Schneier on Security
A blog covering security and security technology.
January 13, 2012
Recovering a Hacked Gmail Account
Long (but well-written and interesting) story of someone whose Gmail account was hacked and erased, and eventually restored. Many interesting lessons about the security of largely support-free cloud services.
Posted on January 13, 2012 at 12:58 PM
Long, but an interesting and enjoyable read. Thank you for sharing.
Definitely interesting. One thing to mention is that gmail now supports 2-factor authentication via text message. It's easy to enable and certainly a good idea.
Password policies (both enforced and personal) are rather interesting. Security is often sacrificed for convenience, and in many cases convenience is sacrificed for a false sense of security.
Some common limits, like a maximum password length, are damaging to both usability and security. Longer passwords are more secure, passphrases are easier to remember and more secure (if generated well, such as with diceware) and programming in a length limit introduces another possible source of error. Since the best practice is to hash all passwords any length will produce a fixed-size hash output. If you're not hashing (and preferably salting) your passwords you have no right to be making an authentication system.
In the end, I developed a compromise system. My most secure passwords are protected by KeePass password safe. My master password is a 6-word diceware passphrase. This keeps really important stuff, such as bank account passwords. I also store other passwords here as a backup in case I forget. All "security question" answers are random gibberish at least as complex as the password. My mother's maiden name is "kk&`V^522G/5O7t&5!#RBhrm\w.4lX". Yes, she is Polish, how did you guess?
Next down I have a few 5-word diceware passphrases. 1 for my e-mail that is used nowhere else. The next in the form ThisIsFiveWordsLong+SITEURL. I copy+paste the URL when entering the password. I use it for sites/services where no financial information is given, I care about the account, and I have reason to believe the password is properly hashed and salted. Sites without that reason that I care about get keepass passwords.
Game logins use the same system as above, but with a different diceware phrase. Some fullscreen games get buggy when alt-tabbing out to keepass to copy & paste the password, so I have to be able to type it.
Then there are the 1-off sites, and the sites I use regularly but don't care about at all. For example, I use a site for midi soundfont downloads that requires an account. The account is purely for tracking, there's no forum or any real reason for login credentials. So I use physical or mathematical constants. Generally the golden ratio:
Upper case, lower case, numbers, punctuation, 12 characters! It's a perfect password for things that don't need a password. If any of the hundreds of sites I've made an account for and forgotten about is compromised I lose access to all of them, but I've already forgotten their existence anyway. I also don't use my real name or standard alias on such sites.
I've sacrificed security for convenience in the case of the 1-off sites, and convenience for security in the case of banking passwords (I don't actually know any of them. I've never even seen most of them, just copy+paste from keepass into the login page.)
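An added example, not part of the comment above or of the post: salted PBKDF2 password storage in which an 8-character password and a 6-word passphrase both produce the same fixed-size digest, so the server needs no maximum length (the iteration count, salt size and sample inputs are assumed values for this illustration; note that bcrypt, unlike PBKDF2, silently truncates its input at 72 bytes).

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this illustration (PBKDF2-HMAC-SHA256).
ITERATIONS = 200_000
SALT_BYTES = 16
DIGEST_BYTES = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$digest_hex'.

    Input may be any length: PBKDF2-SHA256 always yields a DIGEST_BYTES-byte
    digest, so no maximum password length has to be enforced.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=DIGEST_BYTES
    )
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex),
        int(iterations), dklen=DIGEST_BYTES
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def stored_digest_len(stored: str) -> int:
    """Length in bytes of the digest part of a stored record."""
    return len(bytes.fromhex(stored.split("$")[3]))


if __name__ == "__main__":
    # Constructed sample inputs: an 8-character password and a 6-word
    # diceware-style passphrase (both made up for this example).
    short = "Tr0ub4d!"
    passphrase = "correct anvil jigsaw harbor quilt zeppelin"
    for pw in (short, passphrase):
        rec = hash_password(pw)
        print(len(pw), "chars ->", stored_digest_len(rec), "byte digest,",
              verify_password(pw, rec))
```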
How is two factor going to help -- when a common attack vector on GMAIL is when your mobile phone is stolen/lost?
A one time password on email would seem to answer 99% of the problems.
"my wife had been using the same password for her Gmail account as for some other, less secure sites, where her username was her Gmail address"
@Carl 'SAI' Mitchell
Nice comment Carl. Very informative for many people. I essentially use the exact same strategy as you do: unique keepass generated passwords for anything remotely important and complete gibberish for my security retrieval questions, as I find that these are typically some of the most glaringly easy to guess or glean from publicly available data. Common easy to remember passwords used for sites with non linkable usernames with NO important information stored.
Your password creation and management process conveniently ignores that 'password guessing' is just one attack vector, and so your strategies are largely academic. A reasonably complex 10 character password that I can easily remember is just as sufficient as your multiword diceware password.
If you have to think about password creation for more than 30 seconds - the strategy is already a failure.
I found that I stopped reading when the author went on and on about how unbelievable it was when thinking recovery was not possible. Would not the same fellow be outraged - OUTRAGED I say - to find a cloud company that "violates privacy" by NOT fully deleting data for which deletion has been requested? Sure in this case it was the attacker who requested ... but this fellow should keep that in mind when thinking he'll protect a source by deleting a message.
Yep, several morals to the story:
1) use a decent passkey
2) data in the cloud can neither be reliably recovered nor reliably deleted
3) it helps to know people in high places!
As I suspected it was a pro-Google puff piece filled with tripe and FUD but I'll admit the article was worth it for one reason:
"This friend was not Eric Schmidt, the company’s longtime CEO and now executive chairman, whose family my wife and I had gotten to know long before his Google era. (Embarrassingly enough for us, and possibly for him, he had received one of the “Mugged in Madrid” notes, which he passed on to me with a terse “Deb’s e‑mail has been hacked” subject line.)"
That made me LOL. Especially if it went to his personal e-mail and not to his AA. Score one for da hackers.
Morals of the story:
1. Use a password manager and one kick-ass password to unlock it.
2. Use a different password for each site, made easy by (1.) above.
(and make multiple copies of your database and leave instructions with your will so your family can access them if the worst happens.)
Google also has a feature "Application-specific passwords" but it's a f*cking joke, because first you need to enable 2-step verification. Why? Why? Why?
... and backup all your data *out of these clouds*. Always.
To me the story sounds like a pro-cloud / pro-Google piece extolling the virtues of cloud based storage and Google's heroes.
Sociologists would likely find analogies with it and the stories told by Communists in China and Russia between the 1950s and 1970s.
What is funny about it is the other recent article here at Schneier's that talks about increased Government surveillance. While all governments have increased their data gathering efforts, the populace keeps providing information to this by willingly posting photos and other details about themselves online.
Remember when we all used to get email accounts from our ISP (or set up servers) and run our own mail accounts? There was no giant cloud with billions of people's data in it waiting to be released, hacked, leaked, stolen, or sold.
If you want a bulletproof secure email account, have people send mail to your address on a nym server and forward to your own machine through Tor. Run your own mailservers and encryption.
Could also use privacybox.de as a front for people to email you. Everything they enter there is encrypted and forwarded secretly to some other address. Google not needed.
@charlie: when setting up 2 factor authentication in Google, it generates a set of one time passwords for you to print and keep for sticky situations.
James Fallows was not writing a puff piece! He is a senior editor at The Atlantic Monthly and he was very upset at the disaster that occurred when his wife's gmail account was hacked and deleted so he wrote about it. What bothered me was that she had not backed up the content that she was storing on it.
I also enjoyed that piece, but again it made me wonder why so many people are willing to blindly hand over control of such an important aspect of their communications to a FREE service (granted, they pay for it with their data). Either email is important to you or it's not; if it is, you should be using a service that you control (including whether it's optimized for hard deletion or easy recovery).
(Yes, I run my own mail server. All the people I know who *used* to run their own mail servers seem to think I'm nuts.)
Given the length and puff in the article, it's a shame that one of the more important points is brushed away with:
"For reasons too complex to explain here, even some systems, like Gmail’s, that don’t allow intruders to make millions of random guesses at a password can still be vulnerable to brute-force attacks."
Should we just assume that Google's password hash files are open to the internet?
I run my own mail server, too. Mostly for functionality - I can configure it however I like. All hosted email services are canned food for me :-)
I still had to rely on the 'cloud' to provide the virtual machine on which the mail (and other) software runs - my ISP hides my home connection behind NAT. I could get a plan with a public IP address for a higher price, but without revDNS... and all plans are highly asymmetric, like 8:1 to 12:1, so it's all futile. There are 'business' plans with symmetrical throughput and /26 or so IP address assignment, but the price skyrockets. Other ISPs in the area have similar terms. Therefore running a server from home is largely a non-option. And you still need a secondary NS, MX etc.
I have chosen a less-well-known and rather small company as the provider for the virtual machine - and I can say it was a good choice even if they had occasional failures, as their customer support is quite responsive. The price is also competitive as they offer small and cheap plans and I don't need a lot of CPU/RAM/storage space for my petty server - the Big Ones sell their resources in truckloads.
Daily backups go to a different 'cloud' and I keep copies of the important data on my home computer, with an occasional offline backup on a CD.
I have another (paid) email account as a point of contact for the 'cloud' providers in case of trouble.
I can still lose a few weeks or months worth of email if someone hacks my server and cares to locate and wipe the automatic backups, too - but I think it is as much security as I need.
The article keeps mentioning strong passwords, but that may not even be an issue.
My girlfriend got hacked last year, and we are 99% sure that it happened while we were using wifi at an airport (I had a 3G connection, so I wasn't hacked).
The world's best password won't help if you are on an unsecured network. Throw in some SSL spoofing, and the only way you will know that your email's been hacked is if the hacker decides to spam all your contacts.
When my PSN account was hacked I systematically went through all my accounts to put them in various levels of importance, from bank accounts down to throwaway forum accounts. Fortunately I found this easy since I've used password safe for most of my online passwords, so I was able to sort accounts by password to see where the risk lay and take measures to correct it. I also tend to use one email alias for real life and several others for forums, so if a forum password was stolen it might affect my forum reputation but wouldn't have an impact on my real life.
My biggest annoyance is sites which blithely store a strong password as plaintext on their servers. I've had a few experiences now where I've picked a strong password, forgotten it, asked for a reminder and had my password sent back to me. It's very annoying, but serves as a reminder that it won't be the last time an account gets hacked, so better to minimize the damage even at the inconvenience of all these passwords.
I wonder why Western Union is permitted to exist in most EU countries. It's clear from the amount of fraud that goes on through it that it isn't doing a very good job stopping fraud. Given they skim 10% off the transaction that is not surprising, but it is surprising they should be allowed to get away with it.
Maybe if Western Union and its ilk were only permitted in banks and post offices and recipients were required to supply photo id and fingerprints it might be better brought under control.
I use Google Apps Sync for Microsoft® Outlook to create an exact replica of my Google gmail/calendar/contacts cloud data on my desktop.
Once a week I start Outlook and let it sync. This gives me a last resort copy of the data on my discs.
There's another side to this story that I think is important. What do YOU do when you get an email from a friend/family that's a hack? I got an email from my Mom's email address about a month ago that in no way could have been from her. The grammar, the spelling, what she was saying all said "HACK". I deleted it immediately and called her to let her know her account had been hacked. I think there's an equally important education campaign here, which is "what to do if you get a suspicious email from family/friends."
Delete, delete, delete. Don't respond - that's just playing into their game. And call the person to let them know. Or drop by if you can - the victim could probably use a hug.
I see that anon sez:
I found that I stopped reading when the author went on and on about how unbelievable it was when thinking recovery was not possible. Would not the same fellow be outraged - OUTRAGED I say - to find a cloud company that "violates privacy" by NOT fully deleting data for which deletion has been requested?
If he hadn't stopped reading, he'd have seen that Fallows mentions that as a major legal concern of Google. He's a pretty decent journalist IMHO, and not the type to just emit a bunch of "outrage." I think it's worth at least skipping the entire article (which is available as a single page through a link at the bottom).
A few things struck me about the article:
1. Keeping years of valuable emails on a mail server is not the same as trusting your data to a cloud service provider is it?
2. Didn't everyone who ever had email without running their own server depend on someone else to take care of it? Why is this new?
3. How can someone apparently be an active computer user since 1980 AND friends with Eric Schmidt and still practice such bad computing?
How can someone apparently be an active computer user since 1980 AND friends with Eric Schmidt and still practice such bad computing
Hmm, sounds like you've never really had to support the Computer (ab)users you know...
I've not only been using them since well before 1980, I was designing the pesky things as well (anyone remember 8080s and CP/M?) and even designing the ALUs and microcode state machines using 2900 bitslice processors and good old fashioned 74LS TTL for very high end systems for imaging systems, and ECL for some crypto kit.
Like all humans I make mistakes and also rate things of different value than I should. Such as not remembering to make a backup copy of the phone numbers I was accumulating on a phone.
Simple question for you, "Who has the spare keys for your home, vehicle, bike locks, filing cabinet, safe etc?"
Locks and keys have been in everyday usage for at least a hundred years and people still have not learnt about "backing them up", which is why locksmiths can make such a good living out of "call outs".
Humans are well... Human after all.
I enjoyed the article. Could somebody give me a short answer why bruteforcing works against sites like Gmail? Does it not cut the connection and not let it back in if a cracker spams 1000+ password tries in half a second? Even if you can constantly change your IP address (proxy), would not their supposedly smart analyzing software recognize the pattern and act?
I am a person who has never understood people who create ridiculously difficult email passwords. I have got hacked a few times. Always by hackers cracking the badly secured user database and posting logins and passwords of the whole site online, never by anybody "guessing" my password. Thanks in advance.
This highlights factors that I and many of my associates are seeking support for. I thank you for covering it with so much authority.
Tor Mail works well, not sure about recovery efforts, but it's more secure than SSL:
In order to load the site you need Tor installed, but that is trivial. It's not related to the official Tor Project.
Quick signup, free, no strings.
Re: passwords, it's all well and good saying to use long passwords and passphrases, but when silly sites such as UK National Savings & Investments (NS&I) limit their users' passwords to a paltry 8 characters, it's all rather academic.