Sunday, September 05, 2010

After the Google Hack: Life in the transparent society

My Google Account (Gmail and more) was hacked on 9/3/10, a day before I wrote about the risks of online backup.

I had a 99th percentile password. It had six letters, four numbers, no words or meaningful sequences. It wouldn't be in a dictionary. On the other hand, like Schneier and other security gurus, I didn't change it often. I also had it stored locally on multiple desktop and iPhone apps. As far as I know it wasn't stored on any reasonably current web app.

If my password had been a bike lock, it would have been one of those high end models. Enough to secure a mid-range bike on the principle that better bikes with cheaper locks were easy to find.

That wasn't enough. For some reason a pro thief [2] decided to pinch my mid-range bike. They didn't do any damage, they didn't seem to send spam [1]. They seem to have unlocked my bike, peaked around, and locked it again.

Why would a pro bother? Trust me, I lead an intensely narrowcast life. It's interesting to only a few people, and boring to everyone else.

On the other hand, it wasn't always so. "I coulda been a contendah." I knew people who have had interesting lives, I still correspond with some. If a pro was interested in me, it was most likely because of someone like that. My visitor was probably looking for correspondence. Once they found it, or confirmed my dullness, they wouldn't have further interest in me.

Fortunately even that correspondence is quite dull.

I've changed my password. The new one is 99.9th percentile. Doesn't matter, I doubt I'm much more secure.

This isn't a complete surprise. Passwords died as a high end security measure about ten years ago. What's more surprising, except in retrospect, is that you don't have to really do anything or be anybody to get some high end attention. You only have to be within 1-2 degrees of separation of someone interesting. Security and "interest" are "social"; even a dull person like me can inherit the security risk of an interesting acquaintance or correspondent.

Welcome to the transparent society. If you put something in the Cloud, you should assume it's public. Draw your own conclusions about the corporate Cloud business model and online backup, and remember your Gmail is public.

footnotes --

[1] Of course they could erase the sent email queue, but I haven't gotten any bounce backs. Anyway, there are much easier ways to send spam.
[2] Russian pro, Chinese government equivalent, etc. Why pro? Because the hacker didn't change my password after they hacked the account, they didn't trash anything obvious, they didn't send out spam, and the access was by an abandoned domain. I'm not vulnerable to keystroke logger hacks except at my place of employment and wifi intercepts are relatively infrequent. Still, it's all probabilities.


Martin said...

How do you know about the hack?

JGF said...

There's a bit of detail in the tech post I link to.

If your Google account is accessed from an "unusual" location Google puts up a warning the next time you login. That's how I discovered "", a zombie domain, was accessing my account.

Google started doing this after the Chinese government started hacking dissident and other Gmail accounts.

Before this was introduced, I suspect there was no warning, I hack like this one would never be discovered (as long as the hackers didn't change the Google pw or do anything obvious with the account).

I don't know when this capability was turned on in the US.

Martin said...

What I actually wanted to ask: How do you know that your account was hacked, i.e. not access by other means such as phishing?

I mass hack of Google accounts would be quite a story …

JGF said...

I can't imagine a phishing scam I'd fall prey to Martin. A "man-in-the-middle" attack -- sure. But not any phishing scam I've ever heard of or read.

Did you read my tech blog summary? I don't know what led to the hack and I don't know how it was done. All I can say is it wasn't phishing, and I used a non-trivial password resistant to a dictionary attack.

My account would have fallen to a brute force attack, but that would have taken a large number of transactions -- and I don't think Google allows that.

So we're left with keystroke logging, wifi intercept, or a Google weakness. We have reason to suspect the latter given the China hack of last year.

It is interesting that the attacker didn't change my password and didn't do any obvious damage. That suggests they wanted something else. It could be they wanted to steal my identity, but, really, that's so easy to do hacking gmail is way overkill.

JGF said...

Oops, left out two other options:

1. I unwittingly stored my Google credentials on a web site that used them or was hacked. I warn against that on this blog, but maybe I did it a couple of years ago before I thought about it. I changed my pw last year though, so this is unlikely.

2. It leaked from a trojan iPhone app. Since the apps are supposed to only store the data on the phone that would have to be a true trojan.