back to article Recipe for a bad day: 'State-backed hackers are attacking your PC'

Several Burmese journalists and foreign correspondents have been warned by Google that their Gmail accounts may have been compromised by “state-sponsored attackers”. The writers, when logging into the webmail service, were confronted with a warning message stating “we believe state-sponsored attackers may be attempting to …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Big Brother

    Would be nice if...

    ...Google also warned you that any country's court ordered mandate had required access to your Gmail logs, also.

    Hey ho.

  2. DF118

    I wonder...

    Would they do the same if the "state-sponsored" attackers in question were sponsored or directed by the USA?

    1. Alpha Tony

      Re: I wonder...

      Why would they bother hacking? I would be very surprised if the CIA don't already have unlimited access to your Gmail account, your facebook and anything else hosted in the US.

      1. John Smith 19 Gold badge
        Unhappy

        Re: I wonder...

        "Why would they bother hacking? I would be very surprised if the CIA don't already have unlimited access to your Gmail account, your facebook and anything else hosted in the US."

        Look at the PATRIOT act first.

        you don't need to be the CIA to get unlimited access.

      2. DF118
        Facepalm

        Re: I wonder...

        Well shucks I hadn't thought of that.

  3. This post has been deleted by a moderator

    1. Stuart Elliott
      FAIL

      Re: Linux is a strong solution

      Fishing much?

    2. Silverburn

      Re: Linux is a strong solution

      Seriously Eadon, did you just cut and paste that in there from another article?

      You might wanna go read the article again. It's mainly about gmail. Even the first line will give you a clue:

      Several Burmese journalists and foreign correspondents have been warned by Google that their Gmail accounts may have compromised by “state-sponsored attackers”.

      Now...tell me...how will Linux's "foundational security architecture" protect my gmail account...which is hosted at Google, and already on Linux (Wikipedia link), and built on possibly the world best and most customised high availabilty storage/OS stack?

      LINUX, Apple or PC...if they are being targetted, the attack vector will be the feeble and gullible human, not the technical one, and the aim is to get them to compromise their own machines. Spear phishing, I think we call it these days.

      The solution is to not trust the session, and use some 2FA at the front door. Which is exactly what Google are proposing to do for these guys.

      1. Gary 24
        Thumb Down

        Re: Linux is a strong solution

        Meanwhile once Google have your phone number for 2FA, they can sell it off to advertisers and you receive 'Targetted Ad's' by text message... yay!

        1. John Smith 19 Gold badge
          Unhappy

          Re: Linux is a strong solution

          "Meanwhile once Google have your phone number for 2FA, they can sell it off to advertisers and you receive 'Targetted Ad's' by text message... yay!"

          Yeah, that smells like creepy Eric's idea of a turning a frown upside down.

      2. jason 7

        Re: Linux is a strong solution

        I'm counting the days till we get the following post from him saying -

        "NEITHER! THEY ARE BOTH FAIL! Everyone knows that Linux is a far better solution than Coke or Pepsi!"

        Then we can call in the guys with the white coats.

      3. Anonymous Coward
        Anonymous Coward

        Re: Linux is a strong solution

        The solution is to not trust the session, and use some 2FA at the front door. Which is exactly what Google are proposing to do for these guys.

        That is based on the assumption that there isn't some backdoor on the Google end that is being used/abused. I would suspect that people with an active need for security would be capable of choosing a reasonable pass phrase, but then again, if they really were concerned about security they wouldn't be using Google in the first place but go to setups like Hushmail..

        1. eulampios
          Linux

          Re: Linux is a strong solution

          To guarantee 99.999% of security:

          A user just has to use

          -a proper system, like GNU/Linux (or even, OpenBSD for more security),

          -MAC system like SELinux/AppArmor and proper browser (with additionally a noscript add-on)

          -and/or IMAP/POP3 client to read mail: thunderbird, mutt, alpine, rmail, evolution etc

          -Gnupg/PGP with asymmetric key encription

          -his/her head to think, not to make stupid mouse-clickings movements

          1. M Gale

            Re: Linux is a strong solution

            I would love to be able to go to the bank manager and say "here's my GPG signature, you can use it to ensure that communications from me are both encrypted and authenticated. I suggest you do the same."

            ...and have her understand me.

            Unfortunately last time I used PGP (a while ago admittedly), it had no Joe Notageek Public mode. That and most institutions don't have a "please provide a cryptographic signature here"* (*optional) field.

            Would be nice to see more widespread adoption of a decentralised system for sending 4KB-key-encrypted emails though.

      4. eulampios
        Windows

        besides humag beings,@Silverburn

        Yes, social vector is common, however there is also another vector -- your vulnerable Windows PC with IE, key loggers and other vulnerabilities. Think about non-trivial ways to update 3d party apps, installing software from the unknown sources.

        This is what Eadon is driving at.

    3. Anonymous Coward
      Anonymous Coward

      Re: Linux is a strong solution

      Nope, secure VPN is what you need.

      1. Silverburn

        Re: Linux is a strong solution

        Secure VPN is a no-no too...if the machine is compromised by the web channel, all it does is expose the machine to your internal network, unless you have some abstraction as well (eg Citrix apps) and no other routes out the VPN DMZ.

        No, better to abstract the application layer, slap in some 2FA and do some session validation and mutual auth transport encryption.

