Google has released a documentary video series on YouTube titled Hacking Google.
No, this is not a masterclass on breaching security defenses at Google, but rather an overview of how Google’s security teams protect the company against cyberattacks: the Threat Analysis Group, Project Zero and the red team.
The latter actually hacks Google, or attempts to do so, using the same techniques real attackers would. There are six episodes in all, none of which are longer than 20 minutes.
Do not chloroform the security guards
My favorite episode, because truth be told, I’m definitely a hands-on hacking guy, is #3: Hacking Google – Red Team. This 17-minute video is a great insight into how this particular security team is employed by Google to hack Google from the inside. Don’t think that these people spend their days doing vulnerability scans or performing mundane penetration tests.
No, a red team plays (almost) as the real threat actors play. The brief is quite broad: try to compromise the security of Google products and services by (almost) any means necessary. So what does "almost" mean?
Well, each organization will dictate the “scope” of such an exercise, and Google is no exception. The rules of engagement here include not breaking anything, not accessing actual customer data, not taking any systems apart, not “physically attacking” the offices of Alphabet (Google’s parent company), and, uh, chloroforming security guards is also out of the question.
However, it is normal for Google Red Team hackers to target services and devices owned and operated by Alphabet and carry out social engineering attacks on other Googlers as long as there is no intimidation, corruption or threats. This brings me to my favorite story they tell in this short but fascinating documentary: the 2012 USB Plasma Globe attack.
The Red Team in action, hacking Google Glass
This was aimed at other Googlers in an effort to see if the red team could gain access to their work computers. Like most successful social engineering schemes, the plot was simple: send employees a gift on their work anniversary. I mean, that’s the kind of thing a lot of organizations could do, right? The freebies here were little USB plasma globes. Or, more specifically, little Google-branded USB plasma globes complete with a bit of malware to install a backdoor. You have to remember that ten years ago offices were pretty much USB-powered, with employees plugging anything and everything into their desktops and laptops.
Chasing Google Glass with Plasma Globes
Apparently most Google employees were security savvy enough not to plug in the devices at work, but “two or three people” did. And it only takes one to start a potentially much bigger compromise, through lateral movement. Indeed, that’s a takeaway here, because the red team was actually tasked with accessing the computers belonging to the Google Glass team (remember that?).
None of the employees who plugged in the globe worked with Google Glass. It was, however, a successful first step in a longer kill chain. From the initial compromise, the red team gained access as a privileged user and was then able to access everything that user could in that role, including their corporate email account. Emails purporting to come from the compromised employees (and, for all intents and purposes, they did) were then sent to the real targets on the Google Glass team.
A sufficient number of targets opened the emails, allowing the hackers to gather enough data to gain access to the account of someone who had access to the Google Glass technical plans. Or, to put it another way, the red team now had access to the Google Glass technical blueprints, which they downloaded before concluding the exercise was complete.
And no security guards were harmed in the process.
Think like a hacker and solve the Hacking Google CTF challenge
If you get the chance, watch not just episode three, but all six. Even if you’re not a security buff like me, you’re probably a Google user. As such, you’re probably also interested in the security of your Google Accounts and Google data, right? This deep insight into the heart and soul of Google’s security teams should give you more, not less, confidence that this data is secure.
Plus, after watching all six videos, why not take part in the Hacking Google “capture the flag” (CTF) challenge? There are 24 puzzles that you must try to solve by thinking like a hacker, using clues left throughout the videos themselves if you can find them. Good luck!