Thursday, September 18, 2008

How Sarah got her hack on

When McCain chose Palin as his running mate, the US Secret Service descended upon her home in Wasilla, Alaska. They set up a perimeter around her house with 24-hour surveillance. They set up alarm equipment. They might've installed bulletproof windows.

But they ignored her computer.

And she got hacked.

The news reports speak about shadowy cabals of hackers performing mysterious rites to break into her computer. It was much simpler than that. Her "secret question" for resetting a lost password was "Where did you meet your spouse?". The secret answer was an easily guessed "Wasilla high".

The "hacker" saw the e-mail address "gov.sarah@yahoo.com" appear in a Washington Post story about the Governor. He tried the password recovery tool and found the question. He googled for information about the answer. After a few tries like "high school" he finally got the right one, "Wasilla high".

This is an obvious flaw that most people have with their accounts. Look at your friends' e-mails from services like Yahoo and Google. Go to the logon page, click on something about a "lost password", and check out their secret question. Chances are good that you can figure out the answer. Checking out their question isn't illegal, but successfully guessing the answer might be.

This was how Paris Hilton got her account hacked. Her secret question was "What's your favorite pet's name?". The answer, Tinkerbell, was prominently in the news, so pretty much everyone knew the secret answer.

After calling the Secret Service to get them to protect the VP nominee, the first thing McCain should have done is call a cybersecurity consultancy (like Errata Security) to protect her computer and online accounts. Fixing the "secret question" would have been the first thing we did. This would be followed by changing all her passwords, especially fixing the fact that she probably uses the same password for all her accounts. Next, we would have fixed her home network, especially the insecure WiFi setup she probably has. We would have scanned her computer to see if it was already infected with malware/bots, and then reconfigured her (and her family's) computers so that they couldn't accidentally be infected. We would have made sure that all appropriate data was encrypted, and that she could access her accounts in an encrypted fashion (to avoid pesky things such as Sidejacking). Depending on how paranoid the campaign wanted us to be, we probably would have just backed up everything and wiped all her computers and rebuilt them from the ground up to be secure.

We also would have educated her on cybersecurity. The reason that Gov. Palin was using Yahoo mail to begin with is probably because she found it inconvenient using the VPN software to logon to her office e-mail. We see that a lot in business: people use private e-mail services like Yahoo and Gmail to carry out corporate activities because they are annoyed with how their own computer staff have things set up. Yet, your computer people set things up this way precisely because there are obvious things that hackers can do to break into your data, such as guessing a poorly chosen "secret" question.

It would be harsh to judge Gov. Palin as being stupid about cybersecurity. The risks she chose could be appropriate for a private citizen not in the spotlight. However, those risks changed the moment she became a VP candidate - her cybersecurity was not adequate to defend against the heightened hacking threat.

BTW, most of us at Errata Security are a bit to the right of the political spectrum. Go McCain/Palin!

PS: Yahoo Mail will give your secret question to anybody who asks for it. Gmail will only give out your secret question after 5 days of inactivity on the account. Yet again this shows why Gmail is more secure than Yahoo Mail.

8 comments:

Tyler said...

No, it is not that simple. It's not "give the right answer and you're in." To abuse the password recovery feature, the attacker also needs to access the password recovery link that's sent to the alternate email address associated with the account. That detail in this particular attack is still a mystery.

Robert Graham said...

If there is no alternate e-mail address associated with the account, the password recovery feature allows you in.

Andi Baritchi said...

Aw, c'mon, you're not giving Yahoo enough credit. They at least ask for the victim's zip code! ;-)

Cheers,
Andi

PS great meeting y'all at DefCon.

Jim Manico said...

This article missed the key security vulnerability that led to the Palin hack. The problem was not just the quality of questions for password reset. The problem was a combination of:

1) If an attacker answers the password reset question correctly, and the victim has no secondary email account attached to their Yahoo account, the attacker is automatically authenticated to the victim's account.
2) Palin did not have a secondary email address attached to her Yahoo account.
3) Once the attacker answered Palin's foolishly simple forgot-password security questions, they were immediately granted access to the account.

No moose meat for you!
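As an added example that is not part of the post or of any comment, here is a model of the recovery flow described in the post and in Jim Manico's comment: the weak policy (a correct answer alone resets the account when no alternate address exists) next to a hardened one that treats the answer only as a gate to an out-of-band token and locks out repeated wrong guesses. The account fields, the attempt limit and the sample addresses are constructed assumptions.

```python
# Added example (not from the post or from Errata Security): a model of the
# password-recovery flow described on the page. All names are constructed.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_FAILED_ATTEMPTS = 3  # assumed lockout threshold

def _normalize(answer: str) -> str:
    # Recovery answers are typically compared case- and whitespace-insensitively,
    # which is part of why a public fact like "Wasilla high" is so easy to hit.
    return " ".join(answer.lower().split())

def _digest(answer: str) -> bytes:
    return hashlib.sha256(_normalize(answer).encode()).digest()

@dataclass
class Account:
    answer_hash: bytes
    alternate_email: Optional[str] = None
    failed_attempts: int = 0

def make_account(secret_answer: str, alternate_email: Optional[str] = None) -> Account:
    return Account(_digest(secret_answer), alternate_email)

def recover_weak(acct: Account, answer: str) -> str:
    """Policy the post and comments describe: a correct answer with no alternate
    address logs the requester straight in ('reset'); the question is the only gate."""
    if hmac.compare_digest(acct.answer_hash, _digest(answer)):
        return "mailed-link" if acct.alternate_email else "reset"
    return "denied"

def recover_hardened(acct: Account, answer: str, outbox: List[Tuple[str, str]]) -> str:
    """Hardened policy: the answer never suffices on its own. It only unlocks a
    one-time token sent to a pre-registered channel, wrong guesses are counted and
    locked out, and an account with no such channel gets no self-service reset."""
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        return "locked"          # repeated guessing is also the signal to alert on
    if acct.alternate_email is None:
        return "manual-review"   # nothing out-of-band to verify against
    if not hmac.compare_digest(acct.answer_hash, _digest(answer)):
        acct.failed_attempts += 1
        return "denied"
    outbox.append((acct.alternate_email, secrets.token_urlsafe(16)))
    return "mailed-link"
```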

Marisa Fagan said...

Update:
"Palin Hacker's IP Address Linked to University of Tennessee Dorm Room"

http://www.crunchgear.com/2008/09/22/palin-e-mail-hacker-traced-to-university-of-tennessee-dorm/

"Palin Hacker" is a funny name because you'd think that it would be a hacker of the Lawful Good alignment. Must be a newb.

jbmoore said...

Don't you mean you were McCain/Palin supporters? Bush's missteps have just about sunk the GOP this election year. If the financial mess had waited 3-4 months, they'd have a chance, but after this Wall Street meltdown, chances are slim. The NYT has a blog entry about risk analysis management and how Goldman Sachs didn't mess with their models so they were warned when trouble was coming. The others essentially removed or altered the software such that it wouldn't set off alarms - kind of like an IDS being tuned not to go off. All this mess proves is that poor management can do more damage than malicious external or internal threats, whether it be public or private sector.

http://bits.blogs.nytimes.com/2008/09/18/how-wall-streets-quants-lied-to-their-computers/?em

Robert Graham said...

Don't you mean you were McCain/Palin supporters?

McCain has been declared dead numerous times already during this campaign. In any case, his chances don't affect my desire that he wins.

Bush's missteps have just about sunk the GOP this election year.

You mean unpopularity, not missteps.

The NYT has a blog entry about risk analysis management and how Goldman Sachs didn't mess with their models so they were warned when trouble was coming. The others essentially removed or altered the software such that it wouldn't set off alarms - kind of like an IDS being tuned not to go off.

The corollary is that most employees do not know how the computers work. Most traders do not understand how risk models work. Security engineers do not really know how IDS or firewall products work. When things go bad, it is usually obvious to those who DO know how these things work.

I remember when major worms like Slammer and Blaster hit. People asked "how could this happen, we had the latest firewalls??!!". I don't know how to answer that question because it's so obvious.

Pattrick said...

Hi!
What Jim Manico said in relation to the hacking of Palin's mail is right. Surely, in order to save our email from being hacked, we need to set the security questions very carefully. Further, an alternative Yahoo account can save us from this chaos.