Lessons Learned from the Government Gmail Hack

by slfisher 08-06-2011 07:58 AM - edited 07-06-2011 07:27 PM

We learned last week that a hacker in China reportedly obtained access to numerous Gmail accounts, including those of senior U.S. government officials, military personnel, Chinese political activists and journalists. How serious is this, and what is the best way to protect yourself and your users?

To summarize, here's how it's described by the New York Times:

Google officials had said last Wednesday that hackers in Jinan, a coastal city in eastern China’s Shandong Province, had sought to gain access to the Gmail accounts of hundreds of American government officials, Chinese political activists, military personnel, journalists and Asian officials. The attacks used a polished version of a rudimentary technique, called spear phishing, to trick recipients into revealing their e-mail passwords. American officials said they had no evidence that any confidential information was breached, or even that many people fell for the attack.

(For the record, China denies any involvement.)

One might wonder how senior government officials could fall for something like a phishing attack, but this was rather more sneaky than the typical phish. First, it was targeted at individuals who were known to have Gmail accounts. Second, the messages were spoofed to look as though they came from someone the recipient knew. Finally, the link led to a fake Google login page that differed from the real one in only a few details; the reliable tell in such cases is the address in the browser's location bar, not the look of the page.

Google reportedly would not say who the victims were (though it alerted them), how many of them actually fell for the attempt, or how long the hackers had access to the accounts. House Oversight Committee Chairman Darrell Issa (R-Calif.) wrote to Google CEO Larry Page earlier this week requesting more information, including the names of the people targeted, according to Hillicon Valley, the technology blog of The Hill, a newspaper covering Congress.

A more pointed question is why senior U.S. government officials would be conducting government business, even potentially, through Gmail accounts rather than official government accounts. Well, people are human. Still, it's important to impress upon users the following:

  • Don't use personal accounts for work.
  • Be cautious whenever an email link or a website takes you to a login screen; a service you are already signed in to rarely needs you to sign in again from a link.
  • Compare the login screen, and especially the address in the browser's location bar, with the known login page before entering any credentials.
  • Google also describes several other security measures to follow; its own advice after this incident includes turning on 2-step verification.
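The checks in the last three bullets can be applied mechanically to a message before anyone clicks. The script below is an added example, not code from the original post or from Google: it parses a raw email, compares the domain the user sees in From with the domains that actually receive replies and bounces, then extracts every link and flags the tricks described above (a trusted hostname used only as a leading label of an attacker's domain, a lookalike domain with digit/letter swaps, and visible link text that says accounts.google.com while the real host is elsewhere). The sample message, every hostname in it and the `TRUSTED_LOGIN_HOSTS` allowlist are constructed assumptions.

```python
"""Check a raw email for the two tricks used in the spear-phish above: a
sender that only looks like someone the recipient knows, and a link whose
visible text says Google while its real destination does not.

Added example, not code from the original post or from Google. The sample
message, every hostname in it and the allowlist are constructed."""
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Hosts on which a genuine Google sign-in page is expected. Assumption: in a
# real deployment this allowlist is maintained by the organisation.
TRUSTED_LOGIN_HOSTS = {"accounts.google.com"}

ANCHOR_RE = re.compile(r'<a\b[^>]*\bhref="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample: From names a known colleague and the visible link text
# is a real Google URL, but Reply-To, Return-Path and the actual link host
# all belong to someone else.
SAMPLE_EMAIL = """\
From: "Jane Colleague" <jane.colleague@example.gov>
Return-Path: <bounce-1234@mail-relay.example.net>
Reply-To: "Jane Colleague" <jane.colleague@gmail-login.example.net>
To: <target@gmail.com>
Subject: Fw: Draft agenda for Thursday
Content-Type: text/html; charset=utf-8

<html><body><p>Jane shared a document with you. Sign in to view it:
<a href="http://accounts.google.com.login-verify.example.net/ServiceLogin">
https://accounts.google.com/ServiceLogin</a></p></body></html>
"""


def registered_domain(host):
    """Crude eTLD+1 (last two labels). Adequate for .com/.net/.gov; a real
    tool should consult the Public Suffix List so that foo.co.uk works."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_login_link(href, visible_text=""):
    """Return (finding, detail) tuples for one link; [] means nothing odd."""
    findings = []
    host = (urlparse(href).hostname or "").lower()
    if host in TRUSTED_LOGIN_HOSTS:
        pass
    elif registered_domain(host) == "google.com":
        # Genuinely Google-owned, but not a host we expect a sign-in page on.
        findings.append(("login-on-unlisted-google-host", host))
    elif any(host.startswith(t + ".") for t in TRUSTED_LOGIN_HOSTS):
        # accounts.google.com.<attacker-domain>: the trusted name is only a
        # leading label; the registered domain is the attacker's.
        findings.append(("trusted-host-as-subdomain-prefix", host))
    elif "google" in host.translate(str.maketrans("01", "ol")):
        # Brand name inside a domain the brand does not own; common
        # digit/letter swaps (g00gle, goog1e) are folded before matching.
        findings.append(("lookalike-domain", registered_domain(host)))
    # Visible text that is itself a URL must point where the href points.
    shown_host = (urlparse(visible_text.strip()).hostname or "").lower()
    if shown_host and shown_host != host:
        findings.append(("link-text-host-mismatch", f"{shown_host} -> {host}"))
    return findings


def classify_sender(msg):
    """Compare the domain the user sees (From) with the domains that really
    receive replies and bounces. A mismatch is not proof of spoofing (mailing
    lists do this legitimately), but it is the cue the trick relies on."""
    findings = []
    from_addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    from_domain = from_addr.rpartition("@")[2].lower()
    for header in ("Reply-To", "Return-Path"):
        addr = email.utils.parseaddr(str(msg.get(header, "")))[1]
        if addr and addr.rpartition("@")[2].lower() != from_domain:
            findings.append((header.lower() + "-domain-mismatch", addr))
    return findings


def analyze_message(raw):
    """Parse one raw RFC 5322 message; return every finding, sender first."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = classify_sender(msg)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    for href, text in ANCHOR_RE.findall(html):
        findings.extend(classify_login_link(href, re.sub(r"<[^>]+>", "", text)))
    return findings


if __name__ == "__main__":
    for finding, detail in analyze_message(SAMPLE_EMAIL):
        print(f"{finding:36} {detail}")
```

Run as a script it reports four findings for the sample: the Reply-To and Return-Path domain mismatches, the trusted hostname used as a subdomain prefix, and the link text pointing at a different host than the href. In a mail gateway each of these is one signal among several rather than a verdict on its own; a Return-Path mismatch in particular is routine for legitimate bulk mail, and the two-label `registered_domain` helper should be replaced with a Public Suffix List lookup before trusting it on arbitrary TLDs.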

For what it's worth, some security experts such as Bruce Schneier consider it all a tempest in a teapot, saying none of this is new. Still, there's nothing wrong with a reminder to be careful.

The HP Input Output site is sponsored by HP and features articles and content from HP and third-party contributors. Third-party articles and content, while paid for by HP, do not necessarily represent the views and opinions of HP. HP does not endorse this content and is not responsible for its accuracy, availability and quality.