Google's Worst Security Idea Ever

Wednesday, June 06, 2012

Jeffrey Carr


Google announced that it will notify a subset of its Gmail customers if they're the victim of a State-sponsored attack.

The actual wording is "Warning. We believe that state-sponsored attackers may be attempting to compromise your account or computer."

However, as you read further down Google's blog posting, it seems that an actual attack isn't required to receive this warning. Google may send it to you if they believe that you "may" be targeted.

"If you see this warning it does not necessarily mean that your account has been hijacked. It just means that we believe you may be a target, of phishing or malware ...."

The warning then makes recommendations that you increase your security by selecting a strong password, using Google's two-step verification, updating your browser, etc.

There are so many things wrong with this new Google initiative that I hardly know where to begin.

First, it generates fear on the part of Google's customers because regardless of the fine print, such a warning will most likely send the recipient into panic mode when there's no reason to panic.

Second, it makes a claim which upon investigation is so vague that it's meaningless. You may be the victim of a state or someone working on a state's behalf? That's pretty much the case for all targeted attacks.

Third, if you are a target of interest for a foreign intelligence service (FIS), one of the first things you should do is STOP USING GMAIL or any popular cloud-based service that cannot guarantee you where in the world on its many data farms your data resides.

If the Mossad, the FSB, the MSS, or the NSA is interested in you, they'll find a way to legally and covertly intercept your data without sending a spear phishing email to your Gmail account.

Spear phishing attacks are used by both financial cyber criminals and hacker crews who, having cracked a high value target's account, will sell that information to a FIS, a corporate competitor, or some other customer.

Security advice for a high value target (which is what my firm specializes in) could range from moderately to highly restrictive depending on who you are, but one thing's for sure.

None of Google's recommendations will keep you safe if you're in that group.

On the other hand, if you aren't a HVT, read my article "Cyber Self Defense for Non Geeks" to understand what your best security options are.

The bottom line as far as Google's advice is concerned is that it's FUD-inducing for the people who aren't targets and it's insufficient for those who are. I have to wonder what Google was thinking when it created this awful program.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
