Google called me again after I posted the latest follow-up to the Google hack story. Wow, two calls from Google AR in the span of an hour! They were uncomfortable about the way I characterized the involvement of the corporate VPN in the Google attack. The official on-the-record word from Google is: “This is not accurate.” So, I should rephrase how the attack happened:
a) A Google employee’s machine that was running IE v6 was compromised via the IE vulnerability.
b) The attacker used the compromised machine to somehow gain access to Google servers (some of which housed critical information). The method of access, at some point, may have involved VPN, but Google does not agree with the characterization that “the compromised client used their corporate VPN to gain access to the servers”.
At Google’s request, I retract that particular statement.
This is what we do know factually:
1) The attack on Google servers happened.
2) Google immediately decided to do an emergency update of their entire corporate VPN infrastructure.
Could these two things be entirely unrelated? I doubt it. But Google isn’t going on the record to say that the attack came in via the VPN, and that’s their official position.
Whose VPN is Google using? Did they circumvent VPN security or just ride in on a VPN connection?
Thank you!
We don’t know for sure whether the attackers compromised the VPN or just rode in on it. But in any case, if Google were using two-factor authentication or one-time password schemes for the VPN, the attack might have been prevented.
First of all, nice reporting.
Second, interesting how Google has been happy to discuss and confirm the IE aspect of this exploit and let the media run with that, but when it comes to the series of things on their end that went wrong it’s “no comment” or “we’re not happy with that characterization”. Who cares what they’re happy with? They should either come clean about what happened and the extent of their own failures, or deal with the fact that folks like you will put 2+2 together and conclude it equals 4.
Exactly. They are quick to let the Microsoft vulnerability be known, but are reluctantly owning up to any blame on their part. There is an interesting CNN article on Google’s part in the hack. Check it out: http://bit.ly/7WcjeR