Hacker claims break-in of Mitt Romney's Hotmail account
Unlikely it's full of secrets, says expert
Computerworld - A hacker yesterday claimed to have broken into a personal email account linked to GOP presidential candidate Mitt Romney by answering "secret" password-reset questions.
Gawker first reported the break-in after the anonymous intruder made the claim via -- ironically -- email. The hacker also said the password used for email@example.com was the same that secured a Dropbox account associated with Romney.
However, the hacker did not provide evidence of the break-in, such as screenshots of the account's inbox or messages, and Gawker, fearing legal repercussions, did not log in to either the Hotmail or Dropbox account with the password the intruder supplied.
The incident is reminiscent of one in 2008 when a Tennessee college student broke into the Yahoo Mail account of then-Gov. Sarah Palin, the Republican nominee for vice president during that year's campaign.
As with the Romney hack, the one on Palin's account was successful because the snooper was able to correctly answer the security questions that preceded a password reset.
In 2010, 20-year-old David Kernell was sentenced to a year in prison for the Palin breach.
"'Secret' questions have been fraught with problems for a while now," said Charles McColgan, chief technology officer at TeleSign, a company that markets anti-fraud solutions to organizations and enterprises. "As the Palin case showed, the answers are often very easily discoverable types of things. Secret questions are just not that secret."
Before he was arrested, Kernell had boasted online that it took him less than an hour of research to find the answers Palin's account required before resetting its password.
According to wire service reports, Romney's campaign did not confirm that the Hotmail account was actually the candidate's, but did say that it had alerted law enforcement officials, who were "investigating this crime," hinting that the account was, in fact, Romney's or run on his behalf.
One expert doubted it was Romney's personal account.
"I think this was a throw-away account, or at best, one run by a staffer," said Phil Lieberman, CEO of Lieberman Software, an identity and password management developer. "I wouldn't be surprised if he doesn't have a number of accounts, but where he came from, the equity capital business, I'd be shocked if his confidential information wasn't done through a full email service, not a free consumer-grade account like this. With his experience in fiduciary and confidentiality responsibility, security has got to be baked into his DNA."
McColgan disagreed. "People break the rules all the time," he noted, referring to practices that users engage in even though they know it's not what they should do.
In fact, the Associated Press reported earlier this year that Romney did use a Hotmail account, specifically firstname.lastname@example.org, while he was governor of Massachusetts, and that he and his aides also relied on other private email addresses. Although not illegal, the practice was contrary to his administration's own policy and its warnings to state agencies.
The AP, and later the Wall Street Journal, obtained documents that showed the email@example.com address after filing records requests with Massachusetts state officials.
Hotmail -- and other free email services such as Yahoo Mail and Google's Gmail -- offer additional protection against this kind of hacking, primarily through two-step authentication, which sends a second password for the account to a pre-defined phone number. That security feature does not appear to have been enabled on the firstname.lastname@example.org account, assuming the intruder's claims are accurate.
That didn't surprise McColgan.
"More would use the phone verification step if companies like Google and Microsoft pushed it more," McColgan said. "Users will do what [Google, Microsoft and Yahoo] drive them to do, as long as it's very easy to use."
There's evidence of that, said McColgan, who noted that the Q&A "secret questions" concept superseded the earlier practice of asking users to provide an alternative email address for verification purposes.
Lieberman expected that the Romney hacker would be quickly found out, as was Kernell.
"These services collect an amazing amount of information, they know the exact IP address of each log-on," said Lieberman. "They know who did this, and the consequences are guaranteed."
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is email@example.com.