A recent phishing scam resulting in usernames and passwords of Microsoft's Hotmail, Google's Gmail, and possibly accounts of AOL and Yahoo users being posted online is cause for concern for anyone who uses any of those services. Rather than panic, though, there are simple ways to avoid becoming a victim or being further victimized, if your account has already been compromised.
Microsoft and Google said the compromised information likely came as a result of a phishing scam, through which millions of people are sent e-mail (often warnings about a fake security breach), asking them to click on a link to take them to a Web site so that they can enter their correct information.
When phishing attacks first became prevalent, the fake sites were often crude imitations of the real things, but these days, they can look exactly like the legitimate site, typically of a bank, a payment service such as eBay's PayPal, or another financial company. When the user logs in with a username and password, or provides credit card numbers and other confidential data, that information is captured by the e-mail senders, who can use it to impersonate the victims.
Beyond letting someone read your messages, a compromised e-mail account is dangerous because many sites send lost-password or password-reset links to the e-mail address on file. Criminals who can read your inbox can use those links to take over other accounts, including financial ones, without ever knowing those passwords.
BBC News is reporting that it has seen lists containing more than 30,000 names and passwords, some of which "appear to be old, unused or fake," but "many--including Gmail and Hotmail addresses--are genuine." To put this into context, Gmail and Hotmail sites had more than 84 million unique visitors in July. Yahoo Mail had more than 156 million unique visitors, according to ComScore.
Here's some advice that can help you avoid becoming a phishing victim.
Change passwords regularly
Even if this particular breach hadn't occurred, many experts recommend that you change your password about every three months. This is as good a time as any to do just that. It's also a good idea to avoid using the same password on multiple sites, but if you're one of the many people who have done that, be sure to change your password everywhere you reused it. Gmail asks users to provide an alternate e-mail address, so be sure to change the password for that account as well, since whoever controls it can reset your Gmail password.
As I pointed out in this post about password security, consider using a password manager like LastPass (free) or RoboForm that can generate and manage strong passwords.
Click cautiously
If you get an e-mail that appears to be from a legitimate site with a request that you click on a link to visit the site for any reason, including updating your security information, think before you click. It might be taking you to a rogue site that captures that information for identity theft or other crime. It's safer to type in the URL yourself. Be extremely wary of any request for Social Security numbers or credit card information unless you're absolutely sure that you're dealing with a legitimate site. When visiting a site, make sure that the host name in the address bar actually belongs to the organization, not merely that the organization's name appears somewhere in the URL.
Look for secure sites
If you're asked to provide sensitive information such as a credit card number, be sure that the URL begins with "https" (the "s" stands for "secure") and that the browser shows a padlock icon, in the address bar or status bar (older browsers put it in the lower-right corner). Keep in mind what the padlock proves: that your connection to the host named in the address bar is encrypted and that the site holds a certificate for that name. It does not prove that the site is the organization you think it is, so check the host name as well.
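The two checks above, host name and https, are easy to get wrong by eye, so here they are as code. This is an added example, not part of the original article: the trusted-domain list, the sample links and the function names are assumptions chosen for illustration. The same check covers the advice later on this page to sign in to Gmail only at addresses starting with https://www.google.com/accounts.

```python
"""Decide whether a link is one you should type credentials into.

Added example, not from the original article. The trusted-domain list and
the sample links in the docstrings are assumptions chosen for illustration.
"""
from typing import Iterable, List
from urllib.parse import urlsplit


def host_belongs_to(host: str, registrable_domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it.

    "accounts.example.com" belongs to "example.com";
    "example.com.evil.net" and "example-com.net" do not.
    """
    host = host.lower().rstrip(".")
    registrable_domain = registrable_domain.lower()
    return host == registrable_domain or host.endswith("." + registrable_domain)


def check_credential_url(url: str, trusted_domains: Iterable[str]) -> List[str]:
    """Return a list of problems; an empty list means the link passes.

    The checks mirror the advice above: https, a host that really belongs to
    the organization, and no tricks in the URL that make a look-alike read
    like the real thing.
    """
    problems = []
    parts = urlsplit(url.strip())

    if parts.scheme.lower() != "https":
        problems.append("not https: credentials would travel in the clear")

    if parts.username is not None or parts.password is not None:
        # "https://www.bank.example@evil.net/" shows the bank first but goes to evil.net
        problems.append("userinfo before '@' hides the real host")

    host = parts.hostname or ""
    if not host:
        problems.append("no host name")
    elif not any(host_belongs_to(host, d) for d in trusted_domains):
        problems.append(f"host {host!r} is not under a trusted domain")

    # Internationalized (xn--) labels can render as look-alike characters
    if any(label.startswith("xn--") for label in host.split(".")):
        problems.append("internationalized host label; verify it is not a look-alike")

    return problems


if __name__ == "__main__":
    trusted = ["example.com"]
    for link in ("https://accounts.example.com/login",
                 "http://accounts.example.com/login",
                 "https://example.com.evil.net/login",
                 "https://www.example.com@evil.net/"):
        print(link, "->", check_credential_url(link, trusted) or "ok")
```

The "@" case is the one people miss most often: the browser goes to whatever follows the "@", so everything before it is decoration. Note that the check only tells you the link is under a domain you already trust; deciding which domains to trust is still up to you.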
Use a phishing filter and good antimalware software
The most recent versions of most browsers, including Microsoft's Internet Explorer and Mozilla's Firefox, help filter known phishing sites, as do security suites from McAfee, Symantec, Trend Micro, and other companies. Security software also helps protect you against malicious software that can log your keystrokes or otherwise jeopardize your privacy and security. Make sure that your security software and your operating system are up-to-date; a filter only blocks sites it already knows about, so it is a backstop for the habits above, not a replacement for them.
Think critically
If something seems too good to be true, it's almost invariably too good to be true. Think about what you're about to do on any site you visit, especially if it's a site you don't already trust. Never use the same password on an unknown site that you use for e-mail, banking, or other sites where security is essential.
The U.S. Department of Homeland Security's National Cyber Alert System has additional tips to help you avoid phishing and other social engineering attacks, and ConnectSafely.org has tips to create and manage strong passwords.
Hotmail users aren't the only ones who've been hit by a phishing scheme over the past week. Google told BBC News on Tuesday that Gmail users have also been affected by the hackers who posted passwords online.
The problem is far more widespread than was disclosed on Monday, possibly affecting Yahoo and AOL e-mail accounts as well, according to BBC News.
Google described the issue as an "industrywide phishing scheme." BBC News said it has seen two lists posted online with "more than 30,000 names and passwords" from Gmail, Yahoo, AOL, Microsoft's Windows Live Hotmail, and other service providers.
"We recently became aware of an industrywide phishing scheme through which hackers gained user credentials for Web-based mail accounts including Gmail accounts," a Google representative told me in an e-mail.
The representative said that Google immediately "forced passwords resets on the affected accounts."
In an e-mail to CNET, a Google representative said that the company had to reset the passwords on fewer than 500 Gmail accounts so far. However, that figure could change.
Despite Google's and Microsoft's awareness of the problem, it doesn't seem that users are out of the woods just yet. Google's representative told CNET that it will continue to force password resets on any newly affected user accounts.
Like Microsoft, Google was quick to point out to the BBC that the phishing scheme was a "scam to get users to give away their personal information to hackers" and not an internal security issue. It didn't say how users fell victim to the scheme.
Google's admission that Gmail users were affected by the phishing scheme comes on the heels of Microsoft acknowledging that over 10,000 Live Hotmail accounts were compromised by the scam. The passwords apparently first hit the Internet on October 1.
Updated at 9:10 a.m. PDT to include Google's comments.
Don Reisinger is a technology columnist who has written about everything from HDTVs to computers to Flowbee Haircut Systems. Don is a member of the CNET Blog Network, and posts at The Digital Home. He is not an employee of CNET. Disclosure.
A sensitive e-mail mistakenly sent by a bank to a Gmail address that prompted a court to order Google to deactivate the account was not viewed by the recipient and has been deleted, the bank said on Tuesday.
The e-mail, sent by an employee of Jackson, Wyo.-based Rocky Mountain Bank on August 12, contained names, addresses, Social Security numbers, and loan information of more than 1,300 bank customers.
The bank sent another e-mail asking that the data be destroyed and went to court to get Google to intervene on its behalf. Last week, a judge in U.S. District Court in San Jose, Calif., ordered Google to deactivate the Gmail account and Google complied. Google and the bank quickly resolved the matter and the court granted their motion to dismiss the case and allowed Google to reactivate the Gmail account.
"Rocky Mountain Bank, working with Google (through court order), confirmed on Thursday of last week that the e-mail containing client information was never opened and has now been permanently destroyed by Google's system," Tina Martinez, general counsel for Rocky Mountain Capital, wrote in an e-mail response to questions.
"As a result, no customer data of any sort has been viewed or used by any inappropriate user during this data lapse," Martinez wrote. "Rocky Mountain Bank acted to protect its customer's confidential information. That objective was accomplished. The matter is now closed and the TRO (temporary restraining order) entered on September 23, 2009 is now vacated."
Asked for comment, a Google spokesman said: "To protect the privacy of our users, we do not comment on their use of Google services."
The case poses some interesting questions. For instance, should the person who registered the e-mail address lose access to the account or have items deleted without his or her permission, particularly through no fault of their own?
And what recourse would the bank have if the data had been sent via regular mail to the wrong address? The U.S. Postal Service certainly doesn't have the ability to see the envelope sitting on the recipient's desk and vaporize it.
Update 4:35 p.m. PDT: The bank did not take any action against the worker who sent the e-mail, the bank's lawyer said.
A bank that accidentally sent sensitive customer information to a Gmail address and persuaded a judge to order Google to deactivate the account has resolved the issue with Google and the companies have filed a motion to dismiss the case.
Google spokesman Andrew Pederson declined to say exactly how the issue was resolved or to identify the owner of the Gmail account.
The problem began August 12 when a worker at Rocky Mountain Bank inadvertently sent an e-mail containing names, addresses, Social Security numbers, and loan information of more than 1,300 customers to a random Gmail address. When the worker realized the mistake, a subsequent e-mail was sent to the address asking that the recipient contact the bank and destroy the data, but the bank heard no word, according to a MediaPost report.
The bank asked Google for information on the owner of the Gmail address, but Google said the bank had to get a court order to get access to that information. Last week, a judge in the U.S. District Court in San Jose, Calif., ordered Google to deactivate the Gmail account and Google complied, Pederson said.
"After notifying the account owner, we complied with the court's order. However, after working with Rocky Mountain Bank and the court, we resolved the issue around the bank's error, and both sides have agreed to vacate the TRO and dismiss the case," he said.
"While we regret that the user has been locked out of their account through no fault of their own, we're not legally able to reactivate the account until the court approves our motion to dismiss the case and vacate the TRO," Pederson added. "We're hopeful that the court will act quickly, and as soon as the motion is approved, we'll reactivate the account."
Calls to Rocky Mountain Bank and the court clerk were not immediately returned on Monday.
Update, September 29, 9:35 a.m. PDT: Google spokesman Pederson said the court granted the motion to dismiss the case on Monday, allowing the company to re-activate the Gmail account.
Gmail Auto-unsubscribe gives you the option to have Google unsubscribe you from mailing lists.
(Credit: Google)

Ever sign up for a newsletter and then regret it later and feel too lazy to go back to the source and unsubscribe? Well, instead of just marking the messages as spam and hoping the problem goes away, you can use a new Gmail feature to solve the problem.
Google has added an auto-unsubscribe feature to Gmail that will unsubscribe you from mailing lists that you may have signed up for but then decide you don't want after all.
The feature was being tested on Wednesday for certain Gmail users and was launched on Thursday and will be rolled out to all users gradually, a Google spokesperson said.
Here's how it works, according to a post on the Gmail Help site:
...If the particular message is a misuse of a mailing list you like to receive, you can "Report spam" as usual. But if you never want to receive another message or newsletter from that list again, click "Unsubscribe" instead. We'll send a request to the sender that your email address be removed from the list.
It will not work for all mailing lists and it can take several days for the request to be processed, Google said.
Also, Gmail won't display "unsubscribe" for lists that are known to be spammers so that you don't get more spam from them by accidentally verifying that your address is legitimate.
(via LifeHacker)
Updated July 23 9:10 a.m. PDT with Google saying feature launched Thursday, screenshot.
Updated at 4:45 p.m. PST to clarify that Gmail data has always been encrypted by default when a user types in https:// and that last year they offered the ability to set https:// as the default.
More than three dozen security and privacy advocates and researchers are asking Google to offer better data protection for users of Gmail and other Google apps and Google said on Tuesday that it is considering doing that, if it doesn't slow down the apps too much.
You may not know this but you can set Gmail to encrypt your session data by default to protect it from being sniffed over the network. However, Google doesn't offer the ability to encrypt potentially sensitive data created in other Google apps like Docs or Calendar by default, which means the communications could be stolen or snooped on by someone using a packet sniffer on public Internet connections, such as open wireless networks, according to the letter addressed to Google Chief Executive Eric Schmidt and signed by a who's who of 38 experts in the security industry.
Granted, users of other free e-mail services, social networks, and many other sites are vulnerable to data theft and account hijacking, the letter notes. But Google is in a position to set a standard for others to follow, it says.
Google should enable HTTPS (Hypertext Transfer Protocol Secure), a technology used by banks and e-commerce sites, by default for Gmail, Docs and Calendar, or at least do more to educate users about the privacy risks and make it easy to turn on the HTTPS by default, the letter urges.
Not only do many people not understand the privacy risks in using unencrypted services, but they don't know that they have the HTTPS default option and finding the settings to change isn't that easy, the letter says. Users can access Gmail, Docs, Calendar and other apps via HTTPS by simply changing the "http://" in the URL address to "https://," but many don't know about that option, either.
"As a market leader in providing cloud services, Google has an opportunity to engage in genuine privacy and security leadership, and to set a standard for the industry," the letter says. "If Google believes that encryption and protection from hackers is a choice that should be left up to users, the company must do a better job of informing them of the risks so that they are equipped to make this choice."
Some of the security experts endorsing the document include Bruce Schneier, chief security technology officer of BT Group; Peter Neumann, principal scientist at SRI International; encryption pioneer Ron Rivest of MIT; Steve Bellovin of Columbia University; Eugene Spafford at Purdue University; and Defcon founder Jeff Moss, who recently joined the Homeland Security Advisory Council.
In response, Alma Whitten, a software engineer on Google's security and privacy teams, wrote in a blog post that Google has been "looking into whether it would make sense to turn on HTTPS as the default for all Gmail users.
"But we want to more completely understand the impact on people's experience, analyze the data, and make sure there are no negative effects," she wrote. "Ideally we'd like this to be on by default for all connections, and we're investigating the trade-offs, since there are some downsides to HTTPS--in some cases it makes certain actions slower."
Google is planning to test the use of HTTPS with "small samples of different types of Gmail users" to see whether it affects the performance of their e-mail, the blog post says.
"Unless there are negative effects on the user experience or it's otherwise impractical, we intend to turn on HTTPS by default more broadly, hopefully for all Gmail users," the post says. "We're also considering how to make this work best for other apps including Google Docs and Google Calendar."
The letter addresses the performance trade-off argument, noting that Google seems to have solved the issue because it provides access to its advertising systems and several other services only via HTTPS sessions.
"Google's engineers have created a low-latency, enjoyable experience for users of Health, Voice, AdWords and AdSense--we are confident that these same skilled engineers can make any necessary tweaks to make Gmail, Docs, and Calendar work equally well in order to enable encryption by default," the letter says.
Reports that a purported Gmail vulnerability was being used by unauthorized third parties to hijack domains turned out to be nothing more than a phishing scam, Google announced Tuesday.
The alleged vulnerability reportedly allowed an attacker to set up filters on users' e-mail accounts without their knowledge, according to a proof of concept posted Sunday at the blog Geek Condition. In the post, Geek Condition's "Brandon" wrote that the vulnerability had caused some people to lose their domain names registered through GoDaddy.com.
However, after consulting with those who claimed to be affected by the so-called vulnerability, Google determined that they were victims of a phishing scam, Google information security engineer Chris Evans explained in a blog:
Attackers sent customized e-mails encouraging Web domain owners to visit fraudulent Web sites such as "google-hosts.com" that they set up purely to harvest usernames and passwords. These fake sites had no affiliation with Google, and the ones we've seen are now offline. Once attackers gained the user credentials, they were free to modify the affected accounts as they desired.
A Google representative contacted me early Monday to let me know the company was trying to contact "Brandon" to get more information on his claim, but there was no word whether that blogger helped Google arrive at its conclusion. As of this writing, the blog has not been updated to mention Google's finding.
While this security breach was apparently unrelated to Gmail's operation, Google reminded users to enter Gmail sign-in credentials only at Web addresses starting with "https://www.google.com/accounts," and not to ignore warnings their browsers may raise regarding certificates.
Updated November 24 at 10:10 a.m. PST: Adds comment from Google representative.
A Gmail security vulnerability may allow an attacker to set up filters on users' e-mail accounts without their knowledge, according to a proof of concept posted Sunday at the blog Geek Condition.
In a post, Geek Condition's "Brandon" writes that the vulnerability has caused some people to lose their domain names registered through GoDaddy.com.
Without posting the full exploit, Brandon explains that it relies on obtaining the variables that represent the username and "at":
When you create a filter in your Gmail account, a request is sent to Google's servers to be processed. The request is made in the form of a url with many variables.
For security reasons, your browser doesn't display all the variables contained within the URL. Using Firefox and a plug-in called Live HTTP Headers, you can see exactly what variables are sent from your browser to Google's servers.
After that, an attacker just needs to identify the variable that is the equivalent of the username.
"Obtaining this variable is tricky but possible," he writes. "I'm not going to tell you how to do it; if you search hard enough online, you'll find out how."
The "at" variable can be obtained by visiting a malicious Web site, writes Brandon, who suggests that Google make the "at" variable expire after every request rather than after every session.
To avoid being a victim of the vulnerability, users should check their filters often, Brandon suggests. Firefox users can download an extension called NoScript that helps prevent these attacks, he said.
Any Web site that relies on a cookie alone to authorize a request can be attacked the same way: the browser attaches the cookie to requests that a malicious page triggers, which is why Gmail requires the extra "at" value and why the attack as described hinges on leaking it. To avoid becoming a victim of this type of exploit, Gmail users should log out of their accounts when they are not in use, and--of course--not visit Web sites they don't trust.
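To make the mechanism concrete, here is the request-forgery pattern the post describes, modeled against a toy filter-creation endpoint. This is an added example, not the blogger's proof of concept and not Gmail's code: the in-memory session store, the "forward_to" parameter, the function names and the forged request are all constructed for illustration; only the name "at" comes from the post. It shows a handler that trusts the cookie alone, a handler that also demands the session's "at" value, and the per-request rotation the blogger suggested.

```python
"""Cross-site request forgery (CSRF) against a mail-filter endpoint.

Added example, not the blogger's proof of concept and not Gmail's code. The
in-memory session store, the "forward_to" parameter and the forged request
are constructed for illustration; only the name "at" comes from the post.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Session:
    user: str
    filters: List[str] = field(default_factory=list)
    # Per-session secret that must accompany every state-changing request
    at: str = field(default_factory=lambda: secrets.token_urlsafe(16))


SESSIONS: Dict[str, Session] = {}


def login(user: str) -> str:
    """Issue a session cookie; the browser then attaches it to every request."""
    cookie = secrets.token_urlsafe(16)
    SESSIONS[cookie] = Session(user)
    return cookie


def forged_request(forward_to: str, leaked_at: Optional[str] = None) -> dict:
    """Parameters a malicious page can submit on the victim's behalf.

    The attacker chooses the parameters; the victim's browser adds the cookie.
    """
    params = {"forward_to": forward_to}
    if leaked_at is not None:
        params["at"] = leaked_at
    return params


def create_filter_cookie_only(cookie: str, params: dict) -> bool:
    """Vulnerable: trusts the cookie alone, so a forged request succeeds."""
    session = SESSIONS.get(cookie)
    if session is None:
        return False
    session.filters.append(params["forward_to"])
    return True


def create_filter_with_token(cookie: str, params: dict, rotate: bool = False) -> bool:
    """Hardened: also requires the session's secret 'at' value.

    A page on another origin cannot read it, so the forgery fails unless the
    token leaks. With rotate=True the token changes after each accepted
    request, the change the post suggests, so a leaked value works once.
    """
    session = SESSIONS.get(cookie)
    if session is None:
        return False
    if not hmac.compare_digest(params.get("at", ""), session.at):
        return False
    session.filters.append(params["forward_to"])
    if rotate:
        session.at = secrets.token_urlsafe(16)
    return True


def demo() -> Dict[str, bool]:
    """Run the forgery against each variant and report which attempts landed."""
    cookie = login("victim")
    results = {}
    results["cookie_only"] = create_filter_cookie_only(
        cookie, forged_request("attacker@example.net"))
    results["token_not_leaked"] = create_filter_with_token(
        cookie, forged_request("attacker@example.net"))
    leaked = SESSIONS[cookie].at  # what the post says a malicious site can obtain
    results["token_leaked"] = create_filter_with_token(
        cookie, forged_request("attacker@example.net", leaked))
    results["rotating_first_use"] = create_filter_with_token(
        cookie, forged_request("attacker2@example.net", leaked), rotate=True)
    results["rotating_replay"] = create_filter_with_token(
        cookie, forged_request("attacker3@example.net", leaked), rotate=True)
    return results


if __name__ == "__main__":
    for name, landed in demo().items():
        print(f"{name:20} {'forgery succeeded' if landed else 'blocked'}")
```

The rotation result is the honest one: a leaked token still buys the attacker a single filter, which is why the blog's advice to review your filters regularly is still worth following even after the token design is tightened.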
A Google representative said the company was trying to contact Brandon for specifics on his proof of concept.
"We're trying to reach the blogger making this claim for more details, but we haven't seen evidence that this would be specific to Gmail," the representative said. "We use standard industry methods for protecting cookies, similar to most Web services using HTTP. In fact, we offer additional protection by offering the option of a secure connection (HTTPS) throughout the session for free."
There was an interesting article recently in The New York Times about getting locked out of a Gmail account.
In August, blogger Alan Shimel of StillSecure wrote about his problems regaining access to a Yahoo e-mail account. Suffice it to say that if someone learns your Web mail password, it's a very difficult situation--one that may not end well.
For one thing, the Web mail provider may not know enough about you to determine the true account owner. Worse still, anyone using a free Web mail account from Google (Gmail), Yahoo, or Microsoft (Hotmail) can't expect to talk to a human being to resolve a problem with their account. Talking to a person at Google requires a subscription to Google Apps Premier Edition for $50 a year. Microsoft and Yahoo similarly offer telephone support only to "premium" customers.
If you care about a Web mail account, then some homework may be in order.
Alternate e-mail address
One thing Web mail users should have associated with their account is an alternate e-mail address. This is typically optional, but it can be critical, should you get locked out. I think you're safer not using an address from the same provider as your alternate. That is, don't provide a Gmail e-mail address as the alternate for a Gmail account. Too many eggs in one basket.
If you're like me, with no recollection or notes about the alternate e-mail address associated with your Web mail account, here's how to check (after first logging in to your account):
Gmail: Click on the "Settings" link in the top right corner, then go to the "Accounts" tab and click on the link in the "Google Account settings" section.
Classic Hotmail: Click on "Options" in the top right corner, then View and Edit your personal information. Your alternate e-mail address is displayed along with a link to change it.
Classic Yahoo: Click on "Options" in the top right corner, then "Mail Options", then (on the left) click on "Account Information" and re-enter your password. Yahoo will then display "Alternate Email 1" and "Alternate Email 2." Yahoo supports two alternate e-mail addresses, a great safety net, since our e-mail providers change over time.
Secure connections
Gmail, Hotmail, and Yahoo Mail all offer secure connections when you initially log on and enter your password. Hotmail and Yahoo then switch back to unsecured, HTTP, connections. Gmail offers an option to always use a secure HTTPS connection, even when reading and writing e-mail. Highly recommended.
To enable this feature, Gmail users should click on "Settings" in the top-right corner, then on the default "General" tab, scroll to the bottom of the page, and turn on the radio button to "Always use https."
Truthiness
Web mail may be one of those places where little white lies are acceptable. The governor of Alaska, who recently had her Yahoo e-mail exposed to the world, set herself up for failure by truthfully answering some questions.
Every Web mail system asks for personal information as a means of identification, should you lose your password. The problem is that this personal information can also be used by a bad guy to learn your password.
Yahoo and Hotmail limit their secret questions to a handful of preselected questions. The straw that broke the camel's back for the governor of Alaska was the question of where she met her spouse. Being a public figure, it didn't take much guessing for someone to correctly answer this question and fool Yahoo into thinking that person was the governor. There were some other canned questions too, but they were also easy to answer using public information.
Public figure or not, there is no reason to answer Web mail security questions truthfully. After all, who are you really lying to? A potential bad guy trying to learn your password.
So, when asked the name of your favorite teacher, feel free to respond "xyz" or with any random word or sentence that no one will guess. Then, of course, write it down in a safe place. The price for making up random answers is the burden of recovery. This is the eternal relationship between security and convenience. More security always entails less convenience.
Gmail is the most flexible of the major providers. It lets you choose your own secret question, thus giving you a fighting chance of picking a question to which no one else knows the answer. Still, if you have a safe place for storing passwords, a totally random answer can't be guessed.
To review your security question in Gmail, click on the "Settings" link in the top-right corner, then go to the "Accounts" tab, and click on the "Google Account settings" link in the section of the same name. Finally, click on "Change security question." You will have to re-enter your Gmail password.
Users of the classic Hotmail system can review their security question by clicking on "options" in the top-right corner, then clicking on "View and edit your personal information."
Yahoo e-mail users may be in for a surprise. Simply knowing your password is not sufficient to view, let alone change, your security question. As described in How do I update my secret question? Yahoo requires you to "verify the Answer to your current Secret Question in order to update it." I'm screwed.
Does someone already know your password?
If someone learned your Web mail password, would you know? It's one thing to have your e-mail read, but it's another to have it read over and over, day after day, by someone who knows your password and is smart enough not to tip their hand by changing it.
Potentially, there is much that Web mail providers can do to let account owners know that someone else is logging into their account when they're asleep. As far as I can tell, Hotmail and Yahoo mail do absolutely nothing in this regard. Gmail, however, offers an audit trail, if you know where to look.
When Gmail users first log in, they should scroll down to the bottom of the initial page and look for a message such as:
Last account activity: 22 hours ago at IP 66.88.111.222. Details
or
Last account activity: 22 minutes ago on this computer. Details
If you didn't last log in to your Gmail account when the message indicates, then someone knows your password.
Internet Protocol addresses can be linked to both an Internet service provider and a country, for sure, and maybe even to a city within the country. For more on this, see my earlier posting "What does your IP address say about you?"
Clicking on the "Details" link offers a longer history of Gmail account activity and an indication of whether the account is currently logged on at another computer. Letting one person log in to a Gmail account simultaneously from two different computers strikes me as a design mistake. But given that design, Gmail users can log off other computers that are currently logged into the same account. Needless to say, this, too, can alert you that someone knows your password.
Information about the most recent Gmail account activity is presented on the bottom of every Gmail Web page. For more, see Last account activity in the Gmail Help.
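Reading the "Details" table by eye works for one glance, but the patterns worth catching are easier to spot with a little automation. The following is an added example, not Google's code: it parses a constructed activity table in a made-up "access type|IP|local time" layout (the real page is formatted differently), compares each address against networks you say you use, and flags the three signals described above, an unfamiliar address, activity at hours you are normally asleep, and two different addresses active within a short window, which is what a simultaneous login from another computer looks like.

```python
"""Audit account-activity records like the ones on Gmail's "Details" page.

Added example, not Google's code. The record layout, the home networks and
the sample records are all constructed for illustration.
"""
from collections import Counter
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Networks you know you connect from (home ISP block, office); assumed values
KNOWN_NETWORKS = [ip_network("66.88.111.0/24"), ip_network("10.0.0.0/8")]

# Constructed sample in the form "access type|IP|local time"
SAMPLE_ACTIVITY = """\
Browser|66.88.111.222|2009-10-06 08:15
Browser|66.88.111.222|2009-10-06 18:40
POP3|203.0.113.9|2009-10-07 03:12
Browser|203.0.113.9|2009-10-07 03:20
Browser|66.88.111.222|2009-10-07 03:30
Browser|66.88.111.222|2009-10-07 07:55
"""


def parse_activity(text):
    """Turn the text table into (access, ip, datetime) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        access, ip, when = (f.strip() for f in line.split("|"))
        records.append((access, ip_address(ip),
                        datetime.strptime(when, "%Y-%m-%d %H:%M")))
    return records


def audit(records, known_networks=KNOWN_NETWORKS, quiet_hours=(0, 6),
          window=timedelta(minutes=30)):
    """Return findings worth a second look; each is (reason, access, ip, when).

    Three signals: an address outside the networks you use, activity at hours
    you are normally asleep, and two different addresses active within a short
    window, which is what a simultaneous login from another computer looks like.
    """
    findings = []
    previous = None
    for access, ip, when in sorted(records, key=lambda r: r[2]):
        if not any(ip in net for net in known_networks):
            findings.append(("unknown network", access, str(ip), when))
        if quiet_hours[0] <= when.hour < quiet_hours[1]:
            findings.append(("activity during quiet hours", access, str(ip), when))
        if previous is not None and previous[1] != ip and when - previous[2] <= window:
            findings.append(("two addresses active close together", access, str(ip), when))
        previous = (access, ip, when)
    return findings


def summarize(findings):
    """Count findings per reason, the quick view to scan before the details."""
    return Counter(reason for reason, *_ in findings)


if __name__ == "__main__":
    found = audit(parse_activity(SAMPLE_ACTIVITY))
    for reason, access, ip, when in found:
        print(f"{when:%Y-%m-%d %H:%M}  {ip:15} {access:8} {reason}")
    print(dict(summarize(found)))
```

A POP3 access from an address you do not recognize, as in the sample, deserves particular attention: it means a mail client somewhere is pulling your messages with your password, which is exactly the quiet, ongoing reading the section above warns about. Adjust KNOWN_NETWORKS and the quiet hours to your own habits; the point is to compare the log against what you know you did.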
Test password recovery
Anyone involved in backing up computer files knows the importance of testing the recovery process, and the same applies with Web mail. The best way to ensure that you can recover or reset your password is to try it.
Yahoo password recovery (thanks to the governor of Alaska, it's now the infamous Yahoo password recovery) starts out by asking for your birthday, country of residence, and postal code. Without this gatekeeper information, knowing the secret question is useless. Even something as simple as your postal code needs to be saved rather than remembered because, as Yahoo points out, it may be from your home, your office, or a prior residence or prior work location.
Hotmail password recovery starts with the option to either "Use my location information and secret answer to verify my identity" or to "Send password reset instructions to me in e-mail." If you go the first route and answer the questions correctly, you get to choose a new password.
The location information is the same as Yahoo's--country, state, and ZIP code. If you go the second route, an e-mail message is sent to the alternate e-mail account with two links, one for confirming the request and resetting the password and another for doing nothing.
Gmail error handling isn't limited to just password recovery; they deal with a whole host of problems accessing your account, including:
I forgot my password
I forgot my username
My account has been compromised
My password doesn't seem to be working
Loading issues
Another error or problem
If you forget a Gmail password, you're taken here where, as with the other two systems, you enter the user ID and get in through a Captcha. At this point, there are no options. Google sends an e-mail to the alternate e-mail address. It doesn't display the entire alternate e-mail address (Hotmail, in contrast, does); just the domain name.
I tested this using a Yahoo.com e-mail address as the alternate to a Gmail account. Word to the wise: don't do this. The message from Gmail was treated as spam by Yahoo. The message includes a link that, when clicked, takes you to a Web page where you can enter a new password.
If you no longer have access to the alternate e-mail address, Google advises you to "...try the 'Forgot your password?' link again after five days. At that point, you'll be able to reset your password by answering the security question you provided when you created your account."
Web mail accounts may start out as toys or curiosities, but for many people, they end up being important. A little homework now may save a ton of grief later.
See a summary of all my Defensive Computing postings.
Update 12:35 p.m. PDT: I clarified this post to reflect the fact that this involves encryption only between a user's browser and Gmail's servers.
Gmail now can be set to encrypt communications between a browser and Google's servers by default, an option that makes the e-mail service harder to snoop on but also potentially slower.
Users already could encrypt communications with Gmail servers (by going to https://mail.google.com), but on Thursday, the company added an option to use that encrypted connection automatically.
Gmail now can be set to encrypt communications with its users by default.
(Credit: Google)

"Your computer has to do extra work to decrypt all that data, and encrypted data doesn't travel across the Internet as efficiently as unencrypted data," Gmail engineer Ariel Rideout said in a blog post Thursday. "That's why we leave the choice up to you."
The encryption comes through use of HTTPS, a secure version of the HTTP protocol that governs how Web browsers fetch information from servers. It's not simple to snoop on somebody else's network traffic, but it can be done when the communications aren't encrypted.
HTTPS encrypts communications only between the browser and Gmail's servers. It's not like PGP (nee Pretty Good Privacy) or GPG (GNU Privacy Guard) software that encrypts e-mail all the way from source to destination.
The Gmail login process is always encrypted.
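What "snooping on network traffic" actually yields is easier to judge from the bytes than from the description, both in this article and in the earlier piece on the security researchers' letter, where the same open-wireless scenario appears. The following is an added example, not from either article: it takes two constructed payloads, a plaintext HTTP request carrying a session cookie and the header of a TLS application-data record of the kind HTTPS sends instead, and shows what a passive observer can extract from each. The host name, cookie names and values, and the helper names are made up for illustration.

```python
"""What a passive observer on an open wireless network can read.

Added example, not from the article. Both payloads are constructed: one is a
plaintext HTTP request carrying a session cookie, the other is a TLS
application-data record of the kind HTTPS would send for the same request.
"""
import struct
from typing import Dict

PLAIN_HTTP_REQUEST = (
    b"GET /mail/ HTTP/1.1\r\n"
    b"Host: mail.example.com\r\n"
    b"Cookie: SID=abc123sessiontoken; HSID=def456\r\n"
    b"User-Agent: ExampleBrowser/1.0\r\n"
    b"\r\n"
)

# TLS record: content type 23 (application data), version 3.1 (TLS 1.0), a
# 2-byte length, then ciphertext. The body bytes here are arbitrary filler.
TLS_RECORD = bytes([23, 3, 1]) + struct.pack("!H", 48) + bytes(range(48))


def is_plaintext_http(payload: bytes) -> bool:
    """Cheap classifier a sniffer would use to pick out unencrypted web traffic."""
    return payload[:4] in (b"GET ", b"POST", b"HEAD", b"PUT ") or payload.startswith(b"HTTP/")


def sniff_http_cookies(payload: bytes) -> Dict[str, str]:
    """Pull cookies out of a plaintext request; this is all a hijacker needs."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    cookies = {}
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() != b"cookie":
            continue
        for pair in value.split(b";"):
            key, _, val = pair.strip().partition(b"=")
            if key:
                cookies[key.decode()] = val.decode()
    return cookies


def sniff_tls_record(payload: bytes) -> dict:
    """Everything visible in an HTTPS record: type, protocol version and length."""
    if len(payload) < 5:
        raise ValueError("truncated TLS record")
    content_type, major, minor, length = struct.unpack("!BBBH", payload[:5])
    return {"content_type": content_type, "version": f"{major}.{minor}",
            "length": length, "body_readable": False}


def replay_with_stolen_cookies(cookies: Dict[str, str], path: bytes = b"/mail/") -> bytes:
    """The hijack itself: the observer sends the same cookie from its own machine."""
    header = b"; ".join(f"{k}={v}".encode() for k, v in cookies.items())
    return (b"GET " + path + b" HTTP/1.1\r\n"
            b"Host: mail.example.com\r\n"
            b"Cookie: " + header + b"\r\n\r\n")


if __name__ == "__main__":
    stolen = sniff_http_cookies(PLAIN_HTTP_REQUEST)
    print("from HTTP :", stolen)
    print("from HTTPS:", sniff_tls_record(TLS_RECORD))
    print("replayed  :", replay_with_stolen_cookies(stolen)[:60], b"...")
```

The asymmetry is the whole argument of the letter to Google: over HTTP the session cookie is in the clear and can be replayed without the password; over HTTPS the observer learns only that some application data of a given length went by. As the article notes, this protects the path between browser and server only, not the message on the server or in transit to its final recipient.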
(Via Google Blogoscoped.)