Google is advising users to secure their Gmail accounts after a country-wide man-in-the-middle attack was recently detected in Iran.
A Dutch certificate authority called Diginotar was compromised and those responsible issued rogue certificates for several high-profile domains, including google.com.
At least one such certificate has been abused in Iran so far, but the person who took responsibility for the compromise threatened similar attacks in Europe, the US and Israel.
In a post on its security blog, Google instructs users about how to check their accounts for signs of hijacking and secure them from future attempts.
"While Google's internal systems were not compromised, we are directly contacting possibly affected users and providing similar information below because our top priority is to protect the privacy and security of our users," said Eric Grosse, VP of security engineering at Google.
Some of the company's recommendations are basic, like changing the account password, something which should be done on a regular basis. Iranian users will be forced to change their passwords as a security precaution after the recent attack.
Users should also make sure that their account recovery information, such as the secondary email address and phone number, is correct and up to date. This matters because, after a compromise, attackers might change these details to keep a backdoor into the account even once the password is reset.
Hackers are also known to set up rogue forwarding addresses in compromised Gmail accounts in order to receive copies of messages sent to users. It is, therefore, important to review all forwarding addresses and delegated accounts as well.
Furthermore, since Google allows users to authorize applications and websites to interact with their accounts, those permissions should also be reviewed when a compromise is suspected.
The company advises users to carefully read all errors issued by their browsers and not override them unless they clearly understand what they mean. Users should never click past SSL warnings when accessing Gmail.
There's one important recommendation that Google failed to mention in its blog post, and that's the use of two-step verification. When this feature is enabled, users have to provide a unique code in addition to their password every time they log in from a new device. This code can be received via SMS or a phone call, or can be generated by special mobile apps.
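The code-generating apps mentioned above commonly implement the time-based one-time password algorithm (TOTP, RFC 6238, built on HOTP from RFC 4226). The block below is an added example, not Google's code or anything from the blog post, showing how such a code is derived from a shared secret and the current time, and how a server would verify it with a small tolerance for clock drift. The secret is the RFC's published test value; the function names are this example's own.

```python
import hashlib
import hmac
import struct
import time

# Shared secret from the RFC 4226/6238 test vectors (constructed input, not a real key).
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HMAC-based one-time password (RFC 4226).

    HMAC the 8-byte big-endian counter, pick a 4-byte window at the offset given
    by the low nibble of the last MAC byte, mask to 31 bits, and keep the low
    `digits` decimal digits (zero-padded).
    """
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at=None, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """Time-based variant (RFC 6238).

    The counter is the number of `step`-second intervals since the Unix epoch,
    so the phone app and the server only need the shared secret and roughly
    synchronised clocks; no network round-trip is involved in generating a code.
    """
    if at is None:
        at = int(time.time())
    return hotp(secret, int(at) // step, digits, algo)


def verify_totp(secret: bytes, code: str, at=None, step: int = 30, digits: int = 6,
                window: int = 1, algo=hashlib.sha1) -> bool:
    """Server-side check of a submitted code.

    Accepts the code for the current interval or any interval within +/- `window`
    steps, which tolerates small clock drift and slow typing. Each comparison
    uses hmac.compare_digest so a partial match does not leak through timing.
    A real deployment would additionally record the accepted counter and refuse
    to accept the same code twice.
    """
    if at is None:
        at = int(time.time())
    counter = int(at) // step
    for delta in range(-window, window + 1):
        expected = hotp(secret, counter + delta, digits, algo)
        if hmac.compare_digest(expected, code):
            return True
    return False


if __name__ == "__main__":
    # Reproduce RFC 6238 Appendix B: T=59 with SHA-1 and 8 digits yields 94287082.
    print("RFC vector (8 digits):", totp(TEST_SECRET, at=59, digits=8))
    print("Same interval, 6 digits:", totp(TEST_SECRET, at=59))
    print("Current code:", totp(TEST_SECRET))
```

The six-digit code a phone app displays is the same computation with `digits=6`; the server never needs to see the secret over the network, which is why an attacker who only intercepts the session (as in a certificate-based man-in-the-middle) still does not obtain a reusable credential from the code itself.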
Users should also make sure that their web browsers and operating systems are up to date at all times, because vendors issue updates that block rogue SSL certificates as soon as they are discovered.