Recipe for a bad day: 'State-backed hackers are attacking your PC'
Several Burmese journalists and foreign correspondents have been warned by Google that their Gmail accounts may have been compromised by “state-sponsored attackers”. The writers, when logging into the webmail service, were confronted with a warning message stating “we believe state-sponsored attackers may be attempting to …
This topic is closed for new posts.
Would be nice if...
...Google also warned you that any country's court ordered mandate had required access to your Gmail logs, also.
Hey ho.
I wonder...
Would they do the same if the "state-sponsored" attackers in question were sponsored or directed by the USA?
Re: I wonder...
Why would they bother hacking? I would be very surprised if the CIA don't already have unlimited access to your Gmail account, your facebook and anything else hosted in the US.
Re: I wonder...
"Why would they bother hacking? I would be very surprised if the CIA don't already have unlimited access to your Gmail account, your facebook and anything else hosted in the US."
Look at the PATRIOT act first.
you don't need to be the CIA to get unlimited access.
Linux is a strong solution
It's much more difficult to attack *nix systems due to their foundational security architecture.
Re: Linux is a strong solution
Seriously Eadon, did you just cut and paste that in there from another article?
You might wanna go read the article again. It's mainly about gmail. Even the first line will give you a clue:
Several Burmese journalists and foreign correspondents have been warned by Google that their Gmail accounts may have compromised by “state-sponsored attackers”.
Now...tell me...how will Linux's "foundational security architecture" protect my gmail account...which is hosted at Google, and already on Linux (Wikipedia link), and built on possibly the world best and most customised high availabilty storage/OS stack?
LINUX, Apple or PC...if they are being targetted, the attack vector will be the feeble and gullible human, not the technical one, and the aim is to get them to compromise their own machines. Spear phishing, I think we call it these days.
The solution is to not trust the session, and use some 2FA at the front door. Which is exactly what Google are proposing to do for these guys.
Re: Linux is a strong solution
Nope, secure VPN is what you need.
Re: Linux is a strong solution
Secure VPN is a no-no too...if the machine is compromised by the web channel, all it does is expose the machine to your internal network, unless you have some abstraction as well (eg Citrix apps) and no other routes out the VPN DMZ.
No, better to abstract the application layer, slap in some 2FA and do some session validation and mutual auth transport encryption.
Re: Linux is a strong solution
Meanwhile once Google have your phone number for 2FA, they can sell it off to advertisers and you receive 'Targetted Ad's' by text message... yay!
Re: Linux is a strong solution
@Eadon
Do you enjoy collecting downvotes, or is your reading comprehension really that poor?
Re: Linux is a strong solution
I'm counting the days till we get the following post from him saying -
"NEITHER! THEY ARE BOTH FAIL! Everyone knows that Linux is a far better solution than Coke or Pepsi!"
Then we can call in the guys with the white coats.
Re: Linux is a strong solution
You are making a fool of yourself.
Re: Linux is a strong solution
Eadon, not quite, because the problem is not the client end, it's at the Google side.
If the email would contain malware, then there is indeed less scope for infection on a Linux box but the article here is about the server end.
BTW, "fundamental" is better than "foundational", that's not really English :).
Re: Linux is a strong solution
The solution is to not trust the session, and use some 2FA at the front door. Which is exactly what Google are proposing to do for these guys.
That is based on the assumption that there isn't some backdoor on the Google end that is being used/abused. I would suspect that people with an active need for security would be capable of choosing a reasonable pass phrase, but then again, if they really were concerned about security they wouldn't be using Google in the first place but go to setups like Hushmail..
Re: Linux is a strong solution
"Do you enjoy collecting downvotes"
I simply point out the truth. If others downvote me, that's down to the windows group think around here.
Linux is more secure even with external trojan threates, because, unlike windows, it does not execute stuff by default and does not hide file extensions. (juicy-model.jpg.exe looks like juicy-model.jpg in windows.
The downvoters simply refuse to accept what everyone else knows, that Windows is not to be trusted on the Internet. I didn't say that Linux is absolutely impenetrable, only that it is more secure and safer.
Anyway, back to your groupthink Wintards! Downvoting Eadon may make you feel better, but in effect you are hoping to censor the truth. How does it feel? Good, I know :-)
For sensible discussions on tech, for those with a clue, this is not the forum, but it's quite a lot of fun.
Re: Linux is a strong solution
"Meanwhile once Google have your phone number for 2FA, they can sell it off to advertisers and you receive 'Targetted Ad's' by text message... yay!"
Yeah, that smells like creepy Eric's idea of a turning a frown upside down.
besides humag beings,@Silverburn
Yes, social vector is common, however there is also another vector -- your vulnerable Windows PC with IE, key loggers and other vulnerabilities. Think about non-trivial ways to update 3d party apps, installing software from the unknown sources.
