::Trend Micro Threat Resource Center::

Showing posts with label Aurora.

26 January 2010

Hackers prey on Google workers' friends

It has been discovered that the hackers who mounted the attacks on Google, Adobe and other companies recently breached, have targeted friends of employees that had access to proprietary data.

According to the Financial Times, the plan was simple: compromise the social network accounts of those friends, send messages with links that lead to spyware and so improve the chances of the victims clicking on the malicious link.

It obviously worked flawlessly. But knowing now how they did it raises some serious points.

First, the attacks were obviously scrupulously planned. And second, the attacks included spying on people, so the likelihood of this being a government-sponsored effort has suddenly skyrocketed.

Security researchers also discovered that part of the code used in the attacks dates back to 2006, which means that attacks like these were being planned years ago.

Sobering facts, indeed.

25 January 2010

How does Aurora work?

For the technical peeps who want a better understanding of what Aurora can do, you can read the following articles:

http://www.symantec.com/connect/blogs/trojanhydraq-incident

http://www.symantec.com/connect/blogs/hydraq-vnc-connection


22 January 2010

Microsoft Hurries Out IE Patch (for Aurora)

The time-honored idea of "Patch Tuesday" has gone out the window (no pun intended, promise) in response to an Internet Explorer vulnerability Microsoft has classified as critical. A patch will be issued today, Thursday the 21st, in response to the threat, instead.

This ties in to a couple of recent news stories. Remember the Google China attack that caused the search giant to threaten leaving the country? The same attack that may have affected Adobe, Dow Chemical, Northrop Grumman, Symantec, and Yahoo? The hole Microsoft's shutting today was used in that series of hacks.

Also, like the 17-year-old Windows flaw we wrote about yesterday, the IE vulnerability has been around for quite a while; an official list of affected software names everything from Windows 7 and IE 8 to Windows 2000 and Internet Explorer 5.01.

As for some other facts, the problem relates to remote code execution, Microsoft's patch should come out around 11 AM Redmond time, and installing the patch will require a system restart.

And if you need further evidence of the importance of this development, Microsoft said in a security bulletin that it "will host a webcast to address customer questions on the out-of-band bulletin on January 21, 2010, at 1:00 PM Pacific Time . . ." (The webcast will be available for viewing afterward, too.)

IT professionals and end users might want to respond as quickly as possible, allowing for a reasonable degree of convenience; just save your work and sacrifice a couple of minutes of computer time when the patch comes out.

It's not very often that Microsoft abandons the tradition of Patch Tuesday, and it's usually in everybody's best interest to pay attention when the corporation does.

21 January 2010

7 Steps For Protecting Yourself From 'Aurora'

A Microsoft patch is imminent, but here's a checklist for locking down in the meantime.

Microsoft today confirmed it will release an out-of-band emergency patch for the previously unknown Internet Explorer vulnerability that was abused in the attack against Google and others, and amid concerns the threat could be used for more widespread attacks.

The so-called "Aurora" attack exploit on IE 6, which was unleashed in the wild late last week, has raised alarm as researchers demonstrated the exploit code can be retooled to attack IE 7 and IE 8 as well, and can bypass Data Execution Prevention (DEP). So far, just a few attacks have actually been spotted in the wild, according to Websense.

Though the exploit is just one piece of the puzzle in the attacks out of China, it's what we know for now and can at least try to mitigate, security experts say.

So with the exploit code taking on a life of its own and an IE patch on the horizon, how do you protect your computer in the meantime? Here are some steps Microsoft and other security firms recommend you can take now to help defend yourself:

1. Upgrade to IE 8 if you're an IE shop.
Despite concerns that IE 8 also could be compromised by the attack, Microsoft is still recommending the newest version of its browser as the safest.

Dino Dai Zovi, a security researcher and co-author of The Mac Hacker's Handbook, warns, however, that IE 8 on Windows XP SP3 isn't safe from this exploit, thanks to the latest research findings. "IE 8 on Windows Vista SP1 and above or Windows 7 is considerably more difficult to exploit," he says.

2. Enable DEP in IE.
DEP is automatically enabled in IE 8 on XP SP3, Vista SP1, Vista SP2, and Windows 7, but other versions of the browser require manually selecting DEP.

3. Run IE in Protected Mode on Vista and newer versions of Windows.
Microsoft says doing so limits the "impact" of an attack on the flaw.

4. Warn users about suspicious links that could be used for this attack or Websites containing online ads or user-generated content.
A user has to click on the malicious link to get infected with the malware, so remind people to be careful about links in email and instant messages, and to take care on the Web.

5. Limit user privileges.
If an attacker victimizes a user with administrative rights, then he would have the same access as that user.

6. Set Internet zone security in IE to "high."

7. Update all third-party applications with the latest versions and patches.
"Asking people to use a browser [other] than IE is not going to help one bit, unless the user also patches all other programs," says Thomas Kristensen, CSO at Secunia. "The reason is actually quite obvious -- more than 60 programs are installed on the average PC, approximately one out of five programs on the average PC are vulnerable, [and] some of these programs go unpatched for months, even years."
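The following PowerShell audit script is an added example, not part of the original post or any vendor tool: it checks a Windows host against steps 1, 2, 3, 5 and 6 of the checklist above and reports each as pass or fail. It reads the documented Internet-zone registry values (CurrentLevel, 2500) and the WMI DEP policy; the DEPOff value is assumed to be the per-browser switch behind IE 8's "Enable memory protection" option.

```powershell
# Added audit script (not from the original post). Run as the interactive user
# whose IE settings you want to check; it only reads, never changes, settings.
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'  # 3 = Internet zone
$ieMain  = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main'

function Get-RegValue($path, $name) {
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($item) { return $item.$name } else { return $null }
}

$results = @()

# Step 1: IE version ("Version" reads 8.x on IE 8)
$ieVersion = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' 'Version'
$results += New-Object PSObject -Property @{
    Check = '1. IE 8 installed'; Value = $ieVersion
    Pass  = ($ieVersion -ne $null -and [int]$ieVersion.Split('.')[0] -ge 8) }

# Step 2: DEP. WMI policy: 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn, 3 = OptOut.
# DEPOff = 1 is assumed to disable IE 8's own memory protection (absent = default on).
$os     = Get-WmiObject Win32_OperatingSystem
$depOff = Get-RegValue $ieMain 'DEPOff'
$results += New-Object PSObject -Property @{
    Check = '2. DEP active for IE'
    Value = "policy=$($os.DataExecutionPrevention_SupportPolicy) DEPOff=$depOff"
    Pass  = ($os.DataExecutionPrevention_Available -and
             $os.DataExecutionPrevention_SupportPolicy -ne 0 -and $depOff -ne 1) }

# Step 3: Protected Mode for the Internet zone (value "2500": 0 = on, 3 = off; Vista+)
$pm = Get-RegValue $zoneKey '2500'
$results += New-Object PSObject -Property @{
    Check = '3. Protected Mode'; Value = $pm; Pass = ($pm -eq 0) }

# Step 5: is the current user running with administrative rights?
$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
           ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
$results += New-Object PSObject -Property @{
    Check = '5. Non-admin user'; Value = $isAdmin; Pass = (-not $isAdmin) }

# Step 6: Internet zone level (CurrentLevel 0x12000 = High, 0x11000 = Medium)
$level = Get-RegValue $zoneKey 'CurrentLevel'
$results += New-Object PSObject -Property @{
    Check = '6. Internet zone = High'; Value = ('0x{0:X}' -f $level); Pass = ($level -ge 0x12000) }

$results | Format-Table Check, Pass, Value -AutoSize
```

Steps 4 and 7 (user awareness and third-party patching) are not registry settings and are left to awareness training and a patch-management tool.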


19 January 2010

Google China Hackers May Have Had Inside Man

Google's original announcement about an attack based in China was almost breathtaking; it was hard to imagine the tech leader, which employs thousands of brilliant people, losing so badly to hackers. But an explanation could be surfacing, as a new report indicates that some Google employees may have helped the hackers.

Reuters - which isn't in the business of spreading baseless rumors - stated this morning, "Google is investigating whether one or more employees may have helped facilitate a cyber-attack that the U.S. search giant said it was a victim of in mid-December, two sources told Reuters on Monday."

More specifically, people who actually work for Google in China are said to be under the microscope.

From a how-did-they-do-it perspective, involvement on that end of things would make a lot of sense. It could explain why Google's ready to abandon China, too, since the corporation probably isn't equipped to fight the Chinese government (which most experts believe was behind the attacks) at every turn.

Still, any inward-looking investigation may just be a matter of Google covering its bases. It's a little too early to start comparing this matter to some spy thriller just yet.

14 January 2010

Google hacked, plans to leave China

Although it does face a variety of cyber attacks on a regular basis, Google recently acknowledged the theft of intellectual property following a sophisticated attack on their infrastructure originating from China.

Investigation of the incident uncovered a more serious problem: at least twenty other large companies have been targeted as well. These are not only IT companies; they do business in a variety of sectors (finance, media, technology, etc.). U.S. authorities are working with Google and the affected companies to try to understand the depth of the attacks.

It's not a secret that the Chinese government relies heavily on censorship as a means of control. There's evidence that these people are going the extra mile in order to retain that control. Google suggests that a primary goal of the attacks was accessing the Gmail accounts of Chinese human rights activists, although the attackers apparently failed to gain access to the accounts during this attack.

Following these events, Google is reviewing the feasibility of their business operations in China and they are no longer willing to continue censoring their search results on Google.cn.
