Technology

On the Latest Google Chinese-Hacking News

By James Fallows

Thanks to many people who have written in asking whether today's Google announcement of a new China-based wave of attacks on Gmail accounts is related to the takeover of my wife's Gmail account just after we spent two months in China this spring. As the official Google announcement says:

>>[W]e recently uncovered a campaign to collect user passwords, likely through phishing. This campaign, which appears to originate from Jinan, China, affected what seem to be the personal Gmail accounts of hundreds of users including, among others, senior U.S. government officials, Chinese political activists, officials in several Asian countries (predominantly South Korea), military personnel and journalists.

The goal of this effort seems to have been to monitor the contents of these users' emails, with the perpetrators apparently using stolen passwords to change peoples' forwarding and delegation settings. (Gmail enables you to forward your emails automatically, as well as grant others access to your account.)<<

The short answer is: I can't yet know for sure, but I *think* that what happened to my wife was a case of "regular," small-stakes criminal hacking, to trick people to send in money, rather than anything more exotic or political. But I will say more about the whole situation of online email security, including the political and international aspects, in an upcoming article. On the other hand, some traits of what happened to my wife's account are similar to what the latest Gmail announcement warns about. For instance, redirecting all incoming mainly to a similar-looking but different account controlled by the hacker. And, hey, it's China!

Here is what I can be sure of: in case you haven't done so before, and in case your eyeballs skidded past my previous two zillion entreaties on this topic, if you use Gmail please install Google's relatively new, free "two-factor" authentication service. It reduces practically to zero the chance that anyone could control your account remotely, which in turn vastly increases your protection against attacks like these. Here are Google's official instructions, plus an earlier nag by me, Google has been fairly careful to "blame the hacker," rather than blaming the victims, in these episodes. But the truth is you'll blame yourself if you don't apply the two-step process and some day later get hacked.

Three other quick tips, before a fuller treatment later on:

- Diversity. It sounds so school-marmish, but it really matters not to use the same password everywhere. Reason: if one of your passwords gets hacked, as for instance one of mine was, along with those of 1.25 million other people, in last year's Gawker episode, you could have trouble for that one account. But if you use that same one for banking, email, your credit cards, etc -- then, sigh...   
    On the other hand, you go crazy if you have to remember dozens of passwords. For "life is complicated enough" reasons, I use the same few passwords for a bunch of nickel-and-dime accounts where I don't really care if they're hacked -- for instance, free registration at some news site. But how do you manage a large variety of passwords for more important sites? This leads us to:

- Password manager programs. I still use and like LastPass, even after the hacking attack it withstood last month. Details later, but "withstood" is the important term. There are a variety of these programs, of which RoboForm is also very well known. See, for instance, this LifeHacker review for more. The point is, there are cheap and easy ways to automate the process of juggling a diverse range of passwords.

- "Strong" passwords. The debate kicked off at the Danish Baekdal site back in 2007, about an easy way to construct good passwords, is worth following. The most surprising part of his argument is that a multi-word pass phrase, like "be my guest," could be both easy for you to remember and hard for anyone else to crack. As the original entry put it,

...it is 10 times more secure to use "this is fun" as your password, than "J4fS<2".

Not everyone agreed, and you can follow some of the back and forth here. I end up using "this is fun"-style pass phrases for some sites, obscure letter-character combos for others, and LastPass as repository for most. Mainly the discussion will make you think about password-ology in general, which in itself is an important step.