If you are a Gmail user do not be surprised when you log in to find a message from Google saying that you could be the target of a ‘State sponsored attack’ and advising you on the methods to adopt to stay secure. A recent blog by Eric Grosse, VO Security Engineering at Google describes this.
In a number of well publicized attacks, governments have sought to pressurize Google into letting them see the mail of dissidents and other citizens that it is otherwise apprehensive about. Readers many recall that some time ago, Google had to shut down its servers in mainland China and move them to Hong Kong when Chinese hackers broke into its servers in China. Apparently this kind of hacking and espionage is on the rise. Google has created some kind of an algorithm that looks out for malicious activity on their systems, identifies the target account and warns the users. The exact parameters that are being monitored are not detailed (for
In the past, Google has detected attacks originating from China targeting US officials, Senators, South Korean officials and military personnel etc. These attacks aim to log into Gmail accounts and read mail.
Besides issuing warnings, Google says that it “put(s) in place extra roadblocks to thwart these bad actors”. The warning Google sends to you is displayed on your log-in page and a sample is shown below –
Google is careful to stress that the internal security structures at the company are secure and have not been broken into. It’s the email accounts that have been compromised primarily by the bad guys obtaining passwords, access to secondary email accounts and through phishing. Once they have access to the account they want, the government hackers are able to map the email contact network of the person and spread their net wider.
There are many ways to thwart such an attack. Google gives a number of useful techniques. These are –
Enable two step verification on your sensitive account, this will ensure that every time you attempt to log in, you will be sent a verification code to your cell phone you have registered. You will need to log in with code as well. If you find this cumbersome, you can make this code permanent to your PC for 30 days.
It is critical to use a strong password that is a mix of upper and lowercase letters, numbers and special characters. Never enter your password into a pop up box, no matter how authentic it appears.
Once in a while go to your Gmail account and check that your mail is not being automatically forwarded to other accounts. This is a great feature in Gmail, but it can be easily misused if someone can access your account.
Besides securing your account as discussed above, separate your account for critical and non critical use. Do not make these accounts secondary to each other so that the password reset link for one account goes to another.