The cautionary message, which states “Warning: We believe state-sponsored attackers may be attempting to compromise your account or computer,” may appear on the company’s search engine home page, in a user’s Gmail inbox, or on the Chrome browser page. The advisory echoes a similar warning issued last June, which provoked ire from some security experts who believed the warning was overly vague and would perhaps cause undue concern for the recipients.
“First, it generates fear on the part of Google’s customers because regardless of the fine print, such a warning will most likely send the recipient into panic mode when there’s no reason to panic. Second, it makes a claim which upon investigation is so vague that it’s meaningless. You may be the victim of a state or someone working on a state’s behalf? That’s pretty much the case for all targeted attacks,” wrote security consultant Jeffrey Carr, founder and CEO of Taia Global.
Carr specifically noted that the most likely targets of spear phishing attacks, those who work in the intelligence sector, should not be using potentially insecure means of communications such as those offered by Google and other consumer email providers.
“If you are a target of interest for a foreign intelligence service (FIS), one of the first things you should do is STOP USING GMAIL or any popular cloud-based service that cannot guarantee you where in the world on its many data farms your data resides… None of Google’s recommendations will keep you safe if you’re in that group,” Carr continued.
Carr also accused Google of employing “FUD” – a term often used as a critique of unnecessarily alarmist-style messaging from vendors and service providers seeking to bolster sales.
“The bottom line as far as Google’s advice is concerned is that it’s FUD-inducing for the people who aren’t targets and it’s insufficient for those who are. I have to wonder what Google was thinking when it created this awful program.”
Security Bistro contacted Carr for his reaction to the latest state-sponsored attack advisory issued by Google, and his sentiments regarding the matter remain unchanged.
“It’s impossible for Google to determine that any given nation state is attacking any one of its customers, and for Google to make such a claim really doesn’t serve anyone’s best interests except possibly to give Google a false allure of having ‘insider’ knowledge that helps Google stand out from its competition,” Carr said.
When the first advisory was released, the company had also posted an article on its security blog explaining that the messages were only being displayed to a subset of Google product users who were at the greatest risk of being targeted.
“If you see this warning it does not necessarily mean that your account has been hijacked. It just means that we believe you may be a target, of phishing or malware for example, and that you should take immediate steps to secure your account,” Google’s VP of Security Engineering wrote.
His post also offered recipients of the warning some basic security tips such as selecting a strong password, enabling the optional two-step verification function, and making sure that their operating systems and applications were fully updated.