maemo.org - Talk

maemo.org - Talk (https://talk.maemo.org/index.php)
-   Off Topic (https://talk.maemo.org/forumdisplay.php?f=19)
-   -   My gmail account has been hacked - I am pretty sure it's related to the N900 somehow (https://talk.maemo.org/showthread.php?t=56656)

eitama 2010-06-20 07:29

My gmail account has been hacked - I am pretty sure it's related to the N900 somehow
 
Hello guys,

I am an owner of a gmail account right from its launch,
I have been using it daily since then, and never got hacked.
My password is comprised of digits, capital letters and lower-case letters.

3 days ago, I was forcefully signed out of my account; when I tried to log in, my password was rejected.
I had to reset it using an alternate e-mail pre-configured.

I always use SSL, and never access gmail when SSL is not available. (or if something is odd with the certificate).

The purpose of this thread is to find out if anyone else suffered from this!
Details:
  • Account was hacked 3 days ago
  • Hacker IP : 58.49.183.79
  • Source location : China

Cheers,
Eitam.

debernardis 2010-06-20 07:57

Re: My gmail account has been hacked - I am pretty sure it's related to the N900 somehow
 
A quick google search brings this:
http://www.google.com/support/forum/...e9b05271&hl=en
and this
http://www.guardian.co.uk/technology...-china-hacking

CrashandDie 2010-06-20 09:34

Re: My gmail account has been hacked - I am pretty sure it's related to the N900 somehow
 
1/ SSL is always used by Google when authenticating, in other words, your password is never sent out in the clear.
2/ The same is true for the N900's connection to Google. I remember, in the early days of GMail, it being such a pain in the *** because they required TLS and the lot.
3/ You probably used the same password somewhere else.
4/ Don't blame the N900.
5/ Stupid topic
6/ ???
7/ Profit.

eitama 2010-06-20 10:24

Re: My gmail account has been hacked - I am pretty sure it's related to the N900 somehow
 
Quote:

Originally Posted by CrashandDie (Post 722457)
1/ SSL is always used by Google when authenticating, in other words, your password is never sent out in the clear.
2/ The same is true for the N900's connection to Google. I remember, in the early days of GMail, it being such a pain in the *** because they required TLS and the lot.
3/ You probably used the same password somewhere else.
4/ Don't blame the N900.
5/ Stupid topic
6/ ???
7/ Profit.

LOL.
If you paid attention to my choice of words, you would see that it's not ranting, and not complaining, but an attempt to find a hacker that might be running a keylogger on your N900.

As for your comment,

Quote:

1/ SSL is always used by Google when authenticating, in other words, your password is never sent out in the clear.
Unless someone does a man in the middle on you, in which case your password is not only sent as clear text, but also arrives in your hacker's hands with zero effort on his side.

Quote:

2/ The same is true for the N900's connection to Google. I remember, in the early days of GMail, it being such a pain in the *** because they required TLS and the lot.
Same response. If someone doesn't pay attention to the existence of SSL per session, he can find himself running through a man in the middle attack. TLS is not so different from SSLv3.

Quote:

3/ You probably used the same password somewhere else.
I most definitely don't.

Quote:

4/ Don't blame the N900.
I was not blaming the N900, not its hardware, and not the OS.
I was raising a perfectly valid question: "Is someone taking advantage of the extras-devel repo to run a tap on your keystrokes?" If you look at my signature you will see that not only do I take advantage of the N900's HW and OS, I am also contributing back to the community, so what exactly have I done or said to deserve such a violent response from you?

As for 5,6,7 they don't deserve a proper comment.

eitama 2010-06-20 10:28

Re: My gmail account has been hacked - I am pretty sure it's related to the N900 somehow
 
Quote:

Originally Posted by debernardis (Post 722395)

Thanks for the info, I am not trying to find the hacker himself, or his address, hackers will come and go.
Just to raise the fact that things can happen, and in an uncontrolled environment like the extras-devel repo, someone can take advantage of this open & vibrant community.

debernardis 2010-06-20 10:31

Re: My gmail account has been hacked - I am pretty sure it's related to the N900 somehow
 
@Eitama: maybe you should list the applications you installed, so that it's possible to find the culprit

eitama 2010-06-20 10:35

Re: My gmail account has been hacked - I am pretty sure it's related to the N900 somehow
 
Quote:

Originally Posted by debernardis (Post 722515)
@Eitama: maybe you should list the applications you installed, so that it's possible to find the culprit

I will most definitely do that, once someone else who also had suspicious activity occur after using the N900's extras-devel repo is found, no point rambling about it just yet :)

But that's the idea.

CrashandDie 2010-06-20 12:14

Re: My gmail account has been hacked - I am pretty sure it's related to the N900 somehow
 
Well, if you're running devel, it's your own sad fault.

I still remain very doubtful anyone is running a keylogger, especially someone from China, etc.

Here's something. If you find a keylogger in any app in the repo, I'll give you $50. I'm pretty sure any other platform is way more likely to attract spyware and keyloggers.

Deal?

Also, please check my background (profile), I'm not your average user with regards to security. Even MITM won't break SSL or TLS, considering that they can't have the private key of a certificate issued for mail.google.com, or whatever the domain is. It's the whole point of SSL and TLS, is that the only way for an attacker to trump your browser without showing any warning sign would be to have compromised your client with a self-signed root cert.

Don't sprout things which aren't true, please.

eitama 2010-06-20 12:32

Re: My gmail account has been hacked - I am pretty sure it's related to the N900 somehow
 
Quote:

Originally Posted by CrashandDie (Post 722572)
Well, if you're running devel, it's your own sad fault.

I still remain very doubtful anyone is running a keylogger, especially someone from China, etc.

Here's something. If you find a keylogger in any app in the repo, I'll give you $50. I'm pretty sure any other platform is way more likely to attract spyware and keyloggers.

Deal?

Also, please check my background (profile), I'm not your average user with regards to security. Even MITM won't break SSL or TLS, considering that they can't have the private key of a certificate issued for mail.google.com, or whatever the domain is. It's the whole point of SSL and TLS, is that the only way for an attacker to trump your browser without showing any warning sign would be to have compromised your client with a self-signed root cert.

Don't sprout things which aren't true, please.

The likelihood of this happening on Maemo5 is indeed small,
and still it CAN happen, and there is no reason not to investigate or check it.
There is even less of a reason to bash me for raising it; if you don't like the idea, or think it's impossible, you can express your opinion politely, or remain silent in your corner of the world.

As for the application in extras-devel, it can alter an existing bookmark, to point to http://www . gmail . com, and insert a record in your hosts file.
You will not get a warning for a compromised certificate cause there won't be ANY certificate.
Just cause you have not thought of a way to achieve a fraud, doesn't mean it doesn't exist.

I don't need to check your profile to know that you are not the only person in the world that knows something about something.
Open your ears. you might learn something new one day.

Now please go away.

CrashandDie 2010-06-20 12:47

Re: My gmail account has been hacked - I am pretty sure it's related to the N900 somehow
 
TLS clients will bork if they connect to a host that does not offer a certificate. Typing your username/password on a page that is not secure deserves you to get your account hacked.

Nuff said.

eitama 2010-06-20 12:52

Re: My gmail account has been hacked - I am pretty sure it's related to the N900 somehow
 
Quote:

Originally Posted by CrashandDie (Post 722595)
TLS clients will bork if they connect to a host that does not offer a certificate. Typing your username/password on a page that is not secure deserves you to get your account hacked.

Nuff said.

You can stick your head in the sand if you like, and ignore that there might be a problem, but there are too many ways for this to happen to just rule it out.

And yes, I am human, I might have made a mistake and didn't notice that SSL was gone.

I'm having a hard time using my humanity as an excuse for your rudeness.

Quote:

4/ Don't blame the N900.
5/ Stupid topic
6/ ???
7/ Profit.

uvatbc 2010-06-20 17:08

Re: My gmail account has been hacked - I am pretty sure it's related to the N900 somehow
 
Do these steps from a machine you know (know, not believe) to be secure:
1. Change your gmail password. Do not tell it to anyone. Not even your spouse.
2. Change your alternate email address to an address you know to be secure.
3. Go to gmail. At the bottom in fine print there should be something that explains the latest activity on the account. It should have a "Details" link. Click it. A popup window will appear. Click Disconnect all other sessions.

After these steps:
Monitor your gmail like a hawk for a month at least to ensure there's no funny activity.

If you think your phone is compromised, reflash everything down to eMMC before you attempt to log in to gmail.

I am more inclined to believe that your desktop/laptop is compromised - because the n900 is not a "famous" enough target to install keyloggers / rootkits. The ROI is in most cases not worth it.

Some of these steps sound funny (paranoid) even when I read them, but for me they are important because my email account is effectively a gateway to almost everything else I have.
I cannot afford to have it be compromised.

Texrat 2010-06-25 20:09

Re: My gmail account has been hacked - I am pretty sure it's related to the N900 somehow
 
Well, after all these years, it looks like an online account of mine has been hacked: Youtube. I can no longer log in, and today Youtube asked me to verify I wanted the password changed.

Crap.

Not sure how to fix this...

gerbick 2010-06-25 20:21

Re: My gmail account has been hacked - I am pretty sure it's related to the N900 somehow
 
This thread has made me rotate my passwords on all of my online accounts.

juise- 2010-06-25 20:52

Re: My gmail account has been hacked - I am pretty sure it's related to the N900 somehow
 
Quote:

Originally Posted by gerbick (Post 729473)
This thread has made me rotate my passwords on all of my online accounts.

It's a good idea to do that every once in a while.

To OP:

I'd look back if I've used any computers in public places (likely targets), or anything running windows (likely targets).

Targeting N900 users would mean targeting such a small number of users that it wouldn't make sense to most hackers.

Texrat 2010-06-25 21:29

Re: My gmail account has been hacked - I am pretty sure it's related to the N900 somehow
 
Quote:

Originally Posted by gerbick (Post 729473)
This thread has made me rotate my passwords on all of my online accounts.

And really makes me wonder about OpenID...

gerbick 2010-06-25 21:36

Re: My gmail account has been hacked - I am pretty sure it's related to the N900 somehow
 
Quote:

Originally Posted by Texrat (Post 729534)
And really makes me wonder about OpenID...

I believe that it was GA here that was first to have shown the security concerns for OpenID around here. Not sure, but I've seen concerns.

I used to rotate my password - non-dictionary, complex (uppercase, lowercase) with at least two special characters - once per 120 days. I just rotated and since last year have done so only once per 180 days.

You guys just prompted it today for all but my throwaway accounts.

optimistprime 2010-06-25 21:55

Re: My gmail account has been hacked - I am pretty sure it's related to the N900 somehow
 
Just rotated mine. Had something similar with the gmail thing happen the other day. I do usually check and see if the account is logged in somewhere else, but recently had been using gmail mobile. In the middle of a gtalk chat, the account was temporarily suspended due to "suspicious" activity. Had to change email passwords..... just changed EVERY password that I used.

eitama 2010-06-25 22:06

Re: My gmail account has been hacked - I am pretty sure it's related to the N900 somehow
 
Interesting information guys!
Thanks for letting me know, I'll restart the brute force loop.

juise- 2010-06-25 22:30

Re: My gmail account has been hacked - I am pretty sure it's related to the N900 somehow
 
Quote:

Originally Posted by CrashandDie (Post 722595)
Typing your username/password on a page that is not secure deserves you to get your account hacked.

Easier said than not done.

I have almost typed my FB credentials into a phishing site once, after following a link from an authentic-looking email notification to an authentic-looking login page. The only thing that was wrong was the URL.

Edit: needless to say, I've been more careful with clicking links in e-mails ever since.

ndi 2010-06-25 22:36

Re: My gmail account has been hacked - I am pretty sure it's related to the N900 somehow
 
Quote:

Originally Posted by gerbick (Post 729473)
This thread has made me rotate my passwords on all of my online accounts.

And that's why I always have tier passwords. Depending on how sensitive accounts are, I have about 5 passwords I use downwards from oh-God-if-they-get-in-I'm-ruined to meh-so-what-you-can-have-it. Reusing balanced with security.

Which reminds me, if you see me suddenly posting odd stuff, please reset my password to "blubbers". :D

Finally, I like/hate the idea of OpenID. If anyone can get into the loop at some point I'm doomed. Only thing I got through OpenID is very low level stuff, tier 4 and 5. At tier 3, only one person knows my password, and it's dictionary-proof. At 2, I have a single password nobody knows. At tier one, I use a long password combined with special chars when limited, and hardware-assisted login when not (I carry a card and a digital token at all times).

juise- 2010-06-25 22:50

Re: My gmail account has been hacked - I am pretty sure it's related to the N900 somehow
 
Quote:

Originally Posted by ndi (Post 729624)
Finally, I like/hate the idea of OpenID. If anyone can get into the loop at some point I'm doomed.

You could still use multiple OpenIDs.

Also, you could use more advanced authentication methods with OpenID, e.g. some multi-factor authentication like those Verisign pseudo-RNG-dongles.

I've been toying with the idea of writing my own OpenID provider that would require me to approve account access from my N900.

CrashandDie 2010-06-25 23:49

Re: My gmail account has been hacked - I am pretty sure it's related to the N900 somehow
 
Quote:

Originally Posted by juise- (Post 729641)
like those Verisign pseudo-RNG-dongles.

They have nothing to do with Random Numbers.

Rather, the value is specifically computed every time you actually ask it to do so (VeriSign doesn't implement Time counters, but others do, which is far more secure).

Try to imagine that you have a 3DES key, and every time you press the generation button, the Event Counter is incremented, and you generate a new 3DES key from the Event Counter and the previous 3DES key. With this key, you can generate an OTP, which is then sent to the server for authentication.

They are really far, far more than simple RNGs; so no need to try and simplify them in that way.

Source: I work in the industry.

fw190 2010-06-26 07:53

Re: My gmail account has been hacked - I am pretty sure it's related to the N900 somehow
 
Recently I've tried the multi calendar widget just to see what it is. Because I didn't like it, after a few minutes of testing I decided to uninstall it. The process was going ok, but suddenly I saw that it was downloading and installing something. Later I saw in the app manager another widget: eve on-line. I don't like the idea that something is installing on my phone without my permission. I'm starting to lose faith in those community applications. How can I know that it is not recording my bank account password somewhere?

Tomaszd 2010-06-26 09:27

Re: My gmail account has been hacked - I am pretty sure it's related to the N900 somehow
 
Quote:

Originally Posted by fw190 (Post 729917)
Recently I've tried the multi calendar widget just to see what it is. Because I didn't like it, after a few minutes of testing I decided to uninstall it. The process was going ok, but suddenly I saw that it was downloading and installing something. Later I saw in the app manager another widget: eve on-line. I don't like the idea that something is installing on my phone without my permission. I'm starting to lose faith in those community applications. How can I know that it is not recording my bank account password somewhere?

Thank you, it means I'm not crazy! Please comment here and paste anything you have in the Application Manager log.

juise- 2010-06-26 10:07

Re: My gmail account has been hacked - I am pretty sure it's related to the N900 somehow
 
Quote:

Originally Posted by CrashandDie (Post 729689)
They are really far, far more than simple RNGs; so no need to try and simplify them in that way.

Sorry, I didn't intend to offend anyone, I just couldn't remember any product names at the time of writing. Simply attempting to communicate my point.

But, let me try to justify my choice of words:
(a) To an external observer, those numbers should look random, if it's being done properly.
(b) But it's obvious that they cannot be truly random, otherwise they couldn't contain information. Thus, pseudo-random.

CrashandDie 2010-06-26 10:32

Re: My gmail account has been hacked - I am pretty sure it's related to the N900 somehow
 
@Tomaszd and fw190:

Could you please clarify something for us. Which repository are these applications coming from? Can you specify versions?

Thanks.

ndi 2010-06-27 18:23

Re: My gmail account has been hacked - I am pretty sure it's related to the N900 somehow
 
Quote:

Originally Posted by CrashandDie (Post 729689)
Rather, the value is specifically computed every time you actually ask it to do so (VeriSign doesn't implement Time counters, but others do, which is far more secure).

I have one of those, it computes a reply from the challenge request from the server and internal clock (and PIN), meaning that the password is only valid that minute (among other things). They do have the drawback of time desync. If I don't use it often enough, clocks desync and I have to call them.

Quote:

Originally Posted by juise- (Post 729641)
I've been toying with the idea of writing my own OpenID provider that would require me to approve account access from my N900.

Heh, me too, but while it does provide nice security, it has the disadvantage of having no more protection from spoofing the OID provider, plus, if N900 dies no more login. More break points.

Ideally, I shouldn't keep my passwords online. But there are so many of them! Right now, I have 84 stored user/password combos, and those don't even include VPN, VNC, FTP and Tier 1 and 2.

When forums support OpenID across the board, we'll have a lot fewer of these. Most don't.

CrashandDie 2010-06-27 20:29

Re: My gmail account has been hacked - I am pretty sure it's related to the N900 somehow
 
Quote:

Originally Posted by ndi (Post 731719)
I have one of those, it computes a reply from the challenge request from the server and internal clock (and PIN), meaning that the password is only valid that minute (among other things). They do have the drawback of time desync. If I don't use it often enough, clocks desync and I have to call them.

No. When you use it in async mode (challenge/response), then there is absolutely no use of the internal clock. It can be that the authentication server only allows a specific challenge for a specific length of time.

The whole point of challenge/response is that you can use any challenge. Obviously, competitors to the company I used to work for may have implemented new algorithms, but there is no security value in having time-bound Challenge/Responses.

One way of testing this is to use your token, and hence get a challenge. Then wait 10 minutes, and replay the challenge again. It should output the same[1] response.

[1]: CR also suffers from key decay. What I mean by this is that because it is impossible to know what challenges have been provided to the device, it is also impossible to compute further values of the response (hence the futility of time-based CR).

If you want, I can go into much further detail of the algorithms. Three months have passed, so I'm legally allowed to disclose stuff now.

ndi 2010-06-27 20:38

Re: My gmail account has been hacked - I am pretty sure it's related to the N900 somehow
 
Quote:

Originally Posted by CrashandDie (Post 731873)
No. When you use it in async mode (challenge/response), then there is absolutely no use of the internal clock. It can be that the authentication server only allows a specific challenge for a specific length of time.

Could be. It has 2 modes:

* Login: I input user name (set) and a password. The password is given by a token, after entering PIN. However, if I generate a password, wait for 60 seconds, then enter the password, it will not work. If I don't use it enough, it desyncs, and I need to call them to allow me one time-ignorant login. Once that happens, it works again. I have no other explanation than the fact that the token has an internal clock it uses.

* Transaction: Site gives me a random number (challenge). I press the signature button on the device, input the number, then it gives me a similar number. I enter that into the site and the transaction goes through. If I delay, it does not go through, and it re-issues me a different challenge. It could be timed, it could be clock based, I can't tell because in order to sign you have to log in, so time is sync.


Quote:

Originally Posted by CrashandDie (Post 731873)
If you want, I can go into much further detail of the algorithms. Three months have passed, so I'm legally allowed to disclose stuff now.

I don't need the info, but as a programmer not only by job but by sheer passion, I'd love the insight.

CrashandDie 2010-06-27 22:12

Re: My gmail account has been hacked - I am pretty sure it's related to the N900 somehow
 
Quote:

Originally Posted by ndi (Post 731887)
I don't need the info, but as a programmer not only by job but by sheer passion, I'd love the insight.

OK, so let's start from the beginning.

This stuff is roughly the same as what is being used by all Chip & PIN credit cards. In order to secure this stuff, most banks will invest in HSMs (Hardware Security Modules). These are devices that cost between 7k GBP (PCI version) and 35k GBP (standalone ethernet version). A handful of companies are sharing the big business that this represents: SafeNet and nCipher (until they were bought by Thales) being the main ones.

SafeNet is notable because their hardware is quite a bit cheaper than Thales', and they provide quite a few avant-garde features (such as USB smart card readers that establish direct connections to the HSMs). SafeNet also owns most of the US DoD market.

nCipher (now Thales) owns a good chunk of the European banking market. They are also implemented in a few big corporate environments (think biggest UK telco company, or biggest Ukrainian telco company, etc). Their hardware is quite a bit more expensive, but their support systems are definitely worth it. If you have problems and a valid support contract, you can be sure they will move continents to fix things for you.

A networked HSM looks like a blade server. You just put it in your rack, plug in the power and ethernet, and you're done (I'll skip the part where you have to create security worlds, which are the partitions in which the keys will be stored). They store specific keys in hardware, encrypt the files with those keys. The files contain your keys (the keys your applications will use). The primary advantages of HSMs are the security and speed they offer. If you try to open an HSM, it will basically "self destruct", and destroy the keys it contains. In terms of speed, HSMs can offer between 500 and 6000 1024bit RSA key generations per second. If you need 4096bit keys, speeds go between 60 and 500. In comparison, the fastest smart cards can only generate a 4096bit transaction in about 3-5 seconds. This means that in concurrent access, the slowest HSM could still handle 180 clients per second.

Now, imagine you have this big box that can generate and validate gazillions of transactions every second (and this is just if you have one box. More often than not you will see between 2 and 6 HSMs deployed). What do you do with it?

Well, first, your server generates a key. This will be the "master" key. All the clients (tokens) that will be associated with this server will have their keys deduced from this key. Well, actually, this isn't true; you have a bunch of keys, but I can't go in those details right now (need to wait for some of my notebooks, which are still being shipped from Australia). Understand that you at least have two master keys, one for the synch part (OTPs, One-Time Passwords), and the async part (CRs; Challenge/Response).

Your server implements a few features. The more elaborate servers (such as my previous company, ActivIdentity's 4TRESS AS, acquired from ASPACE, and deployed at most UK banks) provide full customer help-desk features, allowing to authenticate the user through password, seeded password, memorable data, seeded memorable data, OTP, CR, oAuth, session transfer, etc, etc, etc. But for our use-case, let's imagine that the server only implements OTP and CR authentications. The CR should also provide the option to have user-provided challenges, or server-enforced challenges (I will go further into this at [1]).

Now, let's talk about the clients (this can be hardware, or software). There are a number of companies that offer what is called "soft-tokens" in the industry. They offer the same features as hardware tokens, but obviously aren't as secure. Just search "RSA" on your iPhone's app store, all the major security companies have them.

The client has a number of keys, too. One for async, and one for sync authentication.

There are two major ways of doing authentication. OTP (sync) and CR (async), but they differ vastly in terms of algorithm.

If you were to look at the sequential output of the auth sync, you could sum it up as (where f is function, and s is seed):

f(s), f(f(s)), f(f(f(s))), ...

What this means, is that the next iteration of the output is based on the previous output. This also means that the output is predictable, if you were to know the key, and the seed.

The seed itself is composed of a number of things, but most commonly there are four things that are used (in order of most-seen):

1/ sync key (usually 3DES)
2/ time counter (32bit based), see [2] for more information.
3/ event counter
4/ PIN

So what is this "output" made of? What is an OTP? Well, the length can vary, obviously. But generally, it's between 8 and 10 digits (to accommodate for the size of the screen). If you generated a bunch of OTPs, you could probably notice that one of the digits increments quite regularly. Maybe even two, but in a different order. If your device uses an event counter, then the last digit of the counter value (say the value in the device is 3829) would be the second digit of your OTP. The first digit of the OTP would be the last digit of the clock counter value. This is so that the server can compute a handful of "most likely" OTPs, in order to counteract the clock drift and people playing with their device. Remember, every time you generate an OTP, the event counter is incremented. If you generate an OTP 20 times, but never send it to the server, the server doesn't know where you are. This is just to prevent a too high load on the server, and limit the number of computations necessary.

Now, what are the last 6 or 8 digits of the OTP made of? Well, that's the actual OTP. It's the actual "random number" that allows the server to authenticate you.

I don't remember exactly which method is used to generate this number, but it could be any hashing method of any secret you want.

Let's say for fun that we use md5 (yes yes, I know how insecure it is, bla bla bla, just an example), of a concatenated string of the secret, the auth key, the total value of the event counter, and the total value of clock counter. Convert it to decimal, and divide by 2 until you get 8 digits.

So in order to get an OTP, you would have (in PHP, because I can't be bothered, it's nearly midnight. Also please note I'm just writing this as I go along, so there will most probably be typos):

Code:

<?php

// Halve $number until it fits in $targetLength decimal digits.
// hexdec() of a 32-hex-digit MD5 overflows PHP's integer range and comes
// back as a float, so the reduction is done in floating point (printed with
// %.0f to avoid scientific notation) instead of calling intval() on an
// out-of-range value.
function getNumberLength($targetLength, $number) {
    $number = floor($number);
    if (strlen(sprintf('%.0f', $number)) > $targetLength) {
        return getNumberLength($targetLength, floor($number / 2));
    }
    return $number;
}

$secret = 'maemo';
$key = '0123456789ABCDEFFEDCBA987654321089ABCDEF01234567'; // sync key
$event = 6472;   // event counter
$clock = 82827;  // clock counter

$concat = $secret . $key . $event . $clock;

$otp = getNumberLength(8, hexdec(md5($concat)));

echo $otp; // but we're not done yet

$key = md5($concat); // this needs to be stored
$event++;            // so does this

?>

And tada, there you go. You just wrote a client that generates OTPs. Obviously, your server needs to understand this, and be able to do exactly the same in order to authenticate your user, but this really is just it. Now, I have no idea how secure the above is. There probably is a reason why Vasco is able to sell their devices at $10 a pop.

There is a very important bit about the above algorithm, the fact that a new key is being deduced after every generation. What this means is that even though 3DES could be broken in just a few hours (last I heard, 3DES could be broken in about 8 hours), this really doesn't matter. The key is archaic as soon as it has been generated, so what's the point of trying to crack it?

Now, when it comes to CRs, it really is roughly the same stuff. The only difference is that the key never gets updated, and you use neither an event counter nor a clock counter. Again, as I said previously, this doesn't prevent the server from enforcing time-based challenges, which can decay very rapidly (a few minutes). However, from a device perspective, it doesn't change anything.

[1]: There are two likely scenarios, where you want to authenticate a user, or when you want the user to authenticate the website/prevent MITM attacks. Say you want to ensure the user has the token, you ask him to give you the response to "7762". This is when the server enforces the challenge, because you need to be sure there is no CR replay. When you want the client to authenticate a transaction, you ask them "please give us the challenge to the 3 last digits of the target bank account, and the 4 last digits of the transaction amount".

[2]: I only have intimate knowledge with one specific vendor, so I don't know how it goes with others, but the implementation I have seen was a 32 bit clock that incremented every half second. We would mask the 8 least significant bits of that clock so that the Clock Counter would only increment every 1m 32s (or was it 2m 32s? Can't remember).

Sorry I had to skip over some details, but the girlfriend needs the computer off.

Hope this helps,
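The post above describes the sync (OTP) side of the scheme: two hint digits taken from the clock and event counters, a hashed body, a key that rotates after every generation, and a server that computes a handful of "most likely" OTPs rather than one exact value. The following is an added example (not the poster's code, and not any vendor's algorithm) that carries that sketch through in Python, including the server-side window search the post only describes in words. Assumptions: the clock counter is passed in by the caller for determinism, the key rotation omits the clock so the server can replay skipped generations, and the secret, key and counter values are constructed.

```python
import hashlib

BODY_DIGITS = 8  # the "actual OTP"; two leading hint digits precede it


def _md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def otp_body(secret: str, key: str, event: int, clock: int) -> str:
    """MD5 of secret|key|event|clock taken as an integer and halved until it
    fits in BODY_DIGITS decimal digits (the post's toy reduction)."""
    n = int(_md5_hex(f"{secret}{key}{event}{clock}"), 16)
    while len(str(n)) > BODY_DIGITS:
        n //= 2
    return f"{n:0{BODY_DIGITS}d}"


def next_key(secret: str, key: str, event: int) -> str:
    """Key rotation after every generation: f(s), f(f(s)), ... as in the post.
    Assumption (simplification of the PHP sketch): the clock is left out of the
    rotation so a server that missed a few generations can replay the chain
    from the event counter alone."""
    return _md5_hex(f"{secret}{key}{event}")


def make_otp(secret: str, key: str, event: int, clock: int) -> str:
    """Hint digits first: last digit of the clock counter, then of the event
    counter, followed by the hashed body."""
    return f"{clock % 10}{event % 10}{otp_body(secret, key, event, clock)}"


class Token:
    """Client side. The clock counter is passed in by the caller so the
    example is deterministic (a real token reads its own clock)."""

    def __init__(self, secret: str, key: str, event: int = 0):
        self.secret, self.key, self.event = secret, key, event

    def generate(self, clock: int) -> str:
        otp = make_otp(self.secret, self.key, self.event, clock)
        self.key = next_key(self.secret, self.key, self.event)  # must be stored
        self.event += 1                                          # so must this
        return otp


class Server:
    """Server side: same secret and starting key. On each login it computes
    the handful of "most likely" OTPs within an event window and a clock
    drift instead of a single exact value."""

    def __init__(self, secret: str, key: str, event: int = 0,
                 window: int = 5, drift: int = 2):
        self.secret, self.key, self.event = secret, key, event
        self.window, self.drift = window, drift

    def verify(self, otp: str, clock_now: int) -> bool:
        if len(otp) != 2 + BODY_DIGITS or not otp.isdigit():
            return False
        clock_hint, event_hint = int(otp[0]), int(otp[1])
        key = self.key
        for step in range(self.window + 1):
            event = self.event + step
            if event % 10 == event_hint:  # prune candidates on the hint digit
                for clock in range(clock_now - self.drift, clock_now + self.drift + 1):
                    if clock % 10 != clock_hint:
                        continue
                    if make_otp(self.secret, key, event, clock) == otp:
                        # Accept and move past this event: the same OTP (and
                        # any skipped earlier one) can no longer be replayed.
                        self.key = next_key(self.secret, key, event)
                        self.event = event + 1
                        return True
            key = next_key(self.secret, key, event)  # replay a skipped generation
        return False


def demo() -> dict:
    """Constructed walk-through: a normal login, a replay of the same OTP,
    three OTPs that never reached the server, and a token that drifted past
    the server's event window."""
    secret, key = "maemo", "0123456789ABCDEFFEDCBA987654321089ABCDEF01234567"
    tok, srv = Token(secret, key), Server(secret, key)
    first = tok.generate(clock=100)
    out = {"login": srv.verify(first, clock_now=101),
           "replay": srv.verify(first, clock_now=101)}
    for _ in range(3):                        # generated but never submitted
        tok.generate(clock=200)
    out["resync"] = srv.verify(tok.generate(clock=200), clock_now=199)
    for _ in range(8):                        # far more than the window allows
        tok.generate(clock=300)
    out["past_window"] = srv.verify(tok.generate(clock=300), clock_now=300)
    return out
```

The window search is what bounds the "key decay" the post mentions: once the token has been pressed more times than the server's window, the server can no longer reach the token's key and the user must be re-synchronised out of band.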

Texrat 2010-06-27 22:21

Re: My gmail account has been hacked - I am pretty sure it's related to the N900 somehow
 
FYI, got my youtube account back. It's a slight ordeal finding the right recourse... and from the looks of Google forum comments it's been a HUGE problem the past year or so.

chrget 2010-06-28 09:49

Re: My gmail account has been hacked - I am pretty sure it's related to the N900 somehow
 
Quote:

Originally Posted by CrashandDie (Post 731976)
OK, so let's start from the beginning.

[...]

Hope this helps,

And once again, I curse the fact that there is no Thanks button in Off Topic. Thank you very much for providing us with that insightful write-up.

Regards,
Chris.

ossipena 2010-06-28 14:57

Re: My gmail account has been hacked - I am pretty sure it's related to the N900 somehow
 
Quote:

Originally Posted by eitama (Post 722373)
Hello guys,

I am an owner of a gmail account right from its launch,
I have been using it daily since then, and never got hacked.
My password is comprised of digits, capital letters, lower-case letters.

3 days ago, I was forcefully signed out of my account, when I tried to log in, my password was rejected.
I had to reset it using an alternate e-mail pre-configured.

I always use SSL, and never access gmail when SSL is not available. (or if something is odd with the certificate).

The purpose of this thread is to find out if anyone else suffered from this!
Details :
  • Account was hacked 3 days ago
  • Hacker IP : 58.49.183.79
  • Source location : China

Cheers,
Eitam.

first things first:

do you have ssh server installed?

e: btw thanks for the reminder to change passwords once in a while

eitama 2010-06-28 15:07

Re: My gmail account has been hacked - I am pretty sure it's related to the N900 somehow
 
Quote:

Originally Posted by ossipena (Post 732741)
first things first:

do you have ssh server installed?

e: btw thanks for the reminder to change passwords once in a while

Hey Ossipena,

I assume you are asking about the SSH server on my N900. The answer is yes, I do, and the passwords for both root and user are non-default; both include letters, digits, lowercase and uppercase.

+ Phone is mostly not connected to internet,
When it is, it's either at home wifi, where I have a router blocking port 22, or 3g where I get a private (sadly) ip address... and not a public one. (again sadly...)

ossipena 2010-06-28 15:24

Re: My gmail account has been hacked - I am pretty sure it's related to the N900 somehow
 
Quote:

Originally Posted by eitama (Post 732759)
Hey Ossipena,

I assume you are asking about the SSH server on my N900. The answer is yes, I do, and the passwords for both root and user are non-default; both include letters, digits, lowercase and uppercase.

+ Phone is mostly not connected to internet,
When it is, it's either at home wifi, where I have a router blocking port 22, or 3g where I get a private (sadly) ip address... and not a public one. (again sadly...)

I just wanted to check that because it would have been the most obvious source for hacking. It requires something as complicated as:
Code:

cat /dev/input/keypad
are there btw open security holes in ssh software available to N900?

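ossipena's question and eitama's answer above amount to a short checklist for an SSH server on a phone: is it installed, can root log in with a password, and is the port reachable from the internet or only from the home network. The following is an added Python audit written for this thread, not code from Maemo or from anyone in it; the two sshd_config texts are constructed, and the checks cover only the OpenSSH keywords named in them.

```python
import re

# Constructed sample configs, not files taken from an N900 or from this thread.
WEAK_SSHD_CONFIG = """\
# constructed sshd_config with password logins left open
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_SSHD_CONFIG = """\
# constructed sshd_config after tightening
Port 22
ListenAddress 192.168.1.50
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers user
"""


def parse_sshd_config(text: str) -> dict:
    """keyword (lowercased) -> first value. OpenSSH uses the first occurrence of a
    keyword, accepts 'Keyword value' or 'Keyword=value', and ignores '#' lines.
    Match blocks and repeated ListenAddress lines are not modelled here."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit_sshd(settings: dict) -> list:
    """Return (keyword, value, advice) for the settings that matter most when the
    server can be reached from outside the home network."""
    findings = []
    root = settings.get("permitrootlogin")
    if root is None or root.lower() == "yes":
        findings.append(("PermitRootLogin", root or "<unset>",
                         "root should not log in remotely with a password; set 'no'"))
    pw = settings.get("passwordauthentication")
    if pw is None or pw.lower() == "yes":
        findings.append(("PasswordAuthentication", pw or "<unset>",
                         "disable password logins and use keys, so guessing is off the table"))
    listen = settings.get("listenaddress")
    wildcard = listen is None or any(listen.startswith(p) for p in ("0.0.0.0", "::", "[::]", "*"))
    if wildcard:
        findings.append(("ListenAddress", listen or "<unset>",
                         "sshd listens on every interface; bind it to the trusted network "
                         "or make sure the router blocks the port, as eitama's does"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_sshd(parse_sshd_config(cfg)))
```

A private 3G address or a router that drops port 22, as in eitama's setup, takes care of the exposure; the audit is about what happens on the day the phone lands on a network that does not.
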
ndi 2010-06-28 16:12

Re: My gmail account has been hacked - I am pretty sure it's related to the N900 somehow
 
Quote:

Originally Posted by CrashandDie (Post 731976)
OK, so let's start from the beginning.

Well, the button is missing, so I'll have to do it manually: Thanks!


Quote:

Originally Posted by CrashandDie (Post 731976)
Just search "RSA" on your iPhone's app store, all the major security companies have them.

I have a RSA.pas in my projects folder. I have it implemented for registering software and for encrypted chat. I know it's useless, but back when I played with the idea a 376 bit key was pretty nifty. Key exchange was dynamic, generated at start of chat. Also, user could re-sync keys at any time during the conversation.

As an old cartoon character would put it, cool, but useless.

Quote:

Originally Posted by CrashandDie (Post 731976)
Sorry I had to skip over some details, but the girlfriend needs the computer off.

And that's why I invested in a water cooling solution for all my PCs. Along with a soft touch kbd, a quiet mouse and fully-enclosed headphones, I could shame a mouse in a church.

I went from shut-down-everything to letting my HTPC on, overnight, 1.4 meters away from her head. That is, assuming you don't defrag or check the CD.

Man those optical drives are loud.

Oh, and, it also allows for some sweet performance boost. My mouse of a PC boasts a 4 GHz quad and dual video card.

Everything is cooled by 2 120mm fans, on low (800-1200 RPM, heat sensitive).

CrashandDie 2010-06-28 16:47

Re: My gmail account has been hacked - I am pretty sure it's related to the N900 somehow
 
Quote:

Originally Posted by ndi (Post 732840)
And that's why I invested in a water cooling solution for all my PCs. Along with a soft touch kbd, a quiet mouse and fully-enclosed headphones, I could shame a mouse in a church.

Actually, I have a macbook pro, so quiet enough to use anywhere too. It's just she was jealous ;)

eitama 2010-06-28 17:36

Re: My gmail account has been hacked - I am pretty sure it's related to the N900 somehow
 
Quote:

Originally Posted by ossipena (Post 732788)
I just wanted to check that because it would have been the most obvious source for hacking. It requires something as complicated as:
Code:

cat /dev/input/keypad
are there btw open security holes in ssh software available to N900?

I wouldn't know :)

ndi 2010-06-28 17:38

Re: My gmail account has been hacked - I am pretty sure it's related to the N900 somehow
 
Quote:

Originally Posted by CrashandDie (Post 732893)
Actually, I have a macbook pro, so quiet enough to use anywhere too. It's just she was jealous ;)

Start saving. :)
