Ok. There is more (or may be less) to the VPN story, Google says

Google called me again after I posted the latest follow up to the Google hack story. Wow, two calls from Google AR in the span of an hour! They were uncomfortable about the way I characterized the involvement of the corporate VPN in the Google attack. The official on-the-record word from Google is that: “This is not accurate”.  So, I should rephrase how the attack happened:

a) A Google employee’s machine that was running IE v6 was compromised via the IE vulnerability.

b) The attacker used the compromised machine to somehow gain access to Google servers (some of which housed critical information). The method of access, at some point, may have involved VPN, but Google does not agree with the characterization that “the compromised client used their corporate VPN to gain access to the servers”.

At Google’s request, I retract that particular statement.

This is what we do know factually:

1) The attack on Google server happened

2) Google immediately decided to do an emergency update of their entire corporate VPN infrastructure.

Could these two things be entirely unrelated? I doubt it. But Google isn’t going on the record to say that the attack came in via the VPN, and that’s their official position.

About Chenxi Wang

Dr. Chenxi Wang is a Principal Analyst with Forrester Research. She serves on the security and risk team, covering topics such as cloud security, application security, and content security. Previously Chenxi was Chief Scientist with KSR Inc. (now part of Neohapsis). Prior to that Chenxi was an Associate Professor at Carnegie Mellon University.
This entry was posted in Application Security, Cloud security. Bookmark the permalink.

7 Responses to Ok. There is more (or may be less) to the VPN story, Google says

  1. Pingback: Ok. There is more (or may be less) to the VPN story, Google says …

  2. Dan Gregory says:

    Whose VPN is Google using? Did they circumvent VPN security or just ride in on a VPN connection?
    Thank you!

  3. Chenxi Wang says:

    We don’t know for sure–whether the attackers compromised VPN or just rode it in. But in any case, if Google were using two-factor authentication or one-time password schemes for the VPN, the attack might have been prevented.

  4. Paul says:

    First of all, nice reporting.

    Second, interesting how Google has been happy to discuss and confirm the IE aspect of this exploit and let the media run with that, but when it comes to the series of things on their end that went wrong it’s “no comment” or “we’re not happy with that characterization”. Who cares what they’re happy with? They should either come clean about what happened and the extent of their own failures, or deal with the fact that folks like you will put 2+2 together and conclude it equals 4.

  5. Pingback: What We’re Reading, Week of 2/1 « VPN Haus

  6. Pingback: VPN is hot again (thanks google!) « VPN Haus

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s