Security Break In - how the hell



  •  So, someone logged into my gmail account somehow and spammed everybody I've ever e-mailed (friends, family, business contacts, etc) with a viagra ad. Not the end of the world to be sure, but embarassing to me; especially since I am relatively careful about computer security. Here's what I do for security:

    1. There are only 6 computers I use ever. Two at work (desktop and laptop) and four at home (wife's laptop, server, desktop, and netbook). If I'm using a different computer, I'm not typing any of my passwords to anything ever. The OSs are Windows XP, Win 7, and Ubuntu, all up to date.
    2. I use different passwords for most things, the ones I use on random forums are different than the ones used for gmail. Passwords are long and secure (at least 3 kinds of things, if not more (caps, lower, numeric, symbols)).
    3. I don't use stupid easy-to-guess "security question" answers, they're just different passwords that have nothing to do with the question, for example "what is your mother's maiden name" gets "p@ssworD" (not my real password obviously).
    4. I use a decent antivirus product, in addition to an anti-malware product. They're both relatively well spoken of by professionals and nerds. 
    5. My home wireless network is secured with a nice, long, good password and "more than WEP". Desktops use wired network.
    6. I don't visit any skeevy websites and don't pirate stuff typically. If I do, I usually run things in a VM so as to not contaminate things. 
    7. I use Firefox and no retarded plugins. 

    So WTF... Most people I know are retarded with security and they don't have issues, I'm not like a security-nazi or anything, but I make sure to try and follow good guidelines and don't do anything stupid and obviously bad. So how'd they get into my gmail account? Was it gmail fail, or did they get my password somehow? Do you all think I have some sort of keylogger/malware thing despite an antivirus and an antimalware product? Is there any other type of scanning thing I should run as well? 



  • I know Gmail has a text message option when you forget a password... maybe there's another "Forgot Password?" system that doesn't rely on a mobile phone?


  • Garbage Person

    Probably a Google vulnerability somewhere. Or your phone company is vulnerable. Or OpenID. Or you had a Gawker account. Or some shit like that.

    This shit happens - it's par for the course for toy services like Gmail. It's utterly impossible to actually secure a Google login account because the number of APIs and services giving inroads to those accounts is ever-expanding and changing, which means there's ALWAYS going to be a hole somewhere (unless there's some sort of Internet-wide social change - and that just plain isn't going to happen)

    As far as 'more scanning' goes, Microsoft Security Essentials is free, not predatory, plays nicely with the resource scheduler, doesn't jump at shadows (OMFG A COOKIE! YOUR DATA IS STOLEN!!!!!!!!!!!!) and astonishingly actually manages to work - which is a rarity in the antivirus/antimalware field today. My personal recommendation would be to throw whatever 'well recommended' piece of crap away and use that instead. 



  •  Thanks for the recommendation, Weng. I wouldn't have thought to try MS Essentials considering their track record. The two things I use are NOD32 and Malwarebytes, both of which are pretty good at not flipping out and staying the heck out of the way, though considering what happened, I wonder if that's because they don't work well? Bleh. I don't want to take it to the extreme and abandon gmail, facebook, etc... but shit like this makes me want to just do my own thing. I do like gmail's interface and convenience, and I do like seeing family photos on Facebook, but that's the only thing I use them for. 



  •  What doesn't count as a "toy" email service if gmail does? If I decide to switch to someone else (or do my own).



  • @EJ_ said:

     What doesn't count as a "toy" email service if gmail does? If I decide to switch to someone else (or do my own).

    Maybe it's a karma thing. The people who relax and don't worry about it don't have problems, and the guy stressing out is shilling Viagra. Maybe it wasn't a hacker, but God using his powers to teach you a valuable lesson about life!



  • @blakeyrat said:

    @EJ_ said:

     What doesn't count as a "toy" email service if gmail does? If I decide to switch to someone else (or do my own).

    Maybe it's a karma thing. The people who relax and don't worry about it don't have problems, and the guy stressing out is shilling Viagra. Maybe it wasn't a hacker, but God using his powers to teach you a valuable lesson about life!

     

    Oh man, I thought I'd already been taught my lesson... I accidentally knocked up a real dreamkiller, I thought that should just about cover any bad thing I'd ever done in my life, or will have done in the future.


  • Garbage Person

     @EJ_ said:

     What doesn't count as a "toy" email service if gmail does? If I decide to switch to someone else (or do my own).

    That last thing you said. Seriously.

