主题：【关注跟踪1】GOOG这事终于有点影了 -- pxpxpx

这几天云里雾里的，主要的疑问就是为什么GOOG没有在第一时间报案，以及有关攻击手段和后果的细节，今天NYTIMES的一篇文章终于揭开了大幕的一角。

两边的大头到现在都没吱声，但是肯定也都没闲着...

慢慢看吧，这事一时半会完不了。

U.S. Treads Lightly in Wake of Google’s Loud Stance on China

http://www.nytimes.com/2010/01/15/world/asia/15diplo.html?hp

SANTA CLARA, Calif. — Last month, when Google engineers at their sprawling campus in Silicon Valley began to suspect that Chinese intruders were breaking into private Gmail accounts, the company began a secret counteroffensive.

It managed to gain access to a computer in Taiwan that it suspected of being the source of the attacks. Peering inside that machine, company engineers actually saw evidence of the aftermath of the attacks, not only at Google, but also at at least 33 other companies, including Adobe Systems, Northrop Grumman and Juniper Networks, according to a government consultant who has spoken with the investigators.

Seeing the breadth of the problem, they alerted American intelligence and law enforcement officials and worked with them to assemble powerful evidence that the masterminds of the attacks were not in Taiwan, but on the Chinese mainland.

But while much of the evidence, including the sophistication of the attacks, strongly suggested an operation run by Chinese government agencies, or at least approved by them, company engineers could not definitively prove their case. Today that uncertainty, along with concerns about confronting the Chinese without strong evidence, has frozen the Obama administration’s response to the intrusion, one of the biggest cyberattacks of its kind, and to some extent the response of other targets, including some of the most prominent American companies.

President Obama, who has repeatedly warned of the country’s vulnerability to devastating cyberattacks, has said nothing in public about one of the biggest examples since he took office. And the White House, while repeating Mr. Obama’s calls for Internet freedom, has not publicly demanded a Chinese government investigation. Secretary of State Hillary Rodham Clinton, who had been the most senior U.S. official to talk of the seriousness of the breach, discussed it on Thursday with a Chinese diplomat in Washington, however, and a senior administration official said there would be a “démarche in coming days” — a diplomatic move.

On Thursday, China’s Foreign Ministry deflected questions about Google’s charges and dismissed its declaration that it would no longer “self-censor” searches conducted on google.cn, its Chinese search engine. A ministry spokeswoman said simply that online services in China must be conducted “in accordance with the law.”

In interviews in which they disclosed new details of their efforts to solve the mystery, Google engineers said they doubted that a nongovernmental actor could pull off something this broad and well organized, but they conceded that even their counterintelligence operation, taking over the Taiwan server, could not provide the kind of airtight evidence needed to prove the case.

The murkiness of the attacks is no surprise. For years the National Security Agency and other arms of the United States government have struggled with the question of “attribution” of an attack; what makes cyberwar so unlike conventional war is that it is often impossible, even in retrospect, to find where the attack began, or who was responsible.

The questions surrounding the Google attacks have companies doing business in China scrambling to confirm that they were victims. Symantec, Adobe and Juniper Networks acknowledged in interviews that they were investigating whether they had been attacked. Northrop and Yahoo, also described as subjects of the attacks, declined to comment.

Besides being unable to firmly establish the source of the attacks, Google investigators have been unable to determine the goal: to gain commercial advantage; insert spyware; break into the Gmail accounts of Chinese dissidents and American experts on China who frequently exchange e-mail messages with administration officials; or all three. In fact, at least one prominent Washington research organization with close ties to administration officials was among those hacked, according to one person familiar with the episode.

Even as the United States and companies doing business in China assess the impact, the attacks signal the arrival of a new kind of conflict between the world’s No. 1 economic superpower and the country that, by year’s end, will overtake Japan to become No. 2.

It makes the tensions of the past, over China’s territorial claims or even the collision of an American spy plane and Chinese fighter pilots nine years ago, seem as outdated as a grainy film clip of Mao reviewing the May Day parade. But it also lays bare the degree to which China and the United States are engaged in daily cyberbattles, a covert war of offense and defense on which America is already spending billions of dollars a year.

