Google says owners of compromised Gmail accounts should change their
password. But Web security expert Caleb Sima says that advice is
woefully inadequate. Read his thoughts on how to secure your e-mail
account after a compromise, prevent snooping and keep your account from
getting hijacked all over again.
Threatpost reported recently on a wave of warnings about Gmail account compromises linked to IP addresses in China. In at least one case, the account in question belonged to a prominent UK online privacy activist who has been critical of censorship of the Internet by China’s ruling Communist Party. While declining to comment on the specific attacks, a Google spokesman noted the company’s seven-month-old policy of notifying users when their accounts have been accessed from suspicious IP addresses and the company’s advice to users to change their passwords after a compromise.
But merely changing the password on a compromised account doesn’t even begin to repair the damage, says Caleb Sima, a Web application security expert and CEO of Armorize. In this column, Sima explains why and provides guidance on what users should do to secure their accounts after a compromise.
I recently read an article warning of attacks against Gmail accounts being conducted by the Chinese government. The article provided one solution to fix a hacked Gmail account: change your password. That’s good advice, but insufficient. Any decent attacker will have at least one backdoor to regain control of your account so quickly that it will make your head spin.
People are baffled when their Gmail account is re-compromised and often have no idea how it keeps happening. So I’ve laid out some of the more obvious items that need to be checked to ensure that your Gmail/Google account is locked down.
Mind your filters
The best method for an attacker to get back into your account is to keep reading your emails even after you’ve changed your password. So the basics of any Gmail backdoor will be to set up some email forwarding rules that send him or her a copy of your messages as they arrive – including password reset messages. Make sure you disable these following any compromise.
Under Settings->Forwarding and POP/IMAP ensure that disable forwarding is selected and that your incoming email is not being forwarded to the attacker. Next, check your filters list in Gmail and make sure there are not any rules set up that forward email to the attacker.
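As an added example (not part of the column, and not Google's own tooling), here is a Python check that applies the forwarding and filter audit above to the JSON that the Gmail API's users.settings methods return. The response shapes are what I understand the Gmail API v1 to return and are stated as assumptions in the docstring; the addresses and responses below are constructed sample data.

```python
"""Audit Gmail settings responses for forwarding backdoors.

Assumed Gmail API v1 response shapes:
  users.settings.getAutoForwarding -> {"enabled", "emailAddress", "disposition"}
  users.settings.filters.list      -> {"filter": [{"id", "criteria", "action"}]}
      where action may carry "forward" and "removeLabelIds"
  users.settings.forwardingAddresses.list -> {"forwardingAddress": [...]}
"""

# Constructed sample responses; no real account data.
AUTO_FORWARDING = {"enabled": True, "emailAddress": "drop@example.net",
                   "disposition": "leaveInInbox"}
FILTERS = {"filter": [
    {"id": "f1", "criteria": {"from": "newsletter@example.org"},
     "action": {"removeLabelIds": ["INBOX"]}},
    # A typical backdoor: forward password-reset mail and hide the copy.
    {"id": "f2", "criteria": {"query": "password OR reset OR verification"},
     "action": {"forward": "drop@example.net",
                "removeLabelIds": ["INBOX", "UNREAD"]}},
]}
FORWARDING_ADDRESSES = {"forwardingAddress": [
    {"forwardingEmail": "me@example.com", "verificationStatus": "accepted"},
    {"forwardingEmail": "drop@example.net", "verificationStatus": "accepted"},
]}


def audit_forwarding(auto_forwarding, filters, forwarding_addresses, trusted):
    """Return (severity, description) findings for any forwarding target
    that is not in the owner's trusted address list."""
    trusted = {a.lower() for a in trusted}
    findings = []
    if auto_forwarding.get("enabled"):
        dest = (auto_forwarding.get("emailAddress") or "").lower()
        if dest not in trusted:
            findings.append(("high", f"auto-forwarding enabled to {dest}"))
    for flt in filters.get("filter", []):
        action = flt.get("action", {})
        dest = (action.get("forward") or "").lower()
        if dest and dest not in trusted:
            hidden = "INBOX" in action.get("removeLabelIds", [])
            desc = f"filter {flt['id']} forwards {flt.get('criteria')} to {dest}"
            findings.append(("high", desc + (" and hides the copy" if hidden else "")))
    for entry in forwarding_addresses.get("forwardingAddress", []):
        addr = entry.get("forwardingEmail", "").lower()
        if addr not in trusted:
            findings.append(("medium", f"unrecognized forwarding address: {addr}"))
    return findings


if __name__ == "__main__":
    for sev, desc in audit_forwarding(AUTO_FORWARDING, FILTERS,
                                      FORWARDING_ADDRESSES, ["me@example.com"]):
        print(sev.upper(), desc)
```

The same function can be pointed at live responses from an authorized Gmail API client; anything it flags is a forwarding path to review and remove.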
Check the Password Recovery settings
The next best method of a backdoor is for the attacker to have the ability to recover or reset your password. This is not the sneakiest of routes, but it accomplishes the job well. Ensure an additional recovery email address was not added to your account. This would allow an attacker to get the password reset link straight to his email.
Go to settings->Accounts and Import->Google account settings->Change password recovery options->Email.
Make sure the SMS number has not been changed in Google account settings. Also, make sure your security question has not been changed to a question known by the attacker. Sneaky attackers will leave your question the same but change the answer to one they know. Go ahead and change your question and answer.
Watch out for rogue applications
Gmail isn’t just an email program, it’s part of an entire Web based application ecosystem. Check your authorized applications to see if the attacker added their own malicious application to be allowed on your account. This is my personal favorite. Everyone today adds social applications and gives permission to their Facebook/Google accounts through third party applications. Most people don’t even look at what permissions the third party applications have. In Gmail, applications can pretty much do everything an attacker would want to do. Even better, from the attacker’s standpoint, is that no one even knows how to revoke or check permissions on these applications; once they’ve been approved, they’re forgotten. There are open source applications that will grant full IMAP/SMTP access using OAuth. (The Python scripts from the open source google-mail-xoauth-tools project are an example). Once the Gmail account is hijacked, an attacker can run this script and grant access to the application for full privileges. Even if you change your password multiple times, a rogue application can continue reading your email and accessing your personal data.
Think beyond e-mail
Back doors that allow full access to read email are not the only ones to consider. In today’s world of open social collaboration, attackers have several options to obtain your data, and it is easier than ever. If you have Google Voice, go into voice settings and make sure voicemail and text messages are not being sent to additional email addresses.
If you have important Google documents in Google Docs, ensure the attacker has not enabled sharing. Google Calendar is a very nice backdoor. I’m sure you don’t want someone unexpectedly dropping in and listening in on your next board meeting. To prevent that, there are a couple of areas you need to check.
In the Calendar Settings, click on your calendars to display the detailed view and make sure you click “reset private URLs” in the private address section. This will change the private address that can be used to retrieve your calendar feed. As an attacker I can easily just copy this URL and monitor your calendar. Next, click ‘Share this calendar’ tab and make sure that no email addresses are added that you don’t recognize.
Caleb Sima is CEO of Armorize Technologies