GMail User Using 2FA Warned of Access From China
A few months ago, after the infamous "Aurora" attack, it became known that GMail accounts are under active attack from entities in China. In response, Google added a warning banner to its GMail accounts notifying users if someone logged into the account from China recently.
We had one user reporting such an incident, and are wondering if others have seen this warning recently. This user did use Google's two factor authentication, which is of course in particular concerning.
What security precautions do you take if you use GMail? Do you archive/delete old email? Any scripts you use for it that you could share? Do you use Google's two factor authentication?
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
My next class:
| Application Security: Securing Web Apps, APIs, and Microservices | Washington | Dec 13th - Dec 18th 2024 |
×
![modal content]()
Diary Archives
Comments
Moriah
Apr 11th 2011
1 decade ago
But, when setting up the 2-factor you get 1-time-passwords sent over HTTPS (Can be listened to through root cert issued to bigbrother government like Tunesia), as well as a phone number for SMS or voice fallback.
A government can use the phone number to have google issue a one-time code. They can redirect the call/SMS. They can even just guess the phone number.
On top of all this, to use GMail/Reader etc from stand-alone clients, the clients will get a 16-char password that can be used to access all resources via non-web protocols.
I use 2-factor. But on a webcafe machine, that is hostile, they can just alter my input to google such that it will remember my 2-factor validation for 30 days in a cookie. And they can access my mail for 30 days without 2-factor.
Google 2-factor is good, but far from perfect. You still need to be on a secure machine, with only well trusted root certs in the browser.
CNNIC is a default trusted root in Firefox. As a result, nothing can be considered to be secure going in/out of China, before this is changed.
The whole idea of having all those untrustworthy trusted roots in the browser is wrong.
PHP
Apr 11th 2011
1 decade ago
jaybee
Apr 11th 2011
1 decade ago
Many issues just thinking about these few new vectors and again just my opinion, but what can I say I am a worrier. : )
Young
Apr 11th 2011
1 decade ago
Granted, this is a low hurdle, but why not offer the option?
John Hardin
Apr 11th 2011
1 decade ago
> "This account will never be accessed from China"
> and reject all logins originating from those netblocks
> if that is enabled.
I didn't know her name. The last thing I recall was seeing her standing over me, kicking me in the ribs, and smiling as I tried to get off the floor.
It was an evil type of smile.
The next thing I knew, I woke up in a strange hotel room. I hate it when this happens.
As I have done every day since I started this job, the first thing I did when I woke up was to check under the pillow, to make sure my handgun was there. I didn't expect it to be, but habits are habits.
I could see my clothes draped over the chair across the room. I got out of bed and got dressed. My wallet, phone, and keys were missing. Probably the same place as my sidearm.
Looking out the window, I recognized the view of Shanghai harbor. I'd done several jobs her back when I worked for The Company, before deciding that working for myself paid better.
I had no idea why I'd been left in a strange hotel room on the other side of the world, but I figured it wasn't a good idea to stick around. Without funds and without identification, going to the authorities was out of the question. Even if I did have my I.D., going to them for help would have been a bad idea anyway, considering what happened the last time I was in this city.
Though I didn't have my phone, I knew I could still contact some trusted buddies from the old days for help. I went down to the lobby. As expected, there were several internet kiosks available.
As I tried to log into my Gmail account, I got the following message:
"This Account Has Been Configured To Reject Logins From China."
Damn! Now what was I going to do?
It Was A Dark And Storm Center Night
Apr 11th 2011
1 decade ago
I have to wonder how accurate those reports may be.
Scott
Apr 11th 2011
1 decade ago
Obviously, it could as easily not redirect through China, but instead use the source PC as the outbound source, but that relies on the device being available when the attacker wants access. In practice this latter model is awkward, and it's simpler and more effective to have the malware not bother to intercept the 2FA but just intercept and re-use the connection (pre-encryption layer) to download/forward all email, and fetch from EvilEmpire emails to send, and/or other authenticated actions.
But like any attack vector, making it's exploit a bit harder makes it combinationally harder to get right reliably for large numbers of accounts. e.g. Antivirus is far from perfect, but it's enough of a hurdle to be worth applying, because _sometimes_ it gets you _some_ protection.
Simples.
Dom De Vitto
Apr 11th 2011
1 decade ago
rlocone
Apr 13th 2011
1 decade ago
SH
Apr 14th 2011
1 decade ago