Google Online Security against state-sponsored attacks

According to a post of Eric Grosse, VP of security engineering at Google, on Google Online Security blog the company is constantly monitoring the web for malicious activity on its systems, with particular attention to attacks made by third parties to illegally access into users’ accounts. Google declared that is ready to adopt measurements to mitigate cyber threats each time they receive an alert from intelligence or from their clients and also when their monitoring procedures reveal anomalies.

The company is preparing to offer a specific protection service for a restrict number of users that could be the target of state-sponsored attacks. Every user potentially at risk will be advised with a message like the one proposed in the following picture:

Of course, the message is just an alert and it must be clear that it doesn’t give the certainty that account has been hijacked, it’s a communication to inform the user that its account could be victims of a phishing campaign, of an APT attack or of a malware. Purpose of the initiative is to mitigate or prevent potential damage caused by the attack.

That Google alert remarks

“It’s important to note that Google’s internal systems are not compromised and that this message does not refer to one specific campaign,” the page read. “We routinely receive abuse reports from users, as well as from our internal systems that monitor for suspicious login attempts and other activity.”

The post also propose good practices to secure their account such as

• To Use a strong password.
• To enable 2-step verification as additional security.
• To maintain systems and application updated (e.g. browser).
• To check if your Gmail messages are being forwarded without user’s permission

In a typical attack scenario, the hacker tries to trick the victim into authenticating through a fake web page, a clone of the legitimate ones, to steal the credential.

The post invites the users to sign in looking https protocol in the Google login page.

Despite the good intents of the initiative, there are several concerns regarding how Google will be able to identify state-sponsored attacks.
The blog report:

“We can’t go into the details without giving away information that would be helpful to these bad actors, but our detailed analysis—as well as victim reports—strongly suggest the involvement of states or groups that are state-sponsored.”

“We believe it is our duty to be proactive in notifying users about attacks or potential attacks so that they can take action to protect their information. And we will continue to update these notifications based on the latest information.”

The alert system already works in China where many users have been informed of possible attacks against their account. It’s not first time that Google provide similar alerts, it’s happened last year when it advised every Iranian user to check if their accounts had been hacked and also in early 2010, claiming that Chinese human rights activists had been targeted in an attack dubbed “Operation Aurora“.

It’s not clear how Google will be able to identify a state sponsored attacks, but many experts are critics on the alerting procedure. However, state-sponsored attacks are complex to be intercepted in time, for example it’s quite impossible to detect the exploits of a 0-day vulnerability before the attack can affect the victims.  Many experts believe that the company could access to a huge quantity of information to identify the possible source of the attacks.

Will be Google also efficient when US hackers will try to infiltrate foreign government account? How the data are collected? Where are data stored and for how much time?

Who will manage the situation, the US government or the private company?

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Google, state-sponsored attacks)

[adrotate banner=”5″]

[adrotate banner=”13″]