
What Palin's Hacked E-Mail Reveals: System Insecurity


VP candidate Sarah Palin's personal e-mail has been cracked open and some of its contents published on the Web. Her private Web mail account was likely a clear target for hackers because of her high profile, not to mention allegations that she used private e-mail for official business as governor of Alaska. However, security should be a priority for all e-mail users, famous or otherwise.


Alaska Governor and vice presidential candidate Sarah Palin received a harsh lesson in the relative security, or rather lack thereof, of commercial e-mail accounts Wednesday. The GOP hopeful for VP discovered her personal Yahoo (Nasdaq: YHOO) e-mail account, on which she allegedly conducted official state business as governor of Alaska, had been hacked by activists associated with the group Anonymous.

The break-in was reported by Wikileaks.org Tuesday after hackers gained access to Palin's gov.palin@yahoo.com account and provided contents from that account to the Web site. The information includes some family photos, a list of contacts and e-mails.

The e-mails included a draft to California governor Arnold Schwarzenegger, another concerning nominations to Alaska's state court of appeal and others dealing with the Alaska Department of Public Safety, according to Wikileaks.

Presidential candidate John McCain's campaign manager issued a statement Wednesday condemning the break-in, calling it a "shocking invasion" of Palin's privacy and a "violation of law."

Hacking into an e-mail account is a crime, and the Federal Bureau of Investigation is investigating the incident.

Password Protection

Palin's Yahoo e-mail accounts, gov.palin and gov.sarah, both had reportedly been canceled on Wednesday; however, the incident highlights the fact that Web-based e-mail accounts are only as secure as the passwords their owners create.

"If, for instance, a user chooses a weak password -- like a dictionary word or the name of their pet dog -- then it can be easily compromised," Graham Cluley, senior technology consultant at Sophos, told TechNewsWorld.

Using a single factor for authentication is a well-known weak spot, said Matt Shanahan, senior vice president of AdmitOne Security.

"Phishing, social engineering and password guessing have become commonplace for defeating the password alone. Regulations mandate deeper protections for consumers in financial services, but nothing exists for consumer e-mail accounts. In this case, obscurity may be the best defense," he told TechNewsWorld.

The most likely way for hackers to break in to a Web-based e-mail account is through passive social engineering, said Terrence Brewton, a Foster & Sullivan analyst.

"Basically, Yahoo and Hotmail accounts are notorious for being hackable. Most use very simple passwords. If a hacker wants to get into a particular account, they can do so passively or directly," he told TechNewsWorld.

A hacker can break in passively by simply doing a little background research on the person, looking up a child's birthday, an anniversary, or anything that could help them determine a possible password, Brewton noted.

"A lot of people use something they'll remember as a password. But those are often the easiest for hackers to figure out," he said.

The fact that many e-mail hosts offer users the ability to easily recover access if they forget a password only adds to the problem, Cluley noted.

"For instance, a Web e-mail service may ask you to confirm what the name of your favorite pet is or your mother's maiden name in order to gain access to an account that you are locked out of. Hackers can easily find out such information and use it to gain access to your personal e-mails, schedules and photographs and potentially commit identity theft," he explained.

Dot-Gov Security

On Sunday, The New York Times reported on Palin's usage of personal e-mail accounts to conduct official state business. At the time, the governor was criticized for allegedly attempting to circumvent Alaska state laws that make correspondence conducted via state e-mail accounts subject to possible subpoenas.

Clearly, however, personal e-mail accounts aren't 100 percent safe from scrutiny either. Government-provided e-mail systems are generally much harder to crack, according to Cluley.

"Government e-mail addresses would normally need a second level of authentication, making it much harder for hackers to gain access," he said.

Governments put certain controls in place that force users to choose stronger passwords and require a new password be entered after a certain number of log-ins, Brewton added.

In addition, most government and business accounts are protected by multiple layers of security including virtual private network and multifactor authentication, defenses that make it significantly harder to hijack an account, explained AdmitOne's Shanahan.

Personal E-Mail Security

No one deserves to have their e-mail account illegally broken into, said Cluley, and people who commit such crimes should be punished; however, this sort of invasion is undoubtedly taking place all the time.

Web-based e-mail users should take steps to protect themselves from prying eyes -- be they cybercriminals, hacktivists or ex-spouses -- by taking some common-sense safety measures.

Choose a sensible password, Cluley suggested. That means using a word not found in a dictionary and not using the name of your favorite football team or pet. "Ideally, it should contain alphanumeric characters -- not just letters."

Brewton recommends that passwords be at least 12 letters long. If users feel they must create passwords using common words, replace some of the letters with numbers or other characters, he added.

"Using the '@' sign, for example, instead of a standard letter will make it more difficult for someone to hack into an account," he explained, adding that users should never give out their password in response to an e-mailed request and they should always write down their passwords.

All Eggs in One Password

Other precautions include not using the same password repeatedly, said Cluley.

"Our research has found that 41 percent of people use the same password for everything they do online, making it easy for hackers to gain access to all your accounts," he pointed out.

In addition, when a Web site asks users to enter a secret question/answer combination used to recover a forgotten password, users should think carefully, he continued.

"If it asks for your mother's maiden name, don't enter your real mother's maiden name -- that's a matter of public record. Instead, make something up like 'Xena Warrior Princess' or 'Artoo Deetoo,' which people won't be able to guess," Cluley continued.

Of course, computer users need to make sure they are running antivirus software, have a firewall and are up-to-date on all the latest patches for their operating system. They also need to be careful when using WiFi.

"Hackers may be able to install a keylogger [that tracks every key stroke of a computer keyboard] on your computer, which can grab your password as you log in. If you are surfing the Web wirelessly via an unencrypted connection, hackers can view the information that is being sent between you and the Internet," he said.

E-mail services can also take a more active approach to protect user e-mail accounts, Shanahan pointed out.

"They can watch for malicious devices and block machines that try to do repeat attacks. They can add more risk-based assessments such as whether a device is more trusted or a geolocation is more trusted," he concluded.
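The service-side controls Shanahan describes, blocking a source that makes repeated failed attempts and weighing whether the device and location are already trusted for the account, can be sketched as below. This is an added example, not code from the article or from any e-mail provider; the class name, thresholds, addresses and event data are all constructed assumptions.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 300   # assumed look-back window for failures
MAX_FAILURES = 5       # assumed failures per source before it is blocked
STEP_UP_SCORE = 2      # assumed risk score that demands a second factor

class LoginRiskGate:
    """Hypothetical gate consulted before a password or recovery answer is checked."""
    def __init__(self):
        self.failures = defaultdict(deque)  # source IP -> failure timestamps
        self.known = defaultdict(set)       # account -> {(device_id, country)}

    def _recent_failures(self, ip, now):
        q = self.failures[ip]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()                     # forget failures outside the window
        return len(q)

    def assess(self, account, ip, device_id, country, now):
        if self._recent_failures(ip, now) >= MAX_FAILURES:
            return "block"                  # repeat attempts from one machine
        seen = self.known[account]
        score = 0
        score += device_id not in {d for d, _ in seen}  # untrusted device
        score += country not in {c for _, c in seen}    # untrusted geolocation
        return "step_up" if score >= STEP_UP_SCORE else "allow"

    def record(self, account, ip, device_id, country, now, success):
        if success:
            self.known[account].add((device_id, country))
        else:
            self.failures[ip].append(now)   # failed password or recovery answer

def simulate():
    """Replay constructed events and return the gate's decisions in order."""
    gate, acct, out = LoginRiskGate(), "user@example.test", []
    gate.record(acct, "198.51.100.10", "laptop-1", "US", 0, True)
    out.append(gate.assess(acct, "198.51.100.10", "laptop-1", "US", 100))
    out.append(gate.assess(acct, "203.0.113.7", "unknown-9", "ZZ", 200))
    for t in range(201, 206):               # five failed guesses from one source
        gate.record(acct, "203.0.113.7", "unknown-9", "ZZ", t, False)
    out.append(gate.assess(acct, "203.0.113.7", "unknown-9", "ZZ", 206))
    out.append(gate.assess(acct, "198.51.100.22", "phone-2", "US", 300))
    out.append(gate.assess(acct, "203.0.113.7", "unknown-9", "ZZ", 600))
    return out
```

Once the failure window expires the unfamiliar source is no longer blocked, but it still has to pass a second factor because neither its device nor its location is known for the account.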


More by Walaika Haskins