Sarah Palin goes the way of Paris Hilton

By Markus Jakobsson

Wednesday, it was reported that VP candidate Sarah Palin's Yahoo account was hacked by a perpetrator wishing to find incriminating information in her emails. It was not done using some strange computer security vulnerability. It was not done by guessing her password. It was done just in the same way as Paris Hilton's T-Mobile account was hacked some time ago: by guessing the answers to security questions. For Paris Hilton, it was the name of her dog. For Sarah Palin, it was her zip code, date of birth, and where she met her husband.

How hard is it to learn somebody's zip code? Not that hard. Try the white pages. Date of birth? Easy for a public figure - try Google. Each of these will take you less than a minute. Now, we know that Sarah Palin and her husband were high school sweethearts, so the third answer was easy to guess as well: it turned out to be "Wasilla High School". All in all, it took the Sarah Palin hacker less than 45 minutes to break into the account.

Whose fault was this?
Was it the fault of this unknown political hacktivist? In large part, yes. After all, it is a crime to try to break into somebody else's account.

Was it Sarah Palin's fault? Maybe she shares some of the blame. It wasn't too bright to pick these questions. One might hope for a little more caution from somebody who might one day be president. But average people shouldn't be expected to be security specialists to avoid being hacked.

Was it Yahoo's fault? Certainly they also share the blame. Their security questions were not very well chosen. But that doesn't make them unique: A recent Scientific American article describes how a Gmail account was hacked in a similar way.

How can email hacks be prevented?
Should we lie when asked security questions? Not a good idea. You need to remember the answer to the question. After all, you have supposedly already forgotten your password!

Should we write our own security questions? No, most people don't know what would be secure -- as demonstrated not only by Palin and Hilton, but by scores of others, too.

What is called for is better design of the questions by security professionals -- a subject I've covered in a recent Google Tech talk on Password Reset and this blog post: What is worse than reusing passwords?
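To put the argument above in numbers, here is a small added example (my own illustration, not code from the original post or from the author) that models a reset flow as an attacker would see it: each question has a list of candidate answers ranked by how likely the attacker thinks each one is, and the site locks the account after a fixed number of wrong tries. The answer distributions below are constructed assumptions about what an attacker could learn from public sources, not data about any real person; the placeholder names, the 20,000-answer "well-designed" question, and the assumption that questions are independent are all mine.

```python
"""Added example (not from the original post): how guessable is a
security-question reset flow, given the attacker's candidate list for each
question and the site's attempt limit?

All distributions are constructed for illustration; the probabilities are
assumptions, not measured data about any real person.
"""
from math import prod


def uniform(n, prefix="answer"):
    """Constructed distribution for a question whose answer the attacker can
    only guess blindly among n equally likely values."""
    return {f"{prefix}{i}": 1.0 / n for i in range(n)}


# Attacker's candidate list per question for a public figure whose hometown
# and high school are public (constructed; every probability is an assumption).
PUBLIC_FIGURE = {
    # The hometown is public and has only a few zip codes.
    "zip_code": {"00001": 0.6, "00002": 0.3, "00003": 0.1},
    # The date of birth is in the target's public biography.
    "date_of_birth": {"1970-01-01": 1.0},
    # Known high-school sweethearts: the attacker tries spellings of the school.
    "where_met_spouse": {
        "Example High School": 0.5, "Example High": 0.2,
        "high school": 0.15, "Example": 0.1, "school": 0.05,
    },
}

# A question set whose answers are not discoverable from public data
# (constructed: each question has ~20,000 equally likely answers).
WELL_DESIGNED = {f"q{i}": uniform(20_000) for i in range(3)}


def success_probability(distribution, max_guesses):
    """Probability that the correct answer is among the attacker's best
    `max_guesses` guesses, trying the most likely answers first."""
    probs = sorted(distribution.values(), reverse=True)
    return min(1.0, sum(probs[:max_guesses]))


def reset_success(questions, max_guesses_per_question):
    """Probability of passing a reset flow that requires every question to be
    answered, with a lockout after `max_guesses_per_question` wrong tries per
    question. Questions are treated as independent (an assumption)."""
    return prod(success_probability(d, max_guesses_per_question)
                for d in questions.values())


def guesses_for(distribution, target):
    """Number of guesses before the attacker's cumulative success probability
    reaches `target`; None if the candidate list never gets there."""
    probs = sorted(distribution.values(), reverse=True)
    running = 0.0
    for i, p in enumerate(probs, start=1):
        running += p
        if running >= target - 1e-12:
            return i
    return None


if __name__ == "__main__":
    for cap in (5, 1000):
        print(f"lockout after {cap} wrong tries: public figure "
              f"{reset_success(PUBLIC_FIGURE, cap):.4f}, "
              f"well-designed {reset_success(WELL_DESIGNED, cap):.2e}")
    print("guesses to reach 90% on 'where met spouse':",
          guesses_for(PUBLIC_FIGURE["where_met_spouse"], 0.9))
```

The point the numbers make is that an attempt limit only buys security when the answer space is large: with a five-try lockout the constructed public-figure flow still falls with probability essentially 1, while the same lockout on the constructed well-designed set leaves the attacker at roughly 10^-11. A question whose answer is on the target's Wikipedia page has, in effect, no entropy at all, and no throttling policy can add any.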

45 comments

Anonymous 3 years ago
Not about hacking, but while we're on the subject of Paris Hilton, someone just emailed me this: http://givemeamillionparishilton.com/ Pretty funny. Pass it on!
Anonymous 3 years ago
It would appear that, like John McCain, Sarah Palin has very little Internet knowledge. Create a safe password and security question answers. Misspell words and/or use upper and lower case letters. Properly dispose of any paper documents with personal or government information. As a Governor, Palin should be aware of how to responsibly handle both private and public information.
Anonymous 3 years ago
Does Markus Jakobsson have any basis for asserting that the hacker was "wishing to find incriminating information in her emails"? This was a product of 4chan's /b/ community, and they are just as interested (if not more) in stirring up chaos as they are in actually exposing anything. So, why has this (literally) anonymous person been transformed into some "unknown political hacktivist"?
Anonymous 3 years ago
No, it's totally Palin's fault here. As a major public figure she needs to be more cautious about everything, from the way she looks to the way she conducts her business. Based on what I've been reading about this whole issue, and about Palin in general, she conducts her business in a very poor manner that isn't suitable for the office of VP, let alone for president (god forbid!). In an age where identity theft and cybercrime are on the rise we need leaders who at least can protect their e-mail accounts. Heck, we need leaders who are savvy enough to use the Internet at the very least. How are we, the 'regular' people, to feel safe in our own homes and with our own personal information when the people at the highest levels of our government can't even protect theirs?
Anonymous 3 years ago in reply to Anonymous
Oooohhh, sounds like a Palin hater. Would you feel the same if Obama got his hacked into? Or are we just jealous??? What do you recommend that she should have done to protect herself more from these low life criminals? Shouldn't that be the websites control? I hope they catch them and put them away, then you can waste your time consoling and supporting them in jail.
Anonymous 3 years ago
Surely, the 'hacker' is responsible for his actions; however, if she's to be a VP, don't expect anybody to go easy on her. I don't think America deserves such a reckless veep!
Anonymous 3 years ago
The first sentence referring to "Wannabe" expresses your article's remaining content. Also, a comparison between Palin and Paris Hilton: what does that have to do with security? The next time a writer from ITworld offers their opinion I hope politics isn't involved. Please don't print Wannabe advice and stick to the facts.
ITworld staff 3 years ago in reply to Anonymous
Thanks for the comment DD. The post has been edited and "wannabe" removed. But please don't let that oversight detract from Markus' point that the Sarah Palin email hack used the same technique as the Paris Hilton T-mobile hack. I invite you to re-read this post and some of his earlier posts about password reset. It is not trivial.
Anonymous 3 years ago
Why does no one try this angle, or even speculate that she might even want this account to be hacked, while she knows that there was not very much in these emails to incriminate her? She is a sly fox from Alaska that has two Yahoo accounts. Maybe there are more accounts we do not know about. She could use the government email servers, but she did not. Why?
Anonymous 3 years ago
As much as we'd all like to blame the hacker, the reality is that our data is at stake, and like physical security, the idea is to be harder to get in than the next guy. Here's how I accomplish that task:

1) Never use a real password for bogus accounts. Who cares if your Washington Post account is compromised -- it doesn't matter. Use bugmenot.com to share passwords for these annoyances. Also keeps people from potentially learning the passwords you use for your real account.

2) Security questions: do what the article says we shouldn't: use a bogus answer like Abraham Lincoln as your birthday. Spectacularly effective, but hard to remember. My strategy: use the same bogus answer (perhaps "qwertyuiop[]") and always choose the first question in the dropdown.

3) Use a password generator/manager like KeePass to generate and remember strong passwords for all your real accounts, and use absurdly difficult unlock questions (the Abraham Lincoln example above, but use randomly generated trash instead) for things like bank accounts etc.

4) Use pseudonyms for secure accounts, not your real name, not your email address, but something different. Some people like to use the name of a character from their favorite book, for example. Who would "guess" that my bank username is "gandalf"?

5) Use email encryption for sensitive emails. It's totally surprising to me that, despite good security for emails being quite standardized as S/MIME, practically nobody uses that technology to secure sensitive information.

6) Stay under the radar. Celebrities will always be attacked with a direct concerted effort. The rest of us are merely passively attacked -- if our accounts survive the first attack, the bad guy will just visit our proverbial next door neighbor.
Anonymous 3 years ago
I dig how all these mouth breathing rednecks quickly blame everything on "the left" and "the librul media!!!!!1" These are the same fuks who quickly blame hurricane survivors for their own plight (why didn't they leave when they had the chance?? Always waiting for their nanny-state to come save them! Let 'em suffer now! Next time, be prepared). Well, dumbfuks, time for the "self-reliant" crowd to own up to their own failures. Creationist Barbie was too stupid to not use a freaking webmail account for government e-mails? Then deal with the fallout.
Anonymous 3 years ago
Perhaps people wouldn't have a dubious attitude about hacking Yahoo! accounts if our leaders weren't so ethically challenged.
Anonymous 3 years ago
AGREE WITH LAST ANONYMOUS POST! AAAAH SHUTUP!!!!