Computer experts who track the thousands of daily attacks on corporate and government computer sites report that the majority of sophisticated attacks seem to emanate from China. What they cannot say is whether the hackers are operating on behalf of the Chinese state or in a haven that the Chinese have encouraged.

The latest episode illuminates the ambiguities.

For example, the servers that carried out many of the attacks were based in Taiwan, though a Google executive said “it only took a few seconds to determine that the real origin was on the mainland.” And at Google’s headquarters in Mountain View, there is little doubt that Beijing was behind the attacks. Partly that is because while Mr. Obama was hailing a new era of cautious cooperation with China, Google was complaining of mounting confrontation, chiefly over Chinese pressure on it to make sure Chinese users could not directly link to the American-based “google.com” site, to evade much of the censorship the company had reluctantly imposed on its main Chinese portal, google.cn.

“Everything we are learning is that in this case the Chinese government got caught with its hand in the cookie jar,” said James A. Lewis, a senior fellow at the Center for Strategic and International Studies in Washington, who consulted for the White House on cybersecurity last spring. “Would it hold up in court? No. But China is the only government in the world obsessed about Tibet, and that issue goes right to the heart of their vision of political survival and putting down the separatists’ movements.”

Over the years, there have been private warnings issued to China, notably after an attack on the computer systems used by the office of the defense secretary two years ago. A senior military official said in December that that attack “raised a lot of alarm bells,” but the attacker could not be pinpointed. The administration cautioned Chinese officials that attacks seemingly aimed at the national security leadership would not be tolerated, according to one American who took part in delivering that message.

可以看出来，毫无证据。只是说，就是你，就是你，不是你也是你

就是中国政府正在向美国发动新型的网络战争。

网络攻击时刻都有，股沟的退出也就是几个小毛孩在耍耍性子而已，看看微软就知道谁是大人了。

另外，能被发现踪迹的攻击怎么能叫 Sophisticated 呢。

cry babies.

没有证据的虚弱指控和交涉还是不要出来逼我们外交上打脸，抓个正着才叫英雄。

证据都是推断出来的， 全源于有个藏独被黑了。 靠这个就扯上政府也太牵强了吧。

再不济， 咱也可以来个表态：是过时的骇客程序被误运行了一下。

大家心知肚明， 哪个国家的情报机构都不是纯洁的天使。 要是个天使， 纳税人养着情报机构干啥呀？

这种事要是就导致它要退出中国， 那全世界的公司都不要开门了。

为何这次它就要跳出来和公众高调一下呢？老百姓别太好糊弄啊。

这作者是含沙射影，还是真有什么内幕消息？

过一段时间再看吧。 不过我看多半象以前一样。大声骂完。下面呢？ 下面没有了。 慢慢玩是肯定，有影是未必。

这写这么多字，一点实在的没有。 自己写的就没胆子，全是没证据，不确定之类。"being unable to firmly establish the source of the attacks"

不要负责的引用就全成了言之凿凿的指控了。“it only took a few seconds to determine that the real origin was on the mainland.” “Everything we are learning is that in this case the Chinese government got caught with its hand in the cookie jar,” 要是有证据就摆出来，啐土共好了。 要没证据， 不诬陷人自己会死么？

最后表个态。省得时间一长，不了了之：

要真是咱娃干的，被抓着了。 只能安慰说："咱娃倒是想帮家里倒腾点东西，就是手脚笨了点， 后院练着去吧。 自己练点本事比偷艺强”

要不是咱娃干的， 倒有心让人买根棒棒糖压压惊。 就怕欺负娃的主到时候缩头不吱声了。

wired 杂志今天有一篇文章，叫

Google Hack Attack Was Ultra Sophisticated, New Details Show

http://www.wired.com/threatlevel/#ixzz0cfgCmv32

这是我目前看到的对攻击手段最具体的描写，虽然很多地方根本看不明白，但是相信在技术分析这个层面上，很快就会有文章通俗的把手段问题讲透，也许还会另外有对攻击途径的报道。

文章里提到这次攻击可能叫＂极光行动＂，看来这件事情还真不简单。

By Kim Zetter January 14, 2010 | 8:01 pm | Categories: Breaches, Cybersecurity, Hacks and Cracks

Hackers seeking source code from Google, Adobe and dozens of other high-profile companies used unprecedented tactics that combined encryption, stealth programming and an unknown hole in Internet Explorer, according to new details released by researchers at anti-virus firm McAfee.

