Spoof or SPOF?

IT Security reportage veteran John Markoff reports in the New York Times that the attack on Google's intellectual property reported in January was even more interesting (and disquieting) than most of us realized. According to an unnamed source, some of the information stolen related to the company's password system, Gaia.

Gaia is a single sign-on system which allows Google users to access a range of services with a single password. In fact, it's apparently now actually known as Single Sign-On. I'm tempted to draw comparisons with Ratners and Windscale, but that would be unkind...

Markoff observes that "the intruders do not appear to have stolen passwords of Gmail users, and the company quickly started making significant changes to the security of its networks."

So I certainly wouldn't assume any connection between the alleged Chinese breach disclosed in January and recent reports of compromised Gmail accounts like those I blogged about earlier, but I wouldn't discount the possibility either. After all, many of the respondents to the thread flagged by Aleksandr Matrosov were adamant that they hadn't fallen prey to a phishing attack, and earlier reports did suggest attempts to access the accounts of Chinese human rights activists. The point of a single sign-on is to access a range of services: the problem with a single sign-on is that if it's compromised, it becomes a single point of failure (SPOF).

Of course, it's a long stretch from confidentiality attacks on Chinese dissidents to a South Korean spam server: I can't help but wonder, though, what interesting weaknesses the original attackers may have found, and how widely the information on those issues may have been disseminated subsequently.

The story has also been commented on by Cade Metz in The Register, by the way.

David Harley CISSP FBCS CITP
Research Fellow & Director of Malware Intelligence
