Google announced yesterday that hackers apparently operating from China had gotten access to hundreds of Gmail accounts. And it wasn't just anyone's email. The attack targeted senior government officials in the United States, Chinese political activists, officials in several Asian countries, military personnel, and journalists.
I have a feeling we will hear a lot more about this over the next few days. For the moment, let's take a look at the details we know so far.
From the official Google blog:
The goal of this effort seems to have been to monitor the contents of these users’ emails, with the perpetrators apparently using stolen passwords to change peoples’ forwarding and delegation settings.
Eric Grosse, the Engineering Director of Google’s Security Team, wrote on the Google blog that the victims’ passwords were probably compromised via phishing scams.
It's a little disturbing that hundreds of users, apparent VIPs among them, got conned into giving up their passwords. As the Wall Street Journal explains, phishing schemes trick users into sharing their passwords.
Protecting yourself from phishing, that is, email that impersonates a trusted sender to lure you into handing over your credentials, should be a part of Basic Computer Knowledge 101. If you're paying attention to your email, even well-constructed phishing emails are usually recognizable as such.
UPDATE (6/3/11): More details have come out about the style of these attacks. Turns out they were significantly more complex than your average phish. From the New York Times’ informative follow-up article:
That led her to discover a fake but convincing Gmail login screen that attackers used to dupe targets into submitting their passwords. She said the messages indicated that the phishing attempts had begun at least a year before she learned of them — early in 2010.
“I thought it was interesting because they did it for so long,” Ms. Parkour said. She said she also saw screens that mimicked the login pages for the Web portals of corporate e-mail systems.
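The fake sign-in page described above works because the link in the message says one thing and points somewhere else. As an added example (not code from the original post, from Google, or from the researcher quoted), here is a Python script that applies the checks a careful reader would make on a sign-in link before clicking it: does the visible text name a different host than the real target, is the real host hidden behind a `user@` prefix or an IP address, does a "google" host actually belong to google.com, and is the link plain http. The sample message and the list of legitimate sign-in hosts are constructed for this example.

```python
"""Flag sign-in links in an HTML e-mail whose real target does not match where they claim to lead."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption for this example: the only hosts that legitimately serve a Google sign-in page.
LEGIT_LOGIN_HOSTS = {"accounts.google.com", "www.google.com", "mail.google.com"}

# Constructed sample phish: two bad links, one legitimate help link.
SAMPLE_EMAIL = """
<p>Your Gmail storage is almost full. Sign in to keep receiving mail:</p>
<a href="http://accounts.google.com.login-verify.example/ServiceLogin">https://accounts.google.com/ServiceLogin</a>
<p>Or use the direct link: <a href="https://accounts.google.com@203.0.113.7/">accounts.google.com</a></p>
<p>Questions? <a href="https://support.google.com/mail/">Gmail help</a></p>
"""


def registrable_domain(host):
    """Last two labels of the host. Good enough for .com hosts here; real code would use the public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in the message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def classify_link(href, text):
    """Return the reasons a link is suspicious; an empty list means it passed every check."""
    reasons = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https"):
        reasons.append(f"non-web scheme {parts.scheme!r}")
        return reasons
    if parts.scheme == "http":
        reasons.append("plain http for a login link")
    if parts.username is not None:
        # In https://accounts.google.com@203.0.113.7/ everything before '@' is userinfo; the host is the IP.
        reasons.append("userinfo before '@' hides the real host")
    if host and host.replace(".", "").isdigit():
        reasons.append("IP literal instead of a hostname")
    # If the visible text itself looks like a URL or hostname, it must agree with the real target.
    shown = None
    if "." in text and " " not in text:
        shown = urlsplit(text if "://" in text else "https://" + text).hostname
    if shown and shown.lower() != host:
        reasons.append(f"visible text says {shown} but link goes to {host}")
    # A host containing 'google' that is not actually under google.com is a look-alike.
    if "google" in host and registrable_domain(host) != "google.com":
        reasons.append(f"look-alike host {host}")
    if host in LEGIT_LOGIN_HOSTS and not reasons:
        return []
    return reasons


def scan_email(html):
    """All links in the message, each with its list of reasons (possibly empty)."""
    parser = LinkExtractor()
    parser.feed(html)
    parser.close()
    return [(href, text, classify_link(href, text)) for href, text in parser.links]


def suspicious_links(html):
    """Only the links that failed at least one check."""
    return [(href, reasons) for href, text, reasons in scan_email(html) if reasons]


if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL):
        print(href)
        for reason in reasons:
            print("   -", reason)
```

The two tricks in the sample, a look-alike domain that merely begins with `accounts.google.com` and a `user@host` URL whose real host is an IP address, are exactly what makes a convincing login page convincing; the safe habit is to type the address of the sign-in page yourself rather than follow the link.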
Given that so many individuals did fall for this, I shudder to think how many more important people were targeted, whether or not they took the bait.
Hopefully most of these folks weren’t conducting official business through their personal email.
Either way, the news may be indicative of a broader lack of technological competence — even at high levels — that not only leads to national security risks but also legal liability. When this kind of thing happens at a company or law firm, the lawsuits often start dropping before you can say, “It wasn’t me!”
More from the WSJ:
[Google] notified victims of the hijackings and secured their accounts and added that it “notified relevant government authorities.”
Mr. Grosse also encouraged Gmail users to better protect their information online by using what’s called a “two-step verification” when logging into Gmail so that the system can recognize the computer or mobile device from which a user is logging in, not just his or her password. The process “protected some accounts” from the China-based attack, he said.
I would love to know how long it took for Google to discover the hijackings. It would be reassuring if they found the problem, like, 20 minutes after the accounts were compromised, before there was time for any damage to be done. Google's vaguely worded update doesn't provide much clarity, and the company hasn't made any other public comment.
As a side note, this isn’t the first time Google has blamed China for cyberattacks. Google reported in January 2010 that it, along with several dozen other companies, had faced a “highly sophisticated and targeted attack on our corporate infrastructure.” Apparently the attackers wanted to access the accounts of Chinese human-rights activists.
In response, Google said it would stop obeying the Chinese government’s requirement to censor search results, which it had been following since its China-based Web-search site opened in 2006. China’s own Internet filters now censor Google’s searches.
Eric Schmidt, Google’s chairman, said Tuesday the company has made many improvements to its security systems since the initial attack.
Google says it's beefed up security systems over the last year and a half. That's all well and good. But in the end, if you don't want anyone else to know your password, don't type it into a login page you reached from a link in a freakin' email.
It’s just like how we weren’t supposed to take candy from strangers as kids. Don’t give out sensitive info over email, even if the message is really friendly and claims to be from some guy in tech support. It might be some guy named Ted in Palo Alto, or it might be the Communists. You can’t be too careful.
Ensuring your information is safe online [Official Google Blog]
Google Discloses China-Based ‘Hijacking’ of Gmail Accounts [Wall Street Journal]
Christopher Danzig is a writer in Oakland, California. He previously covered legal technology for InsideCounsel magazine. Follow Chris on Twitter @chrisdanzig or email him at [email protected]. You can read more of his work at chrisdanzig.com.