6

A user on Twitter posted a screenshot in which Google warns him that he may be targeted by state-sponsored attackers. What kind of attacks can be detected by Google, and how?

Ivan Todorov
  • Hm, if the person connects with a North Korean IP address, that warning might be warranted, right? – Marcus Müller Apr 06 '18 at 18:06
  • In other words: I don't think there's any attack detection going on here, or if there is, it's probably very basic; more a matter of matching knowledge about the user's location with a list of countries that interfere with internet access. Maybe a discrete list of e.g. known malicious Tor exit nodes. – Marcus Müller Apr 06 '18 at 18:08
  • @MarcusMüller I strongly disagree; less than 0.1% of Google users receive these warnings, and Google has been sending them out to sensitive targets since 2012. – Nomad Apr 06 '18 at 18:15
  • @Nomad that's knowledge I didn't have! – Marcus Müller Apr 06 '18 at 18:17
  • Here's some more if you're interested: https://security.googleblog.com/2016/03/more-encryption-more-notifications-more.html – Nomad Apr 06 '18 at 18:18
  • Add a few descriptive words and I think you have an answer, @Nomad. – Neil Smithline Apr 06 '18 at 19:19
  • I didn't see it that way, @NeilSmithline; thanks for the tip-off :-) – Nomad Apr 06 '18 at 19:30
  • I think this question cannot possibly receive a complete answer, because if there were a complete answer it would be trivial to bypass the protections. – Riking Apr 06 '18 at 20:35
  • @Riking Not necessarily. A good detection mechanism would not rely on the secrecy of its implementation for security. – forest Apr 07 '18 at 01:47
  • @forest I'm sure part of the detection is human review; and this is inherently an arms-race-style battle, so secret information does actually confer an advantage. Notifications are bucketed to avoid letting the attackers detect detection by attacking a patsy account they control. – Riking Apr 10 '18 at 04:09

1 Answer

4

Google states on their security blog that:

> These warnings are rare—fewer than 0.1% of users ever receive them—but they are critically important. The users that receive these warnings are often activists, journalists, and policy-makers taking bold stands around the world.

And:

> We can't reveal the tip-off because these attackers will adapt, but this happens to less than 0.1% of all Gmail users.

So I think we can only speculate about how they do it, but you shouldn't forget that Google has a lot of information on a lot of people, and enough server power to make feasible predictions.

Source: https://security.googleblog.com/2016/03/more-encryption-more-notifications-more.html

Nomad
  • Oh, that's fascinating, I had no idea they did that! For a company that was part of PRISM, that's pretty impressive. – forest Apr 07 '18 at 01:46
  • It is still unclear how involved Google was in PRISM; most of what we know is based off a few demo slides, if I recall correctly. Also, Google can choose which state actors they consider dangerous. But that's a different discussion! – Nomad Apr 07 '18 at 03:05
  • I believe they were fully compliant with PRISM, in addition to more covert interception ("SSL added and removed here"). – forest Apr 07 '18 at 03:08
  • That I didn't know. Any source? And well, just because they warn for some state actors doesn't mean they warn for all. I suppose using Gmail as a Russian activist would be safer than as an American in that case... – Nomad Apr 09 '18 at 00:25