Does it bother anyone that China continues to hack us? It is very possible that this was a government-backed attack, which wouldn't be the first against Google by the Chinese government.
The biggest problem is that these don't seem to be sophisticated attacks. They didn't find a backdoor or install some malicious piece of code...they simply "hacked people" with phishing scams.
I think a great place for the US govt (and Google) to spend money would be to inform people about phishing and how to detect it. Being a savvy internet user, I sometimes forget that these scams that look ridiculous to me might very well look legitimate to someone else.
The reason we only see the unsophisticated attacks might well be that the ones that are carried out professionally are never caught.
If I was China and intent on this kind of cybercrime I wouldn't put all my eggs in one basket, but would try different avenues to get to my target. Resources don't seem to be a problem since it's apparently government backed.
I would see this as the top of the iceberg, and expect there to be more sophisticated attacks hiding out there that we might never know about.
Like hacking SecureID? The previous attack Google discussed? The fact that just about anyone on port 22 sees half or more of their port-knocking from China? Shawn Carpenter's Titan Rain? (oh, wait, EMC now owns RSA and NetWitness ...)
Just today it is widely reported the Pentagon is setting a new policy that cyber attacks can be considered acts of war which lets the Pentagon retaliate with conventional weapons. Hack my email, get an ICBM.
I saw this a few days ago. I believe that if another country hacked the US and took top secret data, it could potentially cause as much damage as a conventional weapon. So, using conventional weapons in retaliation for cyber-attacks doesn't seem that far fetched.
We are definitely in an interesting time with regards to technology and policy. Both exciting and scary.
I would not be surprised if the United States got a specialized "Cyber Force" branch of the military sooner rather than later to go along with Army, Navy, and Air. There are apparently already papers about it like this one from 2008:
Granted, that niche is somewhat filled by the NSA, but it is not a branch of the military per se. And increasingly cyberspace will be as important or more so than land, sea, and air.
The problem is any formal "Cyber Force" announcement will kick off the 21st Century arms race. But forming a Cyber Force in secret will severely limit effectiveness. I think we're about at the tipping point when the United States sees a hacker battalion here and there as not enough. It needs strong hacker branch.
The problem is attribution. Imagine if all an Al-Qaeda hacker had to do to start a major war was to compromise a Chinese computer and use it to attack a sufficiently sensitive US military target.
Except that unless they actually do treat it as an act of war, it's an empty and pointless threat.
And they're clearly not treating it as an act of war, which is why the US (thankfully) isn't at war with China right now.
Politically, going to war with China just because they hacked the SecDef's email would be an impossible sell to the American people, who frankly aren't that keen on starting World War 3 unless it's absolutely necessary. If the Pentagon is getting hacked by China then the correct response is better security, not making threats, whether idle or serious.
What bothers me at least is that although Google finds these things (thank you), how many non-gmail accounts have been hacked but nobody has noticed yet.
The US Government has backdoors into every large webservice in the world. China has to hack their way in. That's the main difference here, as the USG long ago stopped being "on our side".
Easy to read western propaganda and jump to conclusions without viewing the whole picture.
Of course the US hacks the Chinese govt. Just because China doesn't publish accounts of attacks does not mean attacks are not occurring.
We already know Google are quite jaded towards China given their failure to succeed in the China market. Thus I take anything they comment about China with a grain of salt, given they clearly have an agenda.
An attack originating in Jinan does not necessarily mean Chinese govt either. Given China's opaqueness on cyber issues, anyone wanting to hack anyone else could use China as a place to do it.
Though I agree, governments should invest in educating people on phishing scams.
> An attack originating in Jinan does not necessarily mean Chinese govt either.
In that case, we should expect to see a vigorous Chinese investigation into this illegal activity that originated from China, right?
Just like there was a comprehensive Chinese response to the well-documented cyber attacks on several American tech companies that originated from China in Dec 2009?
Unfortunately, after seeing the firewall logs of several Internet facing machines in distinct hosting providers in different parts of the world, it's quite interesting to notice that 90% if not more of the port scans, http vulnerability scans, among others, come from network blocks from that part of the planet.
Even more illuminating is that their great firewall, if it is so advanced, being able to block anything on a need basis, is not concerned with blocking these.
My understanding was the great firewall isn't so advanced. It is essentially a filter system, run in quite a manual fashion (i.e. eyeballs on screens assessing if things should be blocked).
I'm not refuting attacks originating from China; there are piles of evidence that support this.
Things to keep in mind - there are more internet users in China than anywhere else, so there is going to be more of 'everything' from China. One needs to convert the stats into per-capita ratios before making meaningful conclusions about % of attacks etc.
My main issue (in my original post) is the jump from "Attack from Chinese IP addresses on gmail accounts" to "China attacked us [The US]" - without any qualification.
It promotes a nationalistic 'Us against Them' mentality that is primarily based on hysteria rather than fact.
It is great that Google is open with this stuff and the security tips were mostly good, but it was inappropriate to only recommend Chrome in a security message. All modern browsers have anti-phishing features. This came off as advertising.
Just imagine what China is doing with the official backdoor gmail is required to have for warrantless searches in the USA.
Unlike TSA gropes, officials cannot legislate themselves out of the backdoor, they might never know when their email is being read, and they did it to themselves.
A law from 1986 that is being heavily abused à la Patriot Act allows government to read your email and any other stored data online that is more than 180 days old without any judicial review (aka warrant).
This is fact, not speculation. To be fair it's not just gmail but yahoo, etc.
the government does not notify people that they are searching their online information or prove probable cause, and if the government violates the law in obtaining information, defendants are generally unable to exclude that evidence
Since the "Patriot" Act was renewed without discussion or change, there is little hope IMHO that the 1986 law will be changed (except maybe make it worse).
Indeed. I'm not sure which is more disappointing: that China seems to be bringing things to a new level or that it's cool to take advantage of a situation that many people won't understand by throwing that line in there in the midst of what reads as quite scary news.
Bad actors take advantage of the fact that most people aren’t that tech savvy—hijacking accounts by using malware and phishing scams that trick users into sharing their passwords, or by using passwords obtained by hacking other websites.
Passwords are obsolete. No improvement in storing or transmitting passwords securely will make them easier to remember or less likely to be shared. The approach is fundamentally flawed and cannot be used as a cradle-to-grave method of identity assurance. Unfortunately, nobody has developed an acceptable alternative.
Unfortunately, nobody has developed an acceptable alternative
In that case they're not really obsolete, are they? Things are obsolete because they're replaced by something better, not because they're imperfect.
All you really need to do is to get one of those crypto-card thingies implanted in your brain. Then every time you're prompted for a password you just have to type in the first string of numbers that pops into your head.
Except those crypto-card thingies (not the implantable ones) were duplicated as a result of the recent RSA breakin, which is how Lockheed was attacked.
The working theory is that RSA retained information on the crypto "seeds" used to initialize the hardware tokens at the factory. When this database was hacked the attackers obtained a copy of this seed material. This was enough to duplicate the code sequence displayed on the key, though possibly in conjunction with a phishing or social engineering attack to obtain the target user's serial number (or a few current codes).
That's the theory anyway. Not everyone agrees that it's the Chinese-attacking-US-defense-contractors story again.
What everyone does agree on though is that RSA is withholding critical information about the severity of the compromise, or maybe even being a little disingenuous about it.
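As an added illustration (not from the thread), a toy event-based token in Python using RFC 4226 HOTP as a stand-in for the proprietary SecurID algorithm: the verifier keeps a per-serial seed database, and a token built from nothing but a copied seed record produces exactly the codes the verifier expects, so one-time acceptance stops replay of a spent code but not a clone. The seed, serial number and class names are constructed.

```python
import hashlib
import hmac
import struct

# RFC 4226 HOTP stands in for the proprietary SecurID algorithm (assumption):
# what matters for the point is that code generation needs only seed + counter.
def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1(seed, counter) with RFC 4226 dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

class Token:
    """A hardware token: one seed, one counter, emits the next code on demand."""
    def __init__(self, seed: bytes):
        self.seed, self.counter = seed, 0
    def next_code(self) -> str:
        code = hotp(self.seed, self.counter)
        self.counter += 1
        return code

class AuthServer:
    """Verifier holding the per-serial seed database, the asset at issue in a seed leak."""
    def __init__(self, seeds: dict, window: int = 5):
        self.seeds = dict(seeds)                 # serial -> seed
        self.counters = {s: 0 for s in seeds}    # next counter expected per serial
        self.window = window                     # look-ahead for skipped codes
    def verify(self, serial: str, code: str) -> bool:
        seed, start = self.seeds[serial], self.counters[serial]
        for c in range(start, start + self.window):
            if hmac.compare_digest(hotp(seed, c), code):
                self.counters[serial] = c + 1    # a spent code is never accepted again
                return True
        return False

SEED_DB = {"000123456789": b"12345678901234567890"}  # constructed sample record

def demo() -> dict:
    server = AuthServer(SEED_DB)
    genuine = Token(SEED_DB["000123456789"])
    clone = Token(dict(SEED_DB)["000123456789"])  # built from a copied seed record only
    return {
        "genuine_first": server.verify("000123456789", genuine.next_code()),
        # clone starts at counter 0: that code was already consumed, so replay fails
        "clone_replay": server.verify("000123456789", clone.next_code()),
        # clone's next code falls inside the look-ahead window and is accepted
        "clone_next": server.verify("000123456789", clone.next_code()),
    }
```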
Public key authentication isn't an acceptable alternative?
You could have users unlock a keyring using a password containing a single, global public key for each machine they own. You could have them do the same with a thumbdrive or mobile phone. You could authenticate using a number of methods. It's really incredibly flexible.
I think the problem is not that there isn't something to replace it, it's that people are used to "username:password" and don't want to switch. Public key authentication has too many options while passwords are just single words.
Practical pubkey verification & authentication requires a repository of public keys. Also, shudder password recovery/reset mechanisms.
I spent a few hours thinking about it once: this isn't much different from the DNS problem.
If a good distributed DNS system can be developed (i.e., highly resistant to malicious poisoning), that algorithm can likely transfer to pubkey archives.
I agree that public key authentication is an improvement over passwords. Now show me a system that my mother-in-law can use (passphrases are out, she can't remember them).
SMS is not global and is quite expensive to get started with. Only the major players like Google can roll out worldwide SMS authentication. Email is out of the question because it often takes several minutes to receive an email (due to POP-fetching intervals etc.).
Other than the current obvious UX deficiencies of installing and using them, a client certificate might help people like your mother-in-law. But one would ideally have a passphrase on their private key.
If you can't remember a passphrase, the "something you know" portion of "something you know and something you have" is kind of out.
Is it secret? If so, how do you change it if it gets disclosed? If not, how hard is it to make a fake eyeball?
How do you know the user's actually being authenticated and it's not just a replay of a previously captured image? Do you require a trusted hardware scanner now? If so, how do you deploy it to all your users? How do you keep the attacker from taking it apart and reverse engineering it?
But most of all, how do you know the user is actually intending to authenticate the thing that is being authenticated? E.g. the user wants to open door A so they put their eyeball up to the scanner, but the bad guy has installed a skimmer (like on ATMs) which replays the user's retina and lets him into door B.
Biometrics usually raise more questions than answers IMHO.
Awesome. I'm so glad that you have shown me the light. I now realize that we are perfectly and 100% secure right this very moment and that the security system of using the same password everywhere (e.g. password = 'password') is working out so well for people!
[Also: If a user enters <FORM OF AUTHENTICATION>, how do we know for sure that they aren't entering <FORM OF AUTHENTICATION> under duress? We'd better just scrap this whole authentication thing altogether.]
I now realize that we are perfectly and 100% secure right this very moment
Lol. :-)
If a user enters <FORM OF AUTHENTICATION>, how do we know for sure that they aren't entering <FORM OF AUTHENTICATION> under duress?
Haven't you heard of the three factors of authentication?
Something they steal, something they chop off, and something they beat out of you...
We'd better just scrap this whole authentication thing altogether.
You can't. It's a fundamental activity, as old as the first cell membrane (this is me, this is not me). Multicellular organisms have immune systems (which are often fooled). Babies (sometimes switched at birth) recognize their mother's voices right when they're born. Ever visit another city and people there can just tell right away you're from out-of-town?
The irony is that millions of years of evolution has given us humans so much built-in natural hardware for authentication that we're now doomed to underestimate the inherent complexity and subtlety of the problem.
> Haven't you heard of the three factors of authentication?
>
> Something they steal, something they chop off, and something they beat out of you...
I have, but 3-factor authentication doesn't prevent duress. If someone puts a gun to your head and tells you to enter your password + SecureID + retinal scan, what are you going to do?
> The irony is that millions of years of evolution has given us humans so much built-in natural hardware for authentication that we're now doomed to underestimate the inherent complexity and subtlety of the problem.
That was sort of my point. The problem is so complex that there is no silver bullet solution. The only thing that we can do is incrementally improve our solutions. Using a hash of a retinal scan as a passphrase in order to make public key cryptography more mainstream could be a good thing compared to what we have now. It wouldn't be perfect, but questions like "do you trust the hardware" are not unique to this solution. You could pose the same question about using a keyboard to enter a password.
If someone puts a gun to your head and tells you to enter your password + SecureID + retinal scan, what are you going to do?
Wish I'd never agreed to the biometric factor.
That was sort of my point.
Look dude, I may agree with you, but don't expect me to defend to the death your right to say it. Well, maybe this time, but just this once, OK? :-)
The problem is so complex that there is no silver bullet solution. The only thing that we can do is incrementally improve our solutions.
An important thing to recognize here is that there are often multiple stakeholders involved, sometimes with competing interests. E.g., your bank, your employer, or your email provider's website... and you. There's not always agreement on what constitutes improvement. An employer may love the biometrics idea, but as you point out, it could easily make its employees targets of physical violence.
Typically the party that chooses the authentication scheme is the one that writes the check for it. This is not always the party with the most to lose and is almost never the actual user being authenticated.
Using a hash of a retinal scan as a passphrase in order to make public key cryptography more mainstream could be a good thing compared to what we have now.
I disagree, but you haven't described anything concrete enough for us to discuss.
It wouldn't be perfect, but questions like "do you trust the hardware" are not unique to this solution. You could pose the same question about using a keyboard to enter a password.
Right. People get their keystrokes captured all the time, so unless your solution addresses the common issues too it's not worth going inside the eyeball for it. At least passwords are easy to change.
It seems that widely adopted authentication systems can never guarantee a strongly trusted endpoint. It always comes down to trying to lock secrets in some box which is then distributed as widely as possible. This idea has failed every time it's been tried.
Google should consider adding an option to lock your account access based on IP range or even a geo-located area based on IP address. There are some challenges to geo-locating IPs, and this wouldn't stop a determined hacker, but it could foil a significant number of attacks.
They also might want to provide some reporting for users to know when their account was accessed or attempted to be accessed and from where.
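A sketch of the range lock and access report suggested above, as an added example (not from the thread, and not how Google implements anything): a per-user allow-list of networks decides which logins would have been blocked, and the same pass builds the per-address access summary a user could be shown. The user, addresses and log lines are constructed; geo-location is left out because it needs an external database.

```python
import ipaddress
from datetime import datetime

# Constructed allow-list: networks each user has registered as "mine".
ALLOWED = {
    "alice": [ipaddress.ip_network("203.0.113.0/24"),
              ipaddress.ip_network("198.51.100.0/25")],
}

# Constructed login records (documentation-range addresses): time user ip outcome
LOGIN_LOG = """\
2011-06-02T08:01:12Z alice 203.0.113.17 success
2011-06-02T08:04:55Z alice 203.0.113.17 success
2011-06-02T09:30:02Z alice 192.0.2.44 failure
2011-06-02T09:30:40Z alice 192.0.2.44 success
2011-06-02T11:15:09Z alice 198.51.100.200 success
"""

def parse(line: str) -> dict:
    ts, user, ip, outcome = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "ip": ipaddress.ip_address(ip), "outcome": outcome}

def in_allowed(user: str, ip) -> bool:
    """True if the address falls inside any network on the user's allow-list."""
    return any(ip in net for net in ALLOWED.get(user, []))

def audit(log_text: str):
    """Return (events, report): each login tagged allowed/blocked, plus a
    per-(user, address) summary suitable for an access-history page."""
    events, report = [], {}
    for line in log_text.splitlines():
        rec = parse(line)
        allowed = in_allowed(rec["user"], rec["ip"])
        events.append((rec["user"], str(rec["ip"]), rec["outcome"],
                       "allowed" if allowed else "blocked"))
        entry = report.setdefault((rec["user"], str(rec["ip"])),
                                  {"attempts": 0, "successes": 0,
                                   "in_range": allowed, "last_seen": None})
        entry["attempts"] += 1
        entry["successes"] += rec["outcome"] == "success"
        entry["last_seen"] = rec["ts"].isoformat()
    return events, report

def blocked_logins(log_text: str) -> list:
    """Logins the range lock would have refused (including ones that succeeded)."""
    return [e for e in audit(log_text)[0] if e[3] == "blocked"]
```

Note that 198.51.100.200 is refused even though it is "close" to the registered /25, which is the precision an IP range lock demands of the user configuring it.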
Is it possible for the government to establish a separate secure network? A North American network for government communication and infrastructure control use which was entirely separated from the internet would be very useful.
The government already does this for some things. SIPRnet is for the transmission of information classified up to secret and is airgapped from the public internet. This is where the Bradley Manning leaks came from. JWICS and NSANet are run along the same lines, but they transmit information classified up to Top Secret/SCI.
There are no 'backdoor' shenanigans, they comply with subpoenas like everyone else (they uniquely provide a transparency report) the Schneier claim was speculative and he dismissed it later.
Do you know where he dismissed it? The article at http://www.schneier.com/essay-306.html is still up, with no disclaimer or obvious link to a correction.
"The rumor that China used a system Google put in place to enable lawful intercepts, which I used as a news hook for this essay, has not been confirmed. At this point, I doubt that it's true."
People seem to randomly downvote a post they think is "wrong", with no explanation. Asking for one seems to make it worse.
(e.g. http://news.ycombinator.com/item?id=2586625. Perhaps I was a touch rude, but a better response would have been to reply politely, point out where I was wrong and make me seem like a small-minded fool. Instead, downvotes are the response.)