So, just how did Google get hacked?

UPDATE: The vector for the attack on Google has since been confirmed as a previously unpatched vulnerability in Internet Explorer, not Adobe's software.

Earlier this week the internet was rocked by a blog post from Google revealing that it had been the victim of a targeted attack originating from China, and that it was planning to express its outrage by no longer censoring the Chinese version of its search engine.

Google said that it and at least 20 other large companies had been on the receiving end of the "highly sophisticated and targeted attack", which resulted in the theft of intellectual property and in attempts to access the Gmail accounts of Chinese human rights activists.

Although targeted attacks are nothing new, it is very unusual for a corporation to be so upfront about an attack, and to pinpoint the blame in a clear direction.

Google, however, must be feeling fairly confident about its facts to so clearly imply that the Chinese state may have been responsible for the hacking attempt.

But how did the hack happen, and how can other companies and individuals protect themselves from similar attacks in the future?

Not the only attack

A clue might lie in a near-simultaneous announcement from Adobe, which said that it too had suffered a "computer security incident involving a sophisticated, coordinated attack against [its] corporate network systems."

Although there has been speculation in the media that other well-known companies such as Yahoo, Northrop Grumman and Symantec were also targeted by the hackers, Adobe is the only company other than Google to have confirmed an incident so far.

Adobe's involvement is interesting, because vulnerabilities in its ubiquitous Flash plug-in and Adobe Reader (which handles PDF files) have tarred the company with the nickname "the new Microsoft".

Adobe's Flash and PDF software is frequently targeted by hackers because so many of the world's computers are running it. As a result, users have been facing a running battle to keep up to date with Adobe security patches, to ensure that they are not exposing themselves to infection through exploitable bugs.

To its credit, Microsoft has become better and better in recent years at automatically informing users about available security patches - highlighting the weaknesses of Adobe's approach even more.

Moving from Microsoft

So, where hackers used to exploit vulnerabilities in Internet Explorer and Microsoft Outlook they now - more and more - take advantage of weaknesses in Adobe's software to infect computers.

I wouldn't be surprised at all if it was determined that many, if not all, of the security incidents at the 20+ companies involved a targeted zero-day attack which was delivered in the form of a booby-trapped PDF file to a user inside the organisation.

If an innocent user opened the PDF file on his or her corporate computer, believing it perhaps to have come from a colleague, then hackers could have easily gained control over the PC.
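A booby-trapped PDF of the kind described above needs some hook to run code when the file is opened, and those hooks leave recognisable names in the file. The following first-pass triage scanner is an added example for this post, not Sophos's code or anything from the original article: it counts the PDF name tokens that usually matter (`/JavaScript`, `/JS`, `/OpenAction`, `/AA`, `/Launch`, `/EmbeddedFile`, `/RichMedia`), after undoing the `#xx` hex escapes that droppers use to dodge naive string matching, and it warns when compressed object streams or encryption mean a clean result cannot be trusted. The two PDF samples are constructed for the example (the "malicious" one merely pops an alert) and the list of names is an analyst heuristic, not an exhaustive specification.

```python
import re
from typing import Dict, List

# PDF name tokens that give a document the ability to do something when it is
# opened. None is malicious by itself; together they are the hooks a
# booby-trapped PDF needs, and /JavaScript is exactly what disabling
# JavaScript in Adobe Reader switches off. Heuristic list, not exhaustive.
SUSPICIOUS_NAMES = {
    "/JavaScript": "embedded JavaScript",
    "/JS": "JavaScript code or stream",
    "/OpenAction": "action that fires as soon as the document is opened",
    "/AA": "additional actions bound to page or form events",
    "/Launch": "launch action (can start an external program)",
    "/EmbeddedFile": "embedded file (a common payload carrier)",
    "/RichMedia": "embedded Flash content",
}

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalise_names(data: bytes) -> bytes:
    """Undo the #xx escaping PDF allows inside names, e.g. /J#61vaScript -> /JavaScript.

    Malware authors use these escapes precisely to slip past scanners that
    grep for the literal string /JavaScript."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def find_suspicious_names(data: bytes) -> Dict[str, int]:
    """Count each suspicious name, matching whole tokens only (so /JS does not
    fire on an unrelated name such as /JSFoo)."""
    norm = normalise_names(data)
    counts: Dict[str, int] = {}
    for name in SUSPICIOUS_NAMES:
        # A PDF name ends at whitespace or at a delimiter character.
        pattern = re.escape(name.encode()) + rb"(?=[\s()<>\[\]{}/%]|$)"
        hits = len(re.findall(pattern, norm))
        if hits:
            counts[name] = hits
    return counts


def triage(data: bytes) -> dict:
    """Classify a PDF as a first-pass triage, with the caveats an analyst needs."""
    findings = find_suspicious_names(data)
    norm = normalise_names(data)
    notes: List[str] = []
    if b"/ObjStm" in norm:
        notes.append("object streams present: names may be hidden in compressed "
                     "objects, so inflate them before trusting a clean result")
    if b"/Encrypt" in norm:
        notes.append("document is encrypted: strings and streams are not visible "
                     "to a plain byte scan")
    runs_code = any(n in findings for n in ("/JavaScript", "/JS", "/Launch"))
    auto_trigger = any(n in findings for n in ("/OpenAction", "/AA"))
    if runs_code and auto_trigger:
        verdict = "auto-executing active content"
    elif findings:
        verdict = "active content present"
    else:
        verdict = "no active-content markers found"
    return {"verdict": verdict, "findings": findings, "notes": notes}


# Constructed sample: a minimal PDF whose OpenAction runs JavaScript, with the
# /JavaScript name hex-escaped the way real droppers do. Not a real exploit.
SAMPLE_MALICIOUS = rb"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R >>
endobj
4 0 obj
<< /Type /Action /S /J#61vaScript /JS (app.alert\(1\)) >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

# Constructed sample: the same skeleton with no actions at all.
SAMPLE_BENIGN = rb"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, sample in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        result = triage(sample)
        print(label, "->", result["verdict"], result["findings"])
        for note in result["notes"]:
            print("  note:", note)
```

Two design points matter in practice. Matching is done on whole name tokens after un-escaping, because `/J#61vaScript` is the same name as `/JavaScript` to Reader but not to a plain `grep`. And a scan that finds nothing proves nothing when the document uses object streams or encryption, which is why `triage` reports those as notes rather than silently returning "clean"; for such files, inflate the streams with a proper PDF parser before drawing any conclusion.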

Hackers have used this tactic time and time again. For instance, an investigation into the GhostNet cyber-espionage network last year alleged that Chinese hackers had spied on almost 1,300 computers in 103 countries, including foreign ministries, embassies, and organisations such as the Tibetan government-in-exile and the private office of the Dalai Lama.

It could happen to you

Oh, and if you think this is just a problem for human rights activists and the government of Tibet, think again. Any computer could find itself on the sharp end of a targeted attack exploiting a vulnerability in Adobe Reader or the Flash plug-in.

Earlier this week Adobe issued fixes for multiple vulnerabilities in Reader and Acrobat, one of which has been actively exploited by hackers since late last year - giving them a large window of opportunity to seize control of even more PCs and steal more sensitive data.

My bet is that Google will have applied that critical Adobe patch across its computers, so don't you think you should, too?

In summary, the best way to protect your data is to ensure that you have up-to-date anti-virus and firewall security in place, and are running a fully-patched version of Adobe's software. But in addition to using up-to-date security software, users may well be interested in workarounds that reduce the attack surface while the patch is rolled out, and that still help against the next zero-day. These include:

1. Disable JavaScript support. In Adobe Reader, go to Edit > Preferences > JavaScript and untick "Enable Acrobat JavaScript". The attack code in booby-trapped PDFs is usually JavaScript, so this removes the most common trigger; the few legitimate forms that need scripting will prompt you to re-enable it.

2. Prevent Internet Explorer from automatically displaying PDFs. This can be done via a Registry tweak described in the US-CERT notification, so that a PDF linked from a web page is downloaded rather than opened on sight.

3. Disable rendering of PDFs within webpages. In Adobe Reader, go to Edit > Preferences > Internet and untick "Display PDF in browser". This stops a malicious page from opening a PDF inside the browser without you ever choosing to open it.

Practice safe computing and you can do your bit to ensure that it's not your company which is the next to be making the headlines after being hacked.


Graham Cluley is senior technology consultant at Sophos, and has been working in the computer security field since the early 1990s. When he's not updating his award-winning blog on the Sophos website you can find him on Twitter at @gcluley.