Science Forums

Palin's hacked Yahoo account


freeztar


Apparently someone hacked into Sarah Palin's Yahoo account and read all her emails. You can read about it here:

Palin E-Mail Hacker Says It Was Easy | Threat Level from Wired.com

 

It was *very* simple for the intruder to *illegally* do this using information found on the web. With the popularity of social networking sites, this makes it easy for anyone to do it to virtually anyone else. (this idiot only used one proxy and his email has already been found :D)

 

Are you protected?

This thread is for discussing not only the problem and its variants, but also the solutions to keeping your email account safe from prying eyes.

Link to comment
Share on other sites

I've never tried to keep my account safe, and in fact my password is disturbingly easy to guess. However, I also make sure to never have anything stored in my e-mail that would bother me if somebody found it. The only problem I'd have is if somebody deleted a bunch of them without me reading them, and even then, it would have to be ones that I actually need (most e-mails don't matter that much).

Link to comment
Share on other sites

Too bad for her....

It does seem like anyone can hack a net-based email account with a little research...

I use Verizon, which I do not believe offers the option to reset a password based on providing information. ::Safe for now::

 

PS: Does anyone know what the charges would be for this type of "hacking," or how serious the penalty would be?

Link to comment
Share on other sites

It was *very* simple for the intruder to *illegally* do this using information found on the web. With the popularity of social networking sites, this makes it easy for anyone to do it to virtually anyone else. (this idiot only used one proxy and his email has already been found )

and i write about that all on my blog :)

and yeah, all of web-based email is vulnerable, be it verizon or gmail, trust me...

Link to comment
Share on other sites

In my experience, all security analysis, not just email, is best described non-technically via non-computer analogies. For example, my personal email is analogous to my home paper mailbox, which is literally a metal box on my porch into which a carrier puts incoming and takes outgoing envelopes. Incoming documents in my and in those of my paper mail’s recipients are authenticated by simple fields such as signatures and return addresses.

 

It’s trivially easy to “hack” my incoming paper mail – just walk up to the box and do what you will with the contents. An attacker can prevent me from ever getting it, or with a small amount of effort, you can read my paper mail, re-envelop it, and return it to my box without my detecting this.

 

I could easily improve my paper mail security, by installing a slot and lock type mail box. Yet, like nearly all my neighbors, I’ve not, because I’ve never experienced a significant breach of paper mail security, and because it would be less convenient for both me (and the carrier – I’m a considerate guy :)).

 

In my workplace, where (at least once upon a time) my paper mail might contain information whose theft could result in (no exaggeration) billion dollar monetary losses, mail is handled with much greater care, the most secure being hand delivered by human couriers, the rest at least delivered by couriers to a box that’s behind a locked door. My home mail can have similar security, by the sender requesting that (and paying an additional charge for) the envelope only be delivered if the carrier can get a signature from a human recipient.

 

The key to my paper mail security is using the correct mailbox and delivery options for potentially damaging mail. This analogy extends almost perfectly to electronic mail. Like most heavy computer users, I have many email accounts, some of which, like Palin’s yahoo account, are trivial to hack, or for which I’ve even agreed to policy statements that say the host can read whenever and for whatever reason they want. Like my home paper mailbox, this low level of security means, practically, that I don’t care if everyone in the world reads my junk mail, or even cute pictures of my mom’s cats. Important stuff, like my employer’s future pricing data (in any insurance biz, knowing your competitors’ future pricing data gives you a tremendous competitive advantage), would be negligent of me to send or receive via public carrier paper mail of any sort (in principle, carriers like FedEx offer trusted carrier services equivalent to private couriers, but in practice, cannot be trusted with truly sensitive data). However, my insecure email accounts are very convenient for quickly sending email, and as “garbage drops” for expected email replies (I don’t routinely check them for incoming mail). To access my most secure email, I must make a VPN connection to a well-firewalled and physically secure server, which involves manually keying numbers from a SecurID hard token fob, which isn’t very convenient.

 

The issue with Palin’s yahoo account is not that she had it, or that someone (Yahoo user rubico10, allegedly 20-year-old student and son of a TN state legislator David Kernell) casually and unimpressively socially (key to his attack is reportedly researching and guessing the answer to the security question “where did you meet your husband/wife?”) hacked it, but that apparently Palin used the account as her primary state business account, requesting that it be used in preference to her presumably more secure ak.st.us account. For employees of many businesses or the US government, such use would be considered negligent, and grounds for discipline. Although rubico reported finding nothing incriminating, he did find government-related communication for Palin’s husband and from the state’s Lt. Governor, supporting statements by people with email histories with Palin that essentially all state business email was sent to her yahoo account.

 

Though normally an incident where a state employee’s negligence resulted in an un-harmful breach of security would not be newsworthy (other than as humor), I think Palin’s case is because of her nomination for US Vice President, because of its implication that she doesn’t routinely think of and/or act to prevent security breaches, a failing that suggests she would be a poor Executive of the US.

 

To address freeztar’s original question – how to keep your email safe from prying eyes – IMHO the answer is the same as how to keep anything private – think about what you’re doing when you communicate something you should not or would not feel comfortable posting publicly, act on your thoughts, and have adequate knowledge to think correctly. High-level, technically inexpert knowledge consistently applied is, IMHO, usually better than detailed technically expert knowledge inconsistently applied, and certainly better than not thinking at all.

 

Sources: Can a case be made against the Palin e-mail hacker? | Between the Lines | ZDNet.com; Report: Tenn. legislator confirms son is at center of Palin hack chatter.

 

An interesting development in this case is the possibility that, because of the US DOJ’s published interpretation of the pertinent law, it’s possible that no criminal charges will be filed concerning the breach in question. Again, non-computer analogy is useful to explain why: read email is analogous to a paper letter taken from an outdoor mailbox and dropped into a nearby waste basket. While taking the letter from the mailbox is a federal crime, taking it from the waste basket is not.

 

Source: DOJ View on Email Privacy May Hamper Prosecution of Palin Hackers | Electronic Frontier Foundation.

Link to comment
Share on other sites

How difficult is an account like my AOL account to hack? Or how difficult is it to access my home computer? I have spyware and virus protection, I do have a yahoo account but I get nothing there but porn spam and offers to make my already too big penis even bigger. I figured that a Yahoo account would be relatively easy to look at by someone but I would like to think my AOL account is relatively safe. I've always figured that most hackers wouldn't really be interested in my home computer due to me simply being a very boring person with no money or other interesting things on my computer.

Link to comment
Share on other sites

Moon, I'd recommend getting a firewall as well. You can get free ones such as Comodo. Your AOL account is likely just as vulnerable as your Yahoo one. I think Dave has offered the best advice so far. Simply do not keep anything that you wouldn't want people to see in your email box. Important emails can be printed and deleted. It's certainly not as convenient or Earth-friendly, but it does seem to be the only surefire way to safeguard data in an email account.

 

Craig's advice is also good, basically, be sensible. The exploit that this hacker used on Palin was very amateur, yet very effective. Simple internet research was done to obtain enough information on Palin to get into the account. You can prevent this somewhat by being sensible. If your Yahoo account is Exploitme and your MySpace account is Exploitme, you're opening yourself up to trouble. Someone could cruise your myspace page and get info such as birthday, pet names, friend names, etc. All this info can be used to exploit the "Forgot password?" link. :)

 

I don't have a myspace account or facebook account partially for this reason. ;)

Link to comment
Share on other sites

Moon, I'd recommend getting a firewall as well. You can get free ones such as Comodo. Your AOL account is likely just as vulnerable as your Yahoo one. I think Dave has offered the best advice so far. Simply do not keep anything that you wouldn't want people to see in your email box. Important emails can be printed and deleted. It's certainly not as convenient or Earth-friendly, but it does seem to be the only surefire way to safeguard data in an email account.

 

Craig's advice is also good, basically, be sensible. The exploit that this hacker used on Palin was very amateur, yet very effective. Simple internet research was done to obtain enough information on Palin to get into the account. You can prevent this somewhat by being sensible. If your Yahoo account is Exploitme and your MySpace account is Exploitme, you're opening yourself up to trouble. Someone could cruise your myspace page and get info such as birthday, pet names, friend names, etc. All this info can be used to exploit the "Forgot password?" link. :)

 

I don't have a myspace account or facebook account partially for this reason. ;)

 

I use nonsensical answers to those questions in my accounts or questions only someone with very close intimate knowledge would have. I had a firewall when I had broadband, I was under the impression dial up is too slow to have an effective firewall.

Link to comment
Share on other sites

I had a firewall when I had broadband, I was under the impression dial up is too slow to have an effective firewall.

 

The firewall runs on your computer as a "middle man" for traffic coming into your computer from the web. As long as your computer is fast enough to run the firewall, then it should work just fine with dialup.

Link to comment
Share on other sites

How difficult is an account like my AOL account to hack?
It depends on what you mean by “hack”.

 

If you’re a sufficiently privileged AOL sys admin, it’s so easy it’s not worthy of the term hack, but is rather just normal use. Presumably you trust AOL to attempt to employ only trustworthy people in such jobs, who will not wantonly violate your privacy, or do anything malicious with any data they see while carrying out legitimate work – or at least keep the untrustworthy ones in such fear of dreadful repercussions that they behave exactly like trustworthy ones. :)

 

For it to be a true hack, you’ve got to be not normally allowed to see the data. The hack, then, is to figure out a way to see it, and better yet, alter it, anyway. There are many ways to do this, but, AFAIK, they can be categorized into 3 main kinds:

  1. Impersonate you – that is, know your account ID (screenname) and password. Rubico used this approach, by exploiting yahoo’s “I want to change my password but forgot my old password” feature, which relies on answering several questions, including one meant to be very personal. Palin’s choice of personal question & answer – “where did you meet your spouse?/Wasilla high school” - was a poor choice, as Rubico claims he was able to guess it from wikipedia and googled information about Palin in about 45 minutes
  2. Impersonate a sys admin. Similar to the above, but if AOL has its security act together (which a friend of mine at AOL assures me they do), much harder, beyond the abilities of the likes of Rubico
  3. Exploit a “back door” left by the system’s OS or application developers, or created by an installed piece of malware (virus, etc). The “unknown unknowns” of computer security, and a security analyst’s worst nightmare, as without completely decompiling and reading the OS and possibly application code, she doesn’t know if the most subtle and powerful conceivable of these exist. Antimalware apps can reduce, but not completely eliminate this fear

Or how difficult is it to access my home computer?
Assuming it’s turned on and has some sort of network connection, gaining access to your home computer is similar to gaining access to one of AOL’s, except unless you or some horrid piece of malware set your computer up to share your files via such unwise methods as anonymous telnet, ftp or an app like pcAnywhere, there’s no “you” user account to impersonate.
I have spyware and virus protection
Depending on how good it is, that should protect you from various of the above.
I've always figured that most hackers wouldn't really be interested in my home computer due to me simply being a very boring person with no money or other interesting things on my computer.
In terms of hurt being done to you, a reasonable assumption, but in terms of hurt being done to others, not so much so. “Boring” machines have been famously used in distributed denial of service and more subtle attacks, in which case your computer’s role is typically termed a zombie. Again, however, good antimalware is a reasonable assurance of being used this way.

 

A key high level understanding about computer security is that analogies like “backdoors” are inexact. A computer is not exactly analogous to a house. To allow a legitimate or illegitimate user to use it, the computer must be executing a program to detect and react to a specific external request. Modern computers, however, typically have a lot of these. A more accurate analogy for a modern computer is a huge hot dog stand, with the owner’s (your) hotdogs, bun, fixings, and expensive personal wine collection in an open kitchen inside, where you don’t even know how many people are working for you, and where all of your workers are completely reliable idiots. If you’ve trained them (configured your system) well, they won’t do anything but take money and give hotdogs, buns, and fixings (reply to legitimate requests, like you signing on, and your browser receiving this page from hypography). If not, they may hand over your 1959 Dom Pérignon for free (allow intrusion), or worse, hire new employees who’ll set up a criminal wine stealing headquarters there (install zombie viruses).

Link to comment
Share on other sites
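A self-audit for the "Forgot password?" weakness discussed in the posts above, as an added example that is not from any poster in this thread: it checks whether recovery answers can be read off your own public profile text and whether one handle is reused across sites. All profile text, answers and handles are constructed sample data, and the 0.5 threshold is an assumption.

```python
import re
import unicodedata

STOPWORDS = {"the", "a", "an", "of", "in", "at", "my", "and"}


def normalize(text):
    """Lowercase, drop accents and punctuation: 'Ridgemont High!' -> 'ridgemont high'."""
    decomposed = unicodedata.normalize("NFKD", text)
    no_accents = "".join(c for c in decomposed if not unicodedata.combining(c))
    return re.sub(r"[^a-z0-9]+", " ", no_accents.lower()).strip()


def answer_risk(answer, public_texts):
    """Rate how easily a recovery answer could be researched from public text."""
    corpus = " ".join(normalize(t) for t in public_texts)
    norm = normalize(answer)
    words = [w for w in norm.split() if w not in STOPWORDS]
    if not words:
        return "HIGH"  # empty or stopword-only answers are trivially guessable
    if f" {norm} " in f" {corpus} ":
        return "HIGH"  # the whole answer appears verbatim in public text
    known = set(corpus.split())
    hit_ratio = sum(w in known for w in words) / len(words)
    return "MEDIUM" if hit_ratio >= 0.5 else "LOW"  # threshold is an assumption


def reused_handles(handles_by_site):
    """Group sites that share one handle (case-insensitive)."""
    groups = {}
    for site, handle in handles_by_site.items():
        groups.setdefault(handle.lower(), []).append(site)
    return {h: sorted(sites) for h, sites in groups.items() if len(sites) > 1}


def audit(recovery_answers, public_texts, handles_by_site):
    """Return (risk per question, handles shared by more than one site)."""
    risks = {q: answer_risk(a, public_texts) for q, a in recovery_answers.items()}
    return risks, reused_handles(handles_by_site)


# Constructed sample data: text copied from one's own public profiles.
PUBLIC_TEXTS = [
    "Met my husband at Ridgemont High School back in the day.",
    "Our dog Biscuit turns 5 this March! Thanks Aunt Anna for the cake.",
]
RECOVERY_ANSWERS = {
    "Where did you meet your spouse?": "Ridgemont high school",
    "Name of first pet?": "Biscuit",
    "Mother's maiden name?": "Anna Kowalski",
    "Favourite teacher?": "k7#Qv!92zLp",  # nonsensical answer kept in a password manager
}
HANDLES = {"yahoo": "Exploitme", "myspace": "exploitme", "bank": "q_t81"}

if __name__ == "__main__":
    risks, reused = audit(RECOVERY_ANSWERS, PUBLIC_TEXTS, HANDLES)
    for question, risk in risks.items():
        print(f"{risk:6} {question}")
    for handle, sites in reused.items():
        print(f"handle '{handle}' reused on: {', '.join(sites)}")
```

Any answer rated HIGH or MEDIUM is a candidate for replacement with a random string that is stored like a second password.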

How difficult is an account like my AOL account to hack?

how difficult is your password? just tell me if it's over 10 characters long, and has at least one upper case, one lower case letters, one number and one special symbol?

 

And all bets are off if someone has access to your local network, or any network you connect to your account with.

 

Or how difficult is it to access my home computer?

once again it depends... Windows, Linux or OS X? router? firewall? software firewall? IDS? subnets? wifi? wpa or wep... etc

 

I figured that a Yahoo account would be relatively easy to look at by some one but I would like to think my AOL account is relatively safe.

How do you figure that? Yahoo invests more time and money into security than AOL...

 

I've always figured that most hackers wouldn't really be interested in my home computer due to me simply being a very boring person with no money or other interesting things on my computer.

Crackers hack for 3 reasons:

Because someone is paying them to

Because they are bored, and you pissed them off

Because they can

 

last 2 don't care whether you have interesting stuff or not, you just add to their botnet...

 

freezy, think simpler, think xss... moon can willingly provide his logon credentials, as can anyone really... and firewall won't help

 

I had a firewall when I had broadband, I was under the impression dial up is too slow to have an effective firewall.

tis your computer, not your connection. go download comodo firewall right now!

 

Depending on how good it is, that should protect you from various of the above.

Don't take him the right way either, various in no way means all... (nor did craig say that :confused: )

Link to comment
Share on other sites

how difficult is your password? just tell me if it's over 10 characters long, and has at least one upper case, one lower case letters, one number and one special symbol?

 

My password consists of 8 totally random symbols.

 

And all bets are off if someone has access to your local network, or any network you connect to your account with.

 

 

once again it depends... Windows, Linux or OS X? router? firewall? software firewall? IDS? subnets? wifi? wpa or wep... etc

 

Windows XP pirated version.

 

How do you figure that? Yahoo invests more time and money into security than AOL...

 

Yahoo always struck me as a lot looser than AOL, maybe it's because I have a buddy named yahoo who is a trip to say the least.

 

 

Crackers hack for 3 reasons:

Because someone is paying them to

Because they are bored, and you pissed them off

Because they can

last 2 don't care whether you have interesting stuff or not, you just add to their botnet...

 

Sad that a few bored assholes can cause so many problems, I do not leave my computer on unless I am using it. Would that make a difference?

 

 

freezy, think simpler, think xss... moon can willingly provide his logon credentials, as can anyone really... and firewall won't help

 

I don't fall for phishing.....

 

tis your computer, not your connection. go download comodo firewall right now!

 

I might do that.

Link to comment
Share on other sites

symbols being letters? numbers? special characters (like +_)(&* ...etc?)

 

pirated means not updated, which means that you are probably already owned, just don't know about it, or you are not owned, but owning you is very simple.

 

Yahoo always struck me as a lot looser than AOL, maybe it's because I have a buddy named yahoo who is a trip to say the least.

And aol has tried putting spyware in a multitude of their products :)

 

Sad that a few bored assholes can cause so many problems

such is life...

 

I don't fall for phishing.....

aahahahahahahahahahahahahahahaahahahahaahhaahahahahahahahaahhaahahahahahahahaha

:)

hahahahahahahaahahhaahahahahahahahahahahahahahahahahahahahaha

hehe

you won't even know you did it ;) read a little about XSS ;) (i even had a blog post on it)

I might do that.

comodo is the best in windows world, right now.... just thought i'd tell you

Link to comment
Share on other sites

Alex, try to be a *little* less condescending next time. And pirated does not necessarily mean not updated - I'm using a pirated copy of XP, which I just upgraded to SP3. I've also not had any problems on one of my windows computers in a long time (anti-virus, firewall, router w/ very, very basic security on it, but I follow the same logic as when I don't lock my front door - I've got nothing much worth taking, so why put $10 of security into protecting $1 worth of goods?). And yes, some phishing scams are very advanced, but the majority of them are not. Despite what you may think, you're not the only person who knows about computers.

Link to comment
Share on other sites
