[SecurityRatty] tag: sarah

Sarah Palin and Security Questions

Thu, 09 Oct 2008 04:09:10 +0000

I've always looked at security questions used to automate user password recovery with quite a bit of skepticism. What's the point of requiring strong passwords if you allow anyone to reset the password on an account by answering a (potentially inane) question? And just how many good security questions are there, and how many web sites will ask similar questions, allowing the owner of one web site to reset a user's password at another site that uses the same question? I'm pretty sure that the typical user will tend to select the same security question if it's available at multiple sites. In many web sites I've seen, the security question is clearly the weak link in the chain.

Apparently a fellow recently was indicted on charges of hacking into the Republican vice presidential nominee's Yahoo email account, by simply doing some research on the Internet to find her birthday, zip code, and the answer to her security question, "Where did you meet your spouse?" All told the attack reportedly took under an hour to complete.

Given the level of interest in Palin and other public figures, and the large amount of information about them available to the public, it makes sense that they will be some of the easiest targets for attacks like this.

Palin Hacker Allegedly Involved in Another Computer Intrusion

Thu, 09 Oct 2008 00:28:00 +0000

A 20-year-old Tennessee student who was indicted this week for gaining unauthorized access to Alaska Gov. Sarah Palin's Yahoo account, was involved in another computer intrusion years ago while in high school, a former teacher says. David Kernell and a fellow classmate guessed the password to a system storing lesson plans and got detention for it, the teacher says.

Tenn. student indicted for hacking Palin's e-mail

Wed, 08 Oct 2008 00:00:00 +0000

The Tennessee college student who came under suspicion as the hacker who broke into the e-mail account of vice presidential candidate Sarah Palin has been indicted by a federal grand jury.

US man indicted for hacking Palin's e-mail account

Tue, 07 Oct 2008 20:00:00 +0000

A 20-year-old Tennessee man has been indicted for hacking into an e-mail account of U.S. vice presidential candidate Sarah Palin, according to court records.

Summarizing Zero Day's Posts for September

Tue, 07 Oct 2008 06:54:00 +0000

As usual, here's September's summary of all of my posts at Zero Day. You may also want to catch up and go through August's and July's summaries, next to adding my personal RSS feed or Zero Day's main feed to your RSS reader.

Notable article for September - Spamming vendor launches managed spamming service.

01. DoS vulnerability hits Google's Chrome, crashes with all tabs
02. Malware and spam attacks exploiting Picasa and ImageShack
03. Spamming vendor launches managed spamming service
04. Facebook introducing new security warning feature
05. Google downplays Chrome's carpet-bombing flaw
06. Targeted malware attack against U.S schools intercepted
07. The most "dangerous" celebrities to search for in 2008
08. Norwegian BitTorrent tracker under DDoS attack
09. Attacker: Hacking Sarah Palin's email was easy
10. Bill O'Reilly's web site hacked, attackers release personal details of users
11. India's government: At last, we've cracked Blackberry's encryption
12. Memory exhaustion DoS vulnerability hits Google's Chrome
13. 44% of second hand mobile devices still contain sensitive data
14. Spammers attacking Microsoft's CAPTCHA -- again

Palin and politics: lots to talk about

Thu, 02 Oct 2008 20:00:00 +0000

Gibbs discusses reader feedback to last week's column about the break-in of Republican vice-presidential candidate Sarah Palin's e-mail account and the heady intersection of IT and politics.

Web mail rivals at risk of password-reset hacks

Mon, 29 Sep 2008 00:00:00 +0000

Yahoo Mail isn't the only Web-based e-mail service that hackers could dupe into giving up passwords, the tactic that apparently was used to break into Alaska Gov. Sarah Palin's Yahoo account this month.

Sarah Palin's E-Mail

Wed, 24 Sep 2008 12:01:58 +0000

People have been asking me to comment about Sarah Palin's Yahoo e-mail account being hacked. I've already written about the security problems with "secret questions" back in 2005:

The point of all these questions is the same: a backup password. If you forget your password, the secret question can verify your identity so you can choose another password or have the site e-mail your current password to you. It's a great idea from a customer service perspective -- a user is less likely to forget his first pet's name than some random password -- but terrible for security. The answer to the secret question is much easier to guess than a good password, and the information is much more public. (I'll bet the name of my family's first pet is in some database somewhere.) And even worse, everybody seems to use the same series of secret questions.
The result is the normal security protocol (passwords) falls back to a much less secure protocol (secret questions). And the security of the entire system suffers.

In the News: Hacking Sarah's Email, TSA-Approved Laptop Bags

Wed, 24 Sep 2008 11:47:43 +0000

Hacking Palin's EmailIt's no secret in the IT community that hacking into someone's email account is a fairly trivial task, but now that VP-candidate Sarah Palin's account has been cra...

Palin hacking probe: What's next?

Tue, 23 Sep 2008 20:00:00 +0000

The intensity of the probe into the hacking of Sarah Palin's e-mail has subsided but big questions remain.