Feeds

back to article Recipe for a bad day: 'State-backed hackers are attacking your PC'

Several Burmese journalists and foreign correspondents have been warned by Google that their Gmail accounts may have been compromised by “state-sponsored attackers”. The writers, when logging into the webmail service, were confronted with a warning message stating “we believe state-sponsored attackers may be attempting to …

COMMENTS

This topic is closed for new posts.
Silver badge
Big Brother

Would be nice if...

...Google also warned you that any country's court ordered mandate had required access to your Gmail logs, also.

Hey ho.

5
0

I wonder...

Would they do the same if the "state-sponsored" attackers in question were sponsored or directed by the USA?

4
0

Re: I wonder...

Why would they bother hacking? I would be very surprised if the CIA don't already have unlimited access to your Gmail account, your facebook and anything else hosted in the US.

4
0
Gold badge
Unhappy

Re: I wonder...

"Why would they bother hacking? I would be very surprised if the CIA don't already have unlimited access to your Gmail account, your facebook and anything else hosted in the US."

Look at the PATRIOT act first.

you don't need to be the CIA to get unlimited access.

2
0
Facepalm

Re: I wonder...

Well shucks I hadn't thought of that.

0
0

This post has been deleted by a moderator

FAIL

Re: Linux is a strong solution

Fishing much?

0
0

Re: Linux is a strong solution

Seriously Eadon, did you just cut and paste that in there from another article?

You might wanna go read the article again. It's mainly about gmail. Even the first line will give you a clue:

Several Burmese journalists and foreign correspondents have been warned by Google that their Gmail accounts may have compromised by “state-sponsored attackers”.

Now...tell me...how will Linux's "foundational security architecture" protect my gmail account...which is hosted at Google, and already on Linux (Wikipedia link), and built on possibly the world best and most customised high availabilty storage/OS stack?

LINUX, Apple or PC...if they are being targetted, the attack vector will be the feeble and gullible human, not the technical one, and the aim is to get them to compromise their own machines. Spear phishing, I think we call it these days.

The solution is to not trust the session, and use some 2FA at the front door. Which is exactly what Google are proposing to do for these guys.

8
0
Anonymous Coward

Re: Linux is a strong solution

Nope, secure VPN is what you need.

0
0

Re: Linux is a strong solution

Secure VPN is a no-no too...if the machine is compromised by the web channel, all it does is expose the machine to your internal network, unless you have some abstraction as well (eg Citrix apps) and no other routes out the VPN DMZ.

No, better to abstract the application layer, slap in some 2FA and do some session validation and mutual auth transport encryption.

2
0
Thumb Down

Re: Linux is a strong solution

Meanwhile once Google have your phone number for 2FA, they can sell it off to advertisers and you receive 'Targetted Ad's' by text message... yay!

1
2
Thumb Down

Re: Linux is a strong solution

@Eadon

Do you enjoy collecting downvotes, or is your reading comprehension really that poor?

5
0
Silver badge

Re: Linux is a strong solution

I'm counting the days till we get the following post from him saying -

"NEITHER! THEY ARE BOTH FAIL! Everyone knows that Linux is a far better solution than Coke or Pepsi!"

Then we can call in the guys with the white coats.

0
2
Thumb Down

Re: Linux is a strong solution

You are making a fool of yourself.

3
2
Gold badge

Re: Linux is a strong solution

Eadon, not quite, because the problem is not the client end, it's at the Google side.

If the email would contain malware, then there is indeed less scope for infection on a Linux box but the article here is about the server end.

BTW, "fundamental" is better than "foundational", that's not really English :).

1
2
Anonymous Coward

Re: Linux is a strong solution

The solution is to not trust the session, and use some 2FA at the front door. Which is exactly what Google are proposing to do for these guys.

That is based on the assumption that there isn't some backdoor on the Google end that is being used/abused. I would suspect that people with an active need for security would be capable of choosing a reasonable pass phrase, but then again, if they really were concerned about security they wouldn't be using Google in the first place but go to setups like Hushmail..

1
0

This post has been deleted by a moderator

Gold badge
Unhappy

Re: Linux is a strong solution

"Meanwhile once Google have your phone number for 2FA, they can sell it off to advertisers and you receive 'Targetted Ad's' by text message... yay!"

Yeah, that smells like creepy Eric's idea of a turning a frown upside down.

0
0

This post has been deleted by its author

Bronze badge
Windows

besides humag beings,@Silverburn

Yes, social vector is common, however there is also another vector -- your vulnerable Windows PC with IE, key loggers and other vulnerabilities. Think about non-trivial ways to update 3d party apps, installing software from the unknown sources.

This is what Eadon is driving at.

1
0
Bronze badge
Devil

@Fred Flintstone

because the problem is not the client end, it's at the Google side.

What is it, what is the vulnerability please tell us and Google?

