Late Tuesday night or early Wednesday morning, the Yahoo email account of Alaska Governor and Republican vice-presidential candidate Sarah Palin was hacked.
Stolen private emails and photographs of her children were then posted to numerous websites. Also stolen was the cell phone number of Palin’s daughter Bristol. The bad guys even went so far as to call the number, record the voicemail message and send the recording to various websites. With so many people like me preaching email security, you would think that people would wise up; instead, incidents like this keep happening over and over again.
Initially, credit was taken by some goon who claimed to be a member of an underground hacker clan which goes by the clever name of “Anonymous.” Later, though, an anonymous member of Anonymous denied that his group was involved, and instead blamed some goofball named “/b/.” This fellow allegedly belongs to a group called 4chan, “a group that posts anonymously and creates Internet mayhem and mischief.”
And legitimate, white-hat hackers still moan about not being accepted by the general public. Maybe it’s the juvenile mentality that seems to dominate hacker culture, especially the nick-naming system, that throws people off.
So, /b/, allegedly just trying to be a good Internet prankster, hacked Sarah Palin’s email account. Now, he’s got the Secret Service on his tail. That’s very bad for /b/, because he broke the law in a highly visible way. Unlike the FBI, which is very slow and methodical in gathering evidence and developing cases, the Secret Service doesn’t mess around. They couldn’t care less about conviction rates based on solid evidence; their mission is to stop any perceived threat to someone under their watch. Those threats can be both physical threats and privacy threats, and the Secret Service is dedicated to stopping those threats as quickly as possible. You’re going down, /b/.
My prediction is that, in the next few days, we will see some hapless college student in handcuffs and pajamas being dragged from his parents’ basement, and the case will be closed. It could even happen before this article goes to press. The larger issue for me in this situation is how the bad guy succeeded. How do you hack the email account of a prominent politician?
You may recall my article of last February, describing how a local judge had accused Oklahoma City television station KWTV-9 of hiring hackers to steal her email. The Sarah Palin incident is different, in that the bad guy has published accounts of his exploits to the Internet. Whether or not those accounts can be believed is debatable. However, what is not debatable is that the attack methods that are described actually work; in fact, they work quite well.
Users of Yahoo, Gmail, Windows Live and other messaging services, beware; your account can be hacked using the “password reset” feature. This attack requires very little skill. In fact, the only skill required is the ability to gather information using Google.
If you’ve ever used an Internet messaging service, you may have noticed a link on the login page that says something like, “Forgotten your password? Click here.” This is a handy feature designed to bail out morons who can’t seem to keep track of their own passwords (sorry, Russ; no offense). Using this feature, you are asked a series of “security” questions for which you provided answers when you first established your account. When the questions are correctly answered, the password can be reset and changed.
According to the bad guy’s account, he tricked Yahoo into changing Sarah Palin’s password by gathering personal details about her from the Internet. These details included her birthday, zip code and where she first met her husband (Wasilla High School). He started plugging these details in as answers to Yahoo’s predetermined “security” questions list, and, voila, instant access. This is an easy, low-skill hack, and it works.
It should be noted that if Palin had provided an alternate, emergency-only email address to Yahoo, then the newly-reset password would have been sent to the alternate address, and the bad guy would have been foiled. However, if the bad guy knew Mrs. Palin’s Yahoo ID, he could end-run around the entire process and change the password, no matter what. If no alternate email address had been provided, then the hack would have been extra-easy to perform.
The technicality here is that too many people still wrongly use their real-world names as part of their email address and user ID when dealing with website-based messaging services. For example, in the case of Yahoo, if I had an email address which was davemoore@yahoo.com, it would be a bad idea for my user ID to also be my real name. That would make it too easy to guess my user ID and try to hack my account. And, if you understood any of what I just said, I would like to shake your hand.
My best advice is that, if you are going to use webmail services, you should do as I have for years: use fake names as often as possible. Never give real answers to pre-determined “security” questions; they are too easily guessed by friends/enemies, or harvested using Google. Use strong passwords. Change your passwords and security-question answers. Be suspicious of everything.
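To make the column’s two points concrete for anyone who builds or configures a login system, here is an added example (my own illustration, not code from the column and not Yahoo’s actual implementation). It models a toy webmail service with the weak reset flow described above, where correctly answering the “security” questions is enough to set a new password, beside a hardened flow in which answers are hashed and compared in constant time, repeated failures lock the reset feature, and success only mails a one-time token to the recovery address, so the password does not change until that token is used. It also includes the random-answer habit the column recommends. All user IDs, questions, answers and addresses are constructed placeholders; the PBKDF2 iteration count is illustrative.

```python
"""Password-reset flows: guessable knowledge-based reset vs. a hardened flow.
Added example; every identifier and sample value below is constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_RESET_ATTEMPTS = 3          # lock the reset feature after this many failures
PBKDF2_ITERATIONS = 50_000      # illustrative; production values are tuned per deployment


def normalize(answer: str) -> str:
    """Case- and whitespace-insensitive, as real reset forms usually are."""
    return " ".join(answer.strip().lower().split())


def hash_secret(secret: str, salt: bytes) -> bytes:
    """Hash passwords and security answers alike, so a leaked database does not
    hand over the plaintext answers (which are often public facts anyway)."""
    return hashlib.pbkdf2_hmac("sha256", normalize(secret).encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    user_id: str
    salt: bytes
    password_hash: bytes
    answer_hashes: Dict[str, bytes]          # security question -> hashed answer
    recovery_email: Optional[str] = None     # the "alternate, emergency-only" address
    failed_resets: int = 0


@dataclass
class Service:
    accounts: Dict[str, Account] = field(default_factory=dict)
    pending_tokens: Dict[str, str] = field(default_factory=dict)   # token -> user_id
    outbox: List[Tuple[str, str]] = field(default_factory=list)    # (address, token) "sent"

    def register(self, user_id: str, password: str, answers: Dict[str, str],
                 recovery_email: Optional[str] = None) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[user_id] = Account(
            user_id, salt, hash_secret(password, salt),
            {q: hash_secret(a, salt) for q, a in answers.items()}, recovery_email)

    def check_password(self, user_id: str, password: str) -> bool:
        acct = self.accounts[user_id]
        return hmac.compare_digest(acct.password_hash, hash_secret(password, acct.salt))

    def _answers_match(self, acct: Account, answers: Dict[str, str]) -> bool:
        # Evaluate every question (no early exit) and compare in constant time.
        ok = True
        for question, stored in acct.answer_hashes.items():
            ok &= hmac.compare_digest(stored, hash_secret(answers.get(question, ""), acct.salt))
        return ok

    def weak_reset(self, user_id: str, answers: Dict[str, str], new_password: str) -> bool:
        """The column's scenario: correct answers alone let anyone set a new password."""
        acct = self.accounts[user_id]
        if not self._answers_match(acct, answers):
            return False
        acct.password_hash = hash_secret(new_password, acct.salt)
        return True

    def request_reset(self, user_id: str, answers: Dict[str, str]) -> str:
        """Hardened flow: lockout, a required recovery channel, and a one-time
        token mailed out of band. The password itself is untouched here."""
        acct = self.accounts[user_id]
        if acct.failed_resets >= MAX_RESET_ATTEMPTS:
            return "locked"
        if acct.recovery_email is None:
            return "no_recovery_email"       # refuse to reset on guessable answers alone
        if not self._answers_match(acct, answers):
            acct.failed_resets += 1
            return "denied"
        token = secrets.token_urlsafe(32)
        self.pending_tokens[token] = user_id
        self.outbox.append((acct.recovery_email, token))
        return "token_sent"

    def complete_reset(self, token: str, new_password: str) -> bool:
        """Consume the mailed token exactly once and only then change the password."""
        user_id = self.pending_tokens.pop(token, None)
        if user_id is None:
            return False
        acct = self.accounts[user_id]
        acct.password_hash = hash_secret(new_password, acct.salt)
        acct.failed_resets = 0
        return True


def random_answer(nbytes: int = 12) -> str:
    """The column's advice in code: an 'answer' nobody can look up, to be kept
    in a password manager rather than remembered."""
    return secrets.token_urlsafe(nbytes)
```

Run against the constructed sample account, the weak flow yields the account to anyone holding three public facts, while the hardened flow with no recovery address refuses outright, with a recovery address changes nothing until the mailed token is presented, and locks after three wrong attempts even if the correct answers arrive afterward.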