Thursday, September 18, 2008

Palin: Email Hack Attack

By now you have no doubt been made aware that Gov. Sarah Palin's personal Yahoo email account was hacked. What you may not have heard is how it was done. So here are the gory details of exactly how her email account was broken into:

  1. The perpetrator logged in through the web proxy Ctunnel.com to cover his tracks.
  2. He then went to yahoo.com and clicked the "Forgot your password?" link.
  3. When Yahoo asked the account's security questions, he simply Googled the answers.
That's all it took: no password guessing, no malware, just publicly available facts typed into a form. The full story is posted over at Wired, including the panic the "hacker" went into once he realized how stupid his actions were (both for doing it and for not covering his tracks better). It is also worth noting that someone from the message board he posted to went into the account, reset the password, and then emailed Palin's office about the "attack".
By now it's patently obvious that anyone with enough will could have broken into Palin's email account at any time. Additionally, since Yahoo encrypts only the login page and not the rest of your mail session (the same goes for AOL, Hotmail, and Gmail*), her account could have been hijacked at any time by anyone with the right skills on the same network: once you are logged in, the cookie that identifies your session is sent in the clear with every page you open, and anyone who can sniff it can use it.

The irony is that it was her attempt to get around public accountability that led to her emails, family photos, and daughter's phone number being spread on the web. Had she done the right thing, not tried to escape being accountable to her electorate, and used the vastly more secure email system that being governor afforded her, this would never have happened in this fashion. Ultimately, by trying to eschew accountability she jeopardized information security. Take from that what you will.

Now, as for securing your own email account: first beef up your password, then make the answers to your security questions harder to guess. Treat each answer as a second password rather than as a fact about yourself, because anything a stranger can look up (your birthday, your ZIP code, where you went to school) is not a secret. There are some good tips on doing both here. Then consider using a password manager to securely store your new and improved passwords (and those made-up security answers), so that all of them are instantly available with one master password. A list of the most popular password managers is available here.
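To make the point about security questions concrete, here is a small simulation of the reset flow described in the steps above and of the hardening advice just given. This is an added example, not Yahoo's code or anything from the Wired story; the victim, the questions, the stored answers and the "public facts" list are all constructed, and the `ResetFlow` and `attack` names are mine. It shows the same three-question reset gate twice: once with answers that are facts about the (fictional) account holder, which an attacker armed with a search engine exhausts in a couple of dozen tries, and once with random answers kept in a password manager plus a lockout after five failures.

```python
import hashlib
import itertools
import secrets

# Added example. Every name, question, answer and "public fact" below is
# constructed for illustration; nothing here is Palin's data or Yahoo's code.


def normalize(answer):
    """Loose matching like most reset flows use: ignore case and extra spaces."""
    return " ".join(answer.lower().split())


def answer_hash(answer):
    # A real system should use a slow, salted hash; SHA-256 keeps the demo short.
    return hashlib.sha256(normalize(answer).encode()).hexdigest()


class ResetFlow:
    """A 'Forgot your password?' gate that asks security questions.

    max_attempts=None models a flow with no lockout, as in the story;
    a small integer models a hardened flow that locks after that many failures.
    """

    def __init__(self, questions, answers, max_attempts=None):
        self.questions = list(questions)
        self._hashes = [answer_hash(a) for a in answers]
        self.max_attempts = max_attempts
        self.failed = 0
        self.locked = False

    def attempt(self, guesses):
        """Return True only if every answer matches and the account is not locked."""
        if self.locked:
            return False
        # Evaluate every comparison (no short-circuit) so timing does not
        # reveal which question was wrong.
        results = [secrets.compare_digest(answer_hash(g), h)
                   for g, h in zip(guesses, self._hashes)]
        if all(results):
            return True
        self.failed += 1
        if self.max_attempts is not None and self.failed >= self.max_attempts:
            self.locked = True
        return False


def attack(flow, candidates_per_question, limit=100_000):
    """Try every combination of candidate answers, first question outermost.

    Returns (success, attempts_made); stops on lockout or when `limit` is hit.
    """
    attempts = 0
    for combo in itertools.product(*candidates_per_question):
        if attempts >= limit:
            break
        attempts += 1
        if flow.attempt(list(combo)):
            return True, attempts
        if flow.locked:
            break
    return False, attempts


QUESTIONS = ["Date of birth?", "ZIP code?", "Where did you meet your spouse?"]

# What the constructed victim actually answered: facts about herself.
WEAK_ANSWERS = ["07/04/1970", "55555", "Central High"]

# What a stranger could assemble about the same (constructed) person from a
# search engine: a few date formats, ZIPs of places she has lived, and the
# obvious "where we met" guesses. 4 x 3 x 4 = 48 combinations in total.
PUBLIC_FACTS = [
    ["1970-07-04", "July 4 1970", "07/04/1970", "7/4/70"],
    ["55555", "55556", "55560"],
    ["Central High", "central high school", "college", "work"],
]


def weak_flow_result():
    """Fact-based answers and no lockout: the reset succeeds on try 25 of 48."""
    return attack(ResetFlow(QUESTIONS, WEAK_ANSWERS), PUBLIC_FACTS)


def hardened_flow_result():
    """Random answers stored in a password manager, plus lockout after 5 tries."""
    random_answers = [secrets.token_urlsafe(16) for _ in QUESTIONS]
    flow = ResetFlow(QUESTIONS, random_answers, max_attempts=5)
    return attack(flow, PUBLIC_FACTS), flow.locked


if __name__ == "__main__":
    print("weak flow:    ", weak_flow_result())      # (True, 25)
    print("hardened flow:", hardened_flow_result())  # ((False, 5), True)
```

The lockout alone is not enough: with only 48 plausible combinations, an attacker who can spread guesses over time or across sessions still gets in eventually. It is the random answers that close the hole, and a password manager is what makes random answers usable.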

*If you are a Gmail user (like myself) you can protect your entire mail session, not just the login, with 128-bit SSL encryption: log into your account, click "Settings" (top right-hand corner), scroll to the very bottom of the page, select the radio button next to "Always use https", then click "Save Changes" and you're done.
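Here is an added example, not from the post, of why that setting matters. It models what a passive observer on a shared network (an open Wi-Fi hotspot, say) sees in two constructed captures: a webmail page load sent over plain HTTP after an encrypted login, and the same page load with "always use https" turned on. The host name, cookie names and values, and the TLS record bytes are all made up for the example; the `classify` and `extract_cookies` helpers are mine.

```python
# Added example. The two "captured" payloads below are constructed byte
# strings, not real traffic; the host, cookies and ciphertext are invented.

# TLS record content types (RFC 5246 section 6.2.1); the first byte of a record.
TLS_CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                     0x16: "handshake", 0x17: "application_data"}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def classify(payload):
    """Cheap wire-format check: plaintext HTTP request, TLS record, or other."""
    if payload.startswith(HTTP_METHODS):
        return "http"
    # A TLS record starts with a content type byte followed by version 3.x.
    if len(payload) >= 5 and payload[0] in TLS_CONTENT_TYPES and payload[1] == 3:
        return "tls"
    return "other"


def extract_cookies(payload):
    """Return {name: value} for every cookie in a plaintext HTTP request.

    For a TLS record this is always {}: the observer sees only the record
    header, and the request inside it is ciphertext.
    """
    if classify(payload) != "http":
        return {}
    head, _, _ = payload.partition(b"\r\n\r\n")
    cookies = {}
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"cookie":
            for pair in value.strip().split(b";"):
                key, _, val = pair.strip().partition(b"=")
                if key:
                    cookies[key.decode()] = val.decode()
    return cookies


# Case 1: login happened over https, but the inbox itself loads over http, so
# the session cookie set at login rides along in the clear on every request.
PLAIN_MAIL_REQUEST = (
    b"GET /mail/inbox HTTP/1.1\r\n"
    b"Host: mail.example-webmail.test\r\n"
    b"Cookie: SESSION=a8f3c2e19b47d0; USER=jdoe\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"\r\n"
)

# Case 2: "always use https". The same page load is a TLS application-data
# record: 0x17, version 3.1 (TLS 1.0), length 32, then 32 bytes of ciphertext
# (constructed here as a counting pattern).
TLS_MAIL_REQUEST = bytes([0x17, 0x03, 0x01, 0x00, 0x20]) + bytes(range(32))


def observer_report(captures):
    """What a sniffer on the shared network learns from each capture."""
    return [(classify(p), extract_cookies(p)) for p in captures]


if __name__ == "__main__":
    for kind, cookies in observer_report([PLAIN_MAIL_REQUEST, TLS_MAIL_REQUEST]):
        print(kind, cookies or "(nothing readable)")
```

With the plaintext capture the observer has the session cookie and can replay it from his own browser until it expires, which is the "anyone with the right skills" scenario above. One caveat for site operators rather than users: forcing https in the client only helps if the session cookie also carries the Secure attribute; a cookie without it is still sent on any stray http link to the same domain, before the redirect to https happens.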