September 18, 2008 3:56 PM PDT

Social engineering cracked Palin's e-mail account

by Robert Vamosi

Details describing how someone hacked into Sarah Palin's Yahoo Mail account emerged on Thursday, and it appears to have been done with little more than social engineering, the process of acquiring personal information through social manipulation.

Meanwhile, the Knoxville News Sentinel is reporting that a 20-year-old University of Tennessee student has been contacted in connection with the federal investigation of the break-in. Further details are not known.

Since Tuesday, anonymous posters using a forum on the 4Chan.org Web site have been circulating password-protected zip files containing the contents of the now-deleted e-mail account once belonging to the Republican vice presidential candidate. Various posts to the /b/ board have also provided insight into how the hack was carried out.

Like most Web account services, Yahoo Mail provides an option to reset or recover one's user name and password. What is unclear is how the account recovery was rerouted from the alternative e-mail address chosen by Palin to a secondary e-mail address.

When Yahoo Mail prompted for Palin's birthday, one poster said it took only 15 seconds on Wikipedia to answer that question. When it prompted for ZIP code, Wasilla, Alaska, has only two ZIP codes. As for Palin's personal security question, "Where did you meet your spouse?", that did slow the process down. The poster claimed it took several tries but eventually hit upon the correct answer: Wasilla High.

Web mail accounts are not alone in using online security questions. In May Axiom, a Little Rock, Ark.-based data warehouse company, announced it was introducing a new biographical authentication service that asks online banking and e-commerce site users random questions based on their personal lives such as "How many fireplaces are in your current residence?" The answer can be obtained from any real estate Web site.
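The two weaknesses the article describes are answers that anyone can look up and a recovery flow that tolerated "several tries". The following is an added illustration, not code from CNET, Yahoo, or any vendor named above: a minimal model of a recovery-question verifier that stores answers hashed and salted, compares them in constant time, and locks the recovery flow after a small number of wrong answers so that repeated guessing is cut off and logged. The class and function names, the three-attempt threshold, the 15-minute lockout, and the guess list are all assumptions chosen for the example.

```python
"""Added example: a recovery-question verifier with attempt limiting.
Not CNET's or Yahoo's code; every name, threshold and sample value here
is an assumption made for illustration."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

MAX_ATTEMPTS = 3            # wrong answers tolerated before lockout (assumed policy)
LOCKOUT_SECONDS = 15 * 60   # how long the recovery flow stays locked (assumed policy)
PBKDF2_ROUNDS = 20_000      # kept modest so the example runs quickly


def _normalize(answer: str) -> str:
    """Case- and whitespace-insensitive matching: 'wasilla  HIGH' == 'Wasilla High'."""
    return " ".join(answer.lower().split())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store recovery answers the way passwords are stored: salted and stretched,
    never in clear text, so a database leak does not expose them."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", _normalize(answer).encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass
class RecoveryState:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0
    events: List[str] = field(default_factory=list)  # audit trail for alerting


class RecoveryVerifier:
    """Checks one account's security-question answer under an attempt budget."""

    def __init__(self, answer: str, clock: Callable[[], float] = time.time):
        salt, digest = hash_answer(answer)
        self.state = RecoveryState(salt, digest)
        self.clock = clock  # injectable so lockout expiry can be tested without sleeping

    def is_locked(self) -> bool:
        return self.clock() < self.state.locked_until

    def attempt(self, answer: str) -> str:
        """Return 'ok', 'wrong' or 'locked'. The lock is checked before the answer,
        so a locked account gives no signal at all, even for the right answer."""
        st = self.state
        now = self.clock()
        if self.is_locked():
            st.events.append(f"{now:.0f} attempt while locked")
            return "locked"
        _, digest = hash_answer(answer, st.salt)
        if hmac.compare_digest(digest, st.digest):
            st.failures = 0
            st.events.append(f"{now:.0f} recovery answer accepted")
            return "ok"
        st.failures += 1
        st.events.append(f"{now:.0f} wrong answer #{st.failures}")
        if st.failures >= MAX_ATTEMPTS:
            st.locked_until = now + LOCKOUT_SECONDS
            st.events.append(f"{now:.0f} LOCKED for {LOCKOUT_SECONDS}s; notify account owner")
        return "wrong"


def simulate_guessing(verifier: RecoveryVerifier, guesses: List[str]) -> List[str]:
    """Replay a list of guesses and return the verifier's verdict for each."""
    return [verifier.attempt(g) for g in guesses]


if __name__ == "__main__":
    # Constructed guess list: three misses, then the right answer arrives too late.
    guesses = ["Wasilla", "Alaska", "college", "Wasilla High"]
    v = RecoveryVerifier("Wasilla High")
    print(simulate_guessing(v, guesses))   # ['wrong', 'wrong', 'wrong', 'locked']
    print("\n".join(v.state.events))
```

With the lockout in place the fourth guess, although correct, is refused, and the audit trail gives the account owner and the provider something to alert on. The lockout only raises the cost of guessing; it does not fix the underlying problem that a birthday or ZIP code is public information, which is why the answer should be treated as a secret the user chooses rather than a fact about them.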

4Chan's "random" /b/ board is no stranger to controversy. In January, members waged an online media war against the Church of Scientology. Prior to that, the site popularized Lolcats, pictures of kittens with cute captions, and rickrolling, linking to videos of Rick Astley's 1987 song "Never Gonna Give You Up".

As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
by aardvark69 September 18, 2008 7:04 PM PDT
What's missing from the discussion is the contributory liability of the public official whose account is being hacked. The latest incident exposes the dual reason for laws requiring federal officials--such as the office of the executive, for example--to use only their government provided accounts for government business. Thanks to the sleaze that passes for the Republican Party these days, both federal and state officials treat such restrictions as "merely" rules that are only designed to impede their secrecy. Well, that's a part of the reason--public service should be transparent. But the other reason is the opposite--executive communications should be protected and Yahoo! accounts cannot do that. Does anyone recall what happened--quite justifiably--to John Deutsch when he used an unsecure computer and unsecured communication line to read his mail as the CIA director? There is a reason why these communications require additional security measures--and, for one, it is to assure that stuff like this does not happen. So, on one hand, these weasels don't want their mail public, contrary to law, but then they complain that the privileges that come with it disappear. Things that should not be public will not be released--that's why we have means for classifying and otherwise protecting information. But hiding information that should be available to the public because the perpetrators are ashamed of its contents (or, worse yet, are covering up illegal acts) should be--and often is--illegal. Two wrongs don't make a right and hacking the account does not solve the problem. But the account owner should be taken to task for the violations--for one, a court should sift through the hacked information and release the communications that should have been available under FOIA. It should not matter that the perpetrator is a sitting governor and a vice-presidential candidate--in fact, it makes the release of this information only more pertinent.
by daveandersen September 19, 2008 7:50 AM PDT
A couple of things to note here:
1) Republicans have not cornered the market on sleaze: please don't insult us by intimating that no Dem would ever be found using private email services to hide "sensitive" official communications
2) If Palin's Yahoo account had in fact been used for illegal or nefarious purposes, we would already be aware of that because press and/or Democrat reviewers would already be shouting about it. The fact that we've heard nothing is pretty good evidence that--at least within this account--nothing untoward was discovered.
3) Also not mentioned in this report is the fact that the college student is the son of a Democrat state representative in Tenn.
by gggg sssss September 19, 2008 2:05 PM PDT
cannot disagree. *** is a state governor doing using yahoo for official business? marketing sure, notices to fire staff - no. Aren't we paying their IT group enough to figure out Exchange? Then again, maybe this was not REAL govt business, just an account she happened to have.
by kuei12 September 18, 2008 8:05 PM PDT
Well spoken Aardvark
by HlLLARY CLITON September 18, 2008 8:17 PM PDT
typical liberal view,,,and typically stupid
by Rants&Raves September 19, 2008 7:22 AM PDT
Do you have any backing to provide for your position? Arguments, facts? Or do you just go around sending random insults without investing your own intelligence in the process?
by TSkeptic September 18, 2008 8:22 PM PDT
@aardvark69,

What a great rant! It is a pity that the facts don't back your emotion - as nothing problematic has come out of her account! There is no scandal, and no cover up. Even the "hacker" has admitted that he couldn't find anything to hang on her.

Are elected officials entitled to some private communications or not? Or is it only you who gets to hide behind an alias?
by aardvark69 September 19, 2008 10:26 AM PDT
Nice try. Elected officials are entitled to private communications--as long as these communications are not about official business or information that SHOULD be kept secret. Let's remember that we don't get automatic access to official communications--it's a result of FOIA process or something equivalent. Something that should be protected generally is. What these people want is to shield their communications from FOIA, i.e., from any scrutiny by the public, the media or the political opposition. This has nothing to do with privacy.

The claim that "nothing was found" is also rather dubious. Most of the downloaded information has not been released by the hackers. What we have is the evidence that the account has been hacked. The actual contents have been circulated in hacker circles. If they find something we may or may not hear about it. Not that it matters. My concern is not about the hidden wrongdoing, but the rather blatant disregard for the laws.
by ferretboy88 September 18, 2008 8:51 PM PDT
What about your rant about Charlie Rangel and his legal trouble in NY? I guess he is above the law. Of course all Democrats are out of bounds in the media. Bush owns all the voting machines so he will let McCain win. Knuckleheads.
by Rants&Raves September 19, 2008 11:50 AM PDT
This bugs me so much: the tendency of commentators here to insult people who think differently, to whitewash and label, out of bounds of what is even a tenable position. What is to be gained by the spreading of such anger and ignorance at differing thoughts? What goes on in your minds, and how easy it may be to turn your world views away from reality and towards a black & white view, just scares me.
by Cynicus September 18, 2008 8:56 PM PDT
There is no "greater good" argument that can be applied to this childish exploit. It was simply foolish and reckless and hurts the party it was intended to help. Way to go, idiots.
by dlcizvklwktgu September 18, 2008 10:55 PM PDT
I'm a little confused by this story. At what point was social engineering ever used? It sounds like the person who figured out the security questions did so on his own. This isn't social engineering, since by definition that involves getting information by interacting with other people.
by rcrusoe September 19, 2008 6:34 AM PDT
You're not confused. This hack had absolutely nothing to do with social engineering.
by mbenedict September 19, 2008 5:21 AM PDT
The attacker is rumored to be the son of a State Rep. Mike Kernell, D-TN.

Rush Limbaugh is going to have a field day about this.
by Perry_Clease September 19, 2008 5:51 AM PDT
It doesn't take much for Rush to have a field day.
by ddesy September 19, 2008 5:50 AM PDT
aardvark69 is right that two wrongs were committed. Those who say that Palin is in the clear using personal e-mail for government business are sadly mistaken and are clearly biased.
by rcrusoe September 19, 2008 6:32 AM PDT
It will be interesting to see how the law deals with the politically connected hacker. Especially since a Philadelphia TV news anchor is currently awaiting sentencing of up to 5 years in jail for doing exactly the same thing.
by O-Really September 19, 2008 8:27 AM PDT
Aardvark is right that public officials should not be breaking the rules in such a way, but he/she does not mention that the public official in question did no such thing! I suppose when you have an agenda to put forward you can't let facts stand in the way.
by aardvark69 September 19, 2008 11:37 AM PDT
http://government.zdnet.com/?p=4013
by gggg sssss September 19, 2008 11:43 AM PDT
social engineering involves humans - like calling the receptionist and asking for the boss's password because there is a security problem. Or like the phishing scams.

This is just defeating yahoo's crappy security infrastructure.

not that gmail or hotmail are any better
by JBSimmons September 20, 2008 4:27 AM PDT
I am afraid this student is going to prison. He should have thought long and hard BEFORE pulling this off. It was done with INTENT. Not as a social experiment. Usually one gets locked out after 3 wrong tries and has to call customer service. Yes, this is a crappy security interface. All my computers lock out after 3 wrong attempts at the password. Some, you have to wait 5 minutes in addition to try again. Just a power recycle won't do because the event is stored in static RAM memory and is checked. Some newer machines, especially the ones that store the boot password with the hard drive, will clear the hard drive after x attempts in y power-ups in succession. Yahoo! should have locked out the account after the 3rd try. Are they that stupid? Many times I have been stopped in the middle of things, asked my ID and password on my Yahoo! account while logged in. Sounds like they didn't do that either. Something has changed over there. I haven't been on in months because I can't stand the advertising on a 56K link. It's more extensive than most and very annoying on Yahoo! I won't touch Gmail either. IMHO, Microsoft, with its paid monthly account, provides me with the highest level of security since it stores what it needs in encrypted format on my hard drive. Plus the encrypted account names and passwords of my other places I need to login to. It does it for me automagically now as I navigate the websites. Nice feature, but you have to do it from the exact machine the encrypted stuff is on. Otherwise you're stuck doing each website manually as you go. Cannot do an image backup and restore of it to another machine because it does check the CPU serial number in the process and uses that in addition to the encryption key. At least Microsoft does their homework despite "patch Tuesdays".
by kaibelf September 22, 2008 7:29 AM PDT
Call it what it is. A moronic kid handed the Republicans an electoral cruise missile. As much as people want to whine, Palin, and everyone else in the nation, have every right to have email outside of their work account for personal, lawful use. She wasn't conducting any state business, so there's nothing there to speak of.

At the end of the day, the guy's on the hook for breaking into someone else's email account, the same as anyone else would be, politician or not. The excuses are flimsy, but the Republicans now can reasonably assert that certain Obama supporters exercise absolutely no restraint in their quest to smear people. Couldn't they just break into her home and look through her underwear drawer? That would have been about as classy.
by David Arbogast September 23, 2008 8:19 AM PDT
aardvark69 - your comment is irrelevant, uninformed, and politically biased. In short, it is completely worthless and is a waste of time to read.

What this article is lacking is a description of the crime committed by the hacker, and how they will be punished. There is zero "contributory liability" worth mentioning. The law was broken by a criminal. If your house was broken into tomorrow, I would not start a discussion about the blame you must accept. Grow up, and start to recognize that your over-zealous political bigotry is one of the biggest problems we have in this country today.
by Dylan_Wisor September 24, 2008 3:03 PM PDT
Oh please. There's no chance of this kid going to prison. Who seriously thinks a state lawmaker's son is going to jail over unauthorized access? Of a personal email account no less? (Belonging to a governor / vice-presidential candidate doesn't change that.)

I'm curious as to what Ms. Palin's password was before being changed. I'm sure it was nothing along the lines of BaTr89Ux. "kittens123" maybe?