First published: 30th September 2008
Allan Dyer
Reports indicate that U.S.A. Vice-Presidential Candidate Sarah Palin's webmail account was broken into by means of Yahoo's password recovery facility. A person using the handle "rubico" claims to have researched the answers to the security questions in 45 minutes on the internet. The required information was:
- Birthday
- Zip code
- “Where did you meet your spouse?”
The contents of Sarah's email may or may not be interesting or important to Americans considering their country's future, but the first lesson for everyone is the weakness of self-service password reset procedures. The supposedly "secret" information in this case is exactly the kind of thing that can be easily discovered about anyone with an online presence, or with friends who have an online presence. Even if you have a cast-iron rule never to reveal your birthday, a friend might blog about enjoying your party last week, or give clues to any other personal question. As I pointed out in the May issue of this newsletter, 'Personally, any information about me that is memorable and I would be willing to tell to a website is probably not a secret, and if it is not memorable, I won't remember it either, making it useless as a "security question".'
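The weakness described above is structural: a "security question" is a static secret with a small, researchable answer space, and a reset facility that accepts it is only as strong as the obscurity of the person's life. The following is an added illustration, not code from the original article or from Yahoo, of the alternative most providers have since moved towards: a random, single-use, time-limited reset token delivered through a registered out-of-band channel, stored only as a hash, compared in constant time, and locked after a few bad guesses. The class name `ResetStore`, the 15-minute lifetime and the five-attempt limit are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time

# Added example: a minimal self-service password-reset verifier that replaces
# researchable "security questions" with a random, single-use, time-limited
# token. Names and limits here are assumptions for illustration, not any
# provider's real API or policy.

TOKEN_TTL_SECONDS = 15 * 60   # assumed policy: token is valid for 15 minutes
MAX_ATTEMPTS = 5              # assumed policy: abandon the request after 5 bad guesses


def _digest(token: str) -> str:
    """Store only a hash of the token so a leaked database cannot be replayed."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class ResetStore:
    """Tracks outstanding reset requests, one per account."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable clock so expiry can be tested offline
        self._pending = {}           # account -> {"hash", "expires", "attempts"}

    def issue(self, account: str) -> str:
        # 32 random bytes (256 bits): cannot be researched on the internet in
        # 45 minutes, unlike a birthday, a zip code or where someone met their spouse.
        token = secrets.token_urlsafe(32)
        self._pending[account] = {
            "hash": _digest(token),
            "expires": self._clock() + TOKEN_TTL_SECONDS,
            "attempts": 0,
        }
        # The raw token is returned once so the caller can send it via the
        # account's registered out-of-band channel; it is never stored.
        return token

    def redeem(self, account: str, presented: str) -> bool:
        rec = self._pending.get(account)
        if rec is None:
            return False                       # nothing outstanding for this account
        if self._clock() > rec["expires"]:
            del self._pending[account]         # expired: force a fresh request
            return False
        rec["attempts"] += 1
        if rec["attempts"] > MAX_ATTEMPTS:
            del self._pending[account]         # too many guesses: invalidate the token
            return False
        ok = hmac.compare_digest(rec["hash"], _digest(presented))
        if ok:
            del self._pending[account]         # single use: a token never works twice
        return ok


if __name__ == "__main__":
    store = ResetStore()
    token = store.issue("example-account")     # constructed account name
    print("wrong token accepted?", store.redeem("example-account", "guess"))
    print("right token accepted?", store.redeem("example-account", token))
    print("replay accepted?", store.redeem("example-account", token))
```

The three properties that matter are the ones the knowledge-based flow lacks: the secret is generated fresh and cannot be looked up, it stops working after one use or a short time, and a handful of wrong answers ends the attempt rather than allowing unlimited guessing.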
The second lesson is that webmail services like Yahoo have very little obligation to protect your information. Yahoo is not going to shut down and improve its security because of this incident. There are, undoubtedly, many other similar incidents occurring daily that do not hit the headlines because they do not involve a famous person. If you do not choose "security questions" that are difficult to guess or research, then, from Yahoo's point of view, that is your fault.
The third lesson is for the attackers: if you break into the account of someone famous, be prepared for some serious trouble. The FBI wants to talk to "rubico", and they have the resources to trace the source. A quick confession might be forthcoming: Democratic state Representative Mike Kernell, from Tennessee, told a reporter with the Tennessean that his 20-year-old son, David, is the individual involved.
Email is not secure. Webmail is even less secure. Use with caution.
Updated: 23rd September 2008
FBI Gatecrashes Student Party
FBI officers searched the flat of David Kernell, a suspect in the Sarah Palin webmail hack case, in the early hours of Sunday morning, interrupting a student party. Kernell was not present, but his three flatmates were served with court summonses. Guests who did not live in the flat were asked to wait outside while officers photographed the flat. Strangely, there was no mention of computer equipment being seized. The raid follows an earlier FBI visit on Friday afternoon.