We learned last week that a hacker in China reportedly obtained access to numerous Gmail accounts, including those of senior U.S. government officials, military personnel, Chinese political activists and journalists. How serious is this, and what is the best way to protect yourself and your users?
To summarize, here's how it's described by the New York Times:
Google officials had said last Wednesday that hackers in Jinan, a coastal city in eastern China’s Shandong Province, had sought to gain access to the Gmail accounts of hundreds of American government officials, Chinese political activists, military personnel, journalists and Asian officials. The attacks used a polished version of a rudimentary technique, called spear phishing, to trick recipients into revealing their e-mail passwords. American officials said they had no evidence that any confidential information was breached, or even that many people fell for the attack.
(For the record, China denies any involvement.)
One might wonder how senior government officials could fall for something like a phishing attack, but this one was somewhat sneakier than the typical phish. First, it was targeted at individuals known to have Gmail accounts. Second, the message was spoofed to look as if it came from someone they knew. Finally, it led them to a fake Google login page that differed from the real one in only a few details.
Google reportedly would not say who the victims were (though it did alert them), how many of them actually fell for the attempt, or how long the hackers had access to the accounts. House Oversight Committee Chairman Darrell Issa (R-Calif.) wrote to Google CEO Larry Page earlier this week requesting more information, including the names of the people targeted, according to Hillicon Valley, the technology blog of the Congressional website The Hill.
A more pointed question is why senior U.S. government officials would potentially conduct government business through Gmail accounts rather than official U.S. government accounts. Well, people are human. Still, it's important to impress upon users the following:
- Don't use personal accounts for work.
- Be cautious if an email or a website takes you to a login screen.
- Compare a login screen with a known-good login screen before entering any information.
- Google also describes several other security measures to follow.
For what it's worth, some security experts such as Bruce Schneier consider it all a tempest in a teapot, saying none of this is new. Still, there's nothing wrong with a reminder to be careful.