Does it bother anyone that China continues to hack us? It is very possible that this was a government-backed attack, which wouldn't be the first against Google by the Chinese government.
The biggest problem is that these don't seem to be sophisticated attacks. They didn't find a backdoor or install some malicious piece of code... they simply "hacked people" with phishing scams.
I think a great place for the US govt (and Google) to spend money would be to inform people about phishing and how to detect it. Being a savvy internet user, I sometimes forget that these scams that look ridiculous to me might very well look legitimate to someone else.
The reason we only see the unsophisticated attacks might well be that the ones that are carried out professionally are never caught.
If I was China and intent on this kind of cybercrime I wouldn't put all my eggs in one basket, but would try different avenues to get to my target. Resources don't seem to be a problem since it's apparently government backed.
I would see this as the top of the iceberg, and expect there to be more sophisticated attacks hiding out there that we might never know about.
Just today it is widely reported the Pentagon is setting a new policy that cyber attacks can be considered acts of war which lets the Pentagon retaliate with conventional weapons. Hack my email, get an ICBM.
What bothers me at least is that although Google finds these things (thank you), how many non-gmail accounts have been hacked but nobody has noticed yet.
The US Government has backdoors into every large webservice in the world. China has to hack their way in. That's the main difference here, as the USG long ago stopped being "on our side".
Easy to read western propaganda and jump to conclusions without viewing the whole picture.
Of course the US hack the Chinese govt. Just because China doesn't publish accounts of attacks does not mean attacks are not occurring.
We already know Google are quite jaded towards China given their failure to succeed in the China market. Thus I take anything they comment about China with a grain of salt, given they clearly have an agenda.
An attack originating in Jinan does not necessarily mean Chinese govt either. Given China's opaqueness on cyber issues, anyone wanting to hack anyone else could use China as a place to do it.
Though I agree, governments should invest in educating people on phishing scams.
It is great that Google is open with this stuff and the security tips were mostly good, but it was inappropriate to only recommend Chrome in a security message. All modern browsers have anti-phishing features. This came off as advertising.
Just imagine what China is doing with the official backdoor gmail is required to have for warrantless searches in the USA.
Unlike TSA gropes, officials cannot legislate themselves out of the backdoor, they might never know when their email is being read, and they did it to themselves.
Indeed. I'm not sure which is more disappointing: that China seems to be bringing things to a new level or that it's cool to take advantage of a situation that many people won't understand by throwing that line in there in the midst of what reads as quite scary news.
Bad actors take advantage of the fact that most people aren’t that tech savvy—hijacking accounts by using malware and phishing scams that trick users into sharing their passwords, or by using passwords obtained by hacking other websites.
Passwords are obsolete. No improvement in storing or transmitting passwords securely will make them easier to remember or less likely to be shared. The approach is fundamentally flawed and cannot be used as a cradle-to-grave method of identity assurance. Unfortunately, nobody has developed an acceptable alternative.
Unfortunately, nobody has developed an acceptable alternative
In that case they're not really obsolete, are they? Things are obsolete because they're replaced by something better, not because they're imperfect.
All you really need to do is to get one of those crypto-card thingies implanted in your brain. Then every time you're prompted for a password you just have to type in the first string of numbers that pops into your head.
Public key authentication isn't an acceptable alternative?
You could have users unlock a keyring using a password containing a single, global public key for each machine they own. You could have them do the same with a thumbdrive or mobile phone. You could authenticate using a number of methods. It's really incredibly flexible.
I think the problem is not that there isn't something to replace it, it's that people are used to "username:password" and don't want to switch. Public key authentication has too many options while passwords are just single words.
Google should consider adding an option to lock your account access based on IP range or even a geo-located area based on IP address. There are some challenges to geo-locating IPs, and this wouldn't stop a determined hacker, but it could foil a significant number of attacks.
They also might want to provide some reporting for users to know when their account was accessed or attempted to be accessed and from where.
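As an added illustration of the two suggestions above (an IP-range/geo lock on account access, plus an access report showing where logins came from), the following is example code written for this thread, not anything Google or the commenters published. The policy table, the tiny stand-in geolocation table and the login events are all constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed per-account policy: allowed networks (CIDR) and allowed countries.
POLICY = {
    "alice": {"networks": ["203.0.113.0/24"], "countries": {"US"}},
}

# Constructed stand-in for an IP geolocation database. Real geolocation is
# approximate (as the comment above notes); this table is an assumption only.
GEO_DB = {
    "203.0.113.0/24": "US",
    "198.51.100.0/24": "US",
    "192.0.2.0/24": "CN",
}

def country_for(ip):
    """Map a source IP to a country code via the constructed GEO_DB, else None."""
    addr = ipaddress.ip_address(ip)
    for net, country in GEO_DB.items():
        if addr in ipaddress.ip_network(net):
            return country
    return None

def check_login(account, ip):
    """Return (allowed, reason): allow if the IP is inside an allowed network,
    or if its geolocated country is on the account's allow-list."""
    rules = POLICY.get(account)
    if rules is None:
        return True, "no policy"
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(n) for n in rules["networks"]):
        return True, "in allowed network"
    country = country_for(ip)
    if country in rules["countries"]:
        return True, f"allowed country {country}"
    return False, f"outside allowed ranges (country={country})"

def access_report(events):
    """Build the per-account report a user could review: when, from where,
    and whether each attempt was allowed. events = (account, ip, timestamp)."""
    report = defaultdict(list)
    for account, ip, when in events:
        allowed, reason = check_login(account, ip)
        report[account].append({"time": when, "ip": ip,
                                "country": country_for(ip),
                                "allowed": allowed, "reason": reason})
    return dict(report)

# Constructed login events: one from the home network, one from an allowed
# country outside that network, one from a disallowed country.
EVENTS = [
    ("alice", "203.0.113.7", "2011-06-01T08:00:00Z"),
    ("alice", "198.51.100.20", "2011-06-01T09:30:00Z"),
    ("alice", "192.0.2.15", "2011-06-01T03:12:00Z"),
]
```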
Is it possible for the government to establish a separate secure network? A North American network for government communication and infrastructure control use which was entirely separated from the internet would be very useful.
The government already does this for some things. SIPRnet is for the transmission of information classified up to secret and is airgapped from the public internet. This is where the Bradley Manning leaks came from. JWICS and NSANet are run along the same lines, but they transmit information classified up to Top Secret/SCI.
There are no 'backdoor' shenanigans; they comply with subpoenas like everyone else (they uniquely provide a transparency report). The Schneier claim was speculative and he dismissed it later.
ansy | 15 years ago
http://www.bbc.co.uk/news/world-us-canada-13614125
nl | 15 years ago
The sandboxed security model[1] is something nothing else offers, and it's had fewer exploitable security problems than any other browser.
It might be advertising, but it's also accurate.
[1] http://blog.chromium.org/2008/10/new-approach-to-browser-sec...
radioactive21 | 15 years ago
Nice subtle suggestion.
jonknee | 15 years ago
http://contagiodump.blogspot.com/2011/02/targeted-attacks-ag...
adolph | 15 years ago
http://motherjones.com/mojo/2010/06/starbucksgate-crew-calls...
Even in the absence of some wrong-doing, officials are people too. Why would they conduct personal business using their work account?
yanw | 15 years ago
In this case it's phishing, read the post.