1
0
Bronze badge
Linux

Re: Linux is a strong solution

To guarantee 99.999% of security:

A user just has to use

-a proper system, like GNU/Linux (or even, OpenBSD for more security),

-MAC system like SELinux/AppArmor and proper browser (with additionally a noscript add-on)

-and/or IMAP/POP3 client to read mail: thunderbird, mutt, alpine, rmail, evolution etc

-Gnupg/PGP with asymmetric key encription

-his/her head to think, not to make stupid mouse-clickings movements

2
0
Silver badge

Re: Linux is a strong solution

I would love to be able to go to the bank manager and say "here's my GPG signature, you can use it to ensure that communications from me are both encrypted and authenticated. I suggest you do the same."

...and have her understand me.

Unfortunately last time I used PGP (a while ago admittedly), it had no Joe Notageek Public mode. That and most institutions don't have a "please provide a cryptographic signature here"* (*optional) field.

Would be nice to see more widespread adoption of a decentralised system for sending 4KB-key-encrypted emails though.

0
0
Joke

“state-sponsored attackers”

It reminds me of those PBS TV shows that are "underwritten" or "sponsored" by companies and organisations...

"This hacking attempt is brought to you by - North Korea! For all your nuclear testing needs you can rely on North Korea! Part of the Axis of Evil group of countries."

5
0
Mushroom

Re: “state-sponsored attackers”

"I am Kim Jong Un and I approve of this hacking."

(paid for by the committee do make Kim Jong Un the first president of the world)

Nuke because it just seems appropriate..

3
0
Flame

@Eadon

Okay, you're officially starting to get on my tits now too. Change the fucking record.

1
1
Devil

The Internet in Myanmar was always a bit shaky

The "government" always censored everything, and the only way to browse the web was to use a VPN. When I went there regularly in 2006/2007, I used to use Your Freedom (a tunnel service).

All web access had to go through "government" proxies, so the tunnel was the only way to go.

The biggest problems we had was actually with the power constantly going down. I can only hope that things have improved over the intervening years.

0
0
Thumb Up

Am I the only one..

.. that's impressed with Aye Aye Win's name?

2
0
Gold badge
FAIL

You bet your gmail account has been compromised.

Starting with Google.

gmail is complimentary.

It's not "free."

0
1
Gold badge

Re: You bet your gmail account has been compromised.

No, no, Gmail IS free. Schmidt said so himself, and we all know that Google will do no evil.

/sarcasm

2
1
Silver badge

Ooooh those wicked foreign governments!

'Several Burmese journalists and foreign correspondents have been warned by Google that their Gmail accounts may have been compromised by “state-sponsored attackers”.'

How different from our own home life in Britain and the USA, where we KNOW that ALL our accounts have been compromised by state-sponsored attackers.

http://www.wired.com/threatlevel/2012/03/ff_nsadatacenter/all/

http://www.dailymail.co.uk/news/article-2124821/Will-NSAs-new-2bn-spy-center-monitoring-you.html

http://www.guardian.co.uk/technology/2012/sep/15/data-whistleblower-constitutional-rights

1
0
Silver badge
Big Brother

Let's not overlook the obvious

Let's look at "what if" differently. What if there is no attempted hack? What if Google just wants your phone number (more personal data) under the guise of "you need more security"? Everybody want's my damn cell phone number for "security". I gave it one time and suddenly I was riddled with spam calls. pffffftttttttttt....

2
0
Gold badge

Re: Let's not overlook the obvious

Yeah, they tried that with me too, both Farcebook and Google, which triggered my twisted sense of humour.

I think they may have discovered by now that the number I gave was that of the UK Information Commissioner :)

1
0
Silver badge
Facepalm

Oh so fun.

When Google talks about "two-factor authentication", I assume they mean "wonky SMS auth" as their second factor, as opposed to actual secure tokens? (yeah, yeah, I know that even those have been pwned, see SecurID but at least it's much harder to do)

If you're wary of your government, they're sure as HELL going to read your incoming SMS. So that kind of 2FA is useless for them.

0
0
Bronze badge

Re: Oh so fun.

I did actually activate 2FA with Google for one of my Gmail accounts. There were several flavours, depending on what you were going for. One was printing a list of one-off authentication numbers and putting it in your wallet. The other was (you are right) sending a number to your mobile phone (for which Google bears the whole cost here in Oz at least). The third one was downloading a Google App which generates a number every 30-odd seconds.

1
0
Gold badge
Meh

Re: Oh so fun.

"One was printing a list of one-off authentication numbers and putting it in your wallet."

"The third one was downloading a Google App which generates a number every 30-odd seconds."

Interesting.

Neither seem to need your actual phone number.

But I wonder what else that friendly, helpful Google app does?

Suspicious. Moi?

0
0
Anonymous Coward

Lot of it about

I got a warning from them yesterday morning that someone/something with a california ip had got hold of my password somehow. Either they are pushing 2FA for their own sinister reasons or there has been a big leak of passwords e.g. via people using the same pwd for facebook and gmail (which I did, like an arse). Or its a concidence.

0
0
This topic is closed for new posts.