Top U.S. officials had their Gmail accounts compromised
Jun. 2, 2011
Google said earlier today that thousands of personal Gmail email accounts, including those of some senior U.S. government officials, were compromised as a result of a massive phishing attack originating from China.
The compromised accounts were the result of stolen passwords, likely obtained by malware installed on victims' computers or through victims' responses to earlier emails from malicious hackers posing as trusted sources.
That type of attack is known as phishing. Google believes the phishing attack emanated from Jinan, China. In addition to the U.S. government personnel, other targets included South Korean government officials and federal workers of several other Asian countries, Chinese political activists, military personnel and even journalists.
"The Department of Homeland Security is currently aware of Google's message to its customers," said Chris Ortman, a spokesman for the agency. "We are working with Google and our federal partners to review the matter, offer analysis of any malicious activity, and develop solutions to mitigate further risk."
Secretary of State Hillary Clinton addressed the issue this morning. "Google informed the State Department of this situation yesterday in advance of its public announcement," she said. "These allegations are very serious, and we take them very seriously, we're looking into them right now, and because this will be an ongoing investigation I would refer you to first Google for any details that they are able to share at this time, and to the FBI, which will be conducting the investigation."
FBI spokesman Paul Bresson said the agency is working with Google and with other U.S. government agencies "to review this matter further to identify the origin of this campaign and to see what information and what data may have been compromised to date."
As is almost always the case in situations like these, Bresson declined to comment further on the investigation since it is ongoing.
The news comes a little more than a year after a separate hacking attempt originating from China affected Gmail accounts of Chinese human rights activists. In that particular case, attackers were able to break through Google's security systems, and two Gmail accounts were successfully hacked into.
That cyber attack set off a series of events that eventually led to Google ending its agreement with the Chinese government to censor certain search results, and the company physically moved its servers out of China.
Today, and after this most recent cyber attack, a Chinese official insisted that his government takes the attacks seriously.
"We firmly oppose any form of computer hacking or any illegal activity that harms Internet security and will severely punish anyone engaging in such activity according to law," said foreign ministry spokesman Hong Lei.
"Computer hacking is an international problem and China is also a victim. Any accusation linking China to such activity is baseless and with ulterior motives."
And this time, the successful hacking attempt appears much larger in scope, but Google itself was not attacked, the company claims. A person with knowledge of the attack's details said there was no apparent correlation between last year's attack and this one.
A spokesman from Google declined to comment on how the company obtained the information about the most recent hack. Public information, user reports and a third-party hacking blog called Contagio were used to determine the scope, targets and source of the attack.
Google said it notified the victims and disrupted the campaign.
The hackers were attempting to monitor the victims' emails, and some users' forwarding settings were in fact altered. Google urged users to "please spend ten minutes today taking steps to improve your online security so that you can experience all that the Internet offers, while also protecting your data."
The search giant provided several examples on its blog of how Gmail users can better protect themselves from phishing attacks, including enabling a setting that allows users to log in to their accounts only after receiving a verification code on their phones.
Google also suggested that users check their accounts for suspicious forwarding settings.
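Because the attackers in this campaign altered victims' forwarding settings, the check Google recommends can be automated. The following is an added example, not code from the article or from Google: it audits a settings snapshot whose field names mirror the Gmail API settings resources (autoForwarding, forwardingAddresses, and filters with a forward action) and flags any forwarding destination outside the organisation's own domain, paying special attention to filters that forward a copy and then hide the original. The trusted domain, the sample snapshot and the attacker addresses are all constructed for the demo.

```python
"""Audit a Gmail-style settings snapshot for signs of forwarding tampering.

Added example (not from the article and not Google's code). Assumption: the
snapshot uses the field names of the Gmail API settings resources; the
sample below is constructed and the `.invalid` domains are placeholders.
"""
import json
from dataclasses import dataclass

# Assumption: the organisation's own mail domain(s). Forwarding inside this
# set is considered normal; anything else is reported for review.
TRUSTED_DOMAINS = {"example.gov"}


@dataclass
class Finding:
    kind: str      # which setting triggered the finding
    target: str    # the external address mail would be sent to
    detail: str    # extra context for the reviewer


def _domain(address):
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def audit_forwarding(settings, trusted_domains=TRUSTED_DOMAINS):
    """Return a list of Findings for every external forwarding path found."""
    findings = []

    # 1. Account-wide automatic forwarding: every message is copied out.
    auto = settings.get("autoForwarding", {})
    dest = auto.get("emailAddress", "")
    if auto.get("enabled") and dest and _domain(dest) not in trusted_domains:
        findings.append(Finding("auto_forwarding", dest,
                                f"disposition={auto.get('disposition')}"))

    # 2. Registered forwarding addresses: an accepted external address is a
    #    foothold even if no rule currently uses it.
    for entry in settings.get("forwardingAddresses", []):
        addr = entry.get("forwardingEmail", "")
        if addr and _domain(addr) not in trusted_domains:
            findings.append(Finding("forwarding_address", addr,
                                    f"status={entry.get('verificationStatus')}"))

    # 3. Filters with a forward action; attackers often pair the forward with
    #    archiving or trashing so the victim never sees the intercepted mail.
    for flt in settings.get("filters", []):
        action = flt.get("action", {})
        dest = action.get("forward")
        if dest and _domain(dest) not in trusted_domains:
            hidden = ("TRASH" in action.get("addLabelIds", [])
                      or "INBOX" in action.get("removeLabelIds", []))
            findings.append(Finding("filter_forward", dest,
                                    "hides forwarded mail" if hidden
                                    else "forwards copy"))
    return findings


# Constructed sample: one legitimate internal forwarding address plus the
# three kinds of tampering the audit is meant to catch.
SAMPLE_SETTINGS = json.loads("""
{
  "autoForwarding": {"enabled": true,
                     "emailAddress": "archive@attacker-mail.invalid",
                     "disposition": "leaveInInbox"},
  "forwardingAddresses": [
    {"forwardingEmail": "backup@example.gov", "verificationStatus": "accepted"},
    {"forwardingEmail": "archive@attacker-mail.invalid",
     "verificationStatus": "accepted"}
  ],
  "filters": [
    {"id": "f1", "criteria": {"from": "newsletter@example.gov"},
     "action": {"addLabelIds": ["Label_1"]}},
    {"id": "f2", "criteria": {"query": "*"},
     "action": {"forward": "drop@attacker-mail.invalid",
                "removeLabelIds": ["INBOX"], "addLabelIds": ["TRASH"]}}
  ]
}
""")


if __name__ == "__main__":
    for f in audit_forwarding(SAMPLE_SETTINGS):
        print(f"{f.kind:20s} -> {f.target}  ({f.detail})")
```

Run against the constructed snapshot, the audit reports the account-wide forward, the extra external forwarding address, and the catch-all filter that forwards to the attacker and trashes the original. The same function run over an export of real settings (for example, pulled through the Gmail API with a read-only scope) gives a reviewer a short list instead of a screen full of rules.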
In other Internet security news
A newly discovered group of hackers has developed new malware for Mac OS X that avoids the need to enter an administrative password, representing a huge security risk to Mac users.
Earlier rogue anti-virus programs such as MacDefender needed permission to run, an issue that MacGuard neatly sidesteps. MacGuard works on the assumption that home users have administrator rights, meaning they don't need to enter the administrator password to install software in the Applications folder. The attackers know this and are now exploiting it as much as they can.
MacGuard downloads itself into that folder rather than the default download folder. The downloader then connects to malicious IP addresses hidden in its own resources folder. The appearance of the malware means that advice to treat all unexpected requests for the administrator password with suspicion becomes null and void.
"This isn't the end of the world but it certainly does change the game somewhat," writes anti-malware researcher David Harley.
Mac security specialist Intego reports that MacGuard, which it describes as a variant of MacDefender, is being distributed via various portals offering fake security scans. These portals are getting promoted through search engine manipulation.
Several variants have since appeared: MacDefender, MacProtector and MacSecurity, all of which are the same malware but using different names. The goal of this fake antivirus software is to trick users into providing their credit card numbers to supposedly clean out infected files on their Mac machines.
Intego today discovered a new variant of this malware that functions slightly differently. It comes in two parts. The first part is a downloader, a tool that, after installation, downloads a payload from a web server. As with the Mac Defender malware variants, this installation package, called avSetup.pkg, is downloaded automatically when a user visits a specially crafted web site, and does not ask for a password to install itself.
And after advising support staff not to help users who might be infected by MacDefender, Apple rethought its position and posted an advisory on dealing with the malware on May 24. Part of its advice – to cancel the installation process and not to enter admin passwords – has been rendered redundant by the arrival of MacGuard.
Sophos has charted the evolution of Mac-specific malware which it says is "advancing fast and taking many cues from the Windows malware scene".
Although Mac OS X is generally considered a safer operating system than Windows since it is a variant of the Linux OS, Mac users are still advised to use caution when visiting sites that claim to 'have a solution to viruses' or other potential issues that are inherent in today's cyber environment.
In other Internet security news
The U.S. military says it will play a major role in defending homeland America from cyber attacks, and this will include providing cybersecurity and improved protection to key infrastructure on U.S. soil.
Deputy assistant secretary of defense for cyber policy Robert Butler briefed a few senators in Washington yesterday on the plans. Butler said that the Defense department would of course safeguard its own .mil domain, but would also closely collaborate with the Departments of Homeland Security and Justice to guard and patrol the rest of America's cyber territory in a diligent manner.
Philip Reitinger, a DHS senior manager, seemed to imply that the military would lead on cybersecurity even in the domestic sphere. "We each bring unique experience to the initiative," he added. "The DOD (Defense Department) has unparalleled technical expertise and cyber expertise."
Giving a hint as to just which parts of America the military would be the most eager to secure, Butler stated that the U.S. armed forces are critically dependent on the civilian power network, telecoms, transport and many other sectors that are currently run using various computer networks.
Source: Google Inc.