Google's Worst Security Idea Ever

Today, Google announced that it will notify a subset of its Gmail customers if they're the victim of a state-sponsored attack. The actual wording is "Warning. We believe that state-sponsored attackers may be attempting to compromise your account or computer." However, as you read further down Google's blog posting, it seems that an actual attack isn't required to receive this warning. Google may send it to you if they believe that you "may" be targeted:
"If you see this warning it does not necessarily mean that your account has been hijacked. It just means that we believe you may be a target, of phishing or malware ...."
The warning then recommends that you increase your security by selecting a strong password, using Google's two-step verification, updating your browser, and so on.

There are so many things wrong with this new Google initiative that I hardly know where to begin.

First, it generates fear on the part of Google's customers because regardless of the fine print, such a warning will most likely send the recipient into panic mode when there's no reason to panic.

Second, it makes a claim which upon investigation is so vague that it's meaningless. You may be the victim of a state or someone working on a state's behalf? That's pretty much the case for all targeted attacks.

Third, if you are a target of interest for a foreign intelligence service (FIS), one of the first things you should do is STOP USING GMAIL or any popular cloud-based service that cannot guarantee you where in the world on its many data farms your data resides. If the Mossad, the FSB, the MSS, or the NSA is interested in you, they'll find a way to legally and covertly intercept your data without sending a spear phishing email to your Gmail account.

Spear phishing attacks are used by financial cyber criminals as well as by hacker crews who, having cracked a high value target's account, will sell that information to an FIS, a corporate competitor, or some other customer. Security advice for a high value target (HVT), which is what my firm specializes in, could range from moderately to highly restrictive depending on who you are, but one thing's for sure: none of Google's recommendations will keep you safe if you're in that group.

On the other hand, if you aren't an HVT, read my article "Cyber Self Defense for Non Geeks" to understand what your best security options are. The bottom line as far as Google's advice is concerned is that it's FUD-inducing for the people who aren't targets and it's insufficient for those who are. I have to wonder what Google was thinking when it created this awful program.


  1. I'm inclined to agree but with one stipulation. What if Google actually knows it's a state actor? Telling someone that they have been targeted by an (inept) state actor would be useful.

    However, regardless of who is attacking an account, I think the provider should make the user aware of the attack. Sure it would freak out the user but it's better to freak them out than to say nothing.

    To frame it differently: say your landlord witnesses someone trying to break into your apartment. Would you want them to keep quiet or call the cops? What if he recognized the perp? Should he pass that information along?

    Personally I would want to know my account was being attacked.
