Google Warning Gmail Users About State-Sponsored Attacks

Trailrunner7 writes "Google, whose users have been frequent targets of suspected attacks by foreign governments, is deploying a new warning system for users who may be victims of those kinds of attacks. The new system is in addition to existing warnings that Google will show Gmail users when their accounts may have been accessed by attackers. Gmail users have been on the receiving end of a number of known attacks, including the infamous Google Aurora attack that has been blamed on China. Part of that operation was aimed at a specific subset of Gmail users, including Chinese dissidents and journalists. Now, Google says it will warn users about exactly that kind of activity."

Google thinks texting is secure???

[madbavarian]

Google's security people aren't thinking straight. They believe there is state sponsored hacking and they then recommend their silly phone pin nonsense ("two factor authentication")? Did they think that the phone channel was secure? They don't believe someone could watch them send the PIN over a text message? If they really cared about security they'd ween people off of passwords and only use computer generated RSA/DSA keys. I believe that browsers already allow client certificates for setting up https connections. Using computer generated and invoked keys would solve the phishing and guessing attacks. The keys would have a high enough search space that guessing would be impossible. The connections would be authenticated in a way that wouldn't expose the private key itself, so phishing wouldn't work. 1) the google server key would be checked in a secure crypto manner and a MITM attack wouldn't be possible. 2) the user's key would be checked in they standard public key crypto manner also, which wouldn't expose the private key in the process of authentication. Crap, I know practically nothing about crypto and can punch holes in Googles stuff. They don't think the equivalent of some evil country's NSA could do much better?ï

Re:Google thinks texting is secure???

First, there is an Android/iPhone/BlackBerry authenticator app (software one-time pad) that you can and should use instead of SMS-sent confirmation code if you don't have a dumbphone.

Second, if you cannot use such an app: obviously SMS represents in no way a secure channel, but it still adds another unsecure channel a potential attacker has to identify then crack (although wiretapping SMS is peanut butter for NSA and friends, linking phone number to Google account might not always be trivial when using prepaid cards for example).

Re:Google thinks texting is secure???

[Catskul]

I think the text message is not supposed to be 100% secure, but another obstacle to put in the way of attackers. It's an 80% solution.

Re:Google thinks texting is secure???

[utkonos]

Using computer generated RSA/DSA keys is actually a bit less secure than the best option, SRP. I'm not clear on why the Secure Remote Password protocol is not deployed more widely.

Another point is that you can use Google authenticator rather than the SMS garbage. This is much more secure and uses HMAC-Based One-Time Password Algorithm (RFC 4226) and Time-Based One-Time Password Algorithm (RFC 6238). It even has a PAM module that you can use with just about anything that supports PAM, and it has iOS, Android, and Blackberry versions of the client app.

Re:Google thinks texting is secure???

[DragonWriter]

Google's security people aren't thinking straight. They believe there is state sponsored hacking and they then recommend their silly phone pin nonsense ("two factor authentication")? Did they think that the phone channel was secure? They don't believe someone could watch them send the PIN over a text message? If they really cared about security they'd ween people off of passwords and only use computer generated RSA/DSA keys.

Username and password with the authentication code is more secure than without it, though using the SMS or voice-channel option (which isn't the preferred two-factor mechanism) is a greater risk against an attacker with your password than the preferred two-factor method (which uses an app which generates computer-generated keys instead of sending them two you over a telecommunication network.)

Using computer generated and invoked keys would solve the phishing and guessing attacks.

It would be a single-factor authentication method subject to compromise of the device with the key-generating software. In practice, it would be less secure than using Google's existing two-factor authentication system using the preferred (mobile app) mechanism, which involves both device generating a limited-time authentication code and a regular password, so that compromise of either the password or the device doesn't compromise the account.

Re:Google thinks texting is secure???

[Dan541]

Crap, I know practically nothing about crypto and can punch holes in Googles stuff. ;

Thanks for the pointer. We would never have guessed.

Re:Google thinks texting is secure???

[swillden]

First, there is an Android/iPhone/BlackBerry authenticator app (software one-time pad) that you can and should use instead of SMS-sent confirmation code if you don't have a dumbphone.

Second, if you cannot use such an app: obviously SMS represents in no way a secure channel, but it still adds another unsecure channel a potential attacker has to identify then crack (although wiretapping SMS is peanut butter for NSA and friends, linking phone number to Google account might not always be trivial when using prepaid cards for example).

Another option is to pre-generate a list of codes, print them out and cross them off as you use them. When you get low, log in and generate and print another set.

so what about NSA accesses?

One of two things are true:

1) Google never ever receives any requests for information from the NSA;

2) What Google actually means is that it will warn Gmail users about state-sponsored "attacks" from countries the US isn't on perfect terms with.

It's one thing to have corporations battling with government for control. It's quite another when one information-gathering corporation has become so big that it's playing its own overt part in the propaganda war.

Re:so what about NSA accesses?

[daveschroeder]

Obsession with "the NSA" aside, if a US law enforcement entity with a warrant makes a request to a US corporation, that US corporation complies. Because we're, you know, actually a nation of laws.

The CONTENT of the private communications of US Persons are off limits without an individualized warrant from a court of competent jurisdiction. It's our friends across the Pacific that are monitoring the content of communications, including of their own citizens.

