Tenn. student indicted for hacking Palin's e-mail
David Kernell, the focus of intense Web sleuthing, faces 5 years in prison if convicted
Computerworld - David Kernell, the Tennessee college student who came under suspicion as the hacker who broke into the e-mail account of U.S. vice presidential candidate Sarah Palin, has been indicted by a federal grand jury, the U.S. Department of Justice announced today.
Kernell, 20, was indicted Tuesday on one count of accessing a computer without authorization by a grand jury in Knoxville, Tenn., and has turned himself in to the FBI, a DOJ spokeswoman said this morning. He will be arraigned later today and is currently in processing.
If convicted, Kernell faces up to five years in prison and a fine of $250,000.
Kernell, a student at the University of Tennessee at Knoxville, was the focus early on in the investigation of the hacking of Palin's Yahoo Mail account. Although initially a loose group of activists was blamed for the break-in -- which resulted in the public posting of several messages from her account -- Internet sleuths quickly assembled clues left online by a hacker identified as "rubico," who admitted to the break-in.
On Sept. 17, rubico posted a message to a popular message board claiming to have gained access to Palin's e-mail by using Yahoo's password reset feature. Others then quickly linked the rubico handle to the e-mail address "email@example.com," which was in turn linked to Kernell through Internet searches that uncovered connections between him, the username and the e-mail address on such sites as YouTube.
Within days, Gabriel Ramuglia, the webmaster of Ctunnel, a proxy service used by rubico, had traced the hacker's IP address to an Illinois company that provides Internet service to the Knoxville apartment complex where Kernell lives. The FBI searched Kernell's apartment on Sept. 21.
Claims made in the three-page indictment were in line with other details of the case. According to the grand jury, Kernell hacked into the Alaska governor's "firstname.lastname@example.org" account on or about Sept. 16 by using the Webmail service's password reset mechanism.
"Specifically, he reset the password to 'popcorn' by researching and correctly answering a series of personal security questions," the indictment read.
Rubico had bragged that it took just 45 minutes to do the online research needed to reset Palin's password, while others had remarked on the use of the "popcorn" password and its obvious link to Kernell's last name.
The three largest Web mail services, Google Inc.'s Gmail, Microsoft Corp.'s Windows Live Hotmail and Yahoo Inc.'s Mail, all rely on automated password-reset mechanisms that can be abused by anyone who knows the username associated with an account and an answer to a single security question.
The indictment alleges that Kernell took screenshots of several of Palin's messages, which he then posted on the 4chan.org site, which hosts the message board where rubico talked about the hack. Those screenshots were later published on the Wikileaks.org Web site. The indictment did not say how the images got from 4chan to Wikileaks.
"Defendant Kernell posted the reset password, thus providing the means of access to the e-mail account for others," the indicted stated, and noted that at least one other person used the reset password to access Palin's account.
Kernell also tried to hide his track by deleting and concealing files on his notebook computer, the indictment said.
Kernell is the son of Mike Kernell, a longtime Democratic state representative from Memphis.
Palin e-mail hack
- Kernell pleads innocent to Palin hack charge
- IT Blogwatch: Sarah Palin's alleged email hacker pleads, "Not guilty"
- Accused Palin hacker has a history of intrusion
- Scott McPherson: Throw the book at Palin's email hacker
- Tenn. student indicted for hacking Palin's e-mail
- Yahoo, Hotmail, Gmail all vulnerable to Palin-style password-reset hack
- FBI searches Tenn. student's apartment in Palin hacking case
- IT Blogwatch: Sarah Palin e-mail hacker drops anchor, arrr!
- Security researchers ponder possible Palin hacks
- Sharon Machlis: Yahoo users: Like Sarah Palin, you may be vulnerable to an e-mail hack
Read more about Networking in Computerworld's Networking Topic Center.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts