Gmail security warnings for suspected state-sponsored attacks - alecbenzer
http://googleonlinesecurity.blogspot.com/2012/06/security-warnings-for-suspected-state.html
======
sneak
Too bad they are legally prohibited from doing this when the state-sponsored
attack is a PATRIOT NSL from the US government.

<http://en.wikipedia.org/wiki/National_security_letter>

China reading your mail: Big red flag.

USA reading your mail: Business as usual.

~~~
haberman
> USA reading your mail: Business as usual.

According to the first paragraph of the article you linked:

"NSLs can only request non-content information, such as transactional records,
phone numbers dialed or email addresses mailed to and from."

According to the sample NSL from the article you linked:

"We are not directing that you provide, and you should not provide,
information pursuant to this letter that would disclose the content of any
electronic communication. [...] Subject lines of emails and message content
are content information and should not be provided pursuant to this letter."

So NSL is not the USA "reading your email."

I'm not defending the NSL, but I am opposed to misinformation, as well as the
frequent attempts to paint the USA as being just as bad as China.

~~~
sneak
> NSLs can only request non-content information

NSLs can't legally request ANYTHING. They are UNCONSTITUTIONAL. The government
has NO AUTHORITY to issue them. The fact that they are presently limiting
themselves to illegal request x instead of illegal request y is not relevant.

Let's skip the abuses of the FBI et al and talk about the government as a
whole for a minute.

Are you aware that the NSA monitors _all_ traffic at major exchanges in the
US?

[http://en.wikipedia.org/wiki/NSA_warrantless_surveillance_co...](http://en.wikipedia.org/wiki/NSA_warrantless_surveillance_controversy)

The USA reads your mail and messages at several different steps along the way.

See also: recent changes in Skype to allow for wiretapping at the request of
the US government.

~~~
tptacek
'haberman's comment includes actual information. Can we not punish people for
posting information? I doubt very much that 'haberman approves of NSLs,
especially since he said as much.

Moreover, your comment may actually be incorrect; a good chunk of all the mail
Gmail handles is never on the wire in a format that can be decrypted with any
known attack without access to Google's (often pinned) secret keys. The NSA's
ability to snarf it off the wire, stipulated, does not connote their ability
to read it.

~~~
chives
From a wired article:
[http://www.wired.com/threatlevel/2012/03/ff_nsadatacenter/al...](http://www.wired.com/threatlevel/2012/03/ff_nsadatacenter/all/1)

"Before yottabytes of data from the deep web and elsewhere can begin piling up
inside the servers of the NSA’s new center, they must be collected. To better
accomplish that, the agency has undergone the largest building boom in its
history, including installing secret electronic monitoring rooms in major US
telecom facilities. Controlled by the NSA, these highly secured spaces are
where the agency taps into the US communications networks, a practice that
came to light during the Bush years but was never acknowledged by the agency.
The broad outlines of the so-called warrantless-wiretapping program have long
been exposed—how the NSA secretly and illegally bypassed the Foreign
Intelligence Surveillance Court, which was supposed to oversee and authorize
highly targeted domestic eavesdropping; how the program allowed wholesale
monitoring of millions of American phone calls and email. In the wake of the
program’s exposure, Congress passed the FISA Amendments Act of 2008, which
largely made the practices legal. Telecoms that had agreed to participate in
the illegal activity were granted immunity from prosecution and lawsuits. What
wasn’t revealed until now, however, was the enormity of this ongoing domestic
spying program."

It's a recent article outlining what's ahead (and presently implemented) for
the NSA. Given what is already known, the U.S. Govt already has access to your
e-mail, and they have the capabilities to decrypt it should your e-mail become
high priority.

I'm sorry, but the sky is falling.

~~~
harshreality
NSA ability to sniff traffic at major telecom exchanges is real. NSA ability
to break $cipher or $hash based on the hearsay journalism involving an
interview of (ex-)NSA employees (who would certainly be barred from talking
about any real non-public attacks) is not real [1]. It's possible the NSA is
setting up real systems that will brute force or factor or find collisions for
known borderline algorithms/keysizes. Maybe they have a collection of old DES-
encrypted traffic and they are building enough computing resources to do
large-scale cracking of DES keys.

The idea that they can create collisions for hashes or crack ciphers believed
to be relatively secure in the near to mid future is paranoid speculation.

However, if you're going to be paranoid, direct your attention to RSA and DH
(plain, not ECDH). In Suite B, which the NSA recommends for use by government,
RSA and DH are absent. If the NSA knows of a weakness in anything currently
believed to be secure (I think that's unlikely), I would bet that it's RSA and
DH, because the NSA no longer recommends them. I think RSA and DH are
superseded by ECDSA/ECDH simply because of speed at comparable key strengths,
not because the NSA knows something the public doesn't. As an aside, it
indicates that the NSA has a fair amount of confidence in ECDSA/ECDH.

I do not think the NSA is stupid enough to play chicken with the public crypto
community by recommending encrypting classified information with ciphers NSA
knows to be weak. The public could discover those weaknesses tomorrow. The
most sensitive information inside the U.S. government and military is
presumably protected by the NSA's Suite A algorithms, but other important
information is not, notably military communications between U.S. allies, for
which Suite B is recommended.

[1]
[https://www.schneier.com/blog/archives/2012/03/can_the_nsa_b...](https://www.schneier.com/blog/archives/2012/03/can_the_nsa_bre.html)

