Tuesday, July 6, 2010

Balancing security vs. flexibility, richness and usability

A few weeks ago I was at Park Hayarkon Rosh Tzipor area running after a few kids of mine, and a few of their friends.

Suddenly I received an email to my cell phone - an unusual spam message from a usually solid email user. It looked like her Gmail account was compromised, and a short phone call indicated it indeed had been.

It turns out that not only was she compromised, but so were many Gmail users.

Hacking into a Gmail account is, apparently, too easy. Not because Gmail isn't implementing security protocols correctly, but because of other weaknesses and vulnerabilities, mostly in the area of human factors. We use Google Account credentials on a rather large number of services and tools - mail notifier, toolbar, smartphone, browser, POP3 client - to name a small number of the mail-related applications; there are many such for the other services too. They all rely on the same Google Account credentials! It takes only one of those tools, applets, applications or extensions to be hacked, and your entire Google account - Gmail of course included - is hacked.

Other obvious weaknesses of the Gmail password are:

- The password never expires. The user can choose to change the password, but this is not likely. We all have so many passwords all over cyberspace; we say grace when we can log in to all that we need, and the last thing we want is to break it. Changing the password will probably make us lose access. That's bad. Google wisely doesn't force users to change passwords regularly.
- Other services (not related to Google) use the email address as user name, and chances are the same password will be used. It is too easy for at least two other
- Cross services connect to Gmail on our behalf. Many Internet services suggest you give them your account details - including passwords - so that they can stick to your friends too. Stick it hard and deep, that is. Well, I think a user who gives his account credentials, including passwords, to dubious services is too naive to use the Internet.

Now, since it is too easy to phish for Gmail accounts, Google has to make an effort to limit this, so that it happens less, and so that when it does happen, the impact will be minimal. They do perform many checks that the account usage is reasonable:

- concurrency (i.e. you can't be in London and in Madrid at the same time).
- machine - it doesn't make sense that your machine is used not only for your account, but also for an additional 10,000 accounts.

When such a "positive" hacking indication happens, either you're thrown to a CAPTCHA page, or you're even temporarily blocked.

All this is rather "old news". But not long after my solid friend was ironically hacked, Gmail introduced a new measure to reduce the overall hacking impact.

They limited forwarding capabilities.

Until two months ago, you could simply forward mails to other mail addresses, either your entire mail stream or as a filter action. This is a great feature of Gmail. Auto-forwarding for free is fabulous, as most/all other free Internet email services support that only for premium accounts. Filter-action mail forwarding is fantastic and allows you great flexibility. Really powerful, a BIG BIG differentiator.

The problem with auto-forwarding, when related to accounts being hacked, is that it's kind of a back door. A bad guy hacks your account, puts in a number of filters to forward mail elsewhere, and days later, so that no account usage irregularity can be detected, starts acting on that filter, pushing Viagra from your account like life's not hard enough as it is.

As a reaction, Gmail decided to cripple one of the best features they have - mail forwarding. Google made a decision to bite some of the usability, richness and flexibility of Gmail, so that it is less prone to be used for spamming.

What did they do? Now, when you perform forwarding (either of all mail or of filtered mail) you must select the address from a list. I don't know how big this list can be; I guess it cannot be too big. Moreover, in order to add a new address, a verification code is sent to that address, and you have to get that code and punch it back in to activate that address as an eligible forward target.

At first it sounds not that bad (at least it sounds not that bad to others; I was appalled). But for experienced, seasoned Gmail users like we are, who actually use this feature, it's really bad. It limits the auto-forward features to addresses you own or "almost own" (how many addresses are such that we can tell the owner - hey, log in, read the mail and tell me the code, and do it now, because I am now editing the rule and have to rush out to the FIFA World Cup game at the local pub? Not many.)

I can live happily with verification of all-mail forwarding target addresses; forwarding of my entire email stream should reasonably be done to another address I either own or "almost own". But forwarding as a filter rule is dramatically different! Filters are created and deleted quickly, upon need, and having to wait for someone to read his mail and send you the code makes it really dodgy, at best. Sometimes it even blocks you entirely. A few examples:

- we survived that, and now you want to send to them, but with an address modifier REMO_AWAY to let them have easy filtering on that (e.g. myboss+REMO_AWAY@gmail.com). Now, for the address with a modifier, you have to start the verification process all over. Come on. This should be fixed regardless of the verification: if the address has a trivial decorator and the real address (without the decorator) is already approved, the address should be allowed.
- filter mail and forward to someone you can't really ask for the code. It may be that you're not in a situation or a position to ask for the code.
- filter mail to addresses with limitations: mailing lists, groups, gateways, RSS feeds, SMS gateways - the code is not sent from your mail, and may be blocked on the way, or truncated (e.g. if only the subject line gets through the gateway).

I think Google overreacted. They should have put in other means to limit the impact of auto-forwarding after a hack. For example:

- limit the number of filters
- limit the filter creation rate, e.g. to 10 filters a day
- detect filter-forward attacks
- block the spam in the first place (the inbound spam that would be outbound-forwarded from the hacked account).

I hope Google will rethink it and will put the lovely flexibility back into Gmail filters. It's just too good a feature to cripple.
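As an added illustration of two of the suggestions above (the "already-approved address with a trivial decorator" rule from the REMO_AWAY example, and the per-day filter creation limit), here is a small Python model. It is not Google's code: the verified-address set, the quota size and the function names are constructed assumptions.

```python
from collections import defaultdict, deque

DAY_SECONDS = 86400

# Constructed example: forward targets the account owner has already verified.
VERIFIED_TARGETS = {"myboss@gmail.com", "me@example.org"}


def canonical(address: str) -> str:
    """Lower-case the address and drop a '+tag' decorator from the local part.

    'MyBoss+REMO_AWAY@Gmail.com' -> 'myboss@gmail.com'
    """
    local, sep, domain = address.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    return f"{local.split('+', 1)[0]}@{domain}"


def forward_target_allowed(address: str, verified=VERIFIED_TARGETS) -> bool:
    """A target is allowed if it, or its undecorated form, is already verified."""
    return canonical(address) in {canonical(v) for v in verified}


class FilterQuota:
    """Hypothetical per-account cap on filter creation over a sliding 24-hour window.

    Once the cap is hit, further creations are refused until old ones age out,
    which blunts a burst of forward-filter creation from a hijacked account.
    """

    def __init__(self, max_per_day: int = 10):
        self.max_per_day = max_per_day
        self._created = defaultdict(deque)  # account -> creation timestamps

    def try_create(self, account: str, now: float) -> bool:
        """now is Unix time in seconds; returns True if the filter may be created."""
        stamps = self._created[account]
        while stamps and now - stamps[0] > DAY_SECONDS:
            stamps.popleft()  # forget creations older than a day
        if len(stamps) >= self.max_per_day:
            return False
        stamps.append(now)
        return True
```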

1 comment:

  1. Indeed, Google turns from power users and hackers to grannies.
