My GMail account was compromised by an attacker in China, this documentation details how to investigate and secure after such a breach
- How did the breach occur?
- Re-Securing a Compromised GMail Account
- Preventing Further Breaches
- Final Note
- Technical Details
- Howto: View your account's access history in GMail
This morning, at around 05:30 UK Time an address in China accessed my main Gmail Account (via IMAP) and sent two e-mails to everyone in my contacts. Now there is no way that a dictionary based brute force would reveal my password, it's alphanumeric, unique to me and (more or less) impossible to guess, no matter how well you know me.
So this raises three questions;
- How was the (as yet) unknown spammer able to gain access to my GMail account?
- How can I re-secure my compromised GMail account?
- How can I prevent my account from being compromised again?
1. How did it happen?
So why was the attacker allowed access to my account? There's three possible reasons;
- There's a weakness in Google's IMAP system
- Another site has been compromised and the (plaintext) stored password has been used
- I've fallen for a Phishing scam
Note: Options 2 & 3 amount to the same thing: the attacker had my password. All that differs is the method used to obtain this valuable piece of information.
Option 3 is highly unlikely as I never, ever, click links in e-mails. I also don't provide my password to anyone unless I've verified that the site is genuine.
Option 1 is a possibility, although (one would hope) unlikely.
This leaves us with Option 2: In a recent whitepaper, I wrote about the hazards of storing Plaintext passwords, and I believe I've been shafted (in part) through the laziness or incompetence of a developer. Part of the blame, however, must fall upon my shoulders - I've been far too lax recently and used the same password on multiple sites.
Although I must shoulder part of the blame, it is time that the practice of storing passwords in plain text ended. Very few applications have a legitimate need to store credentials in this manner, and no website can objectively justify it.
With that in mind, lets name and shame a couple of sites who's operators should know better;
- The Techie news site - The Register - Stores commenter's passwords in Plaintext
- The PC Repair Service - PCHomeHelp - Stores 'helpers' passwords in Plaintext
Neither of these sites has any reason to store plaintext passwords, they do not require access to accounts on a third-party system, the user's password is used solely to verify themselves. These sites only need to store a salted hash!!!!
A quick search would reveal I'm not the only person to have had their account accessed without their knowledge, Google's forums are chock full of angry users; In many of these threads, users have asked Google to provide them with more information. So far, however, this information has not been forthcoming. A number of users have also admitted that they made the same security snafu I did - using the same password on other sites. Although, at time of writing, there's no news of a breach, I'll be watching the news carefully for services that I use. We also need to start a campaign to end the security nightmare of storing passwords in plaintext!
I'm the first to admit, I know better than to use one password across various services, but;
How can we, as developers, expect the average user to follow best practice when we do not? Encouraging users to use different passwords for each service is nothing short of hypocritical if we then store those passwords in Plaintext.
2. Re-securing a compromised GMail Account
So, we've looked into the possible sources of the breach. Now we need to lock the attacker out of the account. To do so, follow the steps below (Simply changing your password is Not enough);
- Log into your account
- Choose Settings -> Accounts and Import -> Google Account Settings -> Change Password (Set a new password)
- Choose Settings -> Accounts and Import -> Google Account Settings -> Change Password Recovery Options (verify 'secret question', 'SMS' and 'secondary e- mail address' are unchanged (We'd also recommend changing your 'secret question')
Check for attempted E-mail Theft
- Choose Settings -> Accounts and Import -> Send Mail As (make sure it is set to your e-mail address)
- Choose Settings -> Filters (Make sure there are no filters that forward or delete e-mail, except ones you have created (Check these to ensure they've not been altered)
- Choose Settings -> Forwarding and POP/IMAP -> Forwarding (Ensure is disabled or set to correct address)
- Settings -> Forwarding and POP/IMAP -> POP Download (Check is disabled, unless you use POP access (i.e. to access your mail in Outlook))
- Settings -> Forwarding and POP/IMAP -> IMAP Access (Check is disabled, unless you use IMAP access)
Check for hidden Spam:
- Choose Settings -> General -> Signature (Make sure nothing has been added to your signature block)
- Choose Settings -> General -> Vacation Responder/Out of Office (make sure this feature is disabled and empty)
Note: If you are unsure whether you need POP/IMAP (Steps 7&8), disable them both and then try accessing your mail in whatever manner you'd normally use. If you can't access your mail, try enabling POP and try again. If this still does not work, disable POP and enable IMAP, then try again ( Don't forget to change the stored password in your mail client (i.e Outlook) ).
