it really does make a lot more sense. How could anyone at Google still be running IE 6?

    --Greg (Now I just need to find something to make me feel better about our government)

  5. Google's internal security vulnerabilities by lumierang · · Score: 5, Insightful

    This is congruent with another report that mentioned Google put its Google China staff on paid leave and suspended their access after the incident:

    http://www.guardian.co.uk/technology/2010/jan/18/china-google-cyber-attack

    A lot of evidence points to Google treating it as an internal security leak, and it is conducting an internal audit on all its China employees. It seems Google has very good external security but is very vulnerable from the inside. In the hacking very likely some Google China employee was found to have leaked information that facilitated the attack. And that explains Google management's fury, as it would be a moment as shocking for them as the "Cambridge Five" for the British government.

    Firstly it would mean Google can no longer count on its Chinese employees' loyalty when it clashes with their loyalty to China, so if it wants to operate in China it has to continue with a tainted staff, though that should have been expected for any corporation operating in a foreign country.

    Secondly it would mean there are serious security loopholes in Google's internal management, as it failed to implement a safety mechanism to check or limit inside attacks. If this is true, pile on the fact that Google is already facing increasing privacy scrutiny in the US and Europe, and it would be a heavy blow to Google's reputation as a whole, as it sends out the message that Google cannot be trusted with your data IN ANY COUNTRY.

    In my opinion Google failed to take care of its own fences. However, Google's genius lies in politicizing this incident, as it completely shadows the question of Google's own internal security vulnerability, as evidenced by the blanket omitting of this question in most of the news reports I have seen. It became a Good vs Evil story in the news, and you cannot criticize Good ole Google without being grouped with the Evil Chinese Communist, can you?

    1. Re:Google's internal security vulnerabilities by TwineLogic · · Score: 3, Interesting

      Another way to look at this is the Chinese government may have planted highly-trained professional spies inside Google.

      Not to group you with the Evil Chinese Communist, but where are you from? You sound overly sympathetic to the non-political interpretation of this, and it's sort of odd to blame the victim. It wouldn't be odd for the Evil Chinese Communist to excuse its own behavior and blame the victim, however. So, despite your 'disarming' final statement, I suspect exactly that -- not due to your criticism of Google, per se, but certainly due to your attempt to minimize the wrong acts of the Chinese government.

    2. Re:Google's internal security vulnerabilities by wvmarle · · Score: 3, Insightful

      With all respect to the many good Chinese, there are plenty of bad ones. Especially when it comes to money. Money gives status in China, and both are known to corrupt. China is unfortunately a very very corrupt country at the moment, and it wouldn't surprise me if those employees were simply paid off to provide such access.

      Almost every day I read in the local newspaper (in Hong Kong) about corrupt government officials being caught, and of course also corrupt businesspeople. There are always two sides to corruption. And if it is normal for the government to be paid by businesses for favours, why wouldn't government officials pay off company employees for the same?

      For companies investing in China, trust in their employees is a major issue. You invest in a factory producing photo cameras, for example. Then it is quite commonplace that soon you see exact copies of your camera appear in the shops, with the exact same specifications and quality, just a lot cheaper. And it can very well be that those copies are made in your own factory in a second shift, after they are done producing your own orders. Or that the factory manager simply set up a second factory which is a copy of your own investment.

      So there being "internal security vulnerabilities" wouldn't surprise me. At all. Whether it's really national pride, or cold hard cash, or something else I can't tell, possibly a combination of it all. But with the current state of corruption in China, well, it's at the very least highly plausible.

  6. Hmm... by antifoidulus · · Score: 3, Funny

    How come when I type "backdoor entry" into google, I don't get any sites related to this attack, just massive amounts of material on anal sex. It's a cover up I tell you!

  7. Schneier might _be_ a source for his own article. by TwineLogic · · Score: 5, Informative

    Schneier is not primarily a 'blogger,' although that may be how we most frequently encounter him. As the publisher of the renowned book "Applied Cryptography," Schneier is a recognized domain expert in the field of security.

    Therefore it is possible, even likely, that Schneier has directly received information pertinent to the attack. Someone assigned to the investigation may have phoned him up to consult his opinion, if nothing else. Given the progressive techno-legal opinion he wrote, I think it is just as possible that someone from the investigation 'leaked' information to Schneier about the use of the CALEA interface.

    By the way, for those who doubt that there is a 'backdoor' to gmail, CALEA is a law which _mandates_ a law enforcement backdoor, either through manual procedures or through a computational interface. It sounds like Google has implemented a CALEA interface, and China used an IE6 vulnerability to hack first Google, then used the CALEA interface to monitor specific accounts.

    The nice thing about using the CALEA interface is that I presume this would not give any clue to the monitored user that the account is being monitored. Logging in with the user's password, as a contrary example, updates the IP usage information displayed by gmail.

