The net is buzzing about Republican Vice President candidate Sarah Palin’s email account being hacked, and if you somehow missed it, this Wired blog post is a good starting point.
I won’t engage in spreading rumours about who might have done it. The bottom line is that he or she, at best, did something dumb. While there still appears to be a cool factor surrounding the commission of high tech crimes, the result is really no different from breaking into someone’s home, office, or car. And doing it to a VP candidate is just plain dumb. Given the high profile of this case, the authorities will make an example of whoever is responsible, resulting in a disproportionate sentence. It’s too bad that the perpetrator thought about the FBI after the fact, instead of before.
But this story is about much more than that. It’s about weak authentication, poorly designed password recovery, poor business practices and a negligent Governor.
Security professionals have been telling people for decades that passwords are a bad idea and that they suffer from numerous weaknesses. People choose passwords that are easily guessed, they are all too often rapidly obtained through technical and social attacks, and many password systems have serious, fundamental technical flaws. But we continue to use passwords because they’re easy and cheap.
We can choose complex passphrases that are hard to crack, but doing so also makes them harder to remember, especially for those of us with dozens of them. So, to help users, companies like Yahoo provide automated reset mechanisms. The problem is that these are, for the most part, weaker than the password itself, as was clearly demonstrated in Palin’s case. Many of these systems are fundamentally flawed and fail to take target familiarity into account.
As threat levels and asset values increase, so does the need for stronger security controls. Those in the spotlight are exposed to a larger threat, and information such as their email has a higher perceived value to potential attackers. However, because it is generally easier to obtain personal information about such people, password reset mechanisms that rely upon personal information provide a lower level of security. In other words, they protect people like Palin less than they protect you and me. They fall clearly into the “really bad idea” category, and surely the security people at Yahoo know it. These flawed password reset systems make it significantly easier to reset and obtain the password of someone you know than that of a random stranger. And let’s face it, an email account belonging to your boss, your ex, or another kid at school is far more interesting than a stranger’s. Shame on Yahoo (and others who do the same dumb things) for implementing such a poor security system.
Perhaps Yahoo and hundreds of others will wake up, smell the coffee and fix their reset mechanisms. But until they do, there is a solution for users: When providing “answers” to password reset questions, don’t “answer” the question they ask. For example, you might be asked the first school you attended or your first pet’s name. Be funny, be silly, be random. Make something up, and write it down if you have to. If Palin had simply answered that she met her husband “UnderThePinkOakTree”, her Yahoo account wouldn’t be in the news.
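To make the advice above concrete, here is an added example (my own, not Yahoo’s code or anything from the original story) that shows both halves of the fix: the user picks a random, question-unrelated answer in the “UnderThePinkOakTree” style, and the provider stores that answer the way a password should be stored, salted and hashed, instead of as plain text that a helpdesk or a breach can leak. The word list is a constructed toy; a real deployment would use a large list and the provider would still rate-limit reset attempts.

```python
import hashlib
import hmac
import math
import secrets

# Constructed toy word list. The entropy of a generated answer comes from how many
# words you choose from and how many you chain together, not from capitalisation.
WORDS = ["oak", "pink", "tree", "under", "river", "copper", "falcon", "quiet",
         "marble", "yellow", "cactus", "violin", "harbor", "lantern", "pepper", "orbit"]

def generate_recovery_answer(n_words=4, words=WORDS):
    """Random CamelCase answer that has nothing to do with the question asked."""
    return "".join(secrets.choice(words).capitalize() for _ in range(n_words))

def answer_entropy_bits(n_words=4, words=WORDS):
    """Guessing work for an attacker who knows the word list but not the choice."""
    return n_words * math.log2(len(words))

def _normalize(answer):
    # Recovery answers are typically compared case- and whitespace-insensitively,
    # so normalise before hashing on both the enrol and verify paths.
    return " ".join(answer.split()).casefold().encode("utf-8")

def hash_answer(answer, salt=None, iterations=200_000):
    """Store the answer like a password: per-record salt plus a slow KDF."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", _normalize(answer), salt, iterations)
    return salt, digest

def verify_answer(candidate, salt, digest, iterations=200_000):
    """Constant-time comparison so timing does not leak how close a guess was."""
    _, cand = hash_answer(candidate, salt, iterations)
    return hmac.compare_digest(cand, digest)

if __name__ == "__main__":
    answer = generate_recovery_answer()
    salt, digest = hash_answer(answer)
    print(answer, f"{answer_entropy_bits():.0f} bits", verify_answer(answer, salt, digest))
```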
Of course Governor Palin shouldn’t have been using a free Yahoo email account to conduct government business in the first place. Not only is it a well-known way to dodge information retention and access legislation, but free email accounts, as this incident demonstrates, simply don’t provide the level of security required for government business or political campaigns. Palin and her handlers should have known better. In fact, according to news reports, she has previously been criticized for conducting state business via her personal email account, so I think it’s safe to say that not only should she have known better, but she in fact did know better and continued to do so.
So where does this leave us? A dumb criminal, a negligent Yahoo, and a VP candidate that doesn’t learn from her own mistakes, none of which bode well for the American voter.