Security researchers ponder possible Palin hacks
There are lots of ways someone could hack her Yahoo e-mail, say experts
Computerworld - Security experts speculating today on how Alaska Gov. Sarah Palin's Yahoo e-mail account had been hacked put forward several theories, with some skeptical of claims that the access was gained by a simple password reset.
A Yahoo spokeswoman would not comment on the Palin hack or answer questions about the service's password reset feature. "In general, Yahoo doesn't comment on security policies," said Kelley Benander.
One or more hackers broke into Palin's account early Tuesday, then sent copies of several of its messages to news organizations and to WikiLeaks, a site known for publishing confidential and leaked documents. Among the leaked messages was one between Palin, the Republican nominee for vice president, and Alaska's current Lt. Gov., Sean Parnell, who is running for the state's lone congressional seat, and another with a former private investigator that Palin appointed to the Governor's Advisory Board on Alcoholism and Drug Abuse in October 2007.
Yesterday, the McCain-Palin campaign acknowledged the hack. "This is a shocking invasion of the Governor's privacy and a violation of law," the campaign said in a statement. "The matter has been turned over to the appropriate authorities."
Although it's unclear how Palin's account was accessed, at least one person has stepped forward to claim the hack. In a message posted to 4chan.org's "Random" message board -- the site's most popular, which also goes by "/b/" -- but since deleted, someone identified only as "Rubico" claimed to have gotten Palin's password by using Yahoo's own password reset mechanism.
Some security experts found that hard to believe.
"The whole password reset sounds dubious," said Paul Ferguson, a network architect at antivirus vendor Trend Micro Inc. "Yahoo sends a password reset to a secondary e-mail account, so it sounds far-fetched to me that it would be that easy."
Yahoo users who ask the service to remind them of their password are asked for just a few personal details -- such as birth date, country of residence and postal code -- but assuming those are entered correctly, the password is e-mailed to an alternate account, which has had to be entered previously. Computerworld's tests today, which involved several accounts and used various combinations of password reset queries, always resulted in the Yahoo password or username being sent to an alternate address. However, if a user says his or her alternate e-mail address is unavailable, the password can be reset.
Other researchers, however, thought that the password reset method might make sense. "It's plausible," acknowledged Adam O'Donnell, director of emerging technologies at message security vendor Cloudmark Inc. "That's a pretty accurate description on how to break into a system," he added, referring to Rubico's description of the attack.
"It's either a password reset or a brute force attack," O'Donnell continued. A brute force attack is one where the hacker simply tries the most likely passwords.
Palin e-mail hack
- Report: Tenn. legislator confirms son is at center of Palin hack chatter
- Web proxy firm working with FBI to trace Palin e-mail hacker
- IT Blogwatch: Sarah Palin e-mail hacker drops anchor, arrr!
- Security researchers ponder possible Palin hacks
- Update: Hackers claim to break into Palin's Yahoo Mail account
- Sharon Machlis: Yahoo users: Like Sarah Palin, you may be vulnerable to an e-mail hack
- Douglas Schweitzer: How safe is your e-mail correspondence?
- Global News Update: Thursday, September 18, 2008
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
- Is Your Big Data Solution Production-Ready? Read "Is Your Big Data Solution Production-Ready?" now, and discover best practices and actionable steps to implementing a production-ready big data solution.
- Pay-as-you-Grow Data Protection: IBM Tivoli's Full-featured Data Protection Suite for Small to Medium Businesses IBM Tivoli Storage Manager Suite for Unified Recovery gives small and medium businesses the opportunity to start out with only the individual solutions...
- Streamline Data Protection with IBM Tivoli Storage Manager Operations Center IBM Tivoli Storage Manager (TSM) has been an industry-standard data protection solution for two decades. But, where most competitors focus exclusively on Backup...
- Webinar: Building a Big Data solution that's production-ready Big data solutions are no longer just a nice-to-have.
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well... All Cybercrime and Hacking White Papers | Webcasts