GMail User Using 2FA Warned of Access From China

Published: 2011-04-11
Last Updated: 2011-04-11 01:51:45 UTC
by Johannes Ullrich (Version: 1)
10 comment(s)

A few months ago, after the infamous "Aurora" attack, it became known that GMail accounts are under active attack from entities in China. In response, Google added a warning banner to its GMail accounts notifying users if someone logged into the account from China recently.

We had one user reporting such an incident, and are wondering if others have seen this warning recently. This user did use Google's two factor authentication, which is of course particularly concerning.

What security precautions do you take if you use GMail? Do you archive/delete old email? Any scripts you use for it that you could share? Do you use Google's two factor authentication?
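One way to script the archive/delete step the diary asks about, as an added example that is not a script from the diary or its comments: it uses only `imaplib` calls (`select`, `uid SEARCH`/`COPY`/`STORE`, `expunge`) and copies anything older than a cutoff out of INBOX before deleting it there. The `Archive` mailbox name and the IMAP host are assumptions; on Gmail, deleting from INBOX with the default IMAP settings has the same effect as archiving, so the COPY step is a no-op there but harmless.

```python
# Added example (not from the diary or its comments): archive INBOX mail older
# than a cutoff over IMAP.  Assumptions: the server exposes an "Archive" mailbox
# (ARCHIVE_MAILBOX below) and the caller supplies credentials.
import imaplib
from datetime import date, timedelta

ARCHIVE_MAILBOX = "Archive"   # assumption: destination folder name
# Month names spelled out so the IMAP date does not depend on the locale.
MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")

def _as_date(today):
    """Accept a date or an ISO 'YYYY-MM-DD' string; default to today."""
    if today is None:
        return date.today()
    return date.fromisoformat(today) if isinstance(today, str) else today

def imap_cutoff(today, max_age_days):
    """IMAP BEFORE date (DD-Mon-YYYY, RFC 3501) for messages older than max_age_days."""
    cutoff = _as_date(today) - timedelta(days=max_age_days)
    return f"{cutoff.day:02d}-{MONTHS[cutoff.month - 1]}-{cutoff.year}"

def find_old_uids(client, before_date):
    """UIDs in the currently selected mailbox received before before_date."""
    typ, data = client.uid("SEARCH", None, "BEFORE", before_date)
    if typ != "OK":
        raise RuntimeError(f"SEARCH failed: {typ}")
    return data[0].split() if data and data[0] else []

def archive_old_mail(client, max_age_days, today=None, dry_run=False):
    """Copy old INBOX messages to ARCHIVE_MAILBOX, then delete and expunge them
    from INBOX.  Returns the list of affected UIDs (bytes).  With dry_run=True
    only the search is performed."""
    client.select("INBOX")
    uids = find_old_uids(client, imap_cutoff(today, max_age_days))
    if dry_run or not uids:
        return uids
    uid_set = b",".join(uids)
    typ, _ = client.uid("COPY", uid_set, ARCHIVE_MAILBOX)
    if typ != "OK":
        # Never delete anything that was not confirmed copied.
        raise RuntimeError("COPY failed; nothing deleted")
    client.uid("STORE", uid_set, "+FLAGS", r"(\Deleted)")
    client.expunge()
    return uids

if __name__ == "__main__":
    import getpass, sys
    user = sys.argv[1] if len(sys.argv) > 1 else input("user: ")
    conn = imaplib.IMAP4_SSL("imap.gmail.com")   # assumption: Gmail IMAP endpoint
    conn.login(user, getpass.getpass())
    print("archived", len(archive_old_mail(conn, max_age_days=90)), "messages")
    conn.logout()
```

Run it first with `dry_run=True` to see which UIDs would be touched; the COPY is checked before any STORE/EXPUNGE so a failed copy never silently loses mail.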

Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: china gmail


I am a big boy. I can run my own mail server. I keep my mail off public servers for all the obvious reasons.
I assume the 2-factor is secure.
But, when setting up the 2-factor you get 1-time-passwords sent over HTTPS (Can be listened to through root cert issued to bigbrother government like Tunisia), as well as a phone number for SMS or voice fallback.
A government can use the phone number to have google issue a one-time code. They can redirect the call/SMS. They can even just guess the phone number.

On top of all this, to use GMail/Reader etc from stand-alone clients, the clients will get a 16-char password that can be used to access all resources via non-web protocols.

I use 2-factor. But on a webcafe machine, that is hostile, they can just alter my input to google such that it will remember my 2-factor validation for 30 days in a cookie. And they can access my mail for 30 days without 2-factor.

Google 2-factor is good, but far from perfect. You still need to be on a secure machine, with only well trusted root certs in the browser.

CNNIC is a default trusted root in Firefox. As a result, nothing can be considered to be secure going in/out of China, before this is changed.

The whole idea of having all those untrustworthy trusted roots in the browser is wrong.
It is easy enough using Options/Advanced/View Certificates to delete or distrust root certificates in Firefox Certificate Manager. Are there certificates other than CNNIC in Firefox default trusted roots that should be deleted or distrusted?

IMHO, Google 2FA, not a good idea, the added management and added vectors for exploitation are worrisome.

Many issues just thinking about these few new vectors and again just my opinion, but what can I say I am a worrier. : )

Or Google could just add an account option "This account will never be accessed from China" and reject all logins originating from those netblocks if that is enabled.

Granted, this is a low hurdle, but why not offer the option?
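The per-account option proposed in this comment, as an added example that is not code from the page or from Google: a login-policy check that rejects authentication attempts whose source IP falls inside a per-account deny-list of netblocks. The CIDRs below are constructed placeholders from documentation ranges; a real deployment would load them from a maintained geo-IP feed. Malformed addresses are rejected (fail closed).

```python
# Added example (not from the diary or its comments): reject logins from
# configured netblocks.  The netblocks are CONSTRUCTED placeholders.
import ipaddress
from dataclasses import dataclass, field

@dataclass
class AccountPolicy:
    # CIDRs from which this account must never be accessed
    # (assumption: stored per account alongside the 2FA settings)
    denied_netblocks: list = field(default_factory=list)

    def __post_init__(self):
        # Parse once; strict=False tolerates host bits set in a CIDR.
        self._nets = [ipaddress.ip_network(c, strict=False)
                      for c in self.denied_netblocks]

    def login_allowed(self, source_ip: str) -> bool:
        """True unless source_ip lies in a denied netblock.
        Unparseable addresses are rejected so a bad value never opens the door."""
        try:
            addr = ipaddress.ip_address(source_ip)
        except ValueError:
            return False
        # IPv4 addresses are never "in" an IPv6 network and vice versa.
        return not any(addr in net for net in self._nets)

def evaluate_logins(policy, attempts):
    """Apply the policy to (user, source_ip) pairs; returns (user, ip, decision)."""
    return [(u, ip, "allow" if policy.login_allowed(ip) else "reject")
            for u, ip in attempts]

# Constructed sample data: placeholder netblocks and login attempts.
POLICY = AccountPolicy(denied_netblocks=["203.0.113.0/24", "2001:db8:c::/48"])
ATTEMPTS = [
    ("alice", "198.51.100.7"),     # outside the deny-list
    ("alice", "203.0.113.42"),     # inside a denied IPv4 block
    ("alice", "2001:db8:c:1::9"),  # inside a denied IPv6 block
    ("alice", "not-an-ip"),        # malformed: fail closed
]

if __name__ == "__main__":
    for user, ip, decision in evaluate_logins(POLICY, ATTEMPTS):
        print(f"{user:6} {ip:18} {decision}")
```

As the comment says, this is a low hurdle (a proxy outside the blocked ranges defeats it), so it belongs alongside 2FA and the login-activity banner rather than in place of them.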

> Or Google could just add an account option
> "This account will never be accessed from China"
> and reject all logins originating from those netblocks
> if that is enabled.

I didn't know her name. The last thing I recall was seeing her standing over me, kicking me in the ribs, and smiling as I tried to get off the floor.

It was an evil type of smile.

The next thing I knew, I woke up in a strange hotel room. I hate it when this happens.

As I have done every day since I started this job, the first thing I did when I woke up was to check under the pillow, to make sure my handgun was there. I didn't expect it to be, but habits are habits.

I could see my clothes draped over the chair across the room. I got out of bed and got dressed. My wallet, phone, and keys were missing. Probably the same place as my sidearm.

Looking out the window, I recognized the view of Shanghai harbor. I'd done several jobs here back when I worked for The Company, before deciding that working for myself paid better.

I had no idea why I'd been left in a strange hotel room on the other side of the world, but I figured it wasn't a good idea to stick around. Without funds and without identification, going to the authorities was out of the question. Even if I did have my I.D., going to them for help would have been a bad idea anyway, considering what happened the last time I was in this city.

Though I didn't have my phone, I knew I could still contact some trusted buddies from the old days for help. I went down to the lobby. As expected, there were several internet kiosks available.

As I tried to log into my Gmail account, I got the following message:

"This Account Has Been Configured To Reject Logins From China."

Damn! Now what was I going to do?

Google displayed the same banner for me recently, except the source IP was registered to "Motorola Blur" in an address range located in Florida. Oddly, the access protocol used was not POP or IMAP or Browser but "Unknown". I did everything I could to re-secure the account, and two days later got the same report for the same IP.

I have to wonder how accurate those reports may be.

If you have intercepting malware on your PC, it could MITM your 2FA, and redirect access through a [China-based] proxy which holds the (authenticated) connection open for later use by unpleasants.

Obviously, it could as easily not redirect through China, but instead use the source PC as the outbound source, but that relies on the device being available when the attacker wants access. In practice this latter model is awkward, and it's simpler and more effective to have the malware not bother to intercept the 2FA but just intercept and re-use the connection (pre-encryption layer) to download/forward all email, and fetch from EvilEmpire emails to send, and/or other authenticated actions.

But like any attack vector, making its exploit a bit harder makes it combinationally harder to get right reliably for large numbers of accounts. e.g. Antivirus is far from perfect, but it's enough of a hurdle to be worth applying, because _sometimes_ it gets you _some_ protection.

Yup, started using 2 factor authentication as soon as it was available.
Had 2 occasions where I received Google SMS verification code when I was not even online. Suffice to say, changed my password straightaway.
