Crimeware

Security

Sarah Palin goes the way of Paris Hilton

46 comments | 44I like it!
Tags: email, Paris Hilton, password reset, political phishing, Sarah Palin

Recent Posts

September 19, 2008, 11:15 AM —

Wednesday, it was reported that VP candidate Sarah Palin's Yahoo account was hacked by a perpetrator wishing to find incriminating information in her emails. It was not done using some strange computer security vulnerability. It was not done by guessing her password. It was done just in the same way as Paris Hilton's T-Mobile account was hacked some time ago: by guessing the answers to security questions. For Paris Hilton, it was the name of her dog. For Sarah Palin, it was her zip code, date of birth, and where she met her husband.

How hard is it to learn somebody's zip code? Not that hard. Try the whitepages. Date of birth? Easy for a public figure - try Google. This will take you less than a minute each. Now, we know that Sarah Palin and her husband were high school sweethearts. The answer to this question turned out to be "Wasilla High School". All in all, it took the Sarah Palin hacker less than 45 minutes to break into the account.

Whose fault was this?
Was it the fault of this unknown political hacktivist? In large part, yes. After all, it is a crime to try to break into somebody else's account.

Was it Sarah Palin's fault? Maybe she shares some of the blame. It wasn't too bright to pick these questions. One might hope for a little more caution from somebody who might one day be president. But average people shouldn't be expected to be security specialists to avoid being hacked.

Was it Yahoo's fault? Certainly they also share the blame. Their security questions were not very well chosen. But that doesn't make them unique: A recent Scientific American article describes how a Gmail account was hacked in a similar way.

How can email hacks be prevented?
Should we lie when asked security questions? Not a good idea. You need to remember the answer to the question. After all, you have supposedly already forgotten your password!

Should we write our own security questions? No, most people don't know what would be secure -- as demonstrated by Palin and Hilton, but scores of others,
too.

What is called for is better design of the questions by security professionals -- a subject I've covered in a recent Google Tech talk on Password Reset and this blog post: What is worse than reusing passwords?

I like it!

Email
Print
Share
- Slashdot
- Digg
- Stumble
- Reddit
- Newsvine

46 comments Add a comment

No maybe about the hacker

No maybe about the hacker being at fault. Locks are to keep honest people honest. Any lock can be picked, that's why we have laws. He/She/They should pay the price. Are you confused about who's at fault in rape cases, or is it a matter of degree?

by W. O'Neill (not verified) on 9/19/08 at 11:47 am | reply

I'll blame the hacking on

I'll blame the hacking on the hacker, but Palin really shouldn't be using a personal account for government business either...is she going to do the same thing as VP? Not what I would call improving national security.

by Mike (not verified) on 9/19/08 at 11:58 am | reply

So I guess if I get shot

So I guess if I get shot while walking down the street, it's my fault for being in the way of the bullet. You're a fraud. You are a lefty to the core, why don't you just admit it.

by Anonymous (not verified) on 9/19/08 at 12:00 pm | reply

View all comments »

peer-to-peer

Brian Proffitt
Microsoft/Novell: Breaking Down the Coupon Numbers

Esther Schindler
Drupal's Dries Buytaert on Building the Next Drupal

Tom Henderson
Top Ten General Operating Systems Rants

pasmith
PS3 motion controller delayed; goes up against Project Natal

sjvn
Neolithic Windows security hole alive and well in Windows 7

claird
Perl source code comparison makes for good reading

mikelgan
Cell phones don't create stress or interrupt much

Sandra Henry-Stocker
How to: The Unix Interview

Where Google Chrome security fails: the password
I heard mention that the Chrome OS will have some sort of encryption available a la bitlocker. If it's possible to encrypt personal data using another password or key, then it may have potential for very secure data.... And Ubuntu has an 'encrypt home directory' option, perhaps google should follow suit.
- Dann

Join the conversation here

The Daily Tip

Quick, practical advice for IT pros. Made fresh daily.

Hot tips:

Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.

Newsletters

Subscribe to ITWORLD TODAY and receive the latest IT news and analysis.

*E-mail address:

*Verify E-mail:

*Job Title:

*Industry:

*Company Size:

*Country

* State:

I would like to receive offers via email from ITworld partners.

By clicking submit you agree to the terms and conditions outlined in ITworld's privacy policy.

view all newsletters »

	Friends With Benefits: A Social Media Marketing Handbook Tips, tricks, and real-world case studies to help you increase your online visibility.Enter now!
	Ubuntu Unleashed 2010 Edition Detailed information on installing, using, and administering Ubuntu. Enter now!
	VMware vSphere 4 Implementation Best practices for deploying the vSphere product in real-world enterprise environments.Enter now!