Skip to main content

Google email Accounts Compromise

I was asked to comment yesterday on the story that emerged about the Google mail accounts that were compromised over the last few days, so I thought I'd put some of my answers down here. First off, Google wasn't compromised; a set of phishing emails were sent out and a fake Gmail login set up to harvest login details. These were used to set up forwarding rules to copy mail to another account.

Unfortunately, although a large number of people are aware of phishing and are (to a certain extent) vigilant, it only takes one person within the organisation to fall for the attack to compromise security. The scammers are becoming better at targeting people and making the initial phishing contact more believable to some people. Phishing is not just about email, although that is the most common avenue for the initial contact. Social media is also commonly used and we have seen the use of SEO to force phishing sites to the top of search engine rankings as well. User education is the only real way out of this.

Could this be cyber espionage? I would think that is most likely given the profile of those targeted. Information is worth a lot of money and political weight. In recent years we have seen a decrease in attacks designed to deface/destroy/delay/deny services and information. Instead, we are now seeing information and identity theft as major goals. Viruses won't necessarily stop your computer from working, but they will use Trojans to steal your login credentials. Malware now will silently sign your machine up to botnets rather than perform an obviously malicious action.

What can companies like Google do to stop this? Well, they can improve their SPAM filtering for a start. It is possible to eliminate the vast majority of phishing emails, which would drastically reduce the problems. However, many of the major vendors aren't strong enough on this. Secondly, user education would help a lot, but can't always help you against the best social engineers. To be honest, though, the governments and organisations that these people work for shouldn't allow the use of gmail, or other accounts (which have fewer controls than a corporate email setup), for official business and should educate their users to use different passwords, be vigilant, etc.

Spear phishing is a more difficult one to combat as it targets a specific user or group of users that the attacker has knowledge of. If I know your habits and who your friends are then I can use that information to trick you much more easily. If you receive an email or Facebook message from your partner, do you hesitate before opening it? The reason this doesn't happen more is that it takes background research and, by definition, targets very few people. This technique is only relevant if you want what that specific user has access to. Hence it is more likely to be information that they were after.

Another way to combat these types of attack is to use one-time passwords as well, so that intercepting a single logon only gives you access during that session, and isn't valid in the future. However, tokens are prohibitively expensive for Google to hand out to everyone. There are other solutions such as SMS tokens, but these aren't all that cheap, when multiplied up by the number of gmail users, and aren't without their problems. Software token solutions such as Swivel, GrIDsure, FireID, etc., are possibly cost-effective enough to be implemented and could drastically reduce the success of these attacks. However, none of these stop the man-in-the-middle (MITM) attack, so you could still hijack the session and set up a forwarding rule to obtain a copy of all their mail. Google do allow you to set up alerts and have to validate changes through a 2-step process, but you have to enable this. This should be the default for all of these services. Perhaps they could also add a footer to all versions of the email to specify where it has been forwarded to.

How worrying is this sort of attack? Well, that depends. Most people can be socially engineered - look at Derren Brown! For the individual, spear phishing is unlikely to be a problem, but with a lack of education they may well fall for a bulk phishing scam anyway (thousands do or nobody would bother). However, for those with access to secrets or other valuable information, it is a serious issue. It all comes down to how good the attacker is. I believe that HM Treasury is the most attacked entity in this country and that is mostly for information rather than evading tax or performing Denial-of-Service, etc. They should be worried about this type of attack.


Popular Posts

Trusteer or no trust 'ere...

...that is the question. Well, I've had more of a look into Trusteer's Rapport, and it seems that my fears were justified. There are many security professionals out there who are claiming that this is 'snake oil' - marketing hype for something that isn't possible. Trusteer's Rapport gives security 'guaranteed' even if your machine is infected with malware according to their marketing department. Now any security professional worth his salt will tell you that this is rubbish and you should run a mile from claims like this. Anyway, I will try to address a few questions I raised in my last post about this. Firstly, I was correct in my assumption that Rapport requires a list of the servers that you wish to communicate with; it contacts a secure DNS server, which has a list already in it. This is how it switches from a phishing site to the legitimate site silently in the background. I have yet to fully investigate the security of this DNS, however, as most

Security Through Obscurity

I have been reminded recently, while looking at several products, that people still rely on the principle of 'security through obscurity.' This is the belief that your system/software/whatever is secure because potential hackers don't know it's there/how it works/etc. Although popular, this is a false belief. There are two aspects to this, the first is the SME who thinks that they're not a target for attack and nobody knows about their machines, so they're safe. This is forgivable if misguided and false. See my post about logging attack attempts on a home broadband connection with no advertised services or machines. The second set of people is far less forgivable, and those are the security vendors. History has shown that open systems and standards have a far better chance of being secure in the long run. No one person can think of every possible attack on a system and therefore they can't secure a system alone. That is why we have RFCs to arrive at ope

Web Hosting Security Policy & Guidelines

I have seen so many websites hosted and developed insecurely that I have often thought I should write a guide of sorts for those wanting to commission a new website. Now I have have actually been asked to develop a web hosting security policy and a set of guidelines to give to project managers for dissemination to developers and hosting providers. So, I thought I would share some of my advice here. Before I do, though, I have to answer why we need this policy in the first place? There are many types of attack on websites, but these can be broadly categorised as follows: Denial of Service (DoS), Defacement and Data Breaches/Information Stealing. Data breaches and defacements hurt businesses' reputations and customer confidence as well as having direct financial impacts. But surely any hosting provider or solution developer will have these standards in place, yes? Well, in my experience the answer is no. It is true that they are mostly common sense and most providers will conform