Wednesday, April 21, 2010

Google SSO hacked?

Yesterday I read a disturbing post on one of my favorite security-blogs.
It covers a New York Times Article reporting that Google’s password system (Gaia) was compromised during a targeted attack last December (see also this post)

This zdnet-post summarizes all the posts I made about phishing, SSO and SaaS and exemplifies my argument of not taking SaaS and SSO too lightly for security reasons.
The New York Times Article said the hack started with an IM message to a Google employee in China who was using Microsoft (ahaa!) MSN Messenger:

By clicking on a link and connecting to a “poisoned” Web site, the employee inadvertently permitted the intruders to gain access to his (or her) personal computer and then to the computers of a critical group of software developers at Google’s headquarters in Mountain View, Calif. Ultimately, the intruders were able to gain control of a software repository used by the development team.

People are still wondering how the 'poisoned' web site did his 'evil' job (own quote!).
Some think it was done by using a Trojan horse and ínstall these in the global Google data centres, but this is too difficult because of detection.
Others think it was done by having access to the source code in the software repository. For hackers that's the real jackpot!

People, this was not a impulsive attack, but a 'planned' one.
Also, if you know that other companies (Adobe, Juniper) were having similar Cyberattacks, this cyberattack can't be just be seen as lucky.

Cyber-Criminals (just plain crooks if you ask me) are trying to get the intellectual property from the companies they attack and this damages the companies ,the clients and the general adoption of the cloud.
Security breaches will ever be there,we all(!) just have to be wary of them and try to diminish or eliminate the risks.

PS: One other thing, this post explains the vulnerability in Microsoft MSN Messenger and that Microsoft will deal with it

Monday, April 12, 2010

Open standards and the cloud

With every client I work for, I start to look for interesting subjects that client is involved with.
As a software testconsultant I had a lot of different clients the last six years, so you can imagine the diversity of areas I've seen.

For me one of the most interesting areas is the financial services area. Not because of the arithmetics (still not my cup of tea), but because of the innovative way these services try to adapt to the changing financial environment.
I started to see this in the beginning of internet banking and at the moment I see financial services woven into social networks like Hyves, web 2.0 as you may call it.

Very interesting for a tester, because these financial services and social networks will form an 'in silico' ecosystem (I'm still a biologist :-)), and like a living ecosystem very intricate and therefore very susceptible to errors.
To minimize this error-proneness (Open) Standards (like XBRL) were developed to make interoperability between the systems possible and to prevent also vendor-lockin.
But even standardization does not fully minimize the errors, because using standardization in design and development is still a human job, resulting in possible errors.
And what I've seen in online financial services, things can get very messy if an XML-tag of a webservice is not well tagged.

Standardization increases interoperability, but does not mean errors can't be made.