1. Google dropping Windows. Why?

    According to the FT, Google is dropping Windows internally. The article quotes anonymous sources at Google:

    “We’re not doing any more Windows. It is a security effort,” said one Google employee.

    “Many people have been moved away from [Windows] PCs, mostly towards Mac OS, following the China hacking attacks,” said another.

    Given that Google employs many of the smartest security people around, I wonder at this. Moving to Apple as a defence against targeted attacks is a bad idea - OS X is a softer target than Windows 7. It is a win against un-targeted attacks, since (for now) less malware is written for OS X, but un-targeted malware is not the threat being quoted.

    Against targeted attacks, OS X exposes many of the same attack vectors as Windows (Flash, PDF readers, web browsers), while Apple's continuing embrace of minimal disclosure about security threats makes the platform harder to defend. It's telling that OS X is the first to fall in the annual Pwn2Own contest.

    Moving to Linux is different. Not only would a desktop running a suitably hardened Linux be a hard target, but Google has the expertise to fix any problems they find themselves. It seems, however, that even many Googlers prefer the "it just works" appeal of OS X.

    So is it true? Who knows. It could be: Google obviously needs Windows for testing its products, but that need could be met via VMs running on either Apple or Linux hosts. Given its Linux backend and engineering culture, Google undoubtedly has many, many fewer Windows users than other companies its size. Probably not that many at all.

    I just don’t see such a big win. Maybe they take the view that the people running Windows are the least technical members of staff and so need the most help :)

    This leaves the only plausible reasons I can think of as being related to China:

    • For their staff there, mandating no Windows ensures that no dodgy pirated copies get in (as seems to happen to everyone else running IT in China), and
    • It's probably reasonable to assume that most attackers operating out of China (even state-sponsored ones) are better at Windows than at Linux/OS X. The reverse is probably true within Google, so dropping Windows shifts the odds in Google's favour.

    hm. Maybe it does make sense after all.

     
  2. Lessons from the Google hack for Universities, part I

    More details are coming out about the Google/China hacking incident. There's even talk of how resistance is futile.

    Dave Aitel from Immunity, who is one of the top guys out there on the offensive side, has been making this point for a while. Given a modern penetration toolkit (Canvas for the flush, Metasploit for the cheap), breaking into nearly any organisation is possible. Given more resources, pretty much anything softer than GCHQ/NSA is a viable target. It's just a matter of time, effort and economics: how many person-days is it worth the attacker spending on breaking in?

    For the defender, things are muddied even further by unpatched bugs, or zero-days: vulnerabilities the vendor has not yet fixed. How do you defend against an attack for which no patch, anti-virus signature or IPS rule exists? To quote Dave again:

    Everyone says an attack is “sophisticated” whenever any 0day is involved. But that should be the baseline. Or rather, it IS the baseline and everyone seems to just be finding out

    Universities can perhaps be less worried by this than most, but not for good reasons. Attackers use their resources wisely: there's no need to burn an expensively developed zero-day Internet Explorer exploit when there's an unpatched copy of WordPress running on the user webserver and no DMZ between it and the rest of the network.
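    The cheap path the paragraph above describes is only cheap while nobody on the defending side knows the unpatched WordPress is there. The following is an added example, not code from the original post: a small triage script that fingerprints the WordPress version a site advertises (stock installs leak it in the `<meta name="generator">` tag of every themed page and in `readme.html`) and flags anything older than a reference release. The hostnames, sample pages and the `CURRENT_RELEASE` value are constructed for the demo; the post names no specific version.

```python
"""Find WordPress installs on a list of web hosts and flag outdated versions.

Added example for the post above; hosts, HTML samples and CURRENT_RELEASE
are constructed, not taken from the post.
"""
import re
import urllib.request
from typing import Dict, List, Optional, Tuple

# Two places a stock WordPress install leaks its version:
#   1. <meta name="generator" content="WordPress X.Y.Z"> in every themed page
#   2. "<br /> Version X.Y.Z" inside /readme.html
_META_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s+([\d.]+)["\']',
    re.IGNORECASE,
)
_README_RE = re.compile(r"<br\s*/?>\s*Version\s+([\d.]+)", re.IGNORECASE)


def wordpress_version(html: str) -> Optional[str]:
    """Return the WordPress version a page advertises, or None if it is not WordPress."""
    for rx in (_META_RE, _README_RE):
        m = rx.search(html)
        if m:
            return m.group(1).rstrip(".")  # "3.0." -> "3.0"
    return None


def _vtuple(version: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in version.split("."))


def is_outdated(found: str, current: str) -> bool:
    """True if `found` is strictly older than `current`.

    Compare numerically, padding with zeros, so that "2.9.2" < "3.0" and
    "3.0.1" is not reported as older than "3.0" (string comparison gets both wrong).
    """
    a, b = _vtuple(found), _vtuple(current)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def triage(pages: Dict[str, str], current: str) -> List[Tuple[str, str, bool]]:
    """pages maps host -> fetched HTML. Returns (host, version, outdated) per WordPress host."""
    results = []
    for host, html in sorted(pages.items()):
        version = wordpress_version(html)
        if version is not None:
            results.append((host, version, is_outdated(version, current)))
    return results


def fetch(url: str, timeout: float = 5.0) -> str:
    """Fetch a page for real-world use; the demo below uses constructed HTML instead."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


# Constructed sample responses standing in for what fetch() would return.
SAMPLE_PAGES = {
    "www-dept.example.ac.uk":
        '<html><head><meta name="generator" content="WordPress 2.8.4" /></head></html>',
    "people.example.ac.uk/~jsmith":
        '<h1 id="logo"><img alt="WordPress" src="wp-admin/images/wordpress-logo.png" />'
        "<br /> Version 2.9.2</h1>",
    "blog.example.ac.uk":
        '<meta name="generator" content="WordPress 3.0" />',
    "static.example.ac.uk":
        "<html><body>Plain HTML site, nothing to see</body></html>",
}
CURRENT_RELEASE = "3.0"  # assumed reference version for the demo


if __name__ == "__main__":
    for host, version, outdated in triage(SAMPLE_PAGES, CURRENT_RELEASE):
        flag = "OUTDATED" if outdated else "ok"
        print(f"{host:32} WordPress {version:8} {flag}")
```

    The numeric version comparison matters more than it looks: a naive string compare would report `3.0.1` as older than `3.0` and `2.10` as older than `2.9`, which is exactly the kind of false result that lets a devolved department's server slip through. For real use, replace the sample dictionary with `{host: fetch(f"http://{host}/")}` over whatever host list the university can actually enumerate.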

    For most people and organisations this is somewhere between unpalatable and unacceptable. It's saying that even if we keep all our systems patched and make sure every PHP app anywhere on the network is secure, we'll still be 0wn3d. And the reality is that most Universities (especially the older ones) are so devolved that even getting everything patched is a Sisyphean task.

    So if a senior manager asks "What is the point of employing these InfoSec staff if we are going to be broken into anyway?", it'd be best to have a good response ready. That's something we'll return to in a future post (along with a post on the mechanics of how targeted attacks work).

     