RSSWhat does the Sarah Palin e-mail hack say about Yahoo?
By Scott M. Fulton, III | Published September 18, 2008, 12:56 PM
There's an underlying issue in the debate raging about the reported hack into the Yahoo e-mail account of VP nominee Sarah Palin, and it actually has very little to do with the governor: Is there an e-mail vulnerability we should know about?
Though a Fox News report from commentator Sean Hannity yesterday credited anonymous individuals who regularly post to a massive random image posting site called 4chan, with the revelation of screen shots of Alaska Governor Sarah Palin's private e-mails -- including some that may play a role in an ongoing investigation -- the existence of the account's location may actually have been first publicly disclosed by, of all places, the Washington Post. A September 10 article by reporter Karl Vick reported that Palin had apparently been using one or two Yahoo e-mail accounts to conduct state business, with concern being cast upon the relative security of any private transactions that took place there.
But in reporting this, Vick actually posted the e-mail address in question. Though he did not post the accompanying password, it isn't too farfetched to presume that someone may immediately have attempted logging in as the Governor, using some permutation of "hockeymom" or "lipstickpig."
Another very real possibility is that the type of person whose online exploits would eventually lead to the posting of Palin's e-mail screenshots on 4chan, wouldn't have been reading the Washington Post anyway. In which case, a more crafty malicious user may have actually gained access to a list of active accounts, finding at least two that were obvious giveaways as to the Governor's identity. BetaNews has contacted Yahoo today about whether it has investigated this possibility, and we've been told to expect a response later today.
A simpler, though still feasible, method may involve a little bit of engineering, though still targeted at Gov. Palin's address directly. Back in 2004, security engineers uncovered an exploit of Yahoo's e-mail servers that enabled an individual to bypass the service's filters, and send a message filled with an enormous amount of junk content, followed by script code. The junk content would flood the system, triggering an overflow; but then the script code would be executed, delivering full information about the recipient's account back to the sender.
Yahoo reported having addressed and fixed that overflow bug that year, though with many other software and services vendors historically, we've seen instances where malicious users have been able to simply tweak the means of attack, try again, and be successful.
Another strange but real possibility is that the Governor, or whoever manages her account, may have fallen victim to a phishing scheme. One successful social engineering attack in 2005 involving Yahoo mail, gave recipients a message pretending to come from Yahoo's own offices, pretending to give the recipient the means to retrieve someone else's lost e-mail password using her own. The message gave explicit instructions as to how to format the password retrieval message; someone following those instructions to the letter would have been formatting data in the precise method required for the malicious user's script to absorb the requester's own password, and enter it into a database.
Evidence of having fallen prey to such a scheme may lie in the Governor's own messages, which have now to some extent been made public.
In the wake of Fox News' accreditation of the hack to someone on 4chan, a new wave of attention has been cast upon what BetaNews discovered to be a completely tasteless and obscene cesspool of material, very little of which concerned anything the least bit intellectual in nature. Though some are now crediting anonymous 4chan users with having the sensibility to have removed the e-mail account's screenshots from public view, the truth is, in our own tests (which, quite frankly, make me want to take a long bath in bleach), we found no evidence that the location from which the posts were originally made (which we did find) was being maintained by anyone who could have performed the actual hack. In other words, we think the screenshots were obtained second-hand, if not third or fourth.
In the end, the disclosure of what one sender of e-mail confirmed to major press sources as legitimate e-mails from the Alaska governor's office, may turn out to be a hack conceived not so much out of deceit as much as by default.
What does the Sarah Palin e-mail hack say about Palin?
Score: 0
|...
This week, someone was able to hack into Sarah Palin’s Yahoo! e-mail account, because she hadn’t taken the proper security measures.
So it’s official — no one in the Palin family uses protection.
...
Score: 0
|Or maybe she's just an idiot and used a birth date or the name of one of her kids. I read somewhere once that 80% of people use dates and names as passwords because it's easier to remember.
Score: 0
|Single factor authentication, be it weak or strong, can be broken.
No news here.
What will be interesting is how those who violate such services will be held accountable.
Score: 0
|Um... Nothing?
From what I can tell she used a basic password that one could guess after about five minutes.
Don't know why it relates to Yahoo at all.