    4. ed2020
      Thumb Down

      Re: Linux is a strong solution

      @Eadon

      Do you enjoy collecting downvotes, or is your reading comprehension really that poor?

      1. This post has been deleted by a moderator

        1. This post has been deleted by its author

    5. Anonymous Coward
      Thumb Down

      Re: Linux is a strong solution

      You are making a fool of yourself.

    6. Fred Flintstone Gold badge

      Re: Linux is a strong solution

      Eadon, not quite, because the problem is not the client end, it's at the Google side.

      If the email would contain malware, then there is indeed less scope for infection on a Linux box but the article here is about the server end.

      BTW, "fundamental" is better than "foundational", that's not really English :).

      1. eulampios
        Devil

        @Fred Flintstone

        because the problem is not the client end, it's at the Google side.

        What is it, what is the vulnerability please tell us and Google?

  4. LinkOfHyrule
    Joke

    “state-sponsored attackers”

    It reminds me of those PBS TV shows that are "underwritten" or "sponsored" by companies and organisations...

    "This hacking attempt is brought to you by - North Korea! For all your nuclear testing needs you can rely on North Korea! Part of the Axis of Evil group of countries."

    1. nitbix
      Mushroom

      Re: “state-sponsored attackers”

      "I am Kim Jong Un and I approve of this hacking."

      (paid for by the committee do make Kim Jong Un the first president of the world)

      Nuke because it just seems appropriate..

      1. DF118
        Flame

        @Eadon

        Okay, you're officially starting to get on my tits now too. Change the fucking record.

  5. Scott Earle
    Devil

    The Internet in Myanmar was always a bit shaky

    The "government" always censored everything, and the only way to browse the web was to use a VPN. When I went there regularly in 2006/2007, I used to use Your Freedom (a tunnel service).

    All web access had to go through "government" proxies, so the tunnel was the only way to go.

    The biggest problems we had was actually with the power constantly going down. I can only hope that things have improved over the intervening years.

  6. nitbix
    Thumb Up

    Am I the only one..

    .. that's impressed with Aye Aye Win's name?

  7. John Smith 19 Gold badge
    FAIL

    You bet your gmail account has been compromised.

    Starting with Google.

    gmail is complimentary.

    It's not "free."

    1. Fred Flintstone Gold badge

      Re: You bet your gmail account has been compromised.

      No, no, Gmail IS free. Schmidt said so himself, and we all know that Google will do no evil.

      /sarcasm

  8. Anonymous Coward
    Anonymous Coward

    Ooooh those wicked foreign governments!

    'Several Burmese journalists and foreign correspondents have been warned by Google that their Gmail accounts may have been compromised by “state-sponsored attackers”.'

    How different from our own home life in Britain and the USA, where we KNOW that ALL our accounts have been compromised by state-sponsored attackers.

    http://www.wired.com/threatlevel/2012/03/ff_nsadatacenter/all/

    http://www.dailymail.co.uk/news/article-2124821/Will-NSAs-new-2bn-spy-center-monitoring-you.html

    http://www.guardian.co.uk/technology/2012/sep/15/data-whistleblower-constitutional-rights

  9. Mark 85 Silver badge
    Big Brother

    Let's not overlook the obvious

    Let's look at "what if" differently. What if there is no attempted hack? What if Google just wants your phone number (more personal data) under the guise of "you need more security"? Everybody want's my damn cell phone number for "security". I gave it one time and suddenly I was riddled with spam calls. pffffftttttttttt....

    1. Fred Flintstone Gold badge

      Re: Let's not overlook the obvious

      Yeah, they tried that with me too, both Farcebook and Google, which triggered my twisted sense of humour.

      I think they may have discovered by now that the number I gave was that of the UK Information Commissioner :)

  10. Daniel B.
    Facepalm

    Oh so fun.

    When Google talks about "two-factor authentication", I assume they mean "wonky SMS auth" as their second factor, as opposed to actual secure tokens? (yeah, yeah, I know that even those have been pwned, see SecurID but at least it's much harder to do)

    If you're wary of your government, they're sure as HELL going to read your incoming SMS. So that kind of 2FA is useless for them.

    1. Neoc

      Re: Oh so fun.

      I did actually activate 2FA with Google for one of my Gmail accounts. There were several flavours, depending on what you were going for. One was printing a list of one-off authentication numbers and putting it in your wallet. The other was (you are right) sending a number to your mobile phone (for which Google bears the whole cost here in Oz at least). The third one was downloading a Google App which generates a number every 30-odd seconds.

      1. John Smith 19 Gold badge
        Meh

        Re: Oh so fun.

        "One was printing a list of one-off authentication numbers and putting it in your wallet."

        "The third one was downloading a Google App which generates a number every 30-odd seconds."

        Interesting.

        Neither seem to need your actual phone number.

        But I wonder what else that friendly, helpful Google app does?

        Suspicious. Moi?

  11. Anonymous Coward
    Anonymous Coward

    Lot of it about

    I got a warning from them yesterday morning that someone/something with a california ip had got hold of my password somehow. Either they are pushing 2FA for their own sinister reasons or there has been a big leak of passwords e.g. via people using the same pwd for facebook and gmail (which I did, like an arse). Or its a concidence.

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2019