    Take your pick. They're all tangibly more sane than gmail. Email has evolved into the papertrail of modern society. Lets peer into my mailbox and find out exactly what you can find out about me:

    - A complete and exhaustive list of creditors and financial services that I use, including payment dates, payment amounts, account balances, and more.
    - A comprehensive list of service providers covering all aspects of my life from basic utilities to shipping to server colocation. A particular nicety here is that you can divine the exact physical location of a server hosting a number of client's things
    - A rather complete picture of mid-long range travel plans including air carriers, my frequent flier mile balances, destinations, and in the short term, precise timing.
    - A reasonably complete picture of my social plans and work schedules (exhaustively complete if you check my Outlook calendar - or for the Google analog, their calendar)
    - Excellent information as to my hobbies - thanks to forum memberships, newsletters and event planning overhead. As a bonus, you can also find out how miserably my racing team performed last season, and pictures of the inside of our motor showing exactly how boned we are for 2011.
    - A list of vendors and stores from which I purchase things - many of which just might have my CC info on file. These range from general goods to electronics to car parts to jewelry.
    - My online dating profile, which presents freely a lot of information you'd otherwise have to actually work for. This particular site is helpful to include in their emails a "Click here to be logged in instantly!" link that bypasses needing my password - so you can go dumpster-diving in my dating inbox and find all sorts of hilarious anecdotes which you could theoretically use for blackmail if I gave half a shit.
    - Exhaustive documentation of contract and subcontracting work including still-valid login credentials and source code.
    - Grades and other educational data.
    - Software licensing information
    - Unsanitized debug output from a web app I once worked on. (I should fix that.)
    - ALARMINGLY large amounts of spam.

    Google is an advertising company. If they can figure out how to parse that data (and much of it is VERY parseable), they WILL use it to 'give me a better advertising experience'. That in and of itself isn't particularly harmful and isn't a terrible price to pay in exchange for not having to maintain your own fucking servers. Gmail, however, does not exist in a vacuum. The same login credentials are usable for hundreds if not thousands of sites across the Internet, many of which aren't even Google's. All it takes is for one of them to implement things just slightly wrong and those credentials can be in ANYBODY'S hands. Sure, you could avoid using those credentials for anything but Gmail, but it's a huge hassle to do so. That, of course, will only be safe as long as Google itself is not directly broken. If Google is penetrated and the information therein is used for nefarious purposes - tough shit. "You shouldn't have stored that on our servers."

    Google's privacy policy says:

    We take appropriate security measures to protect against unauthorized access to or unauthorized alteration, disclosure or destruction of data. These include internal reviews of our data collection, storage and processing practices and security measures, including appropriate encryption and physical security measures to guard against unauthorized access to systems where we store personal data.

    We restrict access to personal information to Google employees, contractors and agents who need to know that information in order to process it on our behalf. These individuals are bound by confidentiality obligations and may be subject to discipline, including termination and criminal prosecution, if they fail to meet these obligations.

    As long as they take those 'appropriate measures' and there is no internal misuse, they have no responsibility to you. At all. It says so in their Universal Terms of Service.

    14.3 IN PARTICULAR, GOOGLE, ITS SUBSIDIARIES AND AFFILIATES, AND ITS LICENSORS DO NOT REPRESENT OR WARRANT TO YOU THAT:<font><font size="-1">
    	<p><b>(B)	YOUR USE OF THE SERVICES WILL BE UNINTERRUPTED, TIMELY, SECURE OR FREE FROM ERROR</b></p><p></blockquote> </p><p>Buttom line, by doing a mediocre job of running and securing your own mail server (or using a trusted communal one) you decrease your threat profile. Random attacks won't break a reasonably secured server, and you don't have the threat profile of a service containing that information for MILLIONS of individuals - just you. As such, your information is only vulnerable to very precisely targeted attacks - which aren't a big deal unless you're a celebrity or a politician. </p></blockquote></font></font></p>


  •  All good points, thanks.

     One concern I have is that setting up an e-mail server properly (with all of the requesite DNS requirements, let alone configuring the server to not be an open relay, etc) is a bit daunting. I work for a very small programming company, and we constantly have issues with e-mail. I'm not the person "in charge" of e-mail, but often get dragged into it (we don't have a dedicated IT person, it's a 7-man shop so everybody does everything really), and it's a huge pain in the ass with setting up reverse-dns, special other dns entries, etc etc.  I'd also need to rent a server somewhere to do this, not that that's a big deal, I've done that in the past and don't mind spending a little cash; ISPs from what I understand typically block server e-mail ports on consumer connections, so that'd be a requirement. 

