The Tech Herald

Palin hack highlights important e-mail risks

by Steve Ragan - Sep 22 2008, 11:14

A recent e-mail hijacking offers an example of why "secret" questions fail.

The recent release of private e-mails from VP nominee Sarah Palin serves as a live example of some of the risks involved in using web-based e-mail accounts. Still, as demand for online services grows, the e-mail offerings from Yahoo, Google, and Microsoft account for a huge share of the services people use. After all, who doesn’t have a Gmail or Yahoo account these days?

So how can you protect yourself from ending up like Palin? To answer that question, you have to understand how accounts like Palin's and Paris Hilton's were cracked and their contents released. In both cases, the accounts were compromised through the password reset feature, not by guessing or stealing the password itself.

Most e-mail providers offer a service that resets or retrieves the password should you forget it. Since news of the attack on Palin’s account broke, several media organizations have tested the security of this password retrieval system. All of them point out that it has flaws, yet none appear ready to offer answers or fixes.

Flaw: The password reset options offered by Google, Microsoft, and Yahoo provide only a limited level of security. An attacker needs to know only the username on the account and the answers to a few trivial confirmation questions; no knowledge of the password itself is required.

Examples of this 'secret question' layer of defense include 'pet name' and 'high school name', as well as other seemingly obscure questions such as 'make and model of first car'. Another horrid example, still commonplace to this day, is the use of a mother’s maiden name.

Fix: The fix for this flaw comes in two parts. The first is for developers, and the second would be for the end user.

First, developers need to do away with the common list of 'secret questions' and build a system that makes the user pick their own question and answer. Banks already do this, but there needs to be an extra level where the site checks the user's question against the common questions and their basic variants, and refuses the pair if it matches. This means no more pet names, no questions about your honeymoon or where it was spent, no maiden names, and no easily obtained personal information.

This fix on the developer side would remove the social engineering avenue used against both Paris Hilton and Sarah Palin. In both cases, common 'secret' questions were offered during the password reset step, and with a little research or knowledge of the target, the answers were easily found. In the Hilton case, a few years back when her account was compromised, the answer to the reset question was the name of her dog, Tinker Bell: a pet name that anyone who watches celebrity shows would have known without a second thought.
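As an added illustration of the developer-side fix (example code written for this article, not anything Google, Microsoft or Yahoo shipped), the check below refuses a user-chosen question that falls under a common, easily researched topic, including simple rewordings of it, and refuses answers that are too short to be a sentence or that merely repeat data already in the account profile. The topic list, the length thresholds and the PROFILE record are constructed assumptions for the example.

```python
import re
import unicodedata

# Policy check for a "pick your own secret question" reset flow.
# Constructed for this article; the topic list and thresholds are
# illustrative choices, not any provider's actual rules.

# Topics whose answers are public record or sit on a social-media profile.
# A question is refused when its normalized tokens contain every keyword
# of any topic, so rewordings such as "Name of your first pet?" still match.
BLOCKED_TOPICS = {
    "pet name": {"pet"},
    "pet name (dog)": {"dog"},
    "pet name (cat)": {"cat"},
    "mother's maiden name": {"maiden"},
    "high school": {"high", "school"},
    "first car": {"first", "car"},
    "honeymoon": {"honeymoon"},
    "place of birth": {"born"},
    "birthday": {"birthday"},
    "favorite color": {"favorite", "color"},
    "favourite colour": {"favourite", "colour"},
    "hometown": {"hometown"},
}

MIN_ANSWER_CHARS = 20   # force a sentence, not a single word
MIN_ANSWER_WORDS = 4

# Constructed account profile: data the site already holds and an attacker
# can usually find anyway, so an answer must not simply repeat it.
PROFILE = {"name": "Pat Example", "city": "Springfield, Illinois", "birth_year": "1975"}


def tokens(text):
    """Normalize text to a set of lower-case ASCII words.

    Accents are stripped, apostrophes dropped ("pet's" -> "pets"), other
    punctuation becomes whitespace, and a trailing "s" is removed from
    words longer than three letters ("pets"/"dogs" -> "pet"/"dog").
    """
    text = unicodedata.normalize("NFKD", text)
    text = "".join(c for c in text if not unicodedata.combining(c)).lower()
    text = text.replace("'", "").replace("\u2019", "")
    words = re.sub(r"[^a-z0-9]+", " ", text).split()
    return {w[:-1] if len(w) > 3 and w.endswith("s") else w for w in words}


def blocked_topic(question):
    """Return the name of the blocked topic the question falls under, or None."""
    q = tokens(question)
    for name, keywords in BLOCKED_TOPICS.items():
        if keywords <= q:
            return name
    return None


def profile_tokens(profile):
    """Tokens from every profile field, ignoring very short ones ("is", "of")."""
    out = set()
    for value in profile.values():
        out |= {t for t in tokens(value) if len(t) >= 3}
    return out


def answer_problems(question, answer, profile):
    """Reasons to refuse the answer; an empty list means it passes."""
    problems = []
    if len(answer.strip()) < MIN_ANSWER_CHARS or len(answer.split()) < MIN_ANSWER_WORDS:
        problems.append("answer too short: use a full sentence")
    a = tokens(answer)
    leaked = a & profile_tokens(profile)
    if leaked:
        problems.append("answer repeats profile data: " + ", ".join(sorted(leaked)))
    if a and a <= tokens(question):
        problems.append("answer is just words from the question")
    return problems


def validate_reset_qa(question, answer, profile):
    """Apply the whole policy. Returns (accepted, list_of_reasons)."""
    reasons = []
    topic = blocked_topic(question)
    if topic is not None:
        reasons.append(f"question is a common guessable topic ({topic})")
    reasons.extend(answer_problems(question, answer, profile))
    return (not reasons, reasons)


if __name__ == "__main__":
    cases = [
        ("What is the name of your pet?", "Tinker Bell"),
        ("What is your mother's maiden name?", "Smith"),
        ("What is the name of your doctor?", "She practices in Springfield near the lake"),
        ("What is the name of your doctor?",
         "Her name is actually the name of the city where she was born."),
    ]
    for q, a in cases:
        ok, why = validate_reset_qa(q, a, PROFILE)
        print("ACCEPT" if ok else "REFUSE", repr(q), repr(a), why)
```

Running the script shows the first three pairs refused with their reasons and the sentence-style answer accepted. Two caveats the check does not cover: the accepted answer should then be stored the way a password is, salted and hashed rather than in clear text, and reset attempts should be rate limited, since removing guessable questions does nothing against an attacker who may guess without limit.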

Second, for the end user, the fix depends on the choices offered by the e-mail provider. If you can pick your own question and answer, that is the best bet. Make the question and answer something that no one else knows, and that would never appear on a personal blog, a Facebook or MySpace profile, or outside a close circle of family and friends.

For example, the question could be the name of your personal doctor. This will stop many of the guessing attacks on the system and offer a stronger level of protection. Moreover, the answer should be a full sentence rather than the single word the question seems to call for, and it should use all of the space the form allows when signing up for the account. The answer is, in effect, a second password, and it should be as hard to guess as one.

Q: What is the name of your doctor?
A: Her name is actually the name of the city where she was born.

What if you cannot pick a personal question and have to choose from the offered questions? The fix here is also simple: lie. Lie through your teeth, pick a question, make the answer the same kind of sentence you would use if you had written the question yourself, and stick to this lie.

Make the answer the same no matter which pre-selected question you choose. If the question is 'What is the name of your dog?', the answer could still be 'Her name is the name of the city where she was born.' Likewise, the same answer could be used for the question about your mother’s maiden name. The question then serves only as a prompt; the real secret is the sentence, which nothing on your public profile can reveal.

Will this give you the ultimate level of protection? No, but it is better than what is presently available to you, and it is an improvement until developers come up with something better.

Another mitigation for this particular risk is to leave nothing personal or sensitive in your e-mail account: no banking or business details, and nothing you would be bothered by if someone else read it.

While having your e-mail account hijacked would certainly be bad news, at least you won’t have to explain to your spouse or boss why you had sensitive information on your account.
