
Google uncovers major account-hijacking campaign targeting senior US officials - raldi
http://googleblog.blogspot.com/2011/06/ensuring-your-information-is-safe.html?
======
MatthewB
Does it bother anyone that China continues to hack us? It is very possible
that this was a government-backed attack, which wouldn't be the first against
Google by the Chinese government.

The biggest problem is that these don't seem to be sophisticated attacks. They
didn't find a backdoor or install some malicious piece of code...they simply
"hacked people" with phishing scams.

I think a great place for the US govt (and Google) to spend money would be to
inform people about phishing and how to detect it. Being a savvy internet
user, I sometimes forget that these scams that look ridiculous to me might
very well look legitimate to someone else.

~~~
ansy
Yeah, it bothers someone:

<http://www.bbc.co.uk/news/world-us-canada-13614125>

Just today it is widely reported the Pentagon is setting a new policy that
cyber attacks can be considered acts of war which lets the Pentagon retaliate
with conventional weapons. Hack my email, get an ICBM.

~~~
MatthewB
I saw this a few days ago. I believe that if another country hacked the US and
took top secret data, it could potentially cause as much damage as a
conventional weapon. So, using conventional weapons in retaliation for
cyber-attacks doesn't seem that far-fetched.

We are definitely in an interesting time with regards to technology and
policy. Both exciting and scary.

~~~
ansy
I would not be surprised if the United States got a specialized "Cyber Force"
branch of the military sooner rather than later to go along with Army, Navy,
and Air. There are apparently already papers about it like this one from 2008:

PDF: <http://www.albanylawjournal.org/articles/solce_0609.pdf>

Abstract: <https://litigation-essentials.lexisnexis.com/webcd/app?action=DocumentDisplay&crawlid=1&doctype=cite&docid=18+Alb.+L.J.+Sci.+%26+Tech.+293&srctype=smi&srcid=3B15&key=5d2635183c5a79a521ba646298d739b3>

Granted, that niche is somewhat filled by the NSA, but it is not a branch of
the military per se. And increasingly cyberspace will be as important or more
so than land, sea, and air.

The problem is any formal "Cyber Force" announcement will kick off the 21st
Century arms race. But forming a Cyber Force in secret will severely limit
effectiveness. I think we're about at the tipping point when the United States
sees a hacker battalion here and there as not enough. It needs a strong hacker
branch.

~~~
dantheman
I don't think you'll see a new branch, but there already is a Cyber Command -
<http://en.wikipedia.org/wiki/United_States_Cyber_Command>

------
guelo
It is great that Google is open with this stuff and the security tips were
mostly good, but it was inappropriate to only recommend Chrome in a security
message. All modern browsers have anti-phishing features. This came off as
advertising.

~~~
Daniel14
Unless I'm much mistaken Chrome is the most secure browser out there, so it
makes sense in a video from Google about security imho.

~~~
rjbond3rd
More secure: the browser known as links.

------
ck2
Just imagine what China is doing with the official backdoor gmail is required
to have for warrantless searches in the USA.

Unlike TSA gropes, officials cannot legislate themselves out of the backdoor,
they might never know when their email is being read, and they did it to
themselves.

~~~
yanw
<http://news.ycombinator.com/item?id=2609457>

~~~
ck2
Wrong.

A law from 1986 that is being heavily abused ala Patriot Act, allows
government to read your email and any other stored data online that is more
than 180 days old without any judicial review (aka warrant).

This is fact, not speculation. To be fair it's not just gmail but yahoo, etc.

~~~
shareme
Are you referring to the law nicknamed the Clinton computer law?

Read it again, any viewing of data on a computer requires notifying accused
180 days after the data view, no exceptions.

As I understand it, the Patriot act replaces that requirement.

~~~
ck2
The ironically named 1986 Electronic Communications _Privacy_ Act

<http://www.nytimes.com/2011/01/10/technology/10privacy.html>

 _the government does not notify people that they are searching their online
information or prove probable cause, and if the government violates the law in
obtaining information, defendants are generally unable to exclude that
evidence_

<http://www.wired.com/threatlevel/2010/03/google-microsoft-ecpa/>

<http://www.wired.com/threatlevel/2011/05/cloud-content-warrants/>

Since the "Patriot" Act was renewed without discussion or change, there is
little hope IMHO that the 1986 law will be changed (except maybe make it
worse).

------
radioactive21
"Review the security features offered by the Chrome browser. If you don’t
already use Chrome, consider switching your browser to Chrome."

Nice subtle suggestion.

~~~
mparr4
Indeed. I'm not sure which is more disappointing: that China seems to be
bringing things to a new level or that it's cool to take advantage of a
situation that many people won't understand by throwing that line in there in
the midst of what reads as quite scary news.

~~~
enneff
Chrome is easily the most security-focused and has the best track record of
any of the major browsers. It is a totally reasonable suggestion.

------
qjz
_Bad actors take advantage of the fact that most people aren’t that tech
savvy—hijacking accounts by using malware and phishing scams that trick users
into sharing their passwords, or by using passwords obtained by hacking other
websites._

Passwords are obsolete. No improvement in storing or transmitting passwords
securely will make them easier to remember or less likely to be shared. The
approach is fundamentally flawed and cannot be used as a cradle-to-grave
method of identity assurance. Unfortunately, nobody has developed an
acceptable alternative.

~~~
windsurfer
Public key authentication isn't an acceptable alternative?

You could have users unlock a keyring using a password containing a single,
global public key for each machine they own. You could have them do the same
with a thumbdrive or mobile phone. You could authenticate using a number of
methods. It's really incredibly flexible.

I think the problem is not that there isn't something to replace it, it's that
people are used to "username:password" and don't want to switch. Public key
authentication has too many options while passwords are just single words.

~~~
qjz
I agree that public key authentication is an improvement over passwords. Now
show me a system that my mother-in-law can use (passphrases are out, she can't
remember them).

~~~
enneff
How about 2-factor authentication, as discussed in the article?

~~~
kristofferR
SMS is not global and is quite expensive to get started with. Only the major
players like Google can roll out worldwide SMS authentication. Email is out of
the question because it often takes several minutes to receive an email (due
to POP-fetching intervals etc)

~~~
sweis
Google supports HOTP-based codes that can be generated by a mobile application
or even a local bookmarklet. They also support printed one-time codes.

Here's the open source project for the mobile app and PAM module:
<http://code.google.com/p/google-authenticator/>

(Disclaimer: I worked on this.)
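
Added example, not part of the thread and not code from the google-authenticator project: a minimal RFC 4226 HOTP generator with server-side verification, showing why a phished code stops working once the counter advances. The `verify` helper, its look-ahead `window` and the secret (the RFC's published test key) are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct

# Test secret published in RFC 4226 Appendix D (not a real credential).
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects a 4-byte slice
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(secret: bytes, submitted: str, server_counter: int, window: int = 3):
    """Hypothetical server-side check.

    Returns the new server counter when the code matches, otherwise None.
    The look-ahead window tolerates codes the user generated but never
    submitted; moving the counter past the match makes every earlier code,
    including the one just accepted, unusable.
    """
    for c in range(server_counter, server_counter + window + 1):
        # Constant-time comparison so timing does not leak matching digits.
        if hmac.compare_digest(hotp(secret, c).encode(), submitted.encode()):
            return c + 1
    return None


if __name__ == "__main__":
    counter = 0
    code = hotp(RFC_SECRET, 2)                  # user pressed the button three times
    counter = verify(RFC_SECRET, code, counter)
    print("accepted, server counter now", counter)
    print("replay of same code:", verify(RFC_SECRET, code, counter))
```
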

------
jonknee
Here's a pretty good review of what these attacks looked like. Apparently this
is part of how Google got tipped off... Spear phishing.

<http://contagiodump.blogspot.com/2011/02/targeted-attacks-against-personal.html>

------
krazybig
Google should consider adding an option to lock your account access based on
IP range or even a geo-located area based on IP address. There are some
challenges to geo-locating IPs, and this wouldn't stop a determined hacker,
but it could foil a significant number of attacks.

They also might want to provide some reporting for users to know when their
account was accessed or attempted to be accessed and from where.

------
stcredzero
Is it possible for the government to establish a separate secure network? A
North American network for government communication and infrastructure control
use which was entirely separated from the internet would be very useful.

~~~
wl
The government already does this for some things. SIPRnet is for the
transmission of information classified up to secret and is airgapped from the
public internet. This is where the Bradley Manning leaks came from. JWICS and
NSANet are run along the same lines, but they transmit information classified
up to Top Secret/SCI.

------
swaits
Why are "Senior US Officials" using gmail?

~~~
william42
It's their personal accounts.

~~~
swaits
Then why would it matter if it got hacked? Surely they aren't conducting any
official government "business" on their personal Gmail account, right?

------
motters
Does this have anything to do with the backdoor API, or were the passwords
just brute forced?

~~~
yanw
There are no 'backdoor' shenanigans, they comply with subpoenas like everyone
else (they uniquely provide a transparency report) the Schneier claim was
speculative and he dismissed it later.

In this case it's phishing, read the post.

~~~
andrewcooke
do you know where he dismissed it? the article at
<http://www.schneier.com/essay-306.html> is still up, with no disclaimer or
obvious link to a correction.

~~~
jonknee
A week or two later on his blog:

<http://www.schneier.com/blog/archives/2010/02/more_details_on.html>

"The rumor that China used a system Google put in place to enable lawful
intercepts, which I used as a news hook for this essay, has not been
confirmed. At this point, I doubt that it's true."

~~~
andrewcooke
thanks. i didn't know that. given how famous the other essay is, he should
really update it...

------
geoffreyvanwyk
Obvious sickening propaganda for closing down the Internet!

~~~
eli
Why would Google want to close down the Internet?

~~~
hugh3
Because... it's a conspiracy! Wake up, sheeple!

