This Is Google's Nightmare Scenario

A Virginia research firm, NetWitness, has uncovered the digital tracks of a cyberattack called "Kneber" that, over the past 18 months, has systematically compromised close to 2,500 companies and government agencies and at least 75,000 computers around the world, The Wall Street Journal reported this week.

Hackers in Europe and China executed the attack, which, according to the Journal's reporting, has exposed secret documents and sensitive personal information, including credit card transactions. Merck & Co. (NYSE: MRK  ) , Cardinal Health (NYSE: CAH  ) , Juniper Networks (Nasdaq: JNPR  ) , and Viacom's (NYSE: VIA  ) Paramount Pictures were among the victims.

We don't know whether Kneber found its way past Google's (Nasdaq: GOOG  ) defenses, but it's precisely this sort of cyberattack that represents the nightmare scenario for The Big G.

Google isn't like any other cloud computing vendor. Only one password is required to access a Google account and a wide range of services -- from mail, to documents, to messaging, to calendaring, and so on. Breach the main gate, the theory goes, and you've access a treasure trove of secret data.

A lesson from Twitter
This domino effect helped a French hacker break into Twitter's Google Apps account months ago, stealing documents that revealed its plans to build a $100-million-a-year business.

If IT managers are paranoid about committing to cloud computing, Twitter's security snafu is at least part of the reason why. And that affects Google, as does the hysteria over this latest breach.

It's a big problem: The Big G doesn't say much about how it handles security. So, rumors swirl about the company is cooperating with the National Security Agency in the wake of a successful attack on its Chinese site. A recent round of meaningless glad-handing with members of the U.S. Senate has done nothing to answer remaining questions.

I've no doubt Google is serious about security. I just want to know how serious. As a customer and investor, I need to know the size of the risk I'm facing.

Should Google say more about how it handles security? Make your voice heard using the comments box below.

Google is a Motley Fool Rule Breakers recommendation. Try any of our Foolish newsletter services free for 30 days.

Fool contributor Tim Beyers is a member of the Rule Breakers stock-picking team. He owned shares of Google at the time of publication. Check out Tim's portfolio holdings and Foolish writings, or connect with him on Twitter as @milehighfool. The Motley Fool is also on Twitter as @TheMotleyFool. The Fool's disclosure policy is master and commander of the final line of this story. Stand fast!


Read/Post Comments (6) | Recommend This Article (6)

Comments from our Foolish Readers

Help us keep this a respectfully Foolish area! This is a place for our readers to discuss, debate, and learn more about the Foolish investing topic you read about above. Help us keep it clean and safe. If you believe a comment is abusive or otherwise violates our Fool's Rules, please report it via the Report this Comment Report this Comment icon found on every comment.

  • Report this Comment On February 19, 2010, at 2:36 PM, hwarrier wrote:

    In hindsight, people can always comment on security. It is not clear whether a different system would have prevented the attack or even the single-sign-on is in fact the problem. Two levels of passwords (or having different passwords for different systems) is not going to improve security. It just gives the illusion of security. Moreover, keep in mind that people who went with different authentication systems did it because they were incapable to designing a unified one.

  • Report this Comment On February 19, 2010, at 6:07 PM, viconquest wrote:

    Agreed, a single sign on element encompassing all those Google services is technologically tricky to execute. More authentication just means potentially more vulnerable areas and a needlessly convoluted cloud computing structure.

  • Report this Comment On February 19, 2010, at 11:59 PM, simonhs wrote:

    In response to the question "Should Google say more about how it handles security?"... I think not. They can only make vague statements as to their security measures because if they are too specific, well it would kind of defeat the purpose. That would be like credit card makers putting the designs to chip and pin technology up on their web site. Although I agree it would be nice to know how Google protects itself, the less we know, the less the hackers know (ideally). We're just going to have to trust that the biggest internet company out there is devoting a major part of it's resources to protecting itself from hackers. Although this will always be a potential risk for Google and its investors.

  • Report this Comment On February 20, 2010, at 5:16 PM, PSU69 wrote:

    Disclosure - I own GOOG. Certainly, we can snipe about all the potential negative outcomes. Easy to do. Like hitting a girl. Easy, dumb, and what does it really save about the hitter? With the billions of Euros and Dollars involved in security and in breaching same, the never ending battle will rage on and on and on. Kinda like global warming cocktail party discussions. The glacier I skied on in 1972 is GONE! OK. So what. DC, VA, NJ all have record snow levels. Hummmmm. I luv GOOG and their domination in web media. Huge cash cow and now we see more Droid and Nexus and what next? There are so many interesting GOOG elements that will feed EBITDA. I keep buying GOOG. I luv their free speech move in China. GOOG has that rare combo of balls and juice and intellect. Hackers will always be lurking. So what?

  • Report this Comment On February 21, 2010, at 9:04 PM, 98analysis wrote:

    Another timeless quote: "What goes up must come down".

  • Report this Comment On February 23, 2010, at 8:37 AM, gt1135 wrote:

    I've worked in network security for years and giving out details about how one secures their network is about the dumbest thing that a person/company could do. Once somebody knows how your network is defended, it is much easier to attack.

    Take Iraq for example. If the US military knew exactly where every insurgent was, and knew what their battle plan was, it would be extremely easy to round them all up with minimal casualties to civilians as well as our own soldiers. Unfortunately we don't have that information so the war has lasted years, our soldiers still die from IED's, and we haven't captured our killed all of the insurgents leaders.

    The same analogy could be made to a football game. If an offense knows exactly which defensive scheme will be used every play, it is easier to devise an offensive play to beat that defensive scheme. Would you want the coach of your favorite football team to hold a press conference before a big game to tell the opposing team what the defensive strategy was going to be? Would you want the pitcher on your favorite baseball team to tell the opposing hitters what pitch he was going to throw? I can guarantee you that a slider is much easier to hit if you know that it is coming.

    If Google DOES (which they won't) tell us how their network is being secured, thats when I'd be worried.

Add your comment.

DocumentId: 1116638, ~/Articles/ArticleHandler.aspx, 4/20/2014 10:39:24 AM

Report This Comment

Use this area to report a comment that you believe is in violation of the community guidelines. Our team will review the entry and take any appropriate action.

Sending report...


Advertisement