Google Uncovers China-Based Password Collection Campaign
D H NG writes "Google announced that it recently uncovered a campaign to collect users' passwords. The campaign, apparently originating from China, affected what seem to be the personal Gmail accounts of hundreds of users including, among others, senior US government officials, Chinese political activists, officials in several Asian countries (predominantly South Korea), military personnel and journalists. Google said it detected and has disrupted this campaign and has notified victims and secured their accounts, as well as notified the relevant government authorities."
So is this an act of war by China?
...air strikes?
it isn't a data breach, Google has uncovered a campaign to steal passwords. Well done Google.
My wife's Gmail account got caught up in this! Last weekend I received some spam from _her_ gmail account. We immediately logged in and Google said that it had detected suspicious behavior and made her reset her password. It then showed us the connection log... and everything looked normal except one particular connection: FROM CHINA!
We were pissed.... but it doesn't appear that anything else was compromised (she didn't have anything sensitive in her Gmail account luckily).
Things really seem to be escalating on the 'net lately... from PS Network to Lockheed and now to Gmail. I really have to wonder if China is _actively_ participating at this point...
where the hell have you been?
"In its first formal cyber strategy, the Pentagon has concluded that computer sabotage by another country could constitute an act of war"
http://www.msnbc.msn.com/id/43224451/ns/us_news-security/t/sources-us-decides-cyber-attack-can-be-act-war/
The real reason Google is upset about this is because China isn't paying them to get the information like everyone else. Google is pissed that China is cutting out the middle man.
[Citation Needed]
Password
passw0rd
123456
hunter2
I eat only the real part of complex carbohydrates.
If only it didn't take so many clicks more people would do it.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
I'm just sayin, maybe turn the LOIC on China for a bit?
I think Sony may have learned at least a partial lesson now.
-AI
For me, it is far better to grasp the Universe as it really is than to persist in delusion
The question is (1) at what point the origin of a cyber-attack presents presumptive evidence of state action that must be rebutted, (2) whether the absence of a showing that the state was not involved means that the US should be launching reprisal cyber-attacks against China. Also, (3) whether it does so already and we just don't hear about it.
At this point, there is a pattern of cyber-attacks on the US originating in China. If China does not hunt down the perpetrators, it should be considered complicit and the United States should strongly consider response in kind.
-- IANAL, this isn't legal advice, and definitely isn't legal advice for you. Also, Squee!
"as well as notified the relevant government authorities."
"Yeah, we know.... Uh.. I mean really? Collecting passwords, you say?"
where they won't let you use your credit card account abroad unless you phone ahead and tell them you will be abroad and it's ok if they start getting charges from bangkok or antigua
maybe it's time for email providers to do the same: "no logging into my account from foreign ip blocks unless i tell you it's ok"
and the default for this protection should be "on". your average user won't take the time to hunt for this menu item and enable it
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
The world is currently in the early stages of a great depression. The huge increase in computer crime and the revolts in arab countries are just symptoms of that.
South Korea has a pivotal role in the whole North Korea issue. China is sort of like a "big brother" to North Korea and makes sure that no one is dealing unreasonably with it.
Two of my imaginary friends reproduced once
Well I think China quite likes the idea of a communist country with a huge army as a buffer between them and the US-allied south.
But they are well-advised to not support them officially, since they don't want to get drawn in into a war with America currently as it supplies them with consumers for their products. Also in case they do supply North Korea with Intel they better do so under the condition that they not start a nuclear war since atomic mushrooms in your neighboring countries are never a good thing.
So imo their best bet right now is to officially distance themselves but secretly support them under certain conditions. But having information about the nearest country with US Troops stationed sounds like something they could use themselves.
Have any details been released? This sounds curiously like an e-mail-based phishing campaign, if the passwords weren't obtained from Gmail's own systems and they weren't exploiting a software vulnerability.
Someday, you're going to die. Get over it.
If I were a hacker, I wouldn't let you track me and would always pretend to be an easy target to blame, like China. Only a fool can tell exactly where the hacker is.
Everything comes from nothing.
Wrong. Google is not pissed about revenue loss. If they were worried about revenue loss they would have stayed in China, collected the advertising dollars in the growing market, and not given a sh!t about compromised users. Instead, they spurned the money on principle and withdrew from that market when the Chinese Government gave them crap conditions to operate under. Google's Sergey is particularly sensitive to repressive totalitarian governments like China because he grew up in the Soviet Union - and understands how bad such governments are to their own people (even if the people are brainwashed into believing it is good for them, and the government presents a happy face to the world while having a corrupt and brutal face internally). Once the Chinese Government was implicated in the breaches of Google accounts Sergey was able to convince Larry to ignore the money and pull out on principle. This is actually a case of a big company doing something ethical (better late than never). But don't let me rain on your little conspiracy theory that Google is somehow more evil than the Chinese Government (something becoming fashionable to believe in the West, despite being a patent falsehood).
1. Declare "cyber-crime" against the government officially a war crime.
2. Release details on a not-so-friendly foreign nation's shady online behavior.
3. Boom???
4. Profit!!
The eternal struggle of good vs. evil begins within one's self.
There cannot be a WW3 yet, because WW2 has not really finished- just diffused here and there. Like so, more or less.
Let's hope it is going to be over soon, though I hardly think so- unless a world war is defined as a war between superpowers.
The three laws of thermodynamics:(1) You can't win. (2) You can't break even. (3) You can't even quit.
This happened to me but it was about a year ago. I went to check my gmail and it said it had recently been accessed from China. I immediately reset my password on every account that I had everywhere. Not that my passwords are the same, but with access to my gmail the attacker could change or find out my password for almost every site I visit. I have no idea how they figured out my password, I didn't use it elsewhere, it was a made up word, 9 digits long, with 2 numbers and a symbol in it. If they could guess that... well, I just dunno.
These people need professional advice, or common sense: Don't store highly valuable (i.e., dangerous to people's lives), confidential information on a free public webmail service!
Really, how hard is that to figure out? How many very well-publicized successful attacks has Google experienced, and they still haven't figured it out?
Do it!
Why do Chinese political activists use Gmail? There are far more secure email systems they can use. And why would military and political officials use it when they have access to government email systems, except when they don't want their emails to be read and archived for the public interest? Also, why is it only Gmail that keeps on getting attacked by the Chinese? Are they the only ones who mention it?
The article says "The officials emphasize, however, that not every attack would lead to retaliation. Such a cyber attack would have to be so serious it would threaten American lives, commerce, infrastructure or worse, and there would have to be indisputable evidence leading to the nation state involved, NBC Pentagon correspondent Jim Miklaszewski said."
What that means in English is something like: If a hostile organization brought down the electric grid, or caused a meltdown in a nuclear plant, or caused airliners to crash, or did something equivalent, then that means that war is an option.
That makes sense IMHO.
You might think it's stupid for a big company to take a principled stand like that, and generally it is, but that decision lined up with Google's future potential in Europe/America: Google is nearly unique (meaning doomed to fail) in the tech world in that it relies almost entirely on the amount of trust users place with Google. Other corporations can survive overwhelming bad publicity; Google can't, and it hasn't had to.
I would assume that the burden of proof needed to declare war over a cyber-attack is no different than that needed for a physical attack. The Pentagon was basically just saying "cyberattacks aren't exempted from war - we will retaliate as we would for any other attack".
Now, if China were to launch a large-scale cyberattack, we'd know it was them, because they would simultaneously launch all kinds of other military attacks. If it's big enough to cause major problems, it's big enough to leave a trail, and eventually the culprit country will be hunted down. We know this. China knows this. Thus, any major cyberattack would be in combination with other attacks.
Hypothetical war scenario: First warning is a massive cyberattack. Goal is denial-of-service of the entire North American comms system. Whether by clever hacking or sheer numbers, the systems go down, and stay down. No Internet, no phone, nothing faster than Fedex. Second notice is a full ICBM launch. 300 missiles, their full inventory, each with nuclear warheads. Priority targets are the American missile fields. They're hit before they can receive orders to fire, or even confirm that there's an attack going on. Time elapsed: 20 minutes. US ICBMs are effectively gone. The only remaining nuclear option (the bombers were mothballed long ago) is submarine-launched missiles. Enough for some nasty payback, but not enough to turn the tide.
This could be either the prelude to an invasion, or simply a preventative measure - getting us out of the way so they can "finish" the Korean War, maybe. Perhaps even just a defensive distraction, should China feel that the American army is uncomfortably close to their border.
OK, so I'm not Tom Clancy here, but that's the most plausible scenario I can imagine for a military cyberattack. Political or espionage, sure, there's plenty of those, but when was the last time we declared war over a spy?
Look at China's attitude towards everything going on in the world.
The only thing China is concerned about is their own stability and economic growth.
They didn't openly pick a side in the war on "terrorism".
No reaction to the conflict in Libya, or any other conflict going on in the world.
Their only reaction was to shorten the leash on their own people. (I know because I live in Beijing).
China wants nothing to stand in the way of their growth.
They used to be North Korea's only ally, they still are. But they are now backing away from that as well. Asking Kim Jong Il to stop the nuclear projects.
But still being friendly to North Korea, to not anger any side.
I don't think they will risk foreign relationships by hacking people like this. Only if they feel it is justifiable.
Is anyone really surprised by this? I don't mean to cast aspersions on everyone in China but dammit if they don't have a huge right wing group of people who are hell bent on enforcing totalitarianism on not only themselves but the world at large.
And the kicker is that we have had our own group of people who viewed 1984 as a manual rather than a cautionary tale working since the 60's.
I'm sorry but for everyone that views the right wing slide as OK you are so wrong. So very wrong.
Really, I know what I'm doing...Ohhhh, look at the shiny buttons!
United States should strongly consider response in kind?
Russia learned in the early 1950s that its mil radio communication was under constant threat. They changed to one time pads and hardened their communications networks.
China did not leak much signal info during the cold war and if they were wise would not have much on any open networks now.
Why the US would have any info on open networks beyond honeytraps/boondoggle efforts is very strange/sloppy/dumb.
Domestic spying is now "Benign Information Gathering"
I had a few clients of mine experience this over the last few weeks. It has not been pleasant to say the least! It took me almost 3-4 days to recover the "password and account" on one of the Gmail accounts that had been "flagged" (so to speak) which I thought was RIDICULOUS. I mean if you "live and die" by your email - like I do, 3-4 days would be an ETERNITY. My thoughts anyhow. Nice post!
The Nerd Blurb - If a Nerd Doesn't Know, No One Knows!
After harvesting your password, they would then try to change your forwarding and delegation settings. Since this would be done from their machine, they'd face a 2-factor challenge prompt from gmail which they could not meet, unless they had also stolen your phone.
"We receive as friendly that which agrees with, we resist with dislike that which opposes us" - Faraday
I use Lastpass (which got hacked recently, but my LastPass crypto password was pretty secure). I also use the Google 2 Step Authentication. Once Facebook implements this as well, I will switch immediately. I log in to most sites with either Google or Facebook. I prefer Google, because it's usually just confirming the email, whereas apps that log in to Facebook want access to data, my wall, my friends, etc. That's as stupid, imo, as an app or site asking, "Login with Google, and give us permission to read your email and send email as you."
What many people don't know is that Google has some privacy features built in if you know where to look. At the bottom of the page it says something like:
Last account activity: 4 minutes ago at this IP (127.0.0.1). Details
Click Details and you'll see:
This account does not seem to be open in any other location. However, there may be sessions that have not been signed out.
Browser * United States (NY) (127.0.0.1) 5:45 am (0 minutes ago)
Browser United States (NY) (127.0.0.1) 5:39 am (5 minutes ago)
Mobile United States (NY) (127.0.0.1) 4:03 am (1.5 hours ago)
Mobile United States (CA) (127.0.0.2) 6:19 pm (11 hours ago)
Browser United States (NY) (127.0.0.1) Jun 1 (18 hours ago)
Mobile United States (NY) (127.0.0.3) Jun 1 (20 hours ago)
Now, unless you were in CA recently (or have a proxy), this shows that someone hacked your account 11 hours ago from California.
Click the "Sign out all other sessions" button, then go change your password ASAP and enable 2 Step Authentication if you haven't already.
I8-D
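As an added example (not part of the comment above and not Google's code): a Python script that parses activity lines in the layout quoted in that comment and reports sessions whose location or IP differs from the current session, the one marked `*`. The function names, the `known_locations` parameter and the sample data are assumptions made for illustration.

```python
import re
from typing import NamedTuple

# Constructed sample in the layout quoted in the comment above (not real account data).
SAMPLE = """\
Browser * United States (NY) (127.0.0.1) 5:45 am (0 minutes ago)
Browser United States (NY) (127.0.0.1) 5:39 am (5 minutes ago)
Mobile United States (NY) (127.0.0.1) 4:03 am (1.5 hours ago)
Mobile United States (CA) (127.0.0.2) 6:19 pm (11 hours ago)
Browser United States (NY) (127.0.0.1) Jun 1 (18 hours ago)
Mobile United States (NY) (127.0.0.3) Jun 1 (20 hours ago)
"""

# One line: access type, optional '*' (current session), country, (region), (IP), time, (age).
LINE_RE = re.compile(
    r"^(?P<access>\w+)\s+(?P<current>\*\s+)?(?P<country>.+?)\s+\((?P<region>[A-Z]{2})\)"
    r"\s+\((?P<ip>[0-9A-Fa-f.:]+)\)\s+.+?\s+"
    r"\((?P<age>\d+(?:\.\d+)?)\s+(?P<unit>minute|hour|day)s?\s+ago\)$"
)
UNIT_MINUTES = {"minute": 1, "hour": 60, "day": 1440}


class Session(NamedTuple):
    access: str         # "Browser" or "Mobile"
    current: bool       # True for the line marked '*'
    location: str       # e.g. "United States (NY)"
    ip: str
    age_minutes: float  # relative age converted to minutes


def parse_activity(text):
    """Return (sessions, unparsed); lines that do not fit are kept, never dropped silently."""
    sessions, unparsed = [], []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            unparsed.append(line)
            continue
        sessions.append(Session(
            m["access"], m["current"] is not None,
            f'{m["country"]} ({m["region"]})', m["ip"],
            float(m["age"]) * UNIT_MINUTES[m["unit"]]))
    return sessions, unparsed


def review(sessions, known_locations=()):
    """Compare every session with the current one.

    other_location: location is neither the current one nor in known_locations.
    other_ip: same trusted location but a different IP (informational only).
    """
    current = [s for s in sessions if s.current]
    if len(current) != 1:
        raise ValueError("expected exactly one session marked '*'")
    trusted = {current[0].location, *known_locations}
    other_location = [s for s in sessions if s.location not in trusted]
    other_ip = [s for s in sessions
                if s.location in trusted and s.ip != current[0].ip]
    return {"other_location": other_location, "other_ip": other_ip}


if __name__ == "__main__":
    parsed, skipped = parse_activity(SAMPLE)
    for s in review(parsed)["other_location"]:
        print(f"check: {s.access} from {s.location} {s.ip}, {s.age_minutes:.0f} min ago")
```

A flagged location is a prompt to check rather than proof of compromise, since travel or a proxy produces the same entry.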
These people need professional advice, or common sense: Don't store highly valuable (i.e., dangerous to people's lives), confidential information on a free public webmail service!
What evidence is there that the victims stored such information on public servers? A personal account with no work mails could still give enough info to compromise accounts elsewhere.
BitDefender researcher says this is exactly what he was expecting: more and more companies that keep large amounts of personal/confidential/private data being attacked.
"We believe that fraudsters are corroborating all these information (corporate hacks or leaks), malicious mobile and social network apps into creating profiles of people everywhere in the world, with the purpose of creating better social engineered attacks, and everybody is a possible victim." says Catalin Cosoi from the Online Threats Lab.
And also: "Monitoring a political personality's email (especially a personal one) can lead to a really nice profit for an attacker, no matter if he is just a hacker or a bigger organization is involved. Besides personal information, monitoring the private conversations can lead to blackmail and extortion and/or manipulation of the individual into performing different actions."
You underestimate how many of those ICBMs were removed from stationary silos onto warships and submarines. Strangely enough, a large amount of the current number of nuclear arms in our inventory happen to be within easy striking distance of China via bodies of water near the Iraq and Afghan campaigns...
BTW, right now Congress is attempting to force Obama into upgrading the rest of the stockpile now that we signed the new START and left the previous anti-nuke treaty that had been signed under an older administration. Republicans (with the backing of several Dems) have tied this into an appropriations bill, namely the kind that the president is not allowed to veto by law.
@Mindless Drivel: 100% of Twitter posts ever Tweeted.
"Blaming these misdeeds on China is unacceptable," Chinese foreign ministry spokesman Hong Lei told a news briefing in Beijing, according to The Telegraph.
"Hacking is an international problem and China is also a victim. The claims of so-called Chinese state support for hacking are completely fictitious and have ulterior motives."
Here is a picture of the spokesman.
I8-D
i hate facebook, but i'll be the first to agree with you that facebook deserves praise and admiration for initiating this genius account policy. good job facebook
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
A lot of the problem stems from the fact that the US and other Western countries have got into the habit of licking the asses of the Chinese in order to maintain trade relationships. Acceptance of the principle that China has committed an act of war might presuppose that other sanctions are fair game, but Big Business always squeals when any political move is made counter to their short-term interests.
It is perfectly possible for the rest of the world to pull the plug on China, leaving them to howl for any resources they need to maintain growth and dominance, but it would mean growing a pair. If we aren't prepared to fight back or isolate hostile attackers, then all we can do is play whack-a-mole with them.
"Invalid username and/or password. Please enter your email password, not your LinkedIn account password"
You can try that yourself, using any dummy email address.
I saved a screenshot here.
(notice that it's not even a secure -https- page!)
Ok, I said to myself, it seems I must enter my google password... I entered it, pressed "continue"... and two seconds later I thought:
"Wait a moment... What...? What have I done?? How can linkedin ask me to send to THEM my Google password ? Are they nuts? Am I nuts?"
I immediately went to my Google account and changed my password, just in case. But I still can't understand it.
The nuclear payload from just 1 submarine is capable of more than payback. And your scenario also does not take into consideration that there are protocols in place to respond to certain types of threats even with coms down. That's even assuming they could take down the military coms at all. Do you think the military has not gone to great pains to harden their systems against EMP and position redundant satellites? The civilian communication networks could be crashed but I don't believe the military has their ICBM launch controls wired into the Internet.
I mean, don't use any webmail at all. Use your own local mail server.
So, uh, I trust my security to... myself? Instead of someone whose job it is to keep on top of shit like this? Even my work offers webmail with their email addresses.
I think that is a valid issue (though I'm not sure what your workplace has to do with it, unless you work with top secret data). But I think it's overridden by the fact that Google and GMail are huge targets for attackers; that their service, by design, makes the confidential data accessible from any computer in the world via a web browser; that thousands of Google employees and contractors (I'm guessing at the number) have access to the data and/or physical access to the servers; and that you are putting life-and-death information in the hands of an outside company (Google).
No security consultant would recommend that design for highly valuable confidential data. That's not how the military or NSA stores its most valuable data.
They need private mail servers, with proxies and firewalls between the servers and the public Internet (and attackers), with proper security including minimized access, even for authorized users.
Let me guess? Weiner had his password stolen, and a private photo was leaked to twitter?
No, I will not work for your startup