Google To Give Security Keys To 'High Risk' Users Targeted by Government Hackers (techcrunch.com)
Google has said it will provide 10,000 "high-risk" users with free hardware security keys, days after the company warned thousands of Gmail users that they were targeted by state-sponsored hackers. From a report: The warning, sent by Google's Threat Analysis Group (TAG), alerted more than 14,000 Gmail users that they had been targeted in a state-sponsored phishing campaign from APT28, also known as Fancy Bear, said to be made up of operatives of Russia's GRU intelligence agency. Fancy Bear has been active for more than a decade but it's widely known for hacking into the Democratic National Committee and its disinformation and election influencing campaign in the run-up to the 2016 U.S. presidential election. "These warnings indicate targeting not compromise. If we are warning you there's a very high chance we blocked," Google's TAG director Shane Huntley wrote in a Twitter thread on Thursday. "The increased numbers this month come from a small number of widely targeted campaigns which were blocked."
Re: (Score:2, Insightful)
You were doing okay until you tried to turn this into an extension of Hillary Clinton conspiracy theories...one might even think that if the DNC was "trying to cover up" for Hillary, they would have been more invested in cybersecurity, not less.
Could it be perhaps 1) for any number of reasons, DNC folks clicked on phishing links more readily 2) their cybersecurity/filters weren't as well set up for any number of reasons, or 3) as the article you linked pointed out "the cyber intruders were much less aggress
Re: (Score:2)
All actual evidence points to a Whistleblower copying the emails on the LAN to USB.
I can't recall off the top of my head who said it (either Assange, or some other involved party) that the data was delivered to Wikileaks via a retired US diplomat.
Were there any employees who would have had access to the LAN, and died around the time the leaks were revealed? Or would we just sweep coincidences under the carpet if they don't fit the Russia Hacked conspiracy theory that is laughable to any half competent IT gu
Re: (Score:3)
Yeah, you're right...Seth Rich was clearly murdered by Hillary. My bad.
I suppose we could look at how every government agency and credible news outlet discredited that theory...but...PSST...we all know they were in on it. When all the facts contradict you, it only proves the conspiracy is even BIGGER.
Re: (Score:2, Informative)
Yeah, repeating the old lies.
1. Crowdstrike were forced to admit that they had zero evidence that Russia had exfiltrated any data - or source of the supposed hacks.
2. New Knowledge was the company that hired the Russian PR firms, in order to use that activity as PROOF to sell their social media monitoring product to the Feds.
3. Hillary's emails were transferred at speeds indicative of an external USB drive, exceeding the bandwidth of the internet connection the email server was on.
But hey - what better way
Security theater or false flag operation? (Score:2)
Obviously this will not prevent the NSA from having access, given that Google is forced to obey them and their NSLs.
And it might even be deliberate, to get basically a MITM hardware device straight to the most interesting targets.
TL;DR: If you are "high-risk", trusting Google, of all choices, is a bit silly.
Re: (Score:3)
It is not MITM hardware, it is just a Titan security key.
A challenge-response device that signs a few bytes of data to confirm that the one who just tries to log in has the key in his possession. It doesn't do any kind of network processing.
The NSA could send a hacking device mimicking a standard USB device, that's the kind of thing they do, but I would expect them to get more "personal" and not implicate Google and have them tell the whole world about the operation.
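The challenge-response exchange described in the comment above, as an added example that is not part of the original thread and is not Google's code: a simplified Node.js model in which the key signs a server-issued challenge together with the site origin, which goes slightly beyond the comment to show why a replayed or look-alike-site response fails. The message layout, function names and example origins are assumptions for illustration, not the real WebAuthn/CTAP formats.

```javascript
// Simplified model of a FIDO-style challenge-response login (hypothetical names and layout).
const { generateKeyPairSync, randomBytes, createHash, sign, verify } = require('node:crypto');

// The "security key": holds a private key that never leaves the device.
function makeSecurityKey() {
  const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    publicKey, // handed to the server once, at registration
    // Signs SHA-256(origin) || challenge; the origin is the site the key is used on.
    respond(origin, challenge) {
      const originHash = createHash('sha256').update(origin).digest();
      return sign('sha256', Buffer.concat([originHash, challenge]), privateKey);
    },
  };
}

// The server: stores only the public key and the challenges it has issued.
function makeServer(origin, publicKey) {
  const pending = new Set();
  return {
    newChallenge() {
      const c = randomBytes(32);
      pending.add(c.toString('hex'));
      return c;
    },
    verifyLogin(challenge, signature) {
      // Each challenge is single-use, so a captured response cannot be replayed.
      if (!pending.delete(challenge.toString('hex'))) return false;
      const originHash = createHash('sha256').update(origin).digest();
      return verify('sha256', Buffer.concat([originHash, challenge]), publicKey, signature);
    },
  };
}

// Runs three constructed cases and returns the server's verdict for each.
function demo() {
  const key = makeSecurityKey();
  const server = makeServer('https://accounts.example.com', key.publicKey);
  const c1 = server.newChallenge();
  const sig1 = key.respond('https://accounts.example.com', c1);
  const genuine = server.verifyLogin(c1, sig1);
  const replayed = server.verifyLogin(c1, sig1); // same response sent a second time
  const c2 = server.newChallenge();
  // Key used on a look-alike origin (constructed): the signed origin hash differs.
  const sig2 = key.respond('https://accounts.example.com.login.test', c2);
  const phished = server.verifyLogin(c2, sig2);
  return { genuine, replayed, phished };
}
console.log(demo());
```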
Re: (Score:2)
Indeed.
Any entity that can be NSL'd into putting a backdoor or *cough* vulnerability *cough* via legal means cannot be trusted simply because the authorities using NSLs to do such things cannot be trusted.
I suppose that's good, but... (Score:2, Interesting)
I suppose that it's a good thing, and socially/politically responsible for Google to just push these folks to improve their security measures. On the other hand, I'm pretty sure these folks could buy their own Yubikeys (or whatever) for ~$50 and is it really Google's responsibility to protect these people if they are incapable of doing it themselves?
I just imagine them sending Donald Trump, Jr or Andrew Cuomo a 2FA key and them just being like "This is crap. I'm too smart for hackers!" and throwing it in th
Re: (Score:3)
It's probably cheaper for Google just to give these people security keys than to keep repelling attacks on their accounts that rely on them not having 2FA enabled, or on their phones not being compromised.
Re: (Score:2)
Seeing messaging was compromised for a half dozen years or so, phone-based 2FA doesn't really have a good reputation for security right now.
Re: (Score:2)
I don't mean SMS, I mean Google's app-based 2FA where a message appears on your phone that requires you to unlock it and confirm the login.
Re: (Score:3)
is it really Google's responsibility to protect these people if they are incapable of doing it themselves?
Google doesn't want to see headlines and news stories about some high profile user's Gmail getting "hacked" because they used no or weak 2FA, so they have a vested interest in seeing that doesn't happen. Google sells their Titan FIDO keys starting at $30. Even if they are selling them at zero margin, that's only $300,000 for some preemptive PR.
Who's really footing the bill for this hardware? (Score:3)
Re: (Score:2)
Why would the US pay for these?
So they could attach a GPS tracker and listening devices into them?
Into a FIDO key, that will spend 99.99% of its time unpowered? To get GPS tracking and audio from people who are almost assuredly also carrying a smartphone? Congrats, that's the dumbest fucking thing I've read on /. today.