I applaud Google for coming forward and letting the world know about how they were attacked and what the attackers were after. Secrecy only helps the offense. Most of the time we only hear about attacks when there is public evidence such as a defaced web page, screen shots sourced from the attacker, or there is a prosecution. Since the vast majority of attackers are quiet and not prosecuted the public admission of attacks is a great public service which will help organizations understand their own risk. Other organization similar in size and sophistication to Google are clearly at risk from similar attackers and attacks.

This widespread attack on US high tech companies signals that 2010 is the year organizations will wake up that there are sophisticated attackers after their intellectual property such as source code and hardware designs. All the same attacks used to steal CC#’s and online passwords for financial theft are being targeted at intellectual property.

Attackers are well organized and have command & control in place so that the discovery of a zero day vulnerability can be used to maximum advantage by rapidly hitting a large number of high value targets.

The only solution to running software with latent vulnerabilities is to stop running software with latent vulnerabilities. Anti-virus and IDS won’t help when it is a zero day vulnerability where there is no pattern to match. Software acceptance needs to include evidence that rigorous security testing was performed.

It is time for organizations to take a hard look at the set of client software they allow on their employees workstations and determine how trustworthy that software is. In most organizations these client systems have unbounded risk and are receiving data from the untrusted internet. If this doesn’t change, attacks similar to what happened to Google are going to effect every organization with something of value.

Veracode Security Solutions

Veracode Security Threat Guides

Written by: Chris Wysopal