September 19, 2008
Palin’s Emails, A Tale in Three Parts

Let's set the politics aside for a moment and just treat the whole episode as a security matter, which, by the way, seems to be buried by the general press, though the security blogs are having a field day.
The Event
A hacker accessed the email through essentially the front door. That is, he^ used Yahoo's 'forgot my account/password' feature to gain access. To improve his chances of success, some background references were used: name, places, jobs, children's names, etc. Using that information he narrowed the field greatly and did hit on the right password. Essentially a variant of the social engineering hack.
The hacker attempted to disguise his identity using an anonymizing service; Tor is an example of such a tool. His error, which he admitted when publishing the break-in, was that he only went through one level of veiling his identity. For the computer forensics guys at the FBI that's a quick break in the day's activities. Breaking in was not the end of it, however: this individual then posted the contents of some of those emails online and gave copies to Gawker Media as well.
The Consequences
The 'Person of Interest', as the Feds like to call suspects these days, has been identified. The variety of laws that may be applied to this individual are:
Alaska; SECTION 11.46.200. Theft of services. — Class A misdemeanor
Tennessee; Ironically TN does not appear to have a computer crime law on the books.
Federal; USC 18, Sec 1030, Unauthorized access. — Felony
Sec 1030, known as the CFAA, is an umbrella federal statute that typically encompasses all computer-related crimes. It performs, in a sense, the same role that the INA does for federal immigration rules. The hacker, if prosecuted, will probably be brought up on charges of trafficking in passwords on a stolen account. A novel approach for the DOJ might also be to invoke the national security provisions of the CFAA, as the governor is also the CIC of the Alaskan National Guard. But it is a slender reed, and intent would have to be proven.
Guess the best I can say is an old line from Hawaii Five-O — Book 'em, Danno.
The Conclusion
From a security angle, Palin goofed. As a matter of general principle, one should never use family names as part of a password. With the Internet it is far too easy to get the list of names of the members of the immediate family. I don't fault her for it; 80% of Americans are using easy-to-remember passwords that typically are made of a family name and some component of an address, social security number, etc. They aren't guarding atomic bomb plans, so they go for ease of use. But regardless, Palin WAS the victim.
The hacker goofed too. He should have covered his tracks better. Even more important, he should have just left well enough alone. A line from the closing moments of War Games is appropriate — "A strange game. The only winning move is not to play. How about a nice game of chess?"
So what to do? Well, realize that any system tied to the Internet is vulnerable, no matter how tight you make the security. But we all can make it considerably harder on the hacker. Think about this: I have watched security logs on many computers under attack. What is most interesting is that in about 3/4 of cases the attacker is running a script designed to try [common name]+[number] pairings. Only rarely do I see the reverse of that. So '1234Smith' is more secure than 'Smith1234' against any simple brute-force attack. Problem is, some security APIs don't accept leading numbers in a password! Irony, irony.
The solution, of course, is to not use dictionary names at all. Do use long passwords; more is better in this case. An excellent practice is to use a password generator in combination with a password wallet. A good password generator is here. It is provided by GRC, Steve Gibson's company. Thanks for the tool, Steve! Every time you hit the page a new set of passwords is offered. They are random hashes of varying types. You can use the entire string or part of the string as a password. Your choice. It is highly unlikely that a password-guessing program would hit on the sequence.
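To put numbers on the two paragraphs above, here is an added example (written for this commentary, not GRC's generator and not code from the original post). It flags the [common name]+[number] pattern in either order, since putting the digits first only defeats the laziest scripts; it estimates the guess space such a script has to cover; and it builds a random password from the operating system's CSPRNG and reports its entropy in bits. The surname list is a constructed stand-in for the much larger lists a real guessing script carries.

```python
import math
import re
import secrets
import string
from typing import Optional

# Constructed stand-in for the surname list a guessing script would carry;
# real lists run to tens of thousands of entries.
COMMON_NAMES = {"smith", "johnson", "williams", "brown", "jones", "miller", "davis"}

NAME_THEN_NUMBER = re.compile(r"^(?P<name>[a-z]+)(?P<digits>\d{1,6})$")
NUMBER_THEN_NAME = re.compile(r"^(?P<digits>\d{1,6})(?P<name>[a-z]+)$")


def name_number_pattern(password: str) -> Optional[str]:
    """Return 'name+number', 'number+name', or None for a password.

    Both orders are flagged on purpose: leading digits only defeat the
    laziest scripts, so a password policy should not accept them as a fix.
    """
    lowered = password.lower()
    for label, pattern in (("name+number", NAME_THEN_NUMBER),
                           ("number+name", NUMBER_THEN_NAME)):
        match = pattern.match(lowered)
        if match and match.group("name") in COMMON_NAMES:
            return label
    return None


def pattern_guess_space(name_count: int, max_digits: int) -> int:
    """Guesses needed to exhaust name + 1..max_digits digits in one order.

    Each name is paired with every 1-digit, 2-digit, ... max_digits-digit
    number, so the total is name_count * (10 + 100 + ... + 10**max_digits).
    """
    return name_count * sum(10 ** k for k in range(1, max_digits + 1))


# Printable ASCII minus space: 26 + 26 + 10 + 32 = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 16) -> str:
    """Draw each character independently from the OS CSPRNG via secrets."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy for a uniformly random string of the given length."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for candidate in ("Smith1234", "1234Smith", "x9#Kq2!mLp"):
        print(f"{candidate!r}: {name_number_pattern(candidate)}")
    # A script with 10,000 surnames and up to 4 trailing digits has a guess
    # space of about 2^27; a 16-character random string sits near 2^105.
    print("scripted guess space:", pattern_guess_space(10_000, 4))
    print("generated:", generate_password(16), f"({entropy_bits(16):.1f} bits)")
```

The contrast is the point of the post: even a generous 10,000-name list with up to four digits is roughly 2^27 guesses, while sixteen characters drawn uniformly from 94 symbols give about 105 bits, far beyond what online guessing can cover.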
[I should note that these passwords would not be safe from a password-cracking program where the hacker has physical access to the disk. But that is a whole other kettle of fish, beyond the scope of this discussion.]
I hear ya: "I can't remember that long string!" I agree, I couldn't either. That's where a password wallet comes in: you use a tool to keep the passwords for you. In Linux most distros come with a wallet installed (pwmanager, kwallet, etc.). For Windows, tools like Key Wallet and KeePass are available. These tools remember the string for you.
Using these two simple tools would eliminate 80% of most keyword-based password attacks on Internet accounts. If they had been used, this simple breach would have been avoided.
^A person has been identified as the perp. However, no charges have been filed, so we prefer not to spread rumors. It's innocent until proven otherwise.
Filed under Applications, Commentary, Security by Dr. Dog
Comments on Palin’s Emails, A Tale in Three Parts »
There is one place where Palin also erred that you omitted, which is that she was using a personal email account for state business, which is against her own policies.
Organizations often put a requirement for strong passwords or human intervention to get a new password in — these would have saved her becoming a victim at least in her *official* capacity.
I doubt if the State of Alaska’s email servers would have been quite so easy a nut to crack. At least I hope not!
Probably true, but I would note that 90% of the information that was exposed was personal data. Why is that?
Alles rund um Hack Angriffe » Blog Archive » Re: Yet another typical case of: - FBI raid after Army hack @ 11:03 pm
[...] But this is about the Army and not about your private home; matters of such sensitivity certainly belong in the public domain, after all they get their money from the state and therefore from us (or the [...]