3. Preventing a Re-Occurrence
So we've locked the attacker out of the system, and thoroughly checked our settings to ensure that no nasty surprises crop up at a later date. But, we need to take steps to prevent our account from being compromised again in the future.
As I've already said developer laziness is only part of the issue. Although storing passwords in plaintext is unforgiveably bad practice, had I not shared the password across accounts, the attacker would not have been able to access my e-mail.
Although Developers and SysAdmins often complain about users' apparant resillience against any form of education, from a users' point of view, it is equally difficult to ensure developers follow best practise. So although we'll always struggle to educate either group, you can change what you do.
So let's take a look at what users can do to bolster their security;
A secure password should;
- Contain both lowercase and uppercase characters
- Should be alphanumeric (letters and numbers)
- Where permitted, should contain 'special' characters (i.e. =,!,@ etc.)
Methods of password generation vary between user, however the most common is as follows;
- Think of a word or short sentence (example: myultrasecurepassword )
- Capitalise at least one letter (example: MyUltraSecurePassword )
- Convert it to 'leet' speak - Swap letters for equivalent number (example: MyU17r453cur3p455w0rd )
- Add a 'special' character (example: MyU17r453cur3p455w0rd? )
Best practice states that you should use a different secure password for each system/service that you use. Many users, however, struggle to remember such a large number of complex passwords and instead do one of the following
- Write the passwords down (or worse, store them in a text file on their computer)
- Use the same password for multiple services
There is, however, a third option - tiered passwords.
This works by allowing you to use the same password for multiple services, whilst minimising the damage a breach could cause. It does, however, require a bit of groundwork, and carries greater risk than utilising unique passwords.
Creating a Tiered Structure
Start by seperating the services/sites you use into several different groups (you may need to create additional groups, or even to use less);
- Social Networking
- Comment accounts (i.e. for commenting on news stories)
- System passwords
- Publishing passwords (i.e. Personal Blog or website(s))
- Shopping Accounts (i.e. E-Bay etc.)
Next, we need to classify the groups in terms of the risk they pose if compromised (1 is low risk);
- Comment Accounts
- Social Networking (Myspace/Facebook etc.)
- Shopping Accounts (if additional authentication needed for purchases)
- Publishing Passwords (risk of embarassment and/or loss of custom)
- System Passwords (many users store very personal information of their computer)
The higher risk a group, the more diverse the passwords used in that category need to be. So whilst you could share passwords between comment accounts (so long as you are OK with the risk of potential embarassment) and even between Social networking, you should maintain a unique password for every financial account you hold.
Financial accounts encompass any system/service that allows you to make a payment without entering additional details (such as a card number), so this could include;
- Internet Banking
- Amazon (stores your card details)
Mid-risk groups such as e-mail should contain some password diversity, this will help ensure that you do not lose control of all your e-mail accounts. When categorising e-mail addresses, consider whether other services (such as Internet Banking, Social Networking etc.) are configured to send password resets to that account. If the account is used for this, it should be categorised alongside the related account carrying the highest risk (e.g. if you can reset your internet banking password using e-mail account a, this account should be categorised as Financial, despite being e-mail).
Never share passwords between the categories, and regularly re-asses the risk.
If planned carefully, this method can reduce the number of passwords you need to remember, whilst not carrying as high a risk as sharing one password between all systems/services.
Identify the Source of the Breach
We've already established the various ways in which the attacker could have obtained our password, what we need to identify now is exactly how the breach occurred.
A good place to start is to examine your recent usage: Have you provided the compromised password to anything/anyone recently?
You may have provided your password to an application (On your phone/PDA/PC etc.), to a website (such as facebook), a shopping site. Create a list of any person, site or service that you have disclosed the compromised password to in the last month or so. Hopefully, the list will be quite short! Now you need to rely on those listed to be honest, contact them to see if they are aware of any recent security breach.