Google isn't doing this with direct knowledge that a particular person is being spied on by their government. They're doing it based on aggregate evidence in nations known to be monitoring certain groups of internet users en masse; i.e., NOT the United States.

Do you think the US government and US corporations should follow the law, or not? If not, what should govern it?

Your opinion?

Communications metadata in various forms has been fair game for decades (i.e., not a "new" or "post-9/11" construct), and has been validated by the US Supreme Court. How do you propose identifying and targeting specific foreign communications — the content of which does not require, and never has required, a warrant — now increasingly traveling on systems and networks within the US, without first having a mechanism to first identify and target those communications?

Try to get out of your bubble where you perceive that the government is out to "get you" and take away your rights, and realize that the US has adversaries — not even of our own creation! — and that most in government and military leadership take their obligations to the law, the Constitution, and the people of the United States seriously.

Re:so what about NSA accesses?

[russotto]

Obsession with "the NSA" aside, if a US law enforcement entity with a warrant makes a request to a US corporation, that US corporation complies. Because we're, you know, actually a nation of laws.

If a US agency (law enforcement or no) with no warrant makes a request to a US corporation, that US corporation (e.g. AT&T) complies. Because if that corporation (e.g. Qwest) resists, their principals end up on the wrong end of an investigation of the sort Cardinal Richelieu made famous ("If you give me six lines..."). Because we're not actually a nation of laws.
 

Re:so what about NSA accesses?

[Runaway1956]

"if a US law enforcement entity with a warrant makes a request "

I don't know for sure, but I get the impression that you've been sleeping for most of a decade. Remember all the hoopla over warrantless taps? Warrantless searches and seizures? In one single instance, virtually all United States telcos were ordered by the US government to cooperate with federal officials to monitor email communications for hints of terroristic threats. Long afterward, the courts started to get involved, and started to find all that shit was unconstitutional. In fact, Congress passed a special law to indemnify all those telcos against being sued for cooperating with the government.

Obsessions? Pal - the government may or may not "be out to get you", but if you believe for one moment that the government is your friend, then you are a fool.

The very men who created this country warned us that it was our duty to guard against government intrusion on our rights.

Armchair experts

[Namarrgon]

I know practically nothing about crypto

That should be a sign right there that they've likely thought this through more than you have. What makes you think the entirety of their security policy is accurately conveyed in TFA?

PINs through texts are not bulletproof, but they do add security. So do the other methods Google offers, like locally-generated tokens. Certificates are hardly bulletproof either, as Microsoft recently found out. And most methods will fail if you've got a state-sponsored infection like Flame on your system...

How about the American government?

[Eightbitgnosis]

Somehow I don't think I'd be getting a notification in this situation

Re:How about...

[Smallpond]

"...encrypting your email?"

Encryption for email has been widely available since the mid 1990s, with native support or plugins for almost (but not quite) every major mailer, yet almost no one uses it. That shows just how much most people care about security of online communication.

Which email client has encryption installed out of the box? How "widely available" is it if I have to go download a plugin, then find out how to generate keys, then somehow get my public key to all of the people that I want to communicate with? None of this process being standardized or documented in one place.

Re:How about...

[betterunixthanunix]

Which email client has encryption installed out of the box?

Outlook, Thunderbird, the mail client in OS X, Evolution, and KMail all come to mind -- they all at least support S/MIME out of the box. Now, I think S/MIME is not appropriate for the typical PC user's email and the PGP's web-of-trust approach is a lot better, but it is not as though there is no encryption option available in popular email clients.

find out how to generate keys

This is definitely the weakest link in the chain for email encryption -- I do not think any of the clients I mentioned above have an automatic key generation process. Maybe Google should submit a patch to Thunderbird instead of working on better ways to let people know that they have been compromised (or perhaps in conjunction with that).

somehow get my public key to all of the people that I want to communicate with?

S/MIME does this automatically when you send signed email to people.

Google is doing a good thing - mostly

[raque]

We can argue the details of security from now to doomsday. It's a good thing that Google is doing this. Except it's of limited value. As has been pointed out in reference to the Flame attack, State sponsored hacking is very hard to detect. Google might be able to detect some, but how many? And when does Google encounter a conflict of interest? What happens then, and will we know? This is one reason I like the existence of things like Bing and Yahoo Axis, I get to spread things around. No, it's not a cure all and I'm aware that I still can be tracked, but I am raising the price (effort, etc) needed to get things on me.

We're back to the price of Freedom is Eternal Vigilance. Some things don't change in the digital world. Politics didn't, Sex did. Go figure.

This comment will not be saved until you click the Submit button below.

Re:How about...

[wintersdark]

Which email client has encryption installed out of the box? How "widely available" is it if I have to go download a plugin, then find out how to generate keys, then somehow get my public key to all of the people that I want to communicate with? None of this process being standardized or documented in one place.

And, of course, what of your recipients? I'd love to encrypt all my mail, but having to have everyone I converse with do the same *AND* use the same set of plugins, clients, etc? Particularly considering most access their email over a variety of clients, browsers, and even operating systems? I know I access mine over three separate OS's on a daily basis.

Yeah, that's just not going to happen. Sure, you can secure point to point email that really needs to be, but otherwise it's entirely impractical.