Google’s security blog left a lot of questions unanswered when it announced that the company would begin alerting some of its users when their computers or accounts were being targeted by state-sponsored attackers.
Journalists and activists in China started seeing the alert as early as Thursday.
Eric Grosse, Google vice president of security engineering, wrote on Tuesday that the company would be taking steps to protect “a subset of users” who it believes may be targets of state-sponsored attacks.
When an account is at risk, a banner at the top of the page alerts the user. The warning doesn’t mean a user’s account has been hijacked, but that they should immediately change their password, enable two-step verification, and update their browser and all software.
Forbes' Andy Greenberg reports that a link on the alert banner directs users to a page that reads:
It’s likely that you received emails containing malicious attachments, links to malicious software downloads, or links to fake websites that are designed to steal your passwords or other personal information. For example, attackers have often been known to send PDF files, Office documents, or RAR files with malicious contents. We strongly recommend that you avoid clicking links or attachments in suspicious messages.
Google does little to explain what users will be alerted and how it's able to determine attacks by state actors (some users suspect Google is mainly referring to attacks from China).
“We can’t go into the details without giving away information that would be helpful to these bad actors, but our detailed analysis—as well as victim reports—strongly suggest the involvement of states or groups that are state-sponsored,” Grosse wrote.
Arron Ferguson said he received a similar alert a few months ago. The alert said his account had open sessions in Eastern Europe. Ferguson lives in Canada.
"I just happened to log in to my gmail account and there was a notice like that one that said not only was someone from another IP, that was not known to Google, logged in, but the session was still open. I closed the session down and changed my password immediately," he said by phone on Friday.
Ferguson, a computer systems technology instructor at the British Columbia Institute of Technology, says more than alerting people who are being targeted, Google should be blocking the attacks. "It's nice to get notices like this, but with a company that large, I would expect more of a proactive approach," he said.
"What boggles my mind is that Google's 'crack security team' here had really nothing to offer other than close the sessions and change the password," he said in a comment posted on Google's announcement.
For now, users are left with a lot of questions. Will Google apply the same standard to domestic state-sponsored attacks? Is Google working to block the attacks? And who exactly will be notified, because surely it would be of interest to any user to know their account was under attack.
"I think they're tyring to play the politically correct game," Ferguson said of the vague statement. "Being that they're a corporation, they want to play in as many countries as they can so I don't think they're going to get any more particular than that...There's also the possibility that they have been instructed not to say," Ferguson said.