A number of sources over the past day or so have been filled with the story of Sarah Palin's email account being broken into by Anonymous. While there is certainly a lot to be said about this in the political arena, I can't help but notice another really big story here that isn't getting much press. It goes well beyond a single politician and can touch all of us individually and personally, in ways that mean more to any one of us than an additional bit of fire in an already hot political furnace. That story is the security questions which are so ubiquitous for recovering forgotten passwords, and which, as we should all now be aware, pose a real security threat.
According to this report on Michelle Malkin's blog, the attack against Sarah Palin basically worked by using her security questions against her. Now, I take no position on whether or not this is how the attack actually took place, or on anything else her blog has to say. The bottom line is that it doesn't matter. The procedure, whether it was used against Palin or not, describes an actual attack that works against Yahoo users. I know because I set up a test account and tried it. With all that out of the way, here, finally, is the description:
After the password recovery was re-enabled, it took seriously 45 mins on Wikipedia and Google to find the info. Birthday? 15 seconds on Wikipedia. Zip code? Well, she had always been from Wasilla, and it only has 2 zip codes (thanks online postal service!)
The second was somewhat harder; the question was "where did you meet your spouse?" Did some research, and apparently she had eloped with Mister Palin after college. If you'll look on some of the screenshots that I took and other fellow anon have so graciously put on photobucket, you will see the Google search for "palin eloped" or some such in one of the tabs.
I found out later through more research that they met at high school, so I did variations of that: high, high school, eventually hit on "Wasilla high". I promptly changed the password to popcorn and took a cold shower…
Thus, our attacker was able to break into Palin's account using nothing but the password recovery feature and a little bit of research. And again, just to reiterate: even if you don't believe this is what happened to Palin, this procedure actually does work.
The good news for most of us is that we're not Sarah Palin, so the details of our lives aren't plastered all over a Wikipedia article. Regardless, the kinds of security questions usually asked are not all that hard to answer even for the average person. Some of the answers, like birthdays and your mother's maiden name, are part of the public record, and you can get them for anyone without much hassle. For the more "personal" details, like where you met your spouse, most of us wouldn't think twice about answering the question in casual conversation. In all, finding answers to these questions might be slightly out of range for a faceless hacker from Anonymous, but it should be well within the grasp of a less than ethical coworker with an axe to grind or a spouse who suspects some infidelity.
So how do we protect ourselves from the glaring security hole posed by Yahoo and other sites which use a similar type of password recovery scheme? The best thing to do is to take Bruce Schneier's advice and fill the security answer box with as much randomness as possible. Thinking perhaps a bit more practically, our security answer should be something at least as strong as our password, with the security question acting as a prompt to help us remember the thought process we used to create the answer. At the barest of minimums, your security answer should be something you would never say if you were answering the question in conversation.
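To make the "at least as strong as your password" advice concrete, here is an added example (not code from the original post or from Yahoo) that puts numbers on the two kinds of answer. The candidate list is a constructed, hypothetical set of spellings of the kind an attacker assembles from public facts, echoing the "Wasilla high" search above; the case-folding and whitespace-stripping normalisation is an assumption about how a recovery form compares answers, not documented Yahoo behaviour.

```python
import math
import secrets
import string

# Constructed for illustration: a small candidate set built from public facts,
# in the spirit of the "high, high school, Wasilla high" guessing described above.
# These spellings are hypothetical, not a list taken from the original post.
GUESSABLE_CANDIDATES = [
    "wasilla high", "wasilla high school", "wasilla", "high school", "high",
    "wasilla hs", "whs",
]

# Printable ASCII letters, digits and punctuation: 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def normalise(answer):
    """Assumed recovery-form comparison: case-insensitive, outer whitespace ignored."""
    return answer.strip().lower()


def guess_space_bits(candidates):
    """Entropy, in bits, of an answer the attacker knows lies in `candidates`."""
    return math.log2(len({normalise(c) for c in candidates}))


def random_answer_bits(length, alphabet=ALPHABET):
    """Entropy, in bits, of `length` symbols drawn uniformly from `alphabet`."""
    return length * math.log2(len(alphabet))


def generate_security_answer(length=24, alphabet=ALPHABET):
    """A random answer to paste into the form and keep in a password manager.

    The security question then serves only as a label for which stored
    secret to look up, never as a hint that a stranger could act on.
    """
    return "".join(secrets.choice(alphabet) for _ in range(length))


def is_guessable(answer, candidates=GUESSABLE_CANDIDATES):
    """True if the answer falls inside the attacker's research-derived candidate set."""
    return normalise(answer) in {normalise(c) for c in candidates}


if __name__ == "__main__":
    print(f"researched answer: ~{guess_space_bits(GUESSABLE_CANDIDATES):.1f} bits")
    print(f"random 24-char answer: ~{random_answer_bits(24):.0f} bits")
    print("'Wasilla High' guessable:", is_guessable("Wasilla High"))
    print("generated:", generate_security_answer())
```

The point of the comparison is that the true answer to a question like "where did you meet your spouse?" lives in a space an attacker can enumerate by hand in minutes, while a generated answer is as costly to guess as a good password; the trade is that you must store it somewhere, which is exactly what a password manager is for.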
In the longer term, I feel it falls to the web development community to find a better way to recover forgotten passwords. Many sites these days actually do improve on the model by refusing to hand out login credentials through the web browser at all, instead forcing users to check a pre-arranged email address (usually the one entered during account registration) in order to retrieve their password. While these systems also suffer from weaknesses, they present a much tighter security situation than the wish-it-was two-factor approach used by Yahoo and the like.
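As an added example of the email-based recovery the previous paragraph prefers (this is illustrative code written for this page, not any site's actual implementation), here is the server-side half of such a flow. It departs from the paragraph in one deliberate way: rather than mailing the password itself, it mails a one-time reset token, which is the usual way to build this today. The store keeps only a hash of each outstanding token, so a leaked database does not yield usable reset links; tokens expire and are consumed on first use. The `ResetTokenStore` class, the fifteen-minute lifetime and the injectable clock are all assumptions of this example.

```python
import hashlib
import secrets
import time

# Assumed lifetime for a reset link; short enough that a token found later
# in a mailbox or a log is useless.
TOKEN_TTL_SECONDS = 15 * 60


class ResetTokenStore:
    """Hypothetical server-side store for outstanding password-reset tokens.

    Only SHA-256 hashes of tokens are kept; the raw token goes exclusively
    into the e-mail link sent to the pre-arranged address.
    """

    def __init__(self, now=time.time):
        self._now = now          # injectable clock, so expiry can be tested
        self._pending = {}       # token_hash -> (user_id, expires_at)

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id):
        """Create a fresh token for `user_id`; return it for inclusion in the e-mail."""
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, URL-safe
        self._pending[self._hash(token)] = (user_id, self._now() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token):
        """Return the user id if `token` is known and unexpired, else None.

        The entry is removed on any attempt, so a token is single-use and an
        expired one cannot be retried later.
        """
        entry = self._pending.pop(self._hash(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._now() > expires_at:
            return None
        return user_id


if __name__ == "__main__":
    store = ResetTokenStore()
    link_token = store.issue("alice")
    print("mail this to alice's registered address:", link_token)
    print("first redeem:", store.redeem(link_token))   # alice
    print("second redeem:", store.redeem(link_token))  # None, already used
```

Lookup is by hash, so the server never compares raw tokens, and a forged token maps to an unpredictable hash that simply misses the table. What this design does not fix is the weakness the paragraph alludes to: whoever controls the registered mailbox controls the account, which is why that mailbox in turn must not be recoverable through guessable security questions.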
And so, I hope that when the dust settles and the political circus moves on to the next town, everyone will stop to take a serious look at the very real security weaknesses exposed by the release of Sarah Palin's email. After all, while it may not make national news when an average person gets hacked this way, I can almost guarantee that that average individual will care a lot more about their personal information getting spread around the office (or divorce court) than about anything Palin had to write.