Forgot your password?
typodupeerror
Google Security Technology

Google Warning Gmail Users About State-Sponsored Attacks 69

Posted by Soulskill
from the state-of-distributed-denial dept.
Trailrunner7 writes "Google, whose users have been frequent targets of suspected attacks by foreign governments, is deploying a new warning system for users who may be victims of those kinds of attacks. The new system is in addition to existing warnings that Google will show Gmail users when their accounts may have been accessed by attackers. Gmail users have been on the receiving end of a number of known attacks, including the infamous Google Aurora attack that has been blamed on China. Part of that operation was aimed at a specific subset of Gmail users, including Chinese dissidents and journalists. Now, Google says it will warn users about exactly that kind of activity."
This discussion has been archived. No new comments can be posted.

Google Warning Gmail Users About State-Sponsored Attacks

Comments Filter:
  • by madbavarian (1316065) on Tuesday June 05, 2012 @06:17PM (#40226111)

    Google's security people aren't thinking straight. They believe there is state sponsored hacking and they then recommend their silly phone pin nonsense ("two factor authentication")? Did they think that the phone channel was secure? They don't believe someone could watch them send the PIN over a text message? If they really cared about security they'd ween people off of passwords and only use computer generated RSA/DSA keys. I believe that browsers already allow client certificates for setting up https connections. Using computer generated and invoked keys would solve the phishing and guessing attacks. The keys would have a high enough search space that guessing would be impossible. The connections would be authenticated in a way that wouldn't expose the private key itself, so phishing wouldn't work. 1) the google server key would be checked in a secure crypto manner and a MITM attack wouldn't be possible. 2) the user's key would be checked in they standard public key crypto manner also, which wouldn't expose the private key in the process of authentication. Crap, I know practically nothing about crypto and can punch holes in Googles stuff. They don't think the equivalent of some evil country's NSA could do much better?ï

    • by Anonymous Coward

      Not just text messages, they support hardware tokens too. http://yubico.com/totp

      I've been lolling a lot over the past few years that people would trust their phones more than their computers.

      • I thank Google for their concern of users' right

        But I wonder, what if the US Government decides to hack into Gmail accounts that they believe belong to members of "terrorist groups"?

        Would GMail allow that?

        • by ark1 (873448)

          I thank Google for their concern of users' right

          But I wonder, what if the US Government decides to hack into Gmail accounts that they believe belong to members of "terrorist groups"?

          Would GMail allow that?

          US Govt has likely the keys to any gmail account. No need for hacking.

    • Re: (Score:3, Informative)

      by Anonymous Coward

      First, there is an Android/iPhone/BlackBerry authenticator app (software one-time pad) that you can and should use instead of SMS-sent confirmation code if you don't have a dumbphone.

      Second, if you cannot use such an app: obviously SMS represents in no way a secure channel, but it still adds another unsecure channel a potential attacker has to identify then crack (although wiretapping SMS is peanut butter for NSA and friends, linking phone number to Google account might not always be trivial when using prep

      • by anared (2599669)
        What about other OS's?
        • To which "other OS's" do you refer? Maybe AC answered your question after all. I can't believe that anyone who is worthy of the "Geek" title would be using a WINDOWS PHONE! At best, a Windows phone would be a neat toy to play with. When you get tired of it, hand it off to unsuspecting fool who doesn't understand, need, or want any security.

          • by anared (2599669)
            MeeGo is better than any of those. But your attitude tells everything about you :D
      • by swillden (191260)

        First, there is an Android/iPhone/BlackBerry authenticator app (software one-time pad) that you can and should use instead of SMS-sent confirmation code if you don't have a dumbphone.

        Second, if you cannot use such an app: obviously SMS represents in no way a secure channel, but it still adds another unsecure channel a potential attacker has to identify then crack (although wiretapping SMS is peanut butter for NSA and friends, linking phone number to Google account might not always be trivial when using prepaid cards for example).

        Another option is to pre-generate a list of codes, print them out and cross them off as you use them. When you get low, log in and generate and print another set.

    • by Catskul (323619) on Tuesday June 05, 2012 @06:32PM (#40226271) Homepage

      I think the text message is not supposed to be 100% secure, but another obstacle to put in the way of attackers. It's an 80% solution.

      • by Anonymous Coward

        With Google's 2 factor authentication you can either opt for them to call you with a code or send you a txt, along with making that cookie be a one time sign-on or expire in 30 days.

    • Armchair experts (Score:5, Insightful)

      by Namarrgon (105036) on Tuesday June 05, 2012 @06:38PM (#40226355) Homepage

      I know practically nothing about crypto

      That should be a sign right there that they've likely thought this through more than you have. What makes you think the entirety of their security policy is accurately conveyed in TFA?

      PINs through texts are not bulletproof, but they do add security. So do the other methods Google offers, like locally-generated tokens. Certificates are hardly bulletproof either, as Microsoft recently found out. And most methods will fail if you've got a state-sponsored infection like Flame on your system...

    • by utkonos (2104836) on Tuesday June 05, 2012 @06:44PM (#40226415)
      Using computer generated RSA/DSA keys is actually a bit less secure than the best option, SRP. I'm not clear on why the Secure Remote Password protocol [wikipedia.org] is not deployed more widely.

