Ask HN: Google warned me that a state organized hacking group targeted me
Has anyone of you guys gotten that message?
I'm still not sure why they targeted me nor how? I'm neither famous nor a journalist or blogger or scientist or something like that.
Nonetheless,what can I do to find out how they tried it? Or if they broke in or if my network is comprised?
And what can I do to prevent in future? Beside 2fa.
42 comments
[ 6.4 ms ] story [ 111 ms ] threadI first thought that too.and tried another browser ( got that message in Vivaldi first,than tried IE) Same result.
Here are some old articles about that:
https://www.recode.net/2017/3/24/15054954/google-reassures-u...
http://www.zdnet.com/article/google-heres-why-you-shouldnt-f...
Why would you say not?
I'm not trying to be rude or anything. Let's have a discussion, and if I can convince you to do use one, I'd have made one more person safer.
[1] I made this for a dead simple way to make passphrases: https://amingilani.github.io/password-maker/
Even if in theorie they are safe. Even the slight chance that a single failure could lead to all my passwords getting in the wrong hands at once just is to scary.
EDITED to add: I am using Password Safe which is recommended by Bruce Schneier. What you describe would be an absolute noob mistake. He would be pretty embarrassed if you were right.
1. Are all your passwords unique?
2. If I discovered some of your passwords, will the rest of your passwords stay secure?
3. Were all your passwords created using at least 32 bits of entropy?
4. Are your passwords stored only in encrypted form?
5. Do you perfectly remember every single password you’ve used when signing up?
6. Do you turn up positive for a password leak at this website?
If you answer "no" to any of these questions, you'll benefit from a password manager.
About storing passwords, I use LastPass and they use client-side encryption[1], which means even they don't have the decryption key to read my passwords. So, you'll be fine as long as you have a secure passphrase and 2FA :)
https://lastpass.com/support.php?cmd=showfaq&id=6926
[1]: Please skip to "Strategy No. 1: Proper Password Management" @ https://www.toptal.com/remote/best-security-practices-for-re...
And nobody hacks into your machine...
Some believe that the "something you know" should be stored inside your head. I personally use a password manager, but can understand the viewpoint.
Password managers lie somewhere between 2 different factors, "have" (the password DB) and "know" (only your master password). For those who use a laptop as their 2nd factor (yubikey plugged into a USB port, a token on the system itself) and get their laptop stolen, a compromise of the password safe could result in both factors being breached.
trusting your bank / email and other important password is an unneeded risk.
Your turn why should I rely on someone and their servers to save my passwords why a good password and 2fa will protect my account?
Seriously now, even though you're not famous or a jounalist you might have some type of valuable access in your life? Or maybe it's just a false positive from google. Or maybe you weren't being especially targetted, and instead your e-mail ended up in some list of valuable e-mails (rightly or wrongly).
So the message can be read more like: a non-allied state actor has targeted your email and we are notifying you to show how good we are. Please note we will not reveal when you are targeted by an allied state intelligence. Privacy is relative, mostly an illusion. Thank you for your cooperation.
It's not America. More likely is Russia,China,Japan, Germany or God knows...
But they didn't tell me...
That's bad I guess.
Other indicators can include malware sample hashes or actor-specific detection rules (Example: YARA,Snort or Netwitness rules).
These indicators are typically not public. Some can be accessed if you pay the right sum of money and undergo vetting,still,some are kept private within the relevat security firms or organizations.
As you can imagine,Google has their hands in many pies including security research and threat intelligence collection(Everyone loves their VirusTotal intelligence product). They can scan email metadata for any of these indicators as they see fit.
Generally speaking,some indicators are of such high quality, they can be used to detect well crafted spear phishing by a nation state actor. But most are good only to detect untargeted attacks or targeted attacks that include a large number of targets.
Hope that answered your question.
Geo-political intelligence analysts and sometimes field officers (aka spies) also play a role. For example,if a specific journalist was attacked while working on an article critical of a specific country and at least one indicator was traced to an a real human associated with that country's spy agency the a confident attribution can be made.
The term "nation state" does sound a bit fancy but it is different from "country" in that many nation states do not act on behalf of their people or to protect the interests of their conuntry. If you use "country" that would include the people of the country while "nation state" simply means the organization running the country. Plus you have situations like taiwan,hong kong and chechnya where those nations are effectively their own nation state but they are under the control of a different country.
Here is a good reference attribution of APT3 (Chinese Ministry of State Security (MSS)): https://threatpost.com/apt3-linked-to-chinese-ministry-of-st...
The most important point is that this indicates signs of targeting not compromise. Also,like all systems there are false positives especially for security researchers and the similar types but we hope it is a useful indicator to reassess your security posture.
Also: should I tell my coworkers what happened?
I'm really curious what they hoped for though.
I have nothing of interest. I do nothing interesting ( except they get really excited about people working in IT consulting) which probably would be millions by now...
Never worked for any military or weapons org or other stuff.
Currently I'm working to create a community portal for a bank. Which will only be used by developers in b2b. ( Documentation and stuff)
But maybe they hoped for weakest link? That's why I'm thinking about to tell my co workers about it.
Then they also moved the keys also to China. Then on top removed the VPN apps from the app store.
Google Gmail was getting hacked by China gov so they warned and ultimately left China.
Even Amnesty International has opened a campaign on Apple and their disregard for privacy.
https://www.amnesty.org/en/latest/news/2018/03/apple-privacy... Campaign targets Apple over privacy betrayal for Chinese iCloud ...