The facts about the Gmail hack that the New York Times left out

When it comes to covering computers, the New York Times is frequently disappointing. Too often, stories are written by reporters without a technical background. 

I can't imagine that they cover other specialized fields without running things by an expert prior to publishing a story.  But, for some reason, computers get a pass. No technical review needed. 

Only an expert can put things in context. Only an expert can separate real issues from self-serving pronouncements. Only an expert can spot mistakes, both of omission and commission.

I mention this because of a page one story, "E-Mail Fraud Hides Behind Friendly Face", in the June 3, 2011 paper.

To begin with, there's very little news in the story, which boils down to bad guys trying to trick people into divulging their Gmail passwords. The only reason this gets mentioned in the media at all is because Google issued a virtual press release that said the attacks were coming from China.

Spear phishing is not news and, by its very definition, it targets people with information others consider valuable. Even Mila Parkour, who first broke this story back in February, said "The spear phishing method used in this attack is far from being new or sophisticated."

Still, publicizing this latest attack can serve the public interest, if it also serves to educate. This is where the Times failed.

The only Defensive Computing comments in the story were:

Companies and individuals can take steps to head off these attacks. For instance, Google encourages people to use a two-step process that sends a special code to their cellphone when they log into Gmail. The Defense Department asks its personnel to use a “digital signature” on their e-mails that verifies their identity.

Google's blog mentions six defensive measures that the story omits. The online version of the story doesn't even link to Google's blog.

Google specifically cited forwarding and delegation as the attack vectors. If the Times had at least mentioned these, then some people might check their Gmail settings. But no, the details were omitted.

The article does say that the scam involved a fake Gmail login page. But, it doesn't say which one. The page that Mila Parkour cited in her blog was at "google-mail.dyndns.org". The Times missed an opportunity to explain why this is not a Google controlled site. They didn't even mention the URL.
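The check the Times could have explained is whether the name that was actually registered belongs to Google. Here is an added example (not from the original post, Google, or Mila Parkour) that extracts that registrable domain from a login URL and compares it to a set of Google domains; the tiny public-suffix list and the Google domain set are constructed for the illustration:

```python
from __future__ import annotations
from urllib.parse import urlsplit

# Constructed, minimal stand-in for the Public Suffix List: names under which
# anyone can register their own subdomain. dyndns.org is a dynamic-DNS provider
# that hands out subdomains to the public, so "google-mail.dyndns.org" says
# nothing about Google, only about whoever registered "google-mail" there.
PUBLIC_SUFFIXES = {"com", "org", "net", "dyndns.org", "co.uk"}

# Domains treated as Google controlled (assumption for this example).
GOOGLE_DOMAINS = {"google.com", "gmail.com", "googlemail.com"}


def registrable_domain(host: str) -> str:
    """Return the part of a hostname that somebody actually registered.

    Tries the longest candidate suffix first (e.g. "dyndns.org" before "org")
    and keeps exactly one label in front of the matching public suffix.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{host!r} is itself a public suffix")
            return ".".join(labels[i - 1:])
    raise ValueError(f"no known public suffix in {host!r}")


def check_login_url(url: str) -> tuple[bool, str]:
    """Return (trusted, registrable_domain) for a login page URL.

    Trusted only when the registered name is Google's and the page is served
    over HTTPS. urlsplit().hostname drops any "user@" prefix, port and
    brackets, so a lookalike in the userinfo part cannot fool the check.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not host:
        return False, ""
    owner = registrable_domain(host)
    return (parts.scheme == "https" and owner in GOOGLE_DOMAINS), owner


if __name__ == "__main__":
    for sample in ("https://accounts.google.com/ServiceLogin",
                   "https://google-mail.dyndns.org/gmail/login"):
        trusted, owner = check_login_url(sample)
        print(f"{sample}: registered as {owner}, trusted={trusted}")
```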

Instead, we learn that Symantec intercepted 85 targeted attacks a day in March and that the only month with more targeted attacks was March 2009. Great PR for Symantec, but useless information for readers of the newspaper.

The story says that forgeries can be realistic, but doesn't say why. Here's why: it's easy to forge the from address of an email message.

Bruce Schneier, in the article, offers an example of a good scam: " ... an e-mail message from your mother saying she needs your Social Security number for the will she’s doing."

This can only be a successful scam if the victim is ignorant of a basic fact of life online:

NEVER make any assumption about who sent an email message.

The Internet does not offer sender validation - another point the article failed to mention. 

Even if the message actually came from your mother's account, that doesn't mean she sent it. The bad guys may have her email password. 

Even the "digital signatures" used by the Defense Department are not an ironclad guarantee. They may ensure that a message came from the computer of Person X, but that too doesn't mean that Person X sent it; their computer may have been remotely controlled.

All that a digital signature guarantees is that the message was sent from a computer that has a special file on it. Trusting it means trusting that the special file wasn't stolen or copied.

But worse than any error of omission is that the article passed along one of Google's security suggestions, using their new two-factor authentication scheme, without context.

The scheme sounds good, at first. When logging in, Google sends a second, temporary password to your cellphone, and you can't fully log in until you provide this second password. The theory is that a bad guy can't possibly have both your password and your cellphone.

There are two huge gotchas with this advice. 

The first issue is that a second password may not have prevented this particular attack.

The two password scheme assumes that you are connected to Google. That was not the case here: the victims were entering their passwords into a fraudulent web page at google-mail.dyndns.org.

Any attack in which the victim connects to a scam website can easily become a man-in-the-middle attack and thus thwart second passwords. The concept is simple.

The victim connects to a fake Gmail login page and enters their Gmail password. The bad guys then take the password and use it to log on to Gmail as the victim.

Then, if Gmail sends a second password to the victim's cellphone, the victim provides the second password to the bad guys who, in turn, provide it to Gmail. Now the bad guys just need to stall the victim for less than a minute while they silently change some account settings to enable their spying. 

Heck, if Google flew out an employee in a jet and whispered a third password in the victim's ear, it wouldn't help.

The second issue has to do with your cellphone number. Google makes a living collecting data on people and providing them with your cellphone number is not something everyone would feel comfortable with.

My plan is to write soon about defending yourself from scam web pages and defending a Gmail account.
