Google Warning Gmail Users About State-Sponsored Attacks
Trailrunner7 writes "Google, whose users have been frequent targets of suspected attacks by foreign governments, is deploying a new warning system for users who may be victims of those kinds of attacks. The new system is in addition to existing warnings that Google will show Gmail users when their accounts may have been accessed by attackers. Gmail users have been on the receiving end of a number of known attacks, including the infamous Google Aurora attack that has been blamed on China. Part of that operation was aimed at a specific subset of Gmail users, including Chinese dissidents and journalists. Now, Google says it will warn users about exactly that kind of activity."
Google's security people aren't thinking straight. They believe there is state-sponsored hacking and they then recommend their silly phone PIN nonsense ("two factor authentication")? Did they think that the phone channel was secure? They don't believe someone could watch them send the PIN over a text message? If they really cared about security they'd wean people off of passwords and only use computer generated RSA/DSA keys. I believe that browsers already allow client certificates for setting up https connections. Using computer generated and invoked keys would solve the phishing and guessing attacks. The keys would have a high enough search space that guessing would be impossible. The connections would be authenticated in a way that wouldn't expose the private key itself, so phishing wouldn't work. 1) the google server key would be checked in a secure crypto manner and a MITM attack wouldn't be possible. 2) the user's key would be checked in the standard public key crypto manner also, which wouldn't expose the private key in the process of authentication. Crap, I know practically nothing about crypto and can punch holes in Google's stuff. They don't think the equivalent of some evil country's NSA could do much better?
I know practically nothing about crypto
That should be a sign right there that they've likely thought this through more than you have. What makes you think the entirety of their security policy is accurately conveyed in TFA?
PINs through texts are not bulletproof, but they do add security. So do the other methods Google offers, like locally-generated tokens. Certificates are hardly bulletproof either, as Microsoft recently found out. And most methods will fail if you've got a state-sponsored infection like Flame on your system...
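The thread above argues for key-based login in which the user's private key signs a server challenge and never leaves the machine, and the reply notes that no single method is bulletproof. This added Go example (not code from the article or any commenter) shows that challenge-response in working form and adds the check a practitioner would want on top of it: the challenge is bound to the server's origin, so a phishing page that relays the genuine nonce obtains a signature that fails verification at the real server. The origins, the `Challenge` layout and the use of ECDSA P-256 are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Challenge is what the server sends: a fresh nonce bound to its own origin.
type Challenge struct {
	Origin string
	Nonce  [32]byte
}
// digest is the message actually signed: SHA-256(origin || nonce).
func digest(c Challenge) []byte {
	h := sha256.Sum256(append([]byte(c.Origin), c.Nonce[:]...))
	return h[:]
}
// clientSign runs on the user's machine; only the signature leaves it.
func clientSign(priv *ecdsa.PrivateKey, c Challenge) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, digest(c))
}

// serverVerify checks against the challenge this server issued, using only the enrolled public key.
func serverVerify(pub *ecdsa.PublicKey, issued Challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, digest(issued), sig)
}

// demo returns (genuine login accepted, relayed phishing signature accepted).
func demo() (bool, bool, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	issued := Challenge{Origin: "mail.example.com"} // constructed origin
	rand.Read(issued.Nonce[:])
	sig, _ := clientSign(priv, issued)
	// A phishing page relays the genuine nonce under its own origin; the client
	// signs for the origin it sees, so the relayed signature fails upstream.
	relayed, _ := clientSign(priv, Challenge{Origin: "evil.test", Nonce: issued.Nonce})
	return serverVerify(&priv.PublicKey, issued, sig),
		serverVerify(&priv.PublicKey, issued, relayed), nil
}

func main() {
	ok, phished, err := demo()
	fmt.Println("genuine accepted:", ok, "relayed accepted:", phished, "err:", err)
}
```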
Why would anyone engrave "Elbereth"?
Somehow I don't think I'd be getting a notification in this situation
"...encrypting your email?"
Encryption for email has been widely available since the mid-1990s, with native support or plugins for almost (but not quite) every major mailer, yet almost no one uses it. That shows just how much most people care about security of online communication.
Which email client has encryption installed out of the box? How "widely available" is it if I have to go download a plugin, then find out how to generate keys, then somehow get my public key to all of the people that I want to communicate with? None of this process is standardized or documented in one place.
Obsession with "the NSA" aside, if a US law enforcement entity with a warrant makes a request to a US corporation, that US corporation complies. Because we're, you know, actually a nation of laws.
The CONTENT of the private communications of US Persons is off limits without an individualized warrant from a court of competent jurisdiction. It's our friends across the Pacific that are monitoring the content of communications, including of their own citizens.
Google isn't doing this with direct knowledge that a particular person is being spied on by their government. They're doing it based on aggregate evidence in nations known to be monitoring certain groups of internet users en masse; i.e., NOT the United States.
Do you think the US government and US corporations should follow the law, or not? If not, what should govern it?
Your opinion?
Communications metadata in various forms has been fair game for decades (i.e., not a "new" or "post-9/11" construct), and has been validated by the US Supreme Court. How do you propose identifying and targeting specific foreign communications — the content of which does not require, and never has required, a warrant — now increasingly traveling on systems and networks within the US, without first having a mechanism to identify and target those communications?
Try to get out of your bubble where you perceive that the government is out to "get you" and take away your rights, and realize that the US has adversaries — not even of our own creation! — and that most in government and military leadership take their obligations to the law, the Constitution, and the people of the United States seriously.
If a US agency (law enforcement or no) with no warrant makes a request to a US corporation, that US corporation (e.g. AT&T) complies. Because if that corporation (e.g. Qwest) resists, their principals end up on the wrong end of an investigation of the sort Cardinal Richelieu made famous ("If you give me six lines..."). Because we're not actually a nation of laws.