John Brandon

Web 2.0 Watcher

Palin Webmail hacker: No place to run or hide

The net is closing tightly around the now infamous Palin Webmail hacker, who thought it would be a novel idea to tap into the vice presidential candidate's e-mail and post a new password online. Now, according to local reports, the FBI has issued a warrant to search the apartment of David Kernell, the son of a Tennessee politician who just happens to be a Democrat. Most ISPs have willingly participated in the search for the hacker who posted the details of how he broke into Sarah Palin's private Yahoo account.

It's interesting to see how the FBI has worked this case. First, they contacted Yahoo and obtained account records. They then worked with ISPs to obtain DNS information. And now they are searching for more evidence. It's a good lesson for would-be hackers: just because it might be easy to break into a private, personal e-mail account doesn't mean it is legal or ethical to do so.

In the world of Web 2.0, there are a handful of common security precautions. Captchas dissuade bots from running automated password guessing. With Yahoo, secret questions, such as how you met your spouse, are only a mild precaution. Palin is obviously a high-profile figure, so obtaining the information needed to answer her secret questions is relatively easy. Even if the answer is harder to obtain, such as the name of your first pet, it is still easy to find this information for famous politicians and celebrities by searching on Google.

I like how sites such as Twitterfeed require two-factor authentication - using a password and an image recognition system. Bank of America uses a similar approach. In some ways, Web 2.0 sites including Yahoo and Windows Live Hotmail are using a trust system where, because of the sheer number of accounts, they make it relatively easy to reset your password. There's very minimal phone support for login assistance, but that might change after this high profile break-in.

I'm not in favor of tougher secret questions (e.g., name the first movie you saw on a date and with whom) because I don't like to think that hard. I'd like to see more phone support for password resets, and more two-factor authentication where the user must prove their identity through secret questions and one other method, and then have this data sent to a secondary e-mail - a practice long in use by domain registration companies. I also like the Gmail practice of notifying you (at the lower part of the screen) who else is logged into your account.

I also think resets should be sent to an alternate e-mail. Yahoo figures you might not have a secondary e-mail, but in the age of ubiquitous Webmail accounts, who doesn't have more than one?
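The reset flow the post argues for, a secret-question check followed by a one-time code delivered to a pre-registered secondary e-mail, as an added example: this is illustrative Python written here, not Yahoo's or the author's implementation, and the RecoveryService class, its account-dictionary layout and the in-memory outbox standing in for a mail sender are all assumptions.

```python
import hashlib
import hmac
import secrets
import time


def hash_answer(answer: str) -> bytes:
    # Normalise case and whitespace so "Fluffy " and "fluffy" match, then hash
    # so the plaintext answer is never stored alongside the account.
    return hashlib.sha256(answer.strip().lower().encode()).digest()


class RecoveryService:
    """Two-step reset: the secret question alone never resets anything; it only
    earns a short-lived, single-use code sent to the secondary address."""

    TOKEN_TTL = 15 * 60   # seconds a reset code stays valid
    MAX_ATTEMPTS = 5      # wrong secret-question guesses before lock-out

    def __init__(self, accounts, now=time.time):
        self._accounts = accounts   # username -> {"answer_hash", "secondary_email"}
        self._now = now             # injectable clock so expiry can be tested
        self._pending = {}          # username -> (code, expiry timestamp)
        self._attempts = {}         # username -> failed secret-question guesses
        self.outbox = []            # constructed stand-in for SMTP: (recipient, code)

    def begin_reset(self, username, answer):
        acct = self._accounts.get(username)
        if acct is None:
            return "denied"         # same reply as a wrong answer: no user enumeration
        if self._attempts.get(username, 0) >= self.MAX_ATTEMPTS:
            return "locked"
        if not hmac.compare_digest(hash_answer(answer), acct["answer_hash"]):
            self._attempts[username] = self._attempts.get(username, 0) + 1
            return "denied"
        code = secrets.token_urlsafe(16)
        self._pending[username] = (code, self._now() + self.TOKEN_TTL)
        self.outbox.append((acct["secondary_email"], code))   # out-of-band delivery
        return "code_sent"

    def complete_reset(self, username, code, new_password):
        entry = self._pending.pop(username, None)   # single use: any attempt burns it
        if entry is None:
            return False
        stored, expiry = entry
        if self._now() > expiry or not hmac.compare_digest(stored, code):
            return False            # expired or wrong: user restarts from the question
        self._accounts[username]["password"] = new_password  # a real system hashes this
        return True
```

A wrong or late code invalidates the pending reset rather than allowing further guesses, so the secret question is never the only thing standing between a guesser and the account.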
