by Markus Jakobsson
Security

Sarah Palin goes the way of Paris Hilton

September 19, 2008, 11:15 AM

Wednesday, it was reported that VP candidate Sarah Palin's Yahoo account was hacked by a perpetrator wishing to find incriminating information in her emails. It was not done using some strange computer security vulnerability. It was not done by guessing her password. It was done in just the same way as Paris Hilton's T-Mobile account was hacked some time ago: by guessing the answers to security questions. For Paris Hilton, it was the name of her dog. For Sarah Palin, it was her zip code, date of birth, and where she met her husband.

How hard is it to learn somebody's zip code? Not that hard. Try the white pages. Date of birth? Easy for a public figure - try Google. Each will take you less than a minute. Now, we know that Sarah Palin and her husband were high school sweethearts. The answer to this question turned out to be "Wasilla High School". All in all, it took the Sarah Palin hacker less than 45 minutes to break into the account.

Whose fault was this?
Was it the fault of this unknown political hacktivist? In large part, yes. After all, it is a crime to try to break into somebody else's account.

Was it Sarah Palin's fault? Maybe she shares some of the blame. It wasn't too bright to pick these questions. One might hope for a little more caution from somebody who might one day be president. But average people shouldn't be expected to be security specialists to avoid being hacked.

Was it Yahoo's fault? Certainly they also share the blame. Their security questions were not very well chosen. But that doesn't make them unique: A recent Scientific American article describes how a Gmail account was hacked in a similar way.

How can email hacks be prevented?
Should we lie when asked security questions? Not a good idea. You need to remember the answer to the question. After all, you have supposedly already forgotten your password!

Should we write our own security questions? No, most people don't know what would be secure -- as demonstrated not only by Palin and Hilton but by scores of others, too.

What is called for is better design of the questions by security professionals -- a subject I've covered in a recent Google Tech talk on Password Reset and this blog post: What is worse than reusing passwords?
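To make that design problem concrete, here is an added example (not from the original post or any Yahoo system) that rates candidate questions the way a designer should: against a blind guesser limited by the site's lockout policy, and against a targeted attacker who can simply look the answer up. The answer frequencies and answer-space sizes are constructed, illustrative figures, not survey data.

```python
from math import log2

# Constructed, illustrative answer frequencies (not survey data): how many
# users in a sample gave each answer. Note the skew: the answer space looks
# large, but a few popular answers cover most users.
FAVORITE_COLOR = {"blue": 40, "green": 15, "red": 13, "purple": 10,
                  "black": 8, "pink": 6, "yellow": 4, "orange": 4}
FIRST_PET = {"max": 9, "buddy": 8, "bella": 7, "charlie": 6, "lucky": 5,
             "rocky": 4, "daisy": 4, "molly": 3, "sam": 3, "toby": 3}

# Question -> (answer model, is the answer public for a public figure?).
# An int is an assumed round nominal answer-space size, treated as uniform.
QUESTIONS = {
    "zip code": (42_000, True),
    "date of birth": (365 * 80, True),
    "where did you meet your spouse": (10_000, True),
    "favorite color": (FAVORITE_COLOR, False),
    "first pet's name": (FIRST_PET, False),
}

def min_entropy_bits(answers):
    """How unlikely the single most common answer is; 0 bits means the
    first guess is practically always right."""
    if isinstance(answers, int):
        return log2(answers)
    return -log2(max(answers.values()) / sum(answers.values()))

def blind_guess_success(answers, allowed_guesses):
    """Chance that an attacker with no knowledge of the target succeeds
    within the lockout budget by trying the most popular answers first."""
    if isinstance(answers, int):
        return min(1.0, allowed_guesses / answers)
    top = sorted(answers.values(), reverse=True)[:allowed_guesses]
    return sum(top) / sum(answers.values())

def evaluate(answers, allowed_guesses, publicly_discoverable):
    """Rate one question against both attackers. For a targeted attacker
    who can look the answer up, the nominal entropy is irrelevant."""
    blind = blind_guess_success(answers, allowed_guesses)
    return {
        "min_entropy_bits": round(min_entropy_bits(answers), 2),
        "blind_success": round(blind, 4),
        "targeted_success": 1.0 if publicly_discoverable else round(blind, 4),
    }

def evaluate_all(allowed_guesses=5):
    """Rate every question in the catalog under one lockout policy."""
    return {q: evaluate(a, allowed_guesses, public)
            for q, (a, public) in QUESTIONS.items()}
```

Run `evaluate_all()` and the zip code question shows roughly 15 bits against a blind guesser yet certain compromise against anyone who can search for the target, while "favorite color" is weak against both.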

Comments

No maybe about the hacker

No maybe about the hacker being at fault. Locks are to keep honest people honest. Any lock can be picked, that's why we have laws. He/She/They should pay the price. Are you confused about who's at fault in rape cases, or is it a matter of degree?

I'll blame the hacking on

I'll blame the hacking on the hacker, but Palin really shouldn't be using a personal account for government business either...is she going to do the same thing as VP? Not what I would call improving national security.

So I guess if I get shot

So I guess if I get shot while walking down the street, it's my fault for being in the way of the bullet. You're a fraud. You are a lefty to the core, why don't you just admit it.