  8. Re:Think about it a second by Glonoinha · · Score: 3, Interesting

    Where does the money that the government pays the companies come from? Taxes.
    Who pays these taxes? The same people being spied on.

    So yes, the consumer is paying for the overhead so they can be spied on.

    --
    Glonoinha the MebiByte Slayer
  9. Re:Think about it a second by chill · · Score: 4, Informative

    Get out, get vocal, tell people, tell average people on the street when they hang up their phone that all that information just got logged for the government.

    That isn't quite how it works. Other than the normal billing logs, the phone companies do NOT log all the data, much less voice logs, without a specific request.

    I spent 2 years helping implement CALEA for Sprint/Nextel and was the point person for much of the integration. The simple truth is, the telecom companies don't have the storage capacity to log all the niggling details that CALEA requires for everyone. Hell, if the link between the CO and the LEO goes down, they're only required to store call data, not voice. That is all the button pushes, numbers called, etc. Voice is uploaded live and if the link is down, so is the voice collect.

    Normal billing records include the phone number, direction and duration. CALEA records include EVERYTHING -- cell tower connected to, buttons pushed, call response, number of rings, text messages, multi-party calls, etc.

    The truth is, the gov't DOESN'T log everything every time you use a phone. And no, on the cell networks I've worked on, they don't even listen for "key words" à la ECHELON unless it goes international.

    Unless, of course, you or another party on the line is a target.

    --
    Learning HOW to think is more important than learning WHAT to think.
  10. Re:Think about it a second by russotto · · Score: 4, Interesting

    That isn't quite how it works. Other than the normal billing logs, the phone companies do NOT log all the data, much less voice logs, without a specific request.

    I don't know about cell. But on land lines, they DO log everything. The switches emit raw call record data. The billing logs are produced from the call record data.

  11. Re:The People's Responsibility by 0123456 · · Score: 3, Informative

    It's the people's responsibility to push their representatives to keep these government mandates from happening in the first place, or replace those representatives with those who do what the fuck they're told by the people they represent.

    Yeah, because that works just so well.

    Companies sure as hell should be shouting when the government tries to force them to take these stupid, police-state measures: bad publicity is far more effective at eliminating bad laws than mere voting ever has been.

  12. Re:Google + ChiCom Gov by Jerry · · Score: 3, Interesting

    This episode reminds me of a Microsoft claim made seven years ago:

    http://forums.macrumors.com/archive/index.php/t-21643.html/
    March 06, 2003

    According to its own testimony at its anti-trust trial last year, Microsoft Corporation, purveyor of the omnipresent Office and Windows product lines, has betrayed the United States of America.

    Microsoft has been struggling over the past year to slow the loss of international market share to cheaper, Linux-based alternatives. To that end, it recently began sharing the source code of its Windows operating system with various foreign governments. The problem is that this initiative comes just months after Jim Allchin, Microsoft's head of Windows development, claimed under oath that releasing such code to its competitors would be a major risk to American national security.

    The disconnect between the software giant's actions and claims became even more striking last week when Microsoft announced that the second major nation to receive a tour of Windows' plumbing will be the People's Republic of China.

    China is not America's ally. China is not our friend. At best, our two nations tolerate each other. At worst, we are on a cultural collision course that could dwarf the Cold War. And now Microsoft is planning to give China information that it has claimed could seriously compromise American security. Thanks a lot, Mr. Gates.

    --
    Running with Linux for over 20 years!

  13. Re:From what I understand... by Animats · · Score: 4, Informative

    Did you ever believe there was a time when a wiretap was nearly impossible?

    It used to be far more difficult. In the electromechanical switching era, there was no built-in support for wiretaps. Somebody had to physically wire into the appropriate cable pair, either near the phone being tapped or in the central office. New York Telephone would only do that if they got a court order, and they'd then bill the law enforcement organization for a private line. When Giuliani was a prosecutor taking down the New York Mafia, there was much grumbling about the million-dollar-a-year phone bill for wiretaps. There was one embarrassing situation when the FBI didn't pay their wiretap bill on time, and the billing software billed the party being wiretapped for their "additional extension".

    It was possible to listen in on a line using the Automatic Line Insulation Test equipment, but a typical central office only had two ALIT units, and they had line testing work to do, so tying up one for wiretapping really irked telcos. Sometimes telcos would do that for the FBI, but not for local law enforcement.

    Because of this, wiretapping was rare. It was just too much work to be used lightly.

    As for call data, the original "pen register" was a physical device hooked to one line which produced dashes on a paper tape for dial pulses. The electromechanical central offices didn't store any data about local calls; only toll calls produced a billing record. Law enforcement agencies that wanted information about toll calls could only get it for the calling party, in the form of a copy of the phone bill. The data wasn't sorted by receiving party.

    Now, it's too easy. All the call data is in indexed databases, and CALEA has huge capacity for recording calls.