New Password Not Enough to Secure Hacked E-mail Account


HED: New Passwords Not Enough to Secure Hacked E-mail Account
DEK: Google’s Advice to Owners of Compromised Accounts Woefully Inadequate, Says Web Security Expert
BY CALEB SIMA, CEO, Armorize Technologies
Threatpost reported recently on a wave of warnings about Gmail account compromises linked to IP addresses in China. In at least one case, the account in question belonged to a prominent UK online privacy activist who has been critical of censorship of the Internet by China’s ruling Communist Party. While declining to comment on the specific attacks, a Google spokesman noted the company’s seven-month-old policy of notifying users when their accounts have been accessed from suspicious IP addresses, and the company’s advice to users to change their passwords after a compromise.
But merely changing the password on a compromised account doesn’t even begin to repair the damage, says Caleb Sima, a Web application security expert and CEO of Armorize. In this column, Sima explains why and provides guidance on what users should do to secure their accounts after a compromise.
I recently read an article warning of attacks against Gmail accounts being conducted by the Chinese government [https://threatpost.com/google-warning-gmail-users-china-spying-attempts-092310/]. The article provided one solution to fix a hacked Gmail account: change your password. Changing your password is good advice, but it’s extremely insufficient. Any decent attacker will have at least one backdoor to regain control of your account so quickly that it will make your head spin. People are baffled when their Gmail account is re-compromised and often have no idea how it keeps happening. I’ve laid out some of the more obvious items that need to be checked to ensure that your Gmail/Google account is locked down.
 
Disable any malicious forwarding and filters

The best method for an attacker to get back into your account is to keep reading your emails even after you’ve changed your password. So the basics of any Gmail backdoor will be to set up some email forwarding rules that send him or her a copy of your messages as they arrive, including password reset messages. Make sure you disable these following any compromise.

Under Settings->Forwarding and POP/IMAP, ensure that “Disable forwarding” is selected and that your incoming email is not being forwarded to the attacker. Next, check your filters list in Gmail and make sure there are no rules set up that forward email to the attacker.
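The forwarding and filter checks above can also be run programmatically over exported settings. The Python below is an added example, not the author's or Google's code: it audits records shaped like the Gmail API's forwarding-address and filter resources (assumed field names `forwardingEmail`, `verificationStatus`, `criteria`, `action.forward`, `action.addLabelIds`, `action.removeLabelIds`) and, going slightly beyond the article's forwarding case, also flags filters that bury security-related mail. All sample data is constructed.

```python
"""Audit Gmail forwarding addresses and filters for post-compromise backdoors.

Added example; the record layouts are an assumption modelled on the Gmail API
users.settings.forwardingAddresses and users.settings.filters resources.
"""
from typing import Dict, List, Set

# Adding one of these labels hides the message from the owner's normal view.
HIDING_LABELS = {"TRASH", "SPAM"}
# Criteria terms that suggest a filter targets account-security mail.
SENSITIVE_TERMS = ("password", "verification", "security alert", "sign-in")


def audit_forwarding(forwarding: List[Dict], trusted: Set[str]) -> List[str]:
    """Flag every configured forwarding address the owner did not set up."""
    findings = []
    for entry in forwarding:
        addr = entry.get("forwardingEmail", "").lower()
        if addr and addr not in trusted:
            status = entry.get("verificationStatus", "unknown")
            findings.append(f"forwarding address not recognised: {addr} ({status})")
    return findings


def _criteria_text(criteria: Dict) -> str:
    """Flatten all match criteria (from, to, subject, query, ...) to one string."""
    return " ".join(str(v) for v in criteria.values()).lower()


def audit_filters(filters: List[Dict], trusted: Set[str]) -> List[str]:
    """Flag filters that forward mail out, or that hide security-related mail."""
    findings = []
    for flt in filters:
        fid = flt.get("id", "?")
        action = flt.get("action", {})
        criteria = flt.get("criteria", {})
        fwd = action.get("forward", "").lower()
        if fwd and fwd not in trusted:
            findings.append(f"filter {fid} forwards matching mail to {fwd}")
        # A filter that trashes/spams mail or pulls it out of the inbox is benign
        # for newsletters, but suspicious when its criteria target security mail.
        hides = bool(HIDING_LABELS & set(action.get("addLabelIds", []))) or \
            "INBOX" in action.get("removeLabelIds", [])
        if hides and any(term in _criteria_text(criteria) for term in SENSITIVE_TERMS):
            findings.append(f"filter {fid} hides security-related mail: {criteria}")
    return findings


# Constructed sample: one legitimate backup address, one the owner never added.
TRUSTED = {"me@example.com", "me.backup@example.org"}
SAMPLE_FORWARDING = [
    {"forwardingEmail": "me.backup@example.org", "verificationStatus": "accepted"},
    {"forwardingEmail": "attacker-relay@example.net", "verificationStatus": "accepted"},
]
SAMPLE_FILTERS = [
    {"id": "f1", "criteria": {"from": "newsletter@example.com"},
     "action": {"addLabelIds": ["Label_42"], "removeLabelIds": ["INBOX"]}},  # benign
    {"id": "f2", "criteria": {"query": "password OR reset"},
     "action": {"forward": "attacker-relay@example.net"}},                  # backdoor
    {"id": "f3", "criteria": {"subject": "Security alert"},
     "action": {"addLabelIds": ["TRASH"]}},                                 # hides alerts
]

if __name__ == "__main__":
    for line in audit_forwarding(SAMPLE_FORWARDING, TRUSTED) + audit_filters(SAMPLE_FILTERS, TRUSTED):
        print("FINDING:", line)
```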
Check the Password Recovery Settings

The next best method of a backdoor is for the attacker to have the ability to recover or reset your password. This is not the sneakiest of routes, but it accomplishes the job well. Ensure an additional recovery email address was not added to your account; an extra address lets an attacker receive the password reset link straight in his own inbox.

Go to settings->Accounts and Import->Google account settings->Change password recovery options->Email.

Make sure the SMS number has not been changed in Google account settings. Also, make sure your security question has not been changed to a question known by the attacker. Sneaky attackers will leave your question the same but change the answer to one they know. Go ahead and change your question and answer.
 
Watch out for rogue applications

Gmail isn’t just an email program; it’s part of an entire Web-based application ecosystem. Check your authorized applications to see if the attacker added their own malicious application to be allowed on your account. This is my personal favorite. Everyone today adds social applications and gives permission to their Facebook/Google accounts through third-party applications. Most people don’t even look at what permissions the third-party applications have. In Gmail, applications can pretty much do everything an attacker would want to do. Even better, from the attacker’s standpoint, is that no one even knows where or how to revoke or check permissions on these applications; once they’ve been approved, they’re forgotten. There are open source applications that will grant full IMAP/SMTP access using OAuth (the Python scripts from the open source google-mail-xoauth-tools project are an example) [http://code.google.com/p/google-mail-xoauth-tools/wiki/XoauthDotPyRunThrough]. Once the Gmail account is hijacked, an attacker can run this script and grant the application full privileges. Even if you change your password multiple times, a rogue application can continue reading your email and accessing your personal data.
Think beyond e-mail

Backdoors that allow full access to read email are not the only ones to consider. In today’s world of open social collaboration, attackers have several options to obtain your data, and it is easier than ever.

If you have Google Voice, go into voice settings and make sure voicemail and text messages are not being sent to additional email addresses. If you have important documents in Google Docs, ensure the attacker has not enabled sharing.

Google Calendar is a very nice backdoor. I’m sure you don’t want someone unexpectedly dropping in and listening on your next board meeting. If so, there are a couple of areas you need to check. In the Calendar Settings, click on your calendars to display the detailed view and make sure you click “reset private URLs” in the private address section. This will change the private address that can be used to retrieve your calendar feed. As an attacker, I can easily just copy this URL and monitor your calendar. Next, click the ‘Share this calendar’ tab and make sure that no email addresses are added that you don’t recognize.


Caleb Sima is CEO of Armorize Technologies


Discussion

  • Anonymous on

    Sima may be right about his advice on email protection, but he is dead wrong when he states, sounding like a political moron, that China is ruled by "Communists".

    China is a hyper-capitalist country sold out to Western investors who helped the Chinese economy bloat. True, China is ruled by a one party system, but that doesn't make it "Communist".

  • Anonymous on

    @Plague

    Way to completely miss his point.

  • Ryan on

    Hey boys and girls, let's try a little quiz:  What's the name of the party that rules China?  If you correctly guessed the "Chinese Communist Party", then congratulations, you are in full agreement with Sima's article!

  • Eckz Zawn on

    "Even better, from the attacker's stand point, is that no one even knows where how to revoke or check permissions on these applications once they've been approved, they're forgotten."

    ...point this out, but don't tell us how to check?

  • Anonymouse on

    "China is a hyper-capitalist country sold out to Western investors who helped the Chinese economy bloat. True, China is ruled by a one party system, but that doesn't make it "Communist"

    ಠ_ಠ


  • Carl on

    You can look to see what applications and websites you have authorized by going to https://www.google.com/accounts and clicking on "Change authorized websites". From this screen, you can revoke access to any application or website that has access to your account.

  • Andrej on

    In Gmail at the bottom click on 'Details' and then search for 'Show an alert for unusual activity' in the window, and make sure it's ON.

    Don't know how Google informs you when this is turned off, but just to be on the safe side.

     

  • T-Bear on

    Anonymous wrote on Mon, 10/04/2010 at 11:47pm.

      > Sima may be right about his advice on email protection, but he is
      > dead wrong when he states, sounding like a political moron, that China
      > is ruled by "Communists".
      > China is a hyper-capitalist country sold out to Western investors who
      > helped the Chinese economy bloat. True, China is ruled by a one party
      > system, but that doesn't make it "Communist".

    The above post by "Anonymous" is instructive. It illustrates how a fanatic's obsession allows him to distort another's message by preventing him from grasping the meaning of the very words he reads.

    Had "Anonymous" been able to understand what he'd read, he'd have noticed that nowhere in the above article did Caleb Sima even mention the Chinese Communist Party. That reference was added (properly, in context) by the editor in his introduction to the article. That is, after all, the name of China's ruling party. {sigh}

    Under the circumstances, is it not unsurprising that Anonymous compounds his ignorance with his natural inclination to hurl epithets at any opponent whether real or mis-perceived.

    However,"Anonymous" might have better been served by looking for his "moron" in his own mirror.

    {T-Bear}

  • Anonymous on

    thx for the tips I hope my PC is safe now :)

  • Peter Couch on

    I got my accounts compromised for no reasons. I contacted the mail admins and now I have got all the accounts back. I had to follow the tips in this article and it really helped me a lot.

    http://www.hacked-email.com/what-happens-once-an-account-gets-compromised/

  • Anonymous on

    be sure you go and p0wn yer attackers too, since they may have all your other passwords as well. You'll need them back ;-)  Oh, and yeah, keep your password the same as your p0wned password on other forums too, just in case if bad communists want that data too. Good luck ;-)

  • Anonymous on

     

    I just got off the phone with Google… they refused to help, stating that I violated the terms of their agreement.

    Wow!

    Guess anyone who uses gmail’s in for a big surprise WHEN THEY GET HACKED. AND YOU WILL GET HACKED and don’t expect google to help you. Frankly, I wish someone had posted this problem before I joined back when they first started. If I were you, I’d cancel my account right now. All my personal information was in there, thank god I made some tweaks to it before this. Is your personal info in your gmail account? Facebook, Linkedin, Tweeter are also going to cause you problems and you’ll get hacked…. I TRUSTED THESE FOLKS and I trusted these websites. Guess I’ll read the next Terms before signing on to anyone for free.

    this email's no longer mine, it's been hacked. richcarbajal@gmail.com along with facebook, tweeter, linkedin, and so on... NO thanks to GMAIL.
