Learning From Sarah Palin’s Yahoo Mail Compromise

The password reset functionality of any online service is a major source of risk. It is especially problematic when it relies only on a “secret question” about personal information and is not tied back to another email account or a mobile phone number. That other account or phone number is something “out of band” from the direct transaction with the online service: a reset message goes to something only the account holder should be able to receive, not merely something the requester claims to know, which is what makes it a second factor.

When no alternate email account or cell phone number is tied to an account, online services often fall back on personal information, supposedly known only to the account holder, to verify identity and reset the password. The risk is that this personal information is often known to other people, and if the account holder is a public figure it may be trivially researched. Birthdays, pets’ names, home locations, schools, and life events can often be found online or guessed outright.

Paris Hilton’s T-Mobile account, and with it all of her Sidekick phone contents that were mirrored online, was compromised when someone “guessed” the answer to her secret question. The question was “What is your pet’s name?” and the answer, of course, was “Tinkerbell”, something easily researched. Most people don’t have their pet’s name online, but friends, family members, or perhaps an ex would know the answer. Using a pet’s name is a very bad security practice.

Now Sarah Palin, another public figure, has had her online account compromised because someone used the password reset functionality and guessed the answer to her secret question. The attacker describes how he found her personal information and guessed the answer in a post on 4chan.org:

rubico 09/17/08(Wed)12:57:22 No.85782652

Hello, /b/. As many of you might already know, last night Sarah Palin’s Yahoo was “hacked” and caps were posted on /b/. I am the lurker who did it, and I would like to tell the story.

In the past couple of days news had come to light about Palin using a Yahoo mail account; it was in news stories and such. A thread was started full of newfags trying to do something that would not get this off the ground; for the next 2 hours the acct was locked from password recovery, presumably from all this bullshit spamming.

After the password recovery was re-enabled, it took seriously 45 mins on Wikipedia and Google to find the info. Birthday? 15 seconds on Wikipedia. Zip code? Well, she had always been from Wasilla, and it only has 2 zip codes (thanks online postal service!).

The second was somewhat harder; the question was “Where did you meet your spouse?” Did some research, and apparently she had eloped with Mister Palin after college. If you’ll look at some of the screenshots that I took and other fellow anons have so graciously put on Photobucket, you will see the Google search for “palin eloped” or some such in one of the tabs.

I found out later through more research that they met at high school, so I did variations of that: high, high school, eventually hit on “Wasilla high”. I promptly changed the password to popcorn and took a cold shower…

Best practices for setting up the password reset functionality of any online service:

    1. Tie the account to another email account or cell phone number if that is an option. The service then sends an out-of-band message, which in essence makes the password reset a 2-factor authentication.
    2. Do not use personal information that can be guessed or researched as the answer to a secret question. Treat these answers like passwords: don’t use dictionary words, and add numbers or symbols. For example, had Sarah Palin used “Wasilla high 1964” or “!Wasilla high!”, it is far less likely it would have been guessed. Pick a scheme for modifying your secret answers so they aren’t guessable.
    3. Try resetting your own password and look for downgrade attacks that make the reset easier. Yahoo, for instance, lets the requester state that they don’t have access to the email address tied to the account, and then skips the password reset email. Since an attacker can make the same claim, the protection of the alternate account is eliminated, and the answers to the secret questions become all the more important.

Update 9/18/2008 2:44pm EST:

Google has a much more secure password reset function. The following is from the Google password reset page:

To initiate the password reset process, please follow the instructions sent to your secondary email address.

If you don’t have a secondary email address, or if you no longer have access to that account, please try the ‘Forgot your password?’ link again after five days. At that point, you’ll be able to reset your password by answering the security question you provided when you created your account.

To prevent someone from trying to break into an account you’re actively using, the security question is only used for account recovery after an account has been idle for five days. The Gmail team cannot waive the five day requirement or access your password under any circumstances.

If you’re unable to answer your security question or access your secondary email account, we regret that the Gmail team cannot provide further assistance. If you’re concerned about the security of your account, please visit our Security Center.

This makes it quite difficult to change the password if you are not the account owner, even if you know the answer to the secret question: the question path is only open against an account the owner has stopped using. Nice going Google!
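As an added example (not Yahoo’s or Google’s code, and not part of the original post), the following Python sketch puts the downgrade from item 3 of the best practices beside a hardened reset flow modelled on the Google behaviour quoted above: an out-of-band token is the primary path, the security question is accepted only for an account idle at least five days, question attempts are capped, and the answer is stored as a salted hash rather than plaintext. The account records, the five-day and five-attempt constants, the backup address and the secret answers are constructed assumptions; the guess list is the one the attacker describes. The last case uses a non-factual answer and shows that, once the idle-account question path opens, it is still only as strong as the answer itself.

```python
"""Password-reset policy sketch: the "no access to my backup email" downgrade
next to a hardened flow. Added illustration; all accounts, thresholds and
answers below are constructed assumptions, not any real service's data."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import List, Optional

IDLE_DAYS_FOR_QUESTION = 5   # assumed: mirrors the five-day idle rule quoted above
MAX_QUESTION_ATTEMPTS = 5    # assumed lockout threshold for the question path


def normalize(answer: str) -> str:
    """Case- and whitespace-insensitive so "Wasilla High" matches "wasilla high"."""
    return " ".join(answer.lower().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Store the secret answer like a password: salted, slow hash, never plaintext."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 100_000)


@dataclass
class Account:
    user: str
    secondary_email: Optional[str]
    salt: bytes
    answer_hash: bytes
    days_idle: int = 0             # days since the owner last signed in
    question_attempts: int = 0
    pending_token: Optional[str] = None


def make_account(user, secondary_email, answer, days_idle=0) -> Account:
    salt = os.urandom(16)
    return Account(user, secondary_email, salt, hash_answer(answer, salt), days_idle)


def check_answer(acct: Account, guess: str) -> bool:
    return hmac.compare_digest(acct.answer_hash, hash_answer(guess, acct.salt))


# --- Weak policy: the downgrade described in item 3 -----------------------
def weak_reset(acct: Account, *, claims_no_email_access: bool, answer_guess: str) -> bool:
    """Whoever is asking may simply assert they lost the backup mailbox and drop
    straight to the question. No idle check, no attempt counter."""
    if acct.secondary_email and not claims_no_email_access:
        return False   # service would mail a link; the attacker never takes this branch
    return check_answer(acct, answer_guess)


# --- Hardened policy ------------------------------------------------------
def issue_oob_token(acct: Account) -> Optional[str]:
    """Single-use token to be delivered out of band (delivery simulated here)."""
    if not acct.secondary_email:
        return None
    acct.pending_token = secrets.token_urlsafe(32)
    return acct.pending_token


def hardened_reset(acct: Account, *, token: Optional[str] = None,
                   answer_guess: Optional[str] = None) -> str:
    """Returns "reset", "denied" or "locked". Token first; the question only for
    an account the owner has stopped using, and only for a bounded number of tries."""
    if token is not None and acct.pending_token is not None \
            and hmac.compare_digest(token, acct.pending_token):
        acct.pending_token = None
        return "reset"
    if answer_guess is None:
        return "denied"
    if acct.days_idle < IDLE_DAYS_FOR_QUESTION:
        return "denied"          # account in active use: question path is closed
    if acct.question_attempts >= MAX_QUESTION_ATTEMPTS:
        return "locked"
    acct.question_attempts += 1
    if check_answer(acct, answer_guess):
        acct.question_attempts = 0
        return "reset"
    return "denied"


def demo() -> dict:
    """Run the attacker's guess list from the quoted post against both policies."""
    guesses: List[str] = ["high", "high school", "Wasilla high"]
    active = make_account("target", "backup@example.invalid", "Wasilla high")
    weak = weak_reset(active, claims_no_email_access=True, answer_guess=guesses[-1])
    blocked = [hardened_reset(active, answer_guess=g) for g in guesses]
    owner = hardened_reset(active, token=issue_oob_token(active))
    idle = make_account("target", "backup@example.invalid", "Wasilla high", days_idle=6)
    idle_guessed = [hardened_reset(idle, answer_guess=g) for g in guesses]
    fake = make_account("target", None, "I like rabbits", days_idle=6)   # non-factual answer
    maiden_names = ["Smith", "Jones", "Miller", "Brown", "Taylor", "Wilson"]
    fake_guessed = [hardened_reset(fake, answer_guess=g) for g in maiden_names]
    return {"weak_policy_attacker_wins": weak,
            "hardened_active_account": blocked,
            "hardened_owner_with_token": owner,
            "hardened_idle_researched_answer": idle_guessed,
            "hardened_idle_nonfactual_answer": fake_guessed}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running the script prints one line per scenario. The weak policy hands the attacker the account on the first researched guess; the hardened policy refuses every guess against the account while it is in use and lets only the token holder through. The idle cases are the caveat: the five-day rule and the attempt cap narrow the window, but a researched answer still falls on the third try, while a made-up answer exhausts the attempts and locks the path.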


Chris Eng | September 18, 2008 10:17 am

Regarding #2, another technique is to simply use fake answers, because it may be difficult to remember all those extra exclamation points.

For example, my credit card issuer doesn’t actually verify that my mother’s maiden name is what I say it is. They just enter it into the system. It’s nothing more than an extra password, with a contextual clue to help you remember it. If I tell Citibank my mother’s maiden name is Aitel, then for all intents and purposes, it is. Now, even if somebody digs up my personal information somewhere, they’re still out of luck.

Another tip is to select a customized secret question if given the option, and make it something completely nonsensical — nothing factual. For example, “What is the square root of my filing cabinet?” With the answer being “I like rabbits.” Don’t worry about re-using the answer repeatedly across different online services, the point is that nobody can look it up.

Peggy McGilligan | September 18, 2008 6:46 pm

While there’s no law per se against a private citizen gathering evidence, people do things everyday for which they might be held to account. Not that Governor Palin is among them. I’d expect to find nothing incriminating. Citizens do have rights though, the right to be secure in their papers among them. Due to the electronic medium, the Sarah Palin case should be groundbreaking. Here’s something for the less technologically inclined: whenever one’s cell phone is switched on, not necessarily making a call, just turned on, that even if it’s not a GPS enabled device, it emits a signal that anyone who knows your SIM card number may track with an array of inexpensive software. GOOGLE GPS tracking devices. The phone’s speaker can also be remotely activated for use as a listening device. Perhaps you’re wondering, as did I, how certain individuals seem to know your whereabouts, or manage to show up when and where they do. High tech and tech devices lend the good, the bad & the ugly a level of sophistication hitherto unimagined. Cell phone option: remove battery when not in use: http://theseedsof9-11.com
