If you needed any more reminders about why it isn't a good idea to use external mail services to conduct critical business, the recent break-in to US Republican vice-presidential candidate Sarah Palin's gov.palin@yahoo.com inbox should be it. Following the disclosure of the inboxes the compromised address and another address, gov.sarah@yahoo.com, have been suspended.Rico says he's sure his passwords will hold up to all but the most determined hackers; death threats will have to do as deterrence for the rest...
US politicians have been stung by a range of inappropriate email usage incidents, including the use of non-government email accounts to conduct official business. From the images presented as proof of email compromise, it seems that Sarah Palin was also doing this.
Various information security mailing lists have from time to time been filled with claims of inbox compromise, usually for free webmail services, and it is always one part voyeurism and one part the fear that you could be next.
Some companies have decided that the economy of scale offered by services like Gmail are worth it to have their email needs handled through them rather than maintaining their own in-house systems and servers. The risk, as has been proven time and time again, is now that it only takes a simple password recovery to have your email exposed to all.
Password recovery procedures are an area where the balance between security and usability is so blurred that most times the security aspect is non-existent, despite appearances. The leading theories about how the breach to Sarah Palin's account came about were that it was through the password recovery options associated with the Yahoo webmail interface.
Even if a user has selected non-standard secret questions, or has linked other email accounts, this sort of information isn't going to take a determined hacker very long to dig up, especially if the target is already someone in the public eye. Even if the target is not a public identity, the rise of social networking sites and personal blogs means that it shouldn't take too long to dig up enough information about someone to have a better than average chance at correctly guessing the answers to most secret question choices.
If you are busy using external webmail or email hosting providers, perhaps you should take another look at just how hard it is to gain anonymous access to that information and ensure that you have properly assessed the risk/benefit tradeoffs associated with using the services.
21 September 2008
Yahoo yoo-hoo boo-boo
PC World has a story by Carl Jongsma of Computerworld Australia about the hack of Sarah Palin's email:
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment