Google uncovers major account-hijacking campaign targeting senior US officials (googleblog.blogspot.com)
183 points by raldi on June 1, 2011 | 85 comments



Does it bother anyone that China continues to hack us? It is very possible that this was a government-backed attack, which wouldn't be the first against Google by the Chinese government.

The biggest problem is that these don't seem to be sophisticated attacks. They didn't find a backdoor or install some malicious piece of code...they simply "hacked people" with phishing scams.

I think a great place for the US govt (and Google) to spend money would be to inform people about phishing and how to detect it. Being a savvy internet user, I sometimes forget that these scams that look ridiculous to me might very well look legitimate to someone else.


The reason we only see the unsophisticated attacks might well be that the ones that are carried out professionally are never caught.

If I was China and intent on this kind of cybercrime I wouldn't put all my eggs in one basket, but would try different avenues to get to my target. Resources don't seem to be a problem since it's apparently government backed.

I would see this as the top of the iceberg, and expect there to be more sophisticated attacks hiding out there that we might never know about.


> expect there to be more sophisticated attacks

Like hacking SecureID? The previous attack Google discussed? The fact that just about anyone on port 22 sees half or more of their port-knocking from China? Shawn Carpenter's Titan Rain? (oh, wait, EMC now owns RSA and NetWitness ...)


Yeah, it bothers someone:

http://www.bbc.co.uk/news/world-us-canada-13614125

Just today it is widely reported the Pentagon is setting a new policy that cyber attacks can be considered acts of war which lets the Pentagon retaliate with conventional weapons. Hack my email, get an ICBM.


I saw this a few days ago. I believe that if another country hacked the US and took top secret data, it could potentially cause as much damage as a conventional weapon. So, using conventional weapons in retaliation for cyber-attacks doesn't seem that far fetched.

We are definitely in an interesting time with regards to technology and policy. Both exciting and scary.


I would not be surprised if the United States got a specialized "Cyber Force" branch of the military sooner rather than later to go along with Army, Navy, and Air. There are apparently already papers about it like this one from 2008:

PDF: http://www.albanylawjournal.org/articles/solce_0609.pdf

Abstract: https://litigation-essentials.lexisnexis.com/webcd/app?actio...

Granted, that niche is somewhat filled by the NSA, but it is not a branch of the military per se. And increasingly cyberspace will be as important or more so than land, sea, and air.

The problem is any formal "Cyber Force" announcement will kick off the 21st Century arms race. But forming a Cyber Force in secret will severely limit effectiveness. I think we're about at the tipping point when the United States sees a hacker battalion here and there as not enough. It needs a strong hacker branch.


I don't think you'll see a new branch, but there already is a Cyber Command - http://en.wikipedia.org/wiki/United_States_Cyber_Command


The problem is attribution. Imagine if all an Al-Qaeda hacker had to do to start a major war was to compromise a Chinese computer and use it to attack a sufficiently sensitive US military target.


Posturing.


That's a good 90% of their (The DOD's) job though.


I'd expect the US to be doing the exact same thing to China. I'd be surprised if they weren't.


Pretty much this. We spy on them, they spy on us. Not much to be done about it. It used to be bugs in hotel rooms, now it's email phishing schemes.


Bingo!!


I'm sure it's no accident that the Pentagon stated they may treat cyber attacks as "acts of war" - http://www.bbc.co.uk/news/world-us-canada-13614125


Except that unless they actually do treat it as an act of war, it's an empty and pointless threat.

And they're clearly not treating it as an act of war, which is why the US (thankfully) isn't at war with China right now.

Politically, going to war with China just because they hacked the SecDef's email would be an impossible sell to the American people, who frankly aren't that keen on starting World War 3 unless it's absolutely necessary. If the Pentagon is getting hacked by China then the correct response is better security, not making threats, whether idle or serious.


What bothers me at least is that although Google finds these things (thank you), how many non-Gmail accounts have been hacked that nobody has noticed yet?


The US Government has backdoors into every large web service in the world. China has to hack their way in. That's the main difference here, as the USG long ago stopped being "on our side".


Easy to read western propaganda and jump to conclusions without viewing the whole picture.

Of course the US hacks the Chinese govt. Just because China doesn't publish accounts of attacks does not mean attacks are not occurring.

We already know Google are quite jaded towards China given their failure to succeed in the China market. Thus I take anything they comment about China with a grain of salt, given they clearly have an agenda.

An attack originating in Jinan does not necessarily mean the Chinese govt either. Given China's opaqueness on cyber issues, anyone wanting to hack anyone else could use China as a place to do it.

Though I agree, governments should invest in educating people on phishing scams.


> An attack originating in Jinan does not necessarily mean chinese govt either.

In that case, we should expect to see a vigorous Chinese investigation into this illegal activity that originated from China, right?

Just like there was a comprehensive Chinese response to the well-documented cyber attacks on several American tech companies that originated from China in Dec 2009?


> In that case, we should expect to see a vigorous Chinese investigation into this illegal activity that originated from China, right?

Tell you what, Chinese police never deal with "Internet theft" or "online intrusion" unless a large amount of money is involved.

And why would they even bother to investigate Gmail, which is constantly inaccessible in China?


50 cent army much?


Looks like it. 1 comment (the grandparent), account created 69 days ago, shilling for the Chinese government.

For those who don't get the reference, here's an article that explains it: http://www.guardian.co.uk/media/2008/sep/22/chinathemedia.ma...


I see, so rather than actually discuss the points I make, just attack me as some Chinese govt astroturfer... wtf!?

Just because I haven't commented before doesn't make my comment less valid... does it?


Unfortunately, after seeing the firewall logs of several Internet-facing machines at distinct hosting providers in different parts of the world, it's quite interesting to notice that 90% if not more of the port scans, HTTP vulnerability scans, and so on come from network blocks in that part of the planet.

Even more illuminating: if their great firewall is so advanced, being able to block anything on an as-needed basis, it is not concerned with blocking these.


My understanding was that the great firewall isn't so advanced. It is essentially a filter system, run in quite a manual fashion (i.e. eyeballs on screens assessing if things should be blocked).

I'm not refuting attacks originating from China; there are piles of evidence that support this.

Things to keep in mind: there are more internet users in China than anywhere else, so there is going to be more of 'everything' from China. One needs to convert the stats into per-capita ratios before making meaningful conclusions about % of attacks etc.

My main issue (in my original post) is the jump from "Attack from Chinese IP addresses on gmail accounts" to "China attacked us [The US]" - without any qualification.

It promotes a nationalistic 'Us against Them' mentality that is primarily based on hysteria rather than fact.


Very well said. In fact, blind nationalism is the very same strategy the 50-cent party uses (referring to the parent comment).


I haven't heard the term "50 cent army" before. I assume it's not a rapper's fan club?



Ah, I see.

I'm a member of the Kiss Army, the Skynyrd Nation, and the Bananarama Republic.


It is great that Google is open with this stuff and the security tips were mostly good, but it was inappropriate to only recommend Chrome in a security message. All modern browsers have anti-phishing features. This came off as advertising.


Unless I'm much mistaken Chrome is the most secure browser out there, so it makes sense in a video from Google about security imho.


More secure: the browser known as links.


Chrome is generally regarded as the most secure browser around.

The sandboxed security model[1] is something nothing else offers, and it's had fewer exploitable security problems than any other browser.

It might be advertising, but it's also accurate.

[1] http://blog.chromium.org/2008/10/new-approach-to-browser-sec...


How does the sandboxed security model mitigate phishing risk?


Just imagine what China is doing with the official backdoor gmail is required to have for warrantless searches in the USA.

Unlike TSA gropes, officials cannot legislate themselves out of the backdoor, they might never know when their email is being read, and they did it to themselves.



Wrong.

A law from 1986 that is being heavily abused, à la the Patriot Act, allows the government to read your email and any other stored data online that is more than 180 days old without any judicial review (aka warrant).

This is fact, not speculation. To be fair it's not just gmail but yahoo, etc.


Are you referring to the law nicknamed the Clinton computer law?

Read it again: any viewing of data on a computer requires notifying the accused 180 days after the data view, no exceptions.

As I understand it, the Patriot act replaces that requirement.


The ironically named 1986 Electronic Communications Privacy Act

http://www.nytimes.com/2011/01/10/technology/10privacy.html

> the government does not notify people that they are searching their online information or prove probable cause, and if the government violates the law in obtaining information, defendants are generally unable to exclude that evidence

http://www.wired.com/threatlevel/2010/03/google-microsoft-ec...

http://www.wired.com/threatlevel/2011/05/cloud-content-warra...

Since the "Patriot" Act was renewed without discussion or change, there is little hope IMHO that the 1986 law will be changed (except maybe make it worse).


"Review the security features offered by the Chrome browser. If you don’t already use Chrome, consider switching your browser to Chrome."

Nice subtle suggestion.


Indeed. I'm not sure which is more disappointing: that China seems to be bringing things to a new level or that it's cool to take advantage of a situation that many people won't understand by throwing that line in there in the midst of what reads as quite scary news.


Chrome is easily the most security-focused and has the best track record of any of the major browsers. It is a totally reasonable suggestion.


Bad actors take advantage of the fact that most people aren’t that tech savvy—hijacking accounts by using malware and phishing scams that trick users into sharing their passwords, or by using passwords obtained by hacking other websites.

Passwords are obsolete. No improvement in storing or transmitting passwords securely will make them easier to remember or less likely to be shared. The approach is fundamentally flawed and cannot be used as a cradle-to-grave method of identity assurance. Unfortunately, nobody has developed an acceptable alternative.


> Unfortunately, nobody has developed an acceptable alternative

In that case they're not really obsolete, are they? Things are obsolete because they're replaced by something better, not because they're imperfect.

All you really need to do is to get one of those crypto-card thingies implanted in your brain. Then every time you're prompted for a password you just have to type in the first string of numbers that pops into your head.


Except those crypto-card thingies (not the implantable ones) were duplicated as a result of the recent RSA break-in, which is how Lockheed was attacked.


Yeah, I really don't understand how that happened.


The working theory is that RSA retained information on the crypto "seeds" used to initialize the hardware tokens at the factory. When this database was hacked the attackers obtained a copy of this seed material. This was enough to duplicate the code sequence displayed on the key, though possibly in conjunction with a phishing or social engineering attack to obtain the target user's serial number (or a few current codes).

That's the theory anyway. Not everyone agrees that it's the Chinese-attacking-US-defense-contractors story again.

What everyone does agree on though is that RSA is withholding critical information about the severity of the compromise, or maybe even being a little disingenuous about it.


As stated in the article Google already provides 2-step verification as an alternative.


Public key authentication isn't an acceptable alternative?

You could have users unlock a keyring using a password containing a single, global public key for each machine they own. You could have them do the same with a thumbdrive or mobile phone. You could authenticate using a number of methods. It's really incredibly flexible.

I think the problem is not that there isn't something to replace it, it's that people are used to "username:password" and don't want to switch. Public key authentication has too many options while passwords are just single words.


Practical pubkey verification & authentication requires a repository of public keys. Also (shudder) password recovery/reset mechanisms.

I spent a few hours thinking about it once: this isn't much different from the DNS problem.

If a good distributed DNS system can be developed (ie, highly resistant to malicious poisoning), that algorithm can likely transfer to pubkey archives.


I agree that public key authentication is an improvement over passwords. Now show me a system that my mother-in-law can use (passphrases are out, she can't remember them).


How about 2-factor authentication, as discussed in the article?


SMS is not global and is quite expensive to get started with. Only the major players like Google can roll out worldwide SMS authentication. Email is out of the question because it often takes several minutes to receive an email (due to POP-fetching intervals etc)


Google supports HOTP-based codes that can be generated by a mobile application or even a local bookmarklet. They also support printed one-time codes.

Here's the open source project for the mobile app and PAM module: http://code.google.com/p/google-authenticator/

(Disclaimer: I worked on this.)
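The HOTP scheme mentioned in the comment above, as an added example written for this page (it is not Google's code and not taken from the google-authenticator project): an RFC 4226 generator, a base32 decoder for the provisioning form of the secret, and a server-side verifier with a look-ahead window and replay protection. The secret is the RFC 4226 test-vector key, so the codes can be checked against the RFC. It also makes concrete the RSA-seed theory discussed further up the thread: the code sequence is a pure function of the shared secret and counter, so whoever holds a copy of the seed store can reproduce every code, which is why that store needs at least the protection given to the passwords it supplements.

```python
import base64
import hashlib
import hmac
import struct

# Constructed: the shared secret from the RFC 4226 test vectors (ASCII "12345678901234567890").
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def decode_base32_secret(encoded: str) -> bytes:
    """Decode a base32 secret as shown in provisioning QR codes.

    Tolerates spaces, lowercase and missing '=' padding, all of which appear in
    hand-typed secrets.
    """
    cleaned = encoded.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


class HotpVerifier:
    """Server-side state for one user: the next expected counter plus a look-ahead window.

    The window lets a client that generated a few unused codes resynchronise. Once a
    counter is accepted, it and everything below it are burned, so a code captured
    by phishing or a keylogger cannot be replayed.
    """

    def __init__(self, secret: bytes, counter: int = 0, window: int = 5, digits: int = 6):
        self.secret = secret
        self.counter = counter
        self.window = window
        self.digits = digits

    def verify(self, candidate: str) -> bool:
        for c in range(self.counter, self.counter + self.window + 1):
            expected = hotp(self.secret, c, self.digits)
            if hmac.compare_digest(expected, candidate):  # constant-time comparison
                self.counter = c + 1
                return True
        return False


if __name__ == "__main__":
    # Client side: derive the same secret from its base32 form and emit the first codes.
    secret = decode_base32_secret("gezd gnbv gy3t qojq gezd gnbv gy3t qojq")
    for n in range(3):
        print(n, hotp(secret, n))
    # Server side: accept a code once, refuse the replay.
    verifier = HotpVerifier(secret)
    print(verifier.verify(hotp(secret, 0)), verifier.verify(hotp(secret, 0)))
```

Counter 0 with the RFC secret yields 755224, the first value in the RFC's test table. The window size is a policy choice: a larger window tolerates more client drift but gives a guessed code more chances to match, so it should stay small and be paired with rate limiting on failed attempts.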


The 2-factor auth process doesn't use SMS, it uses a one-time-password generator app that you can run on modern smartphones.


You don't need to have data access to use Google's two-factor authentication.


Other than the current obvious UX deficiencies of installing and using them, a client certificate might help people like your mother-in-law. But one would ideally have a passphrase on their private key.

If you can't remember a passphrase, the "something you know" portion of "something you know and something you have" is kind of out.


I'm thinking that he/she was meaning that she can't remember a passphrase so would end up only using a weak password.


How about adding in another factor of authentication and make the passphrase a hash of data from a biometric scan (e.g. retina scan)?


Is it secret? If so, how do you change it if it gets disclosed? If not, how hard is it to make a fake eyeball?

How do you know the user's actually being authenticated and it's not just a replay of a previously captured image? Do you require a trusted hardware scanner now? If so, how do you deploy it to all your users? How do you keep the attacker from taking it apart and reverse engineering it?

But most of all, how do you know the user is actually intending to authenticate the thing that is being authenticated? E.g. the user wants to open door A so they put their eyeball up to the scanner, but the bad guy has installed a skimmer (like on ATMs) which replays the user's retina and lets him into door B.

Biometrics usually raise more questions than answers IMHO.


Awesome. I'm so glad that you have shown me the light. I now realize that we are perfectly and 100% secure right this very moment and that the security system of using the same password everywhere (e.g. password = 'password') is working out so well for people!

[Also: If a user enters <FORM OF AUTHENTICATION>, how do we know for sure that they aren't entering <FORM OF AUTHENTICATION> under duress? We'd better just scrap this whole authentication thing altogether.]


> I now realize that we are perfectly and 100% secure right this very moment

Lol. :-)

> If a user enters <FORM OF AUTHENTICATION>, how do we know for sure that they aren't entering <FORM OF AUTHENTICATION> under duress?

Haven't you heard of the three factors of authentication?

Something they steal, something they chop off, and something they beat out of you...

> We'd better just scrap this whole authentication thing altogether.

You can't. It's a fundamental activity, as old as the first cell membrane (this is me, this is not me). Multicellular organisms have immune systems (which are often fooled). Babies (sometimes switched at birth) recognize their mother's voices right when they're born. Ever visit another city and people there can just tell right away you're from out-of-town?

The irony is that millions of years of evolution has given us humans so much built-in natural hardware for authentication that we're now doomed to underestimate the inherent complexity and subtlety of the problem.


> Haven't you heard of the three factors of authentication?
>
> Something they steal, something they chop off, and something they beat out of you...

I have, but 3-factor authentication doesn't prevent duress. If someone puts a gun to your head and tells you to enter your password + SecureID + retinal scan, what are you going to do?

> The irony is that millions of years of evolution has given us humans so much built-in natural hardware for authentication that we're now doomed to underestimate the inherent complexity and subtlety of the problem.

That was sort of my point. The problem is so complex that there is no silver bullet solution. The only thing that we can do is incrementally improve our solutions. Using a hash of a retinal scan as a passphrase in order to make public key cryptography more mainstream could be a good thing compared to what we have now. It wouldn't be perfect, but questions like "do you trust the hardware" are not unique to this solution. You could pose the same question about using a keyboard to enter a password.


> If someone puts a gun to your head and tells you to enter your password + SecureID + retinal scan, what are you going to do?

Wish I'd never agreed to the biometric factor.

> That was sort of my point.

Look dude, I may agree with you, but don't expect me to defend to the death your right to say it. Well, maybe this time, but just this once, OK? :-)

> The problem is so complex that there is no silver bullet solution. The only thing that we can do is incrementally improve our solutions.

An important thing to recognize here is that there are often multiple stakeholders involved, sometimes with competing interests. E.g., your bank, your employer, or your email provider's website... and you. There's not always agreement on what constitutes improvement. An employer may love the biometrics idea, but as you point out, it could easily make its employees targets of physical violence.

Typically the party that chooses the authentication scheme is the one that writes the check for it. This is not always the party with the most to lose and is almost never the actual user being authenticated.

> Using a hash of a retinal scan as a passphrase in order to make public key cryptography more mainstream could be a good thing compared to what we have now.

I disagree, but you haven't described anything concrete enough for us to discuss.

> It wouldn't be perfect, but questions like "do you trust the hardware" are not unique to this solution. You could pose the same question about using a keyboard to enter a password.

Right. People get their keystrokes captured all the time, so unless your solution addresses the common issues too it's not worth going inside the eyeball for it. At least passwords are easy to change.

It seems that widely adopted authentication systems can never guarantee a strongly trusted endpoint. It always comes down to trying to lock secrets in some box which is then distributed as widely as possible. This idea has failed every time it's been tried.


Here's a pretty good review of what these attacks looked like. Apparently this is part of how Google got tipped off... Spear phishing.

http://contagiodump.blogspot.com/2011/02/targeted-attacks-ag...


Google should consider adding an option to lock your account access based on IP range or even a geo-located area based on IP address. There are some challenges to geo-locating IPs, and this wouldn't stop a determined hacker, but it could foil a significant number of attacks.

They also might want to provide some reporting for users to know when their account was accessed or attempted to be accessed and from where.
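The two suggestions above (locking an account to a source range, and showing users where their account was accessed from), as an added example that is not Google's implementation: a per-user CIDR allowlist, a per-user access report, and a first-seen-network alert run over a handful of constructed login events. CIDR ranges stand in for IP geolocation, which would need an external database; all user names, addresses and events are made up for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample login events: (user, source IP, outcome). All values hypothetical.
SAMPLE_EVENTS = [
    ("alice", "203.0.113.7", "success"),
    ("alice", "203.0.113.9", "success"),
    ("alice", "198.51.100.42", "failure"),
    ("alice", "198.51.100.42", "success"),
    ("bob", "192.0.2.10", "success"),
    ("bob", "2001:db8::1", "failure"),
]

# Constructed per-user allowlist of source networks (the "lock to an IP range" option).
# Users absent from the policy are not restricted.
ALLOWED_NETWORKS = {
    "alice": ["203.0.113.0/24"],
    "bob": ["192.0.2.0/24", "2001:db8::/32"],
}


def ip_allowed(ip: str, networks) -> bool:
    """True if ip falls inside any listed CIDR range; an address-family mismatch is simply False."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in networks)


def enforce_ip_policy(events, policy):
    """Return one (user, ip, decision) per event; decision is 'allow' or 'block'."""
    decisions = []
    for user, ip, _outcome in events:
        networks = policy.get(user)
        allowed = networks is None or ip_allowed(ip, networks)
        decisions.append((user, ip, "allow" if allowed else "block"))
    return decisions


def access_report(events):
    """Per-user summary a user could be shown: distinct source IPs and success/failure counts."""
    report = defaultdict(lambda: {"sources": [], "successes": 0, "failures": 0})
    for user, ip, outcome in events:
        entry = report[user]
        if ip not in entry["sources"]:
            entry["sources"].append(ip)
        entry["successes" if outcome == "success" else "failures"] += 1
    return dict(report)


def new_network_alerts(events, v4_prefix=24, v6_prefix=48):
    """Flag each successful login from a network the user has not successfully logged in from before.

    Addresses are coarsened to /24 (IPv4) or /48 (IPv6) so a user moving between addresses
    inside one ISP allocation is not flagged repeatedly. Each user's first login is flagged
    too; a deployment would baseline that away.
    """
    seen = defaultdict(set)
    alerts = []
    for user, ip, outcome in events:
        if outcome != "success":
            continue
        addr = ipaddress.ip_address(ip)
        prefix = v4_prefix if addr.version == 4 else v6_prefix
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        if net not in seen[user]:
            alerts.append((user, ip, str(net)))
            seen[user].add(net)
    return alerts


if __name__ == "__main__":
    for decision in enforce_ip_policy(SAMPLE_EVENTS, ALLOWED_NETWORKS):
        print("policy:", decision)
    for user, summary in access_report(SAMPLE_EVENTS).items():
        print("report:", user, summary)
    for alert in new_network_alerts(SAMPLE_EVENTS):
        print("alert:", alert)
```

With the constructed data, alice's two logins from 198.51.100.42 are blocked by the allowlist, and the alerting function (which does not consult the allowlist) still reports that address as a new network, which is the signal a user reviewing the report would act on. Failed attempts are counted in the report but never seed the "seen" set, so an attacker's failures from a new range do not suppress the alert on a later success.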


Is it possible for the government to establish a separate secure network? A North American network for government communication and infrastructure control use which was entirely separated from the internet would be very useful.


The government already does this for some things. SIPRnet is for the transmission of information classified up to secret and is airgapped from the public internet. This is where the Bradley Manning leaks came from. JWICS and NSANet are run along the same lines, but they transmit information classified up to Top Secret/SCI.


Why are "Senior US Officials" using gmail?


Google Apps provides a government edition: http://www.google.com/apps/intl/en/government/index.html


It's their personal accounts.


Then why would it matter if it got hacked? Surely they aren't conducting any official government "business" on their personal Gmail account, right?


To keep discussions off the public record.

http://motherjones.com/mojo/2010/06/starbucksgate-crew-calls...

Even in absence of some wrong-doing, officials are people too. Why would they conduct personal business using their work account?


Does this have anything to do with the backdoor API, or were the passwords just brute forced?


There are no 'backdoor' shenanigans; they comply with subpoenas like everyone else (and they uniquely provide a transparency report). The Schneier claim was speculative and he dismissed it later.

In this case it's phishing, read the post.


Do you know where he dismissed it? The article at http://www.schneier.com/essay-306.html is still up, with no disclaimer or obvious link to a correction.


A week or two later on his blog:

http://www.schneier.com/blog/archives/2010/02/more_details_o...

"The rumor that China used a system Google put in place to enable lawful intercepts, which I used as a news hook for this essay, has not been confirmed. At this point, I doubt that it's true."


Thanks. I didn't know that. Given how famous the other essay is, he should really update it...


Why do people downvote questions like this? It makes no sense to me at all. Am I doing something wrong? I thought I was polite and on-topic.


I've noticed this a lot lately.

People seem to randomly downvote a post they think is "wrong", with no explanation. Asking for one seems to make it worse.

(eg: http://news.ycombinator.com/item?id=2586625. Perhaps I was a touch rude, but a better response would have been to reply politely, point out where I was wrong and make me seem like a small-minded fool. Instead, downvotes are the response.)


Neither, did you read the post?


Obvious sickening propaganda for closing down the Internet!


Why would Google want to close down the Internet?


Because... it's a conspiracy! Wake up, sheeple!


1. Get tons of cash by being successful & selling bonds
2. Buy up every short call and option on any tech company
3. Destroy the Internet
4. Profit!



