Thursday, September 18, 2008

What’s important, Palin’s Yahoo Mail account hacked

That’s right, Alaska Governor and Republican Vice-presidential candidate Sarah Palin's quasi-personal Yahoo Mail account was hacked into by the infamous group called “Anonymous”. While there are conflicting news reports on the incident’s authenticity - emails, screen shots, and family photos have been posted to Wikileaks as proof. If we assume the incident is real, there are many ways a free WebMail account could be compromised – some more likely than others:

1) Password guessing / brute force attacks
2) Password recovery system flaw or website vulnerability
3) Network sniffers
4) Phishing scams
5) Insider (rogue customer service representative or software backdoor)
6) Operating System Malware/Spyware
7) Stolen hardware
8) Lost backup tape (hah, as if free WebMail providers have backups!)
9) Use of a public computer

etc. maybe more I’m not thinking of.

For myself and the rest of the InfoSec industry the “how” is interesting, but it's unimportant for everyday users like our friends, family, coworkers, politicians, etc. What they need to know is that WebMail compromises could happen to anyone - even if they do everything “right” - because security is largely out of their hands, and it is impossible to behave perfectly all the time. Mistakes happen, and the higher profile a person you are, the higher the likelihood you will be targeted.

Bottom line: DO NOT receive or store anything you don’t want read or made public on these “free” WebMail systems. They are NOT private. They are NOT secure. They are NOT safe. The same goes for Google Docs, social network private messages, online backup solutions, whatever. What they are is FREE and CONVENIENT. The businesses that support them are not accountable for your privacy, security, or lack thereof. Read their EULA or ToS if you don’t want to take my word for it.


Anonymous said...

In my opinion, free webmail accounts are -more- likely to be secure than a town or even small state's mail server. In a free webmail account -you- are the insecure link, for all the reasons you mention. But Yahoo's and Google's servers are more likely to be secure than a town or state's.

If you want to break into a yahoo account, do you start by portscanning yahoo? Or do you see if the user logs into it from a library, or has a silly password hint.

That said, they aren't private in the truest sense, as you say, because the data is out of your control and accessible by their employees, and can be turned over as they see fit.

Anonymous said...

Wired has more details on the hack. As I guessed - they went in through the password hints.

Anonymous said...

What's surprising to me is not that it happened; it's why it hasn't happened before. I always go back to the old adage: where there’s Motive, Opportunity, and Means there tends to be crime. You covered the Means, we can all infer the Opportunity (is there a bigger target than Yahoo?), but given the political climate there’s huge Motive to go after all the politicians.
Probably just an issue with the vetting process, how much do you want to bet both dems and republicans are adding to their vetting checklists for unknown candidates a) check for webmail accounts b) have candidate delete account c) or teach candidate hard password.

Jeremiah Grossman said...

@Tom >In my opinion, free webmail accounts are -more- likely to be secure than a town or even small state's mail server.

Now that's chilling! ;) Indeed, you do have a point though.

@Dean, who's to say it hasn't happened before, on whoever's account it happened to be. Without some trickery involved, it's tough to tell if your webmail account has been hacked into.

Dan Weber said...

I think the reason it hasn't happened before is that most hackers don't want to bring down the FBI on their heads.

You can probably hack Alan Shimel safely. But take on a governor and you'll find yourself sitting in a damp room with a light in your face.

Anonymous said...

I won't comment on the security posture of free webmail accounts or private mail servers. What I will say is that folks attacking political campaigns through technology is becoming very interesting. Moreover, the further usage of technology in these campaigns to reach target audiences is creating a pretty big attack surface.

Personally, I was thinking about three or four other ways that this campaign could be affected by attacks on other web vectors.

Jeremiah Grossman said...

@Dan, rules of hacking:

Rule #1: Don't hack something you don't own or have written authorization for.

Rule #2: If you don't follow rule #1, DO NOT HACK THE GOV!

Anonymous said...

@Tom: I was thinking the same thing - I don't see any reason why a "free" mail account is any less secure than a "paid" mail account.

Each provider makes their own rules about strength of passwords, and how soon do they blacklist an IP address for invalid attempts.

It could be that a smaller, local provider would be more willing than hotmail, et al. to blacklist foreign IP addresses.

Anonymous said...

by the way, what is a brute force attack??? is it real?

Jim Manico said...

The problem was, by far, not the quality of questions for password reset. The problem was a combination of:

1) If a user answers the password reset question correctly, and the user has no secondary email account attached to their yahoo account, the user is automatically authenticated
2) Palin did not have a secondary email address attached to her Yahoo account
3) Once the attacker answered Palin's foolishly simple forgot-password security questions, they were immediately granted access to the account

No moose meat for you!
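
To make the three points above concrete, here is an added example (not code from the post, the commenter, or Yahoo) that models the auto-authenticating reset flow Jim describes next to a version that never turns a correct answer into a session. The Account class, its field names, the attempt limit and the sample account values are all assumptions constructed for illustration.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

MAX_ATTEMPTS = 3  # assumed lockout threshold for the hardened flow


@dataclass
class Account:
    """Hypothetical webmail account record (constructed, not a real schema)."""
    username: str
    security_answer: str             # stored answer to the "forgot password" question
    secondary_email: Optional[str]   # None: the common no-secondary-address case
    failed_resets: int = 0


def answer_matches(acct: Account, answer: str) -> bool:
    # Loose matching (trimmed, case-insensitive) is typical for hint questions;
    # it is one reason a guessable answer is so weak.
    return answer.strip().lower() == acct.security_answer.lower()


def reset_vulnerable(acct: Account, answer: str) -> str:
    """Flawed flow: a correct answer with no secondary email yields a live session."""
    if not answer_matches(acct, answer):
        return "denied:wrong-answer"
    if acct.secondary_email is None:
        return "session:" + acct.username      # auto-authentication: the weakness
    return "link-sent:" + acct.secondary_email


def reset_hardened(acct: Account, answer: str) -> str:
    """Hardened flow: the question only gates an out-of-band step, never a session."""
    if acct.failed_resets >= MAX_ATTEMPTS:
        return "denied:locked"                  # stop unlimited guessing of the answer
    if not answer_matches(acct, answer):
        acct.failed_resets += 1
        return "denied:wrong-answer"
    if acct.secondary_email is None:
        # No second channel exists, so there is nothing to verify against.
        # Refuse and route to a manual/support process instead of falling through.
        return "denied:no-secondary-email"
    token = secrets.token_urlsafe(16)           # single-use link sent out of band
    return f"link-sent:{acct.secondary_email}:{token}"
```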

Jeremiah Grossman said...

Jim, no secondary email address is a common scenario on Yahoo mail. Since it's one of the first free web mail systems back from the early web, this was/is the only email address people have. They just don't think to add in a secondary after initial registration.

Jim Manico said...

Jeremiah: Fair enough. I say boo to Yahoo. At the very least, the user should be given a warning during registration time. All ISPs offer free email that could be used for the secondary email. I'm sure you will agree that the combination of password-reset-auto-authentication and weak security questions is a recipe for disaster. I agree 100% with your opinion that free webmail is not safe. At the very least, stronger questions could have stopped this hack.

Joe said...

Unfortunately, most people don't have any other option. Your average user cannot configure a mail client, let alone configure their own mail server. ISP email accounts use webmail. Users need to be educated that password hint questions should never be answered properly. You must lie or put in random garbage.

Webmail providers need to remove these stupid questions.

Anonymous said...

Does Palin think that hackers are people too?