~~~
taliesinb
I heard a story somewhere that public key cryptography was known to the NSA
long before the 70s. Maybe they are 30 years ahead in cryptographic number
theory? Maybe prime factorization isn't actually hard? Maybe...

~~~
taejo
What was essentially RSA was known to Britain's GCHQ (Government
Communications Headquarters) in 1973. Is this what you were thinking of?
Rivest, Shamir and Adleman rediscovered it in 1977.

------
jonknee
Google has stepped it up against China. First warning users about search terms
that trigger the Great Firewall and now this. Very interesting.

(Of course China wouldn't be the only one, but they have a history of hacking
into people's Google accounts and I have to imagine are a major motivator in
this feature.)

~~~
Achshar
Another one that comes to mind is probably the author of Flame and Stuxnet?

------
ph0rque
I wonder if google will be just as open if the state sponsoring the attack was
US.

~~~
jonknee
The US doesn't need to attack, they can just use their legal backdoor.

~~~
grandalf
Wouldn't that count as an attack vector?

~~~
jonknee
Not as far as Google is concerned; you can't do anything to secure your
account when the "attack" is utilizing Google's built-in snooping feature.

------
3pt14159
They should have included the words "if at all possible, format your computer
and reinstall a new operating system with latest updates _immediately_."

If someone has a keylogger on your computer it is game over anyways. (Since
they can "read" the mail you send just by recording the keystrokes)

~~~
cmelbye
I think this warning is referring to MITM hijacking attacks and things along
those lines, not key loggers.

------
markerdmann
Live from the scene: my partner just found that she wasn't able to log in to
her Gmail account because her password was suddenly invalid. Luckily she was
able to reset it quickly and regain control of the account. When she checked
the recent activity, though, it showed that all logins in the past 12 hours
came from her IP.

~~~
utlanning
Sounds like a setup to a thriller movie, but the relevance to the article is
lost on me. Am I just missing something?

~~~
markerdmann
Her account was affected this morning by the attack reported in the article.

~~~
utlanning
So she saw the alert described in the article? You didn't really mention that.

------
dguido
People that have received this warning so far:

* @gesa, Obama campaign web developer says an infosec staff member got one: <https://twitter.com/gesa/status/210184075149979649>

* @dandrezner, international relations professor: <https://twitter.com/dandrezner/status/210103984881549312>

* @TomLasseter, Beijing Bureau Chief for McClatchy Newspapers: <https://twitter.com/tomlasseter/status/210210259019640835>

* @JeffreyCarr, CEO of Taia Global and author of Inside Cyber Warfare: <https://twitter.com/jeffreycarr/status/210227611912257537>

* @snowfl0w, malware analyst for Contagio Dump: <https://twitter.com/snowfl0w/status/210207958376779776>

* @w7voa, Voice of America Bureau Chief covering Korea and Japan: <https://twitter.com/w7voa/status/210194791479250946>

* @marcambinder, national security reporter for The Atlantic and GQ: <https://twitter.com/marcambinder/status/210184141180911617>

* @DDysart, web developer?: <https://twitter.com/DDysart/status/210183540535590912>

This is not looking good... some people on this list have gone and installed
Google 2FA after realizing their computer might be compromised. Enabling two-
factor auth WILL NOT resolve this issue if your computer has been compromised.
If you get this warning, you need to bring your computer to someone with real
security expertise and have it checked out. Strongly consider cleanly
reinstalling your OS, then enable two-factor authentication.

EDIT: Here's the message that Google is giving to people that have been
affected:
[http://support.google.com/mail/bin/answer.py?hl=en&ctx=m...](http://support.google.com/mail/bin/answer.py?hl=en&ctx=mail&answer=2591015)

It looks like they're detecting exploit code sitting in people's accounts,
mostly in the form of PDF and Office docs and inside RARs. This might explain
why snowfl0w is on the list, since he handles a lot of this stuff daily and
some of it likely goes through his e-mail (on purpose). It's unclear if this
means that your account was successfully compromised. It's more likely that it
means someone is _attempting_ to get into your account.

------
eroei2012
Since New York Times recently reported that Stuxnet is a US State Sponsored
Cyber virus - which if you recall was accidentally released into the wild and
affected and attacked innocent end-user machines as collateral damage, and
with the ongoing US-Israeli state sponsored cyber warfare weapons of mass
destruction (operation Olympic Games) including the more recent releases of
Duqu and Flame virus.... can Google clarify if through its detailed analysis
as well as victim reports if Google will apply the same exacting standards and
warn end-users (both in the US and abroad, example: Iranian users) of these
domestic (US) state sponsored attacks as well? Even if Google was to choose to
go the higher route, wouldn't this kind of undermining and subterfuge (however
unintentional) really go unnoticed by its host nation? Or are exceptions of
convenience made in these cases due to the close ties that Google has with the
US intelligence agencies and the confirmed but secret and classified
collaboration that Google has with the CIA and NSA in regards to GMail and
Google Accounts? No doubt there is a clear conflict of interest going on here.
To me this smells more like Google catering to State Sponsored Propaganda than
really caring about the security and privacy of their end-users.

------
dfc
Why the emphasis on state sponsored attacks? (I am aware of
stuxnet/flame/sanger's book) If google knows I am being targeted by a non-
state actor are they choosing not to notify me? Are we going back to a cold
war mentality where the only credible attacks are state sponsored?

