Sarah Palin email hacker drops anchor, arrr!

Avast, me hearties! It be Friday's IT Blogwatch, an' we be keelhaulin' Sarah Palin's hornswaggler, arrr! Not to mention September 19...

Gregg Keizer be reportin' fer duty, cap'n:

One or more hackers broke into Palin's account early Tuesday, then sent copies of several of its messages to news organizations and to WikiLeaks, a site known for publishing confidential and leaked documents ... the McCain-Palin campaign acknowledged the hack.
Although it's unclear how Palin's account was accessed, at least one person has stepped forward to claim the hack. In a message posted to's "Random" message board -- the site's most popular, which also goes by "/b/" -- but since deleted, someone identified only as "Rubico" claimed to have gotten Palin's password by using Yahoo's own password reset mechanism.

Some security experts found that hard to believe.

Does me deadlights deceive me? It's Sharon Machlis:

A student claiming to have broken into Gov. Sarah Palin's Yahoo e-mail account used a technique so simple, that it's likely to unleash a flurry of copycat attempts across the Internet.

With permission, of course, I tried the technique on ... another editor's account. Once I knew the answer to her "secret question," I was able to reset the password and access her account.
If you set up your account years ago, without realizing that, say, the year you graduated from college could be easily found via a Google search, well, you might want to think carefully about what you're sending and receiving in that Yahoo account.

Who keelhauled JR Raphael?

A message posted on a forum called "4chan," where news of the hack first surfaced, says the secret wasn't cracking Palin's password; it was changing it. A user identifying himself as "Rubico" claims all he did was select the option to reset the password on Yahoo Mail's interface. The service, he recalls, asked only for her birth date, zip code, and where she met her husband (which was her own self-chosen security question). That information can all easily be found with some basic Internet searching -- a task the hacker says took him less than an hour to complete.
The forum posting, incidentally, has been connected to an e-mail address belonging to a college student from Tennessee. Some reports speculate that student may be the son of a Democratic state representative also from Tennessee, though that information has not been confirmed. The FBI and Secret Service are actively investigating.

Michelle Malkin readies the hempen halter:

A tech-savvy reader ... e-mailed me a detailed explanation of how it went down:
There are several misconceptions and errors in most accounts of this story ... the perpetrator(s) were not members of an infamous group of hackers. I don’t blame you for misunderstanding this, because in all the media coverage regarding the war with Scientology the media has completely failed to explain what Anonymous is.

Anonymous is not exactly a group. It is people using the umbrella of ... ... an image posting site based on a popular Japanese site ... for cover to be as offensive, funny, strange, or whatever as they want.
Sarah Palin’s email account was hacked by one person. Not a group. This person read her emails, then posted the username and password on [4chan].

Kim Zetter scrapes the barnacles off the tale:

[I] was unable to reach the student by phone because his number is unlisted. A person who identified himself as the student's father, when reached at home, said he could not talk about the matter and would have no comment. The father is a Democratic state representative in Tennessee. Threat Level is not identifying them by name because authorities have not identified any suspects in the case, and the link to the student so far is tenuous.

The father, in a second call ... late Thursday afternoon, said that neither he nor his son has been contacted by any law enforcement authorities.

Dean Takahashi heaves to:

The web is abuzz with how vice presidential candidate Sarah Palin’s email got hacked ... if you recall, security researcher Dan Kaminsky warned in August that the “forgot my password” feature of many web sites is insecure, particularly if you consider the ability to redirect emails in a system where servers with the DNS flaw exposed by Kaminsky haven’t been patched.

If authorities track down the perpetrator, the attacker could face jail time. Sophisticated or not, it’s still illegal to crack someone’s password for a private email account.

But Kurt Opsahl scuttles that plan:

based on the facts in newspaper reporting, a court would likely consider this a violation of the Stored Communications Act (SCA).

However, the Department of Justice may be hamstrung in any prosecution of this invasion of privacy by its restrictive view of "electronic storage." The SCA prohibits unauthorized "access to a wire or electronic communication while it is in electronic storage." The act defines "electronic storage" as "any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof," or in the alternative as "any storage of such communication by an electronic communication service for purposes of backup protection of such communication."

Dare Obasanjo drinks like a pirate, arrr:

The fundamental flaw of pretty much every password recovery feature I've found online is that what they consider "secret" information actually isn't ... Even the sites that try to be secure by asking more personal questions such as "the name of your childhood pet" or "where you met your spouse" fail because people often write about their childhood pets and tell stories about how they met on wedding sites all over the Web.

Web developers need to start considering whether it isn't time to put password recovery features based on asking personal questions out to pasture. I wonder how many more high profile account hijackings it will take before this becomes as abhorred a practice as emailing users their forgotten passwords (you know why this is wrong, right?).

[Ye be fired -Ed.]
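The alternative Obasanjo is asking for, as an added example that is not from the original post or from any of the sites quoted above: a reset flow that rests on a random, single-use, expiring token (stored only as a hash and delivered to the address already on file) instead of on personal questions or a password sent by e-mail. The class, its in-memory store and the function names are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # reset links stop working after 15 minutes

class PasswordResetService:  # hypothetical in-memory store; a real app uses its database
    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be exercised
        self._passwords = {}     # user -> (salt, PBKDF2 digest)
        self._pending = {}       # user -> (sha256(token), expires_at)

    def set_password(self, user, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._passwords[user] = (salt, digest)

    def check_password(self, user, password):
        record = self._passwords.get(user)
        if record is None:
            return False
        salt, digest = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(candidate, digest)

    def request_reset(self, user):
        # Nothing an attacker can look up: the token is random, not derived from a birth
        # date, zip code or any other personal fact. Only its hash is kept, so a copied
        # database yields no usable links. The caller mails the raw token, never a password.
        token = secrets.token_urlsafe(32)
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        self._pending[user] = (token_hash, self._now() + TOKEN_TTL_SECONDS)
        return token

    def complete_reset(self, user, token, new_password):
        record = self._pending.get(user)
        if record is None:
            return False
        token_hash, expires_at = record
        if self._now() > expires_at:
            del self._pending[user]
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(presented, token_hash):
            return False
        del self._pending[user]  # single use: the link is dead once consumed
        self.set_password(user, new_password)
        return True
```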


Richi "poop deck" Jennings is an independent buccaneer/corsair/squiffy, specializing in shanties, grog, an' the cat o' nine tails. A 22 year, cross-functional plank walker, he is also a jack o' swords at Ferris Research. You can splice his mainbrace on Twitter, pretend to be Richi's bucko on Facebook, or just use boring old flags:


Copyright © 2008 IDG Communications, Inc.