“We have never ever, outside of the defense industry, seen commercial industrial companies come under that level of sophisticated attack,” says Dmitri Alperovitch, vice president of threat research for McAfee. “It’s totally changing the threat model.”

In the wake of Threat Level’s story disclosing that a zero-day vulnerability in Internet Explorer was exploited by the hackers to gain access to Google and other companies, Microsoft has published an advisory about the flaw that it already had in the works. McAfee has also added protection to its products to detect the malware that was used in the attacks and has now gone public with a number of new details about the hacks.

Google announced Tuesday that it had been the target of a “highly sophisticated” and coordinated hack attack against its corporate network. It said the hackers had stolen intellectual property and sought access to the Gmail accounts of human rights activists. The attack had originated from China, the company said.

Minutes later, Adobe acknowledged in a blog post that it discovered Jan. 2 that it also had been the target of a “sophisticated, coordinated attack against corporate network systems managed by Adobe and other companies.”

Neither Google nor Adobe provided details about how the hacks occurred.

The hack attacks, which are said to have targeted at least 34 companies in the technology, financial and defense sectors, have been dubbed “Operation Aurora” by McAfee due to the belief that this is the name the hackers used for their mission.

The name comes from references in the malware to the name of a file folder named “Aurora” that was on the computer of one of the attackers. McAfee researchers say when the hacker compiled the source code for the malware into an executable file, the compiler injected the name of the directory on the attacker’s machine where he worked on the source code.

According to Alperovitch, the attackers used nearly a dozen pieces of malware and several levels of encryption to burrow deeply into the bowels of company networks and obscure their activity.

“The encryption was highly successful in obfuscating the attack and avoiding common detection methods,” he said. “We haven’t seen encryption at this level. It was highly sophisticated.”

Although the initial attack occurred when company employees visited a malicious web site, Alperovitch said researchers are still trying to determine if this occurred via a URL sent to employees via e-mail or instant messaging or some other method, such as Facebook or other social networking sites.

Once the user visited the malicious site, their Internet Explorer browser was exploited to download an array of malware to their computer automatically and transparently. The programs unloaded seamlessly and silently onto the system, like Russian nesting dolls, flowing one after the other.

“The initial piece of code was shell code encrypted three times and that activated the exploit,” Alperovitch said. “Then it executed downloads from an external machine that dropped the first piece of binary on the host. That download was also encrypted. The encrypted binary packed itself into a couple of executables that were also encrypted.”

One of the malicious programs opened a remote backdoor to the computer, establishing an encrypted covert channel that masqueraded as an SSL connection to avoid detection. This allowed the attackers ongoing access to the computer and to use it as a “beachhead” into other parts of the network, Alperovitch said, to search for login credentials, intellectual property and whatever else they were seeking.

McAfee obtained copies of malware used in the attack, and “quietly” added protection to its products a number of days ago, Alperovitch said, after its researchers were first brought in by hacked companies to help investigate the breaches.

Although security firm iDefense told Threat Level on Tuesday that the Trojan used in some of the attacks was the Trojan.Hydraq, Alperovitch says the malware he examined was not previously known by any anti-virus vendors.

iDefense also said that a vulnerability in Adobe’s Reader and Acrobat applications was used to gain access to some of the 34 breached companies. The hackers sent e-mail to targets that carried malicious PDF attachments.

Alperovitch said that none of the companies he examined were breached with a malicious PDF but he said there were likely many methods used to attack the various companies, not just the IE vulnerability.

Once the hackers were in systems, they siphoned off data to command-and-control servers in Illinois, Texas and Taiwan. Alperovitch wouldn’t identify the systems in the U.S. that were involved in the attack, though reports indicate that Rackspace, a hosting firm in Texas, was used by the hackers. Rackspace disclosed on its blog this week that it inadvertently played “a very small part” in the hack.