Don't make the mistake of assuming that it must relate to a recent disclosure of the password, it may be that a site/service that you have used for years suffered a security breach. You may have such a long list of sites/services/people to contact that it seems unlikely the true source will ever be found. However, you should still contact the operator of these sites/services so that they are made aware of the issue. They may never admit to a breach, but you raising their awareness will help protect both yourself and other users from future breaches (especially if you complain about your password being stored in plaintext).
For information on how to identify the IP address used to access your account, see the short HowTo at the bottom of this document.
Regardless of whether you identify the source or not, you need to conduct a personal audit of your security arrangements. Ensure you change the compromised password wherever it is used, otherwise the attacker may compromise that account as well.
Force yourself to institute and abide by password diversity controls, whether you opt to use the 'tiered' structure detailed above, or a unique secure password for each system/service.
So now we've completed the three steps that should always follow a security breach;
Vent your rage.Investigate the source and possible causes of the breach
- Re-Secure the compromised account
- Take steps to prevent the breach happening again
We've instituted better password policy to minimise sharing between accounts and we've made our password's stronger to help protect against brute-force attacks.
We all get complacent from time to time, it's human nature to be lazy when no threat is apparant. Keep in mind, however, that these attacks could occur against anyone. It may simply be an inconvenient embarrasment (such as e-mailing your entire contact list), or it could be very costly (losing control of your Internet Banking account). It is far better to take preventative steps than to rely on re-active policies.
It's far too easy to blame others, as the links to Google's forums show, the first reaction is to claim that Google are to blame. Perhaps their system has a hole? Perhaps the user/password database was leaked? These are both possible, but what does the user learn from it?
If you don't accept responsibility for your mistakes, you'll make those same mistakes again and again. Do the right thing, send your contact list an apologetic message stating that your account had been compromised, re-secure the account and take steps to protect yourself from any further breaches. Even if Google were at fault, our account could still be compromised at a later date due to password sharing. Regardless of who's at fault, use it as an excuse to sit down and review your password control.
It's becoming increasingly easy for users to find their accounts are compromised, as the number of Internet Users increases, so does the potential for 'cybercrime'. Take steps to protect yourself before the worst happens.
5. Final Note
I was lucky, the spammer simply sent the following message to my contacts (in 2 batches of half my contact list);
i am glad to tell you a good news ,and i find a good website ww.ebbisr.com
On this website ,you can find many new and original electronic products .Now they are holding sales promotion activity, all the product are solt at a discount. And i have bought sine products from this web, the quality is very good , the price is very cheap and competitive,the delivery is on time
Hope everything goes well.
However, it could easily have been far worse. As I've mentioned above, it's very easy to think "What would anyone want with my e-mail?" Here's a short list of the different uses the attacker could have had (scarily, it's far from exhaustive)
- Password Reset for more sensitive systems (PayPal for example)
- Distribution of illegal material (Child Porn, Copyrighted Music etc.)
- To aaply for credit in my name (Attacker would also require some additional information/documentation)
- Unsolicited Advertising/Spam (which is what happened in this instance)
- Harassment of an individual (including me)
- As a Command & Control centre for a botnet
- To set up automatic forwarding - potential to gain access to more sensitive data
The attacker accessed my GMail account using the Web Interface from IP address 18.104.22.168 at 05:34 on 5th of October 2010.
The first e-mail sent was sent to approximately half my contact list, each of which was detailed in the CC: field.
The second was sent to the remainder of my contact list with each recipient detailed in the same manner as the first.
Google's new 'abuse prevention' system detected that the account was being accessed from China, and alerted me to this when I logged into the Web Interface. It did not, however, prevent the mail from being sent (it's not been designed to), which rather negates the point in running an intrusion detection system.
Howto: View your account's access history in GMail
If you don't know how to view which computers have connected to your GMail account, follow these simple steps;
- Log into GMail's Web Interface (gmail.com)
- At the very bottom of the screen, below all your mail is a small link that says 'Details', click this
- Gmail will display which IP's have connected to your e-mail and how (Webbrowser/IMAP/POP etc.)
I'm very keen to hear from any users who have been similarly affected, or even believe they may have been. Please use the Contact Me page to tell me your story. I'm happy to offer help for those struggling to clear up the mess afterwards, or to give more detailed advice on the steps that you can take to protect yourself.
If you know any GMail users, please direct them to this page!