~~~
twoodfin
Presumably if it's a serious attack by a non-state actor, Google's lawyers are
on the job in the relevant state(s) getting police involved, for whatever
that's worth.

In the state actor case, there's little or nothing they can do to make it stop
happening, hence the special warning.

It's also a high-profile jab at the unnamed state actors, which is nice.

~~~
dfc
So it's not worth letting me know I am 0wned because google's lawyers are on
the case?

~~~
trotsky
I assure you that the grandparent is misinformed; the chance of google's
lawyers and/or the police being involved if some individual is sending you
targeted malware (aka spear phishing) is essentially 0%.

------
thetable
Since Google doesn't tell you why they're showing this warning to you, and
only tell you to follow standard security guidelines ("don't get phished"), I
suspect people will quickly be trained to ignore this message.

My girlfriend received the warning message today. She has already activated
2-factor auth, so I'm really not sure what she's supposed to do with this
information.

------
seanp2k2
_groan_ so we live in /this/ era now, where politicians try to weaponize the
Internet. Kill me now.

------
dreamdu5t
How do we know this isn't state-sponsored propaganda!?

~~~
saraid216
Because we already know that Gmail has been hacked by the Chinese in order to
obtain information about their dissenters?

------
jcromartie
aka China, right?

~~~
duskwuff
Mostly! I believe there's been some tampering noticed in various Middle
Eastern countries (such as Iran and Syria) as well, and I suspect this warning
is targeted at them too.

~~~
pooriaazimi
I guess so. A couple weeks ago I experienced something spooky (like session
hijack) in Iran and contacted them...

------
NathanKP
I think this is a great idea. I would be interested if it could tell you what
state though, and/or what group.

------
forgotusername
What kind of productive, actionable result can this notification lead to for a
regular user? "Oh, my government may-or-may-not be attacking me, I'm not even
sure because it doesn't say, in any case I better just push this magic fix-it-
all-up button I have right here."

I can't see how this can be differentiated from simple underhanded FUD-driven
political activism.

~~~
babar
How about the steps noted in the post? Make sure you have a good password, use
two-factor authentication, and be careful about clicking on any login links?
It could also be incentive to change accounts, or change to a different
communication mechanism. As long as this warning is triggered by actual data,
I am not sure how you could categorize it as "FUD" or even political activism.
Hacking into accounts should not be political - it should be criminal.

~~~
forgotusername
> Here are some things you should do immediately: create a unique password
> that has a good mix of capital and lowercase letters, as well as punctuation
> marks and numbers; enable 2-step verification as additional security; and
> update your browser, operating system, plugins, and document editors.
> Attackers often send links to fake sign-in pages to try to steal your
> password, so be careful about where you sign in to Google and look for
> <https://accounts.google.com/> in your browser bar. These _warnings are not
> being shown because Google’s internal systems have been compromised or
> because of a particular attack._

How does _any_ of this differ from regular user advice? And note the last
sentence, they are explicitly admitting the warning relates to nothing in
reality beyond the normal environment. Do we suppose that people in China
aren't aware their government spies on them? Do you suppose your own
government does not?

I don't understand why this banner isn't shown to all users - China or
otherwise, or why show it at all. Do something actionable and meaningful -
introduce password complexity requirements, mandatory 2 factor authentication,
require use of a signed browser with pinned SSL certificates - anything but
non-specific nonsense that does little but promote unactionable fear in the
hearts of thousands of users.

~~~
TeMPOraL
Don't forget that _government officials_, _defense contractors_, etc. also
use Google products. Not all hacking is criminal or local. Some of it is
geopolitical in nature.

------
rdl
I wonder if anyone on HN has gotten this warning yet.

------
Toshio
I like how "state-sponsored" is pretty much a euphemism for "we're pretty
confident it was the Chinese who did it but we can't say so on our official
blog".