The company wrote that “a server at Rackspace was compromised, disabled, and we actively assisted in the investigation of the cyber attack, fully cooperating with all affected parties.”

Alperovitch wouldn’t say what the attackers might have found once they were on company networks, other than to indicate that the high-value targets that were hit “were places of important intellectual property.”

iDefense, however, told Threat Level that the attackers were targeting source code repositories of many of the companies and succeeded in reaching their target in many cases.

Alperovitch says the attacks appeared to have begun Dec. 15, but may have started earlier. They appear to have ceased on Jan. 4, when command-and-control servers that were being used to communicate with the malware and siphon data shut down.

“We don’t know if the attackers shut them down, or if some other organizations were able to shut them down,” he said. “But the attacks stopped from that point.”

Google announced on Tuesday that it discovered in mid-December that it had been breached. Adobe disclosed that it discovered its breach on Jan. 2.

Aperovitch says the attack was well-timed to occur during the holiday season when company operation centers and response teams would be thinly staffed.

The sophistication of the attack was remarkable and was something that researchers have seen before in attacks on the defense industry, but never in the commercial sector. Generally, Alperovitch said, in attacks on commercial entities, the focus is on obtaining financial data, and the attackers typically use common methods for breaching the network, such as SQL-injection attacks through a company’s web site or through unsecured wireless networks.

“Cyber criminals are good . . . but they cut corners. They don’t spend a lot of time tweaking things and making sure that every aspect of the attack is obfuscated,” he said.

Alperovitch said that McAfee has more information about the hacks that it’s not prepared to disclose at present but hopes to be able to discuss them in the future. Their primary goal, he said, was to get as much information public now to allow people to protect themselves.

He said the company has been working with law enforcement and has been talking with “all levels of the government” about the issue, particularly in the executive branch. He couldn’t say whether there were plans by Congress to hold hearings on the matter.

Read More http://www.wired.com/threatlevel/#ixzz0cfhtJNrg

看完不知道该气还是该笑。 这描述地不是很普通的钓鱼，养肉鸡的进攻方式嘛？这也叫"Ultra Sophisticated"? 连主动攻击都算不上。如果中招者有普通的安全意识和使用行为，这攻击者不得等一辈子？

当然也可能我水平太低看不懂。可看看文章后面的评论觉得好像没什么人被震住。 倒是骂中招者愚蠢的多。好的攻击手段，会让黑客高潮的。 短短的时间内，一段短小的测试代码就会传播开来。这代码一般会包含攻击的所有特征，却更精炼，更直接。

事实上我一直在想，怎样的攻击手段才可以让人能判断是政府行为而不是黑客行为？

特别难的，特别精巧的？ 这轮不上，网上高明的攻击案例很多都来自个人。

最后想到稍靠谱一点的是：

手段上， 个人攻击强调技巧、和普通网络资源的聚集，而不是强力资源的使用。

攻击结果上，个人攻击会有明显的后续求财行为，或强烈的当场留迹炫耀行为。

要知道internet 无国界，从一开始泄出的信息来看，我都看不出来和中国有任何特别联系。 要指名道姓的说某某政府做了什么攻击,这提供证据的难度可还真不小。

流言里最可以用来隐射土共政府主导攻击的还是 “Google上海员工被掺沙子，从内部攻击” 就这个，离证据还远着呢。

现实里政府偷嘴被抓住。往往是因为笨和组织行为官僚了，导致有政府身份的人被拿住。 而不是"从技术上看，就这政府有这技术..." blah blah.

