Security Focus

What Was Your First Pet's Name? Lessons Learned About E-Mail Security

Last month a hacker gained access to Vice Presidential candidate Sarah Palin's personal e-mail account, gov.palin@yahoo.com. (Earlier Palin had refused to release the e-mail under a public records request.) Initial reports credited the attack to an anti-Scientology group, but, as the story evolved, that was debunked, and things now point to an individual acting alone. A detailed description of the complex claims and counter-claims can be found in Michelle Malkin's blog.

The FBI and Secret Service were quick to take action, seeking copies of the documents from the Associated Press (which refused) rather than Googling for the multiple sites that had them online. (I downloaded my copies from Wikileaks.) A Federal grand jury has indicted a Tennessee student for "intentionally accessing without authorization" Governor Palin's e-mail account.

The person claiming to be the hacker didn't use sophisticated techniques; he just made use of the password reset feature. Something any regular e-mail user could do. He claims he went to Palin's account, said that he had forgotten the password, and invoked the password reset feature. The only information he needed was her birthdate, zip code, and answer to the security question, where she met her spouse--which she had answered in front of several million people at the Republican convention.

That's how easy it was. No rocket science here. I remember being asked in the 1980s, when e-mail was just becoming widespread, "How do you know someone else isn't reading my mail?" My answer was, "You don't." My advice then was simple: "Don't put anything in e-mail that you wouldn't want to be made public."

The Rest of the Story
The whole episode has a number of interesting side stories. One is that shortly after the hack, Bill O'Reilly on Fox News characterized the sites that posted some of the contents as "despicable, slimy, scummy Web sites" and asked "why can't they go there tonight to the guy's house who runs it, put him in cuffs and take him down and book him?" In retaliation another group hacked O'Reilly's Web site, obtained a list of subscribers and their passwords, and released 20 of them to Wikileaks.org, a site for whistleblowers and hackers to leak documents.

Another side story is what the hacker found, or perhaps more importantly, what he didn't find. After sending excerpts from Palin's e-mail account to sites such as Wikileaks, the individual who claims the hack said that he deleted the contents from his own computer because of legal concerns. He has also posted "I read though the e-mails... ALL OF THEM... before I posted, and what I concluded was anticlimactic, there was nothing there, nothing incriminating, nothing that would derail her campaign as I had hoped, all I saw was personal stuff, some clerical stuff from when she was governor.... And pictures of her family." Since Palin's Yahoo e-mail account has been taken down, there is no way to verify the accuracy of his claim.

Lessons Learned
The vulnerability that enabled the Palin e-mail hack isn't likely to go away because e-mail providers have to balance user security with procedures for allowing a user to access their account when they have forgotten their password. The most common technique is to maintain a database of personal information such as name, gender, date of birth, country, and zip code, along with the answer to a "secret question." Unfortunately, the user is typically asked to choose from a short list of generic secret questions. The classic was, "What was your mother's maiden name." In the last few years the questions have gotten a bit more sophisticated, e.g. "where did you meet your spouse."

Since the Palin hack Yahoo has upgraded its secret questions to:

  • What is the name of your favorite musician?
  • What was the last name of your favorite teacher?
  • What was the last name of your best childhood friend?
  • What is the name of the hospital where you were born?
  • What is your main frequent flyer number?
  • What is the name of the street on which you grew up?
  • What is the name of your favorite book?
  • Who is your favorite author?
  • Where did you spend your childhood summers?

AOL, Hotmail, and Gmail ask similar security questions. So how easy would it be to answer questions like that for a relative stranger? Herbert Thompson, a software security expert, described how he did it in his article “How I Stole Someone's Identity” in Scientific American. (He first got permission from the person he hacked.) The short answer is that it may take some time, but isn't that hard.

What To Do: 3 Simple Rules
The irony is that there are three simple rules that can keep you or your users (or Governor Palin, for that matter) out of trouble:

  1. Don't use a personal e-mail account for business e-mail.
  2. Don't use a business e-mail account for personal e-mail.
  3. Don't put anything in e-mail that would exceed your embarrassment threshold if made public.

At this point I can hear "yes, but," and my response is just follow the rules. Yes, you may not be subject to mandatory record keeping, but why not be on the safe side and keep all your business dealings on your business account? Besides, it's neater. Yes, your employer may say it is okay to use your business account for limited personal use, but remember that she controls the server. Do you really want her to know about Aunt Polly's diabetes? Finally, some will argue that, if you encrypt everything, there isn't a problem--if you are willing to put up with the hassle of getting your golf partners to run encryption software to cater to your whim.

What To Do if You Can't Follow the 3 Simple Rules
If you are bound and determined to break the rules (and I confess to breaking them occasionally), you should take the following steps to avoid the "Palin Hack."

  1. If your e-mail provider allows you to reset your "secret question" and replace it with one of your own choosing (Gmail, for example), make sure you choose one that is easy to remember but that someone else is unlikely to figure out.
  2. If your e-mail provider allows you to reset your "secret question" but does not allow you to create your own secret question (Hotmail), consider giving a false or misleading answer. (That means lie.)
  3. If you aren't allowed to change your secret question (Yahoo), then consider changing personal information, such as gender or ZIP code. (Another lie.)

The problem with the last two strategies is that it is hard to remember a lie. It's helpful to devise a scheme that will allow you to consistently remember how you lied. For example, change the first letter in the correct answer to the next letter in the alphabet. Question: "What color are your eyes?" Answer: "Clue."
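The two "consistent lie" approaches side by side, as an added example that is not part of the original column: the first-letter shift described above, and, as my own suggestion beyond the column's scheme, a fake answer derived from the question text plus a personal secret with HMAC-SHA256. The small list of eye colors and the attacker simulation are constructed for the example; the point they illustrate is that a lie an attacker can reconstruct from the true answer (Blue to Clue) buys very little once the scheme is known, while a derived answer cannot be guessed from the true answer at all.

```python
import hashlib
import hmac
import string


def shift_first_letter(answer: str) -> str:
    """The column's scheme: move the first letter of the true answer one step
    along the alphabet ("Blue" -> "Clue", "zebra" -> "aebra"). Easy to remember,
    but trivially reversible by anyone who knows the real answer and the scheme."""
    if not answer or not answer[0].isalpha():
        return answer
    alphabet = string.ascii_lowercase if answer[0].islower() else string.ascii_uppercase
    shifted = alphabet[(alphabet.index(answer[0]) + 1) % len(alphabet)]
    return shifted + answer[1:]


def derived_answer(question: str, secret: str, length: int = 12) -> str:
    """Suggested alternative (not from the column): a consistent fake answer that
    is a function of the question and a personal secret. Same question and secret
    always give the same answer, so it is as memorable as the secret, but knowing
    the true answer tells an attacker nothing about it."""
    normalized = " ".join(question.lower().split()).encode()
    digest = hmac.new(secret.encode(), normalized, hashlib.sha256).hexdigest()
    return digest[:length]


def attempts_to_guess(target: str, candidates, transforms=(lambda s: s,)):
    """Simulate an attacker who tries each likely answer under each transform
    he knows about. Returns the attempt number on which the target is matched,
    or None if the candidate list never produces it."""
    attempts = 0
    for candidate in candidates:
        for transform in transforms:
            attempts += 1
            if transform(candidate).lower() == target.lower():
                return attempts
    return None


# Constructed list of likely answers to "What color are your eyes?"
EYE_COLORS = ["Brown", "Blue", "Green", "Hazel", "Gray"]
QUESTION = "What color are your eyes?"
SECRET = "example-secret-kept-outside-the-mailbox"  # assumption for the example

if __name__ == "__main__":
    true_answer = "Blue"
    shifted = shift_first_letter(true_answer)
    derived = derived_answer(QUESTION, SECRET)
    print("true answer guessed on attempt:", attempts_to_guess(true_answer, EYE_COLORS))
    print("shifted answer, attacker unaware of scheme:",
          attempts_to_guess(shifted, EYE_COLORS))
    print("shifted answer, attacker knows the scheme:",
          attempts_to_guess(shifted, EYE_COLORS, (lambda s: s, shift_first_letter)))
    print("derived answer, attacker knows the scheme:",
          attempts_to_guess(derived, EYE_COLORS, (lambda s: s, shift_first_letter)))
```

Whatever scheme you pick, the secret that makes the lie reproducible has to live somewhere other than the mailbox it protects, and some providers still restrict answer length or character set, so check the derived answer is accepted before you rely on it.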

But I still like my 1980s answer best---see Simple Rule No. 3.
