Friday, September 19, 2008

How Criminals Hacked gov.palin@yahoo.com

I decided to wait a day before posting about this to see if anything popped up that indicates the criminals that took over VP Candidate Sarah Palin's email address did anything special.

Nope. This was social engineering, plain and simple. According to the BBC, the hackers simply contacted Yahoo customer support and asked for the password to be changed.

When challenged by the security questions (What is your mother's maiden name? What is the name of your pet?), the criminals simply looked the answers up. As the BBC put it, "information from Wikipedia and other online databases helped to establish Mrs Palin's date of birth, zip code and other personal information."

As in:

"Okay Mr Bush, I can reset that password for you... but I need to ask you a couple of questions first... what is your mother's maiden name, and what is the name of your pet?"

The answers are, of course, "Pierce" and "Barney". Date of birth? July 6th, 1946. Zip code? The White House has its own: 20500.

Challenge-response has been an underlying security principle since passwords were whispered at castle gates in pre-Roman times. But in an era where anyone can quickly and easily learn everything about you, easily guessed questions are passé.

Over the past couple of years, many major sites have slightly improved the strength of these challenge-response mechanisms by allowing users to write their own questions.

But too many of these sites undermine that improvement by defaulting to common questions whose answers are either easily researched, such as "mother's maiden name", or easily guessed, such as "city in which you were married".

Ultimately, where we are headed is towards trustworthy computing, powered by technologies like Authentium SafeCentral, which does a great job of protecting login credentials - and securely storing web site passwords.

Note: The criminals apparently left their fingerprints on the theft. One interesting conundrum will be whether or not C-Tunnel will be forced to turn over logs relating to their anonymizing of the session to the Secret Service.

My guess on that is "yes, they will".

1 comment:

Repack Rider said...

As far as I know, this is not an area investigated by the Secret Service. In fact, I haven't seen anyone cite any laws that were broken by the hacker, although using a private account for public business is certainly a violation on the part of Ms. Palin.

Even the federal government considers email subject to unannounced and unwarranted inspection. Why should a private citizen be prohibited from accessing someone else's email if the government is not?