今天（Jan 21）,美国国务卿希拉里就网络自由这个问题做了一个长篇的讲话，路透社对讲话进行了一个概括，下面就是路透社总结的七个要点：

INTERNET FREEDOM GOOD FOR BUSINESS

CHINA SHOULD OPENLY INVESTIGATE CYBER ATTACKS ON GOOGLE

NO COMPANY SHOULD ACCEPT CENSORSHIP

TECHNOLOGY A MIXED BLESSING

CHINA, OTHERS FAULTED FOR INTERNET CENSORSHIP

FIGHTING ILLS NO EXCUSE FOR REPRESSION

SAUDI ARABIA, VIETNAM, CHINA RAPPED ON RELIGIOUS FREEDOM

美国国务院的网站上已经把讲话的全文以及答记者问登了出来，全文连接如下：

Remarks on Internet Freedom

值得注意的是，希拉里已经表示要将推动网络自由作为今后美国外交政策的第一要务。

另据美国务院透露，尽管希拉里在讲话中要求中方对GOOG受攻击事件进行公开调查，但美方至今尚未就此事向中方提出正式的抗议。

在同一天的早些时候，中国外交部副部长何亚非就GOOG事件表态，这也是至今中方最高级别的官员对此事发表意见，具体内容如下：

新华网北京1月21日电(记者 廖雷)外交部副部长何亚非21日表示,中国政府欢迎外国互联网企业来华发展,但其应遵守中国法律法规,各界不应过度解读“谷歌事件”。

何亚非在接受记者采访时表示,谷歌等外国企业在中国遇到问题,应通过中国法律进行解决,中国政府也愿意帮助它们解决有关问题。“谷歌事件”不应与两国政府和两国关系挂钩,否则就是过度解读。

关于网络监管问题,何亚非表示,网络监管事关国家安全,许多国家都有相应监管措施,中国也不例外。如果外国企业对此有不同看法,也应该通过法律途径加以解决。

---------------------------------------------------

看来，无论是对内还是对外，至少是希拉里的手上是又多了一张牌。这牌要用多久，就看好处到底有多大了。

当然，从前到后，GOOG也没有吃亏，甚至可能还会因此受益，尤其是在海外市场和中国企业竞争的时候（如果中国同类企业真的有那个雄心的话）。而且听何亚非的口气，GOOG甚至在国内也还有机会。

而从GOOG与希拉里到目前的互动上来看，很难说是＂狗摇尾＂还是＂尾摇狗＂，也许二者都有吧。

总之还需要继续观察。

从GOOG事件在今年一月爆发以来，其中国国内广告代理商就一直保持沉默。直到今天，CCTV的一篇独家报道披露了这２７家代理商给刘允的一封信，他们的声音才最终被大众所听到。

从信里不难看出他们的焦虑，失望，甚至是愤怒。

若干年后，当人们再次回顾这个事件的时候，这封信也许会被看成是一个转折点。

下面是信的全文

－－－－－－－－－－－－－－－－－－－－－－－－－－－－

谷歌遭代理商逼宫 致刘允邮件独家曝光

CCTV.com 2010年03月16日 10:57

近日，有关谷歌退出中国的消息再度成为了网民关注的焦点。今天早间的媒体消息，谷歌在华广告客户已接到通知，谷歌可能在月底将关闭，google.cn广告会变更到google.com，一些剩余业务将被转移到中国香港继续服务。此前，谷歌管理层称已99.9%确定将退出中国互联网搜索引擎市场。

　　对于谷歌是否退出中国市场，广大的网友都在关注，而对于谷歌的代理商们来说等待消息可以说是个煎熬。昨日晚间，谷歌某代理商给主管大中华区销售的谷歌全球副总裁刘允博士发了一封邮件，文中表达了谷歌在中国有27家代理商目前最迫切的愿望：给代理商合理的解决方案。以下是代理商发给刘允博士的邮件全文：

　　尊敬的刘允博士：

　　自从今年1月13日Google首席法务官在Google官方博客上宣布了Google有可能退出中国以来，各方传言不断。两个多月以来，即使在中国人传统佳节-----春节期间，我们每天都忐忑不安、焦虑万分。我们看着层出不穷的各种相关新闻，却无法预测未来；看着业务量直线下滑，却无能为力；看着员工一个个离去，却无法劝留。我们从Google得到的回答，以及我们所能做的事，就是两个字-----等待，在无比痛苦和不安的状态下等待。

　　直到今天，我们再也无法等待下去了，无法再等了！

　　因为我们面对与我们紧密合作的数以万计的客户，我们需要给他们最坏结果下的解决方案；我们面对与我们披星戴月、奋战多年的同事和伙伴，我们需要给他们最坏结果下的安置和补偿方案；我们面对投资给我们、却总是没有回报的投资人，我们需要给他们最坏结果下的回报和补偿方案。