      Another point is that you can use Google authenticator rather than the SMS garbage. This is much more secure and uses HMAC-Based One-Time Password Algorithm (RFC 4226) [ietf.org] and Time-Based One-Time Password Algorithm (RFC 6238) [ietf.org]. It even has a PAM module that you can use with just about anything that supports PAM, and it has iOS, Android, and Blackberry versions of the client app.
    • Adding a phone based PIN via text to the authentication of Google accounts increases the complexity of an attack against the users authentication. It is not perfect but phone intercepts vs keyloggers are two very different levels of attack.
    • by DragonWriter (970822) on Tuesday June 05, 2012 @07:09PM (#40226683)

      Google's security people aren't thinking straight. They believe there is state sponsored hacking and they then recommend their silly phone pin nonsense ("two factor authentication")? Did they think that the phone channel was secure? They don't believe someone could watch them send the PIN over a text message? If they really cared about security they'd ween people off of passwords and only use computer generated RSA/DSA keys.

      Username and password with the authentication code is more secure than without it, though using the SMS or voice-channel option (which isn't the preferred two-factor mechanism) is a greater risk against an attacker with your password than the preferred two-factor method (which uses an app which generates computer-generated keys instead of sending them two you over a telecommunication network.)

      Using computer generated and invoked keys would solve the phishing and guessing attacks.

      It would be a single-factor authentication method subject to compromise of the device with the key-generating software. In practice, it would be less secure than using Google's existing two-factor authentication system using the preferred (mobile app) mechanism, which involves both device generating a limited-time authentication code and a regular password, so that compromise of either the password or the device doesn't compromise the account.

    • by Dan541 (1032000) on Tuesday June 05, 2012 @08:23PM (#40227429) Homepage

      Crap, I know practically nothing about crypto and can punch holes in Googles stuff. ;

      Thanks for the pointer. We would never have guessed.

    • by DrXym (126579)
      Google offers an app for various devices that provides 2 factor authentication. You get challenged during login with a number and you type the response that shows up on the app. Use that. There is nothing to say the phone, tablet or emulator you run it from even has to be attached to the internet or an active phone number. If you were super paranoid you'd buy some shitty android phone solely to run the app. Or launch an emulator from an encrypted volume. Or use it in conjunction with other measures such as
  • ...encrypting your email?
  • by Anonymous Coward on Tuesday June 05, 2012 @06:30PM (#40226253)

    One of two things are true:

    1) Google never ever receives any requests for information from the NSA;

    2) What Google actually means is that it will warn Gmail users about state-sponsored "attacks" from countries the US isn't on perfect terms with.

    It's one thing to have corporations battling with government for control. It's quite another when one information-gathering corporation has become so big that it's playing its own overt part in the propaganda war.

    • by Anonymous Coward
      If the NSA makes a request and Google compiles then it's not really an attack and the NSA can just use whatever access/API Google gives. Google doesn't need your credentials.
    • by mapkinase (958129)

      >What Google actually means is that it will warn Gmail users about state-sponsored "attacks" from countries the US isn't on perfect terms with

      Bingo.

  • This article shows Israeli security at the airport *demanding* incoming [ahram.org.eg] US passengers to open their Gmail accounts for perusal. Can imagine UK or US govt Nazi agencies pulling this sh|t sooner than later.
    • by St.Creed (853824)

      I can imagine them doing it this year. Employers are already demanding access to your facebook page, so this will probably be next. Time to create two new accounts for both.

      "This account is empty"
      "Yeah, I use POP to pull the messages out to my own account and set everything to remove it from the server. I like a clean mailaccount".

      "This facebook photo doesn't look like you, and you have no friends"
      "Yeah, it's so sad... After my disfiguring disease everyone left me" :)

      • by nurb432 (527695)

        "Sorry dear employer, i have neither, and if i did you wouldn't be getting the passwords anyway". Then flip them the bird as i walk.

    • by Psyborgue (699890)
      So? Don't want that level of security? Don't fly El Al. They may offend your delicate sensibilities but you can hardly argue with results. Personally I'd prefer their proven methods to our security theatre.
  • by Eightbitgnosis (1571875) on Tuesday June 05, 2012 @06:42PM (#40226391) Homepage
    Somehow I don't think I'd be getting a notification in this situation
  • by raque (457836) <{moc.cam} {ta} {llawmij}> on Tuesday June 05, 2012 @07:49PM (#40227085)

    We can argue the details of security from now to doomsday. It's a good thing that Google is doing this. Except it's of limited value. As has been pointed out in reference to the Flame attack, State sponsored hacking is very hard to detect. Google might be able to detect some, but how many? And when does Google encounter a conflict of interest? What happens then, and will we know? This is one reason I like the existence of things like Bing and Yahoo Axis, I get to spread things around. No, it's not a cure all and I'm aware that I still can be tracked, but I am raising the price (effort, etc) needed to get things on me.

    We're back to the price of Freedom is Eternal Vigilance. Some things don't change in the digital world. Politics didn't, Sex did. Go figure.

    This comment will not be saved until you click the Submit button below.

    • by iamacat (583406)

      OUR state sponsored hacking is very hard to detect. If you lock people up just for sending tweets, don't expect them to be great hackers.

      • by raque (457836)

        I would tend to think the opposite. If you have a reason to hide things, then you will find how to hide them. This is why repressive countries have significant organized crime issues (AFAIK).

  • Microsoft has been hob knobbing with China the past couple years. Bing is huge in China. Google is no more (in China). Now Windows phone is taking off like wildfire there. Google is talking about pulling Android out of China. Google has been cutting it's own throat. Microsoft stock is still cheap... way cheap. http://windowsphonethoughts.com/news/show/165736/a-sign-of-improving-times-for-windows-phone.html [windowsphonethoughts.com]
  • I think Google should notify me if they suspect any type of attack ,not just state sponsored ones.

It's time to boot, do your boot ROMs know where your disk controllers are?

Working...