This is what Eadon is driving at.
@Fred Flintstone
because the problem is not the client end, it's at the Google side.
What is it, what is the vulnerability please tell us and Google?
Re: Linux is a strong solution
To guarantee 99.999% of security:
A user just has to use
-a proper system, like GNU/Linux (or even, OpenBSD for more security),
-MAC system like SELinux/AppArmor and proper browser (with additionally a noscript add-on)
-and/or IMAP/POP3 client to read mail: thunderbird, mutt, alpine, rmail, evolution etc
-Gnupg/PGP with asymmetric key encription
-his/her head to think, not to make stupid mouse-clickings movements
Re: Linux is a strong solution
I would love to be able to go to the bank manager and say "here's my GPG signature, you can use it to ensure that communications from me are both encrypted and authenticated. I suggest you do the same."
...and have her understand me.
Unfortunately last time I used PGP (a while ago admittedly), it had no Joe Notageek Public mode. That and most institutions don't have a "please provide a cryptographic signature here"* (*optional) field.
Would be nice to see more widespread adoption of a decentralised system for sending 4KB-key-encrypted emails though.
“state-sponsored attackers”
It reminds me of those PBS TV shows that are "underwritten" or "sponsored" by companies and organisations...
"This hacking attempt is brought to you by - North Korea! For all your nuclear testing needs you can rely on North Korea! Part of the Axis of Evil group of countries."
Re: “state-sponsored attackers”
"I am Kim Jong Un and I approve of this hacking."
(paid for by the committee do make Kim Jong Un the first president of the world)
Nuke because it just seems appropriate..
@Eadon
Okay, you're officially starting to get on my tits now too. Change the fucking record.
The Internet in Myanmar was always a bit shaky
The "government" always censored everything, and the only way to browse the web was to use a VPN. When I went there regularly in 2006/2007, I used to use Your Freedom (a tunnel service).
All web access had to go through "government" proxies, so the tunnel was the only way to go.
The biggest problems we had was actually with the power constantly going down. I can only hope that things have improved over the intervening years.
Am I the only one..
.. that's impressed with Aye Aye Win's name?
You bet your gmail account has been compromised.
Starting with Google.
gmail is complimentary.
It's not "free."
Re: You bet your gmail account has been compromised.
No, no, Gmail IS free. Schmidt said so himself, and we all know that Google will do no evil.
/sarcasm
Ooooh those wicked foreign governments!
'Several Burmese journalists and foreign correspondents have been warned by Google that their Gmail accounts may have been compromised by “state-sponsored attackers”.'
How different from our own home life in Britain and the USA, where we KNOW that ALL our accounts have been compromised by state-sponsored attackers.
http://www.wired.com/threatlevel/2012/03/ff_nsadatacenter/all/
http://www.dailymail.co.uk/news/article-2124821/Will-NSAs-new-2bn-spy-center-monitoring-you.html
http://www.guardian.co.uk/technology/2012/sep/15/data-whistleblower-constitutional-rights
Let's not overlook the obvious
Let's look at "what if" differently. What if there is no attempted hack? What if Google just wants your phone number (more personal data) under the guise of "you need more security"? Everybody want's my damn cell phone number for "security". I gave it one time and suddenly I was riddled with spam calls. pffffftttttttttt....
Re: Let's not overlook the obvious
Yeah, they tried that with me too, both Farcebook and Google, which triggered my twisted sense of humour.
I think they may have discovered by now that the number I gave was that of the UK Information Commissioner :)
Oh so fun.
When Google talks about "two-factor authentication", I assume they mean "wonky SMS auth" as their second factor, as opposed to actual secure tokens? (yeah, yeah, I know that even those have been pwned, see SecurID but at least it's much harder to do)
If you're wary of your government, they're sure as HELL going to read your incoming SMS. So that kind of 2FA is useless for them.
Re: Oh so fun.
I did actually activate 2FA with Google for one of my Gmail accounts. There were several flavours, depending on what you were going for. One was printing a list of one-off authentication numbers and putting it in your wallet. The other was (you are right) sending a number to your mobile phone (for which Google bears the whole cost here in Oz at least). The third one was downloading a Google App which generates a number every 30-odd seconds.
Re: Oh so fun.
"One was printing a list of one-off authentication numbers and putting it in your wallet."
"The third one was downloading a Google App which generates a number every 30-odd seconds."
Interesting.
Neither seem to need your actual phone number.
But I wonder what else that friendly, helpful Google app does?
Suspicious. Moi?
Lot of it about
I got a warning from them yesterday morning that someone/something with a california ip had got hold of my password somehow. Either they are pushing 2FA for their own sinister reasons or there has been a big leak of passwords e.g. via people using the same pwd for facebook and gmail (which I did, like an arse). Or its a concidence.
This topic is closed for new posts.