　　我们理解Google有自己的价值观，但我们不能理解的是，直至今天，Google与我们之间没有任何沟通和关于未来解决方案的谈判，尤其这牵涉到我们数以万计客户、员工、投资人的利益。

此时此刻，如果Google告诉我们这是商业行为，我们的客户、员工、投资人都应该自己承担商业风险，我们以及客户、员工、投资人，所有人将绝对不能接受！

　　我们要求Google立即与我们的代表进行沟通，并给予未来退出中国情况下对我们的客户、员工、投资人的解决方案，必须解决包括以下几点的所有问题。

　　1、 我们在中国有数万的用户，他们都是采用预存款的方式获得Google的广告服务。如果Google将关闭google.cn并退出中国，那么所有这些客户已经存入Google账户的款项，Google公司会在多长时间之内，自行或经由代理商退还给客户？

　　2、 Google在中国有27家代理商，我们的发展时间都在2到3年，时间不长。过去的几年，我们在Google的要求下，不断增加人员，不断扩大规模，不断进行业务投入。目前，全国上下已经积累数以万计的Google代理商员工，这些员工大多数只专注于Google业务。Google如果退出中国，那么，所有的相关员工如何补偿？如果这数以万计的员工对中国的经济政治社会造成任何不稳定，Google应当承担全部责任。

　　3、 全国的27家Google代理商，目前对于Google的业务都尚处于投入期，还未得到合理的回报。Google如果退出中国，那么，我们大多将面临破产、倒闭，之前在Google的要求下，投入了巨大的资金和无比的艰辛，Google如何对于代理商进行补偿？

　　由于您是Google全球副总裁，负责Google中国所有业务事宜，所以，我们特意写这封邮件给您，请您尽快给予我们回复。同时，请告知您准备接待我们进行沟通、谈判的时间和地点，我们将派代表前往。

　　受这一事件的影响，我们几乎没有业绩，我们每一天都在亏损，我们需要您给予最快速的回复，以及谈判。

　　请理解，我们无法等待更多时间，我们需要维护我们应有的利益，我们需要负责任的Google认真看待我们过去几年付出的血汗，尊重我们的客户、员工和投资人，对我们有一个合理的交代、合理的解决方案。否则，我们只能代表数以万计的客户、员工和投资人，寻求中国政府相关部门、媒体的进一步帮助。

　　谢谢。

Google全国代理商：

品众互动广告（北京）有限公司

北京紫博蓝科技发展有限公司

天津互联在线广告传媒有限公司

石家庄正日商务网络有限公司

青岛爱搜广告有限公司

济南搜索在线广告有限公司

郑州易赛诺科技有限公司

西安为华网络有限公司

上海火速网络科技有限公司

上海天擎信息技术有限公司

苏州寰宇网络传媒有限公司

杭州网通互联科技有限公司

杭州国盛互联广告有限公司

常州中网世纪信息技术有限公司

扬州市鼎捷科技有限公司

温州市中资富投科技有限公司

南京网赢网络传媒有限公司

宁波虎翼网络科技有限公司

厦门亿资网络服务有限公司

深圳时代赢客网络有限公司

深圳天拓资讯科技有限公司

广东天拓资讯科技有限公司

成都盘古网络有限公司

重庆智佳信息科技有限公司

武汉龙腾时代网络技术有限公司

中企动力科技集团股份有限公司

厦门中资源网络服务有限公司

this article basically is a joke. No any solid evidences at all.

而且从一个正常的common sense, 中国政府或者国安用这么低级的方法从台湾的服务器搞入侵，是和可笑的事情。如果真有入侵发生，最大的可能也就是一般黑客或者竞争对手，一个政府完全会有更有效的方法。

当时GOOGLE事件刚出来，我曾经回帖

GOOGLE使了一招六伤拳

抛开政治层面来讲，伤害最大的一个是它的广告客户和合作伙伴，一个是它的员工。

从这两点来看，它在中国的生意算是到头了。而那些流失的员工将成为崛起中的中国互联网事业的中坚力量。