    Any suggestions for those concerns other than "man-up, wuss" ? :)  I don't mind getting into it if that's just the best way to get it done, it's just beyond what I am comfortable with technically for the time being (the nitty gritty of e-mail and dns), though I know I could get a grasp on it with some time investment. 



  • @EJ_ said:

     What doesn't count as a "toy" email service if gmail does? If I decide to switch to someone else (or do my own).

     

    I've been using Yahoo! as my primary email for almost ten years now. I get maybe one or two spam message a month, and as far as I know they have a much better track record than Google when it comes to spying on you and giving all your personal information and browsing history to third parties. The only thing I don't like about it is how it always tells me my screen on my netbook is too low resolution and I have to click a button basically saying "I don't care, show me my email!"



  • @mott555 said:

    @EJ_ said:
     What doesn't count as a "toy" email service if gmail does? If I decide to switch to someone else (or do my own).
     

    I've been using Yahoo! as my primary email for almost ten years now.

    I'm sorry, I count Yahoo as much a toy mail as Hotmail or Gmail (btw I use or have used all three). You still don't have control over the mail server.

    On the original issue: I haven't heard of Gmail being hacked other than by getting your username/pwd in some way, usually through a keylogger. So I'd still be a bit concerned about that one. I've used SuperAntiSpyware with good results (in that it found something nasty when I used it). Also, have you checked recent activity in Gmail and forwarded the headers of the spam to Google support?



  •  If a primary aspect of a non-toy email service is that you run your own server, then fuck it, toy service it is.



  • One aggravating thing is - I've scanned every computer I use with three different anti-badstuff scanners and all are good (one found some unrelated minor stuff on another partition that isn't used on my desktop, but that was it). I don't know if I should keep scanning, or blame gmail at this point. I do want to have secure systems, but I don't want to jump to extremes (nuke/pave everything). At what point do I pass the line of "due dillegence" and blame google, resting assured my computers are safe for another day? 



  • @EJ_ said:

    keep scanning, or blame gmail

    I'm all in favor of blaming Gmail, but don't you think that if they were compromised, that it would make the frontpages on every media? I mean, they have close to 200 million users.



  • @b-redeker said:

    I'm all in favor of blaming Gmail, but don't you think that if they were compromised, that it would make the frontpages on every media? I mean, they have close to 200 million users.

     

    Well I don't know. There's lots of stuff on teh interwebs about gmail being insecure - but it's hard to separate out the anti-fanboys and idiots from the people with a clue who have had actual issues.


  • Garbage Person

    @b-redeker said:

    I'm all in favor of blaming Gmail, but don't you think that if they were compromised, that it would make the frontpages on every media? I mean, they have close to 200 million users.
    That's the thing - with Google's quasi-universal login across all their sites and made available to third parties, it totally doesn't need to be Google that gets compromised.

    Also, security breaches only make the news when the company fesses up to it. Anything less is a libel suit waiting to happen. Studies indicate that most security breaches, including customer data breaches, are handled internally. If your entire business model is "GIVE ALL YOUR DATA TO ME! I WANT TO FIND A WAY TO INDRECTLY MONETIZE IT!", you sure as shit aren't going to say a fucking word about anything.

    I've been part of an organization that used a credit monitoring service as hush money - and it worked.



  • Next time, check the Details on the bottom of the Gmail page, it'll show the recent activity on your Gmail account (and allows you to end all other sessions).



  • @Weng said:

    you sure as shit aren't going to say a fucking word about anything.

    So how about the users? Vulnerabilities in either Hotmail, Yahoo or GMail are usually widely published, and for good reasons; it's just too important to too many people. Sometimes the spammers find out first, but it's always a big deal to anyone interested.



  • @XIU said:

    Next time, check the Details on the bottom of the Gmail page, it'll show the recent activity on your Gmail account (and allows you to end all other sessions).
     

    Sure, I did that within minutes of them logging in - I was logged in and started immediately getting failure bounces, discovered what it was from and booted them off using the details link... but it still doesn't explain how the fuck they got onto my account in the first place, and they were still able to spam hundreds of people I've e-mailed in the past within that time-frame. It's a cleanup measure, not preventative. 



  •  Probable cause found: I just got an e-mail from sourceforge saying they had a security break in the day before my e-mail got hijacked. I had signed up with my gmail address most likely, and also most likely had used the same password (I'm pretty sure when I signed up for sourceforge it was before I had started using different passwords for stuff, I didn't even remember I had an account with them). The email says "we're pretty sure they didn't get anybody's details" but it seems like too much of a coincidence that it happened the day before... 

    I've scanned every computer I use in multiple ways, also in safe mode, and found no obvious threats, so oh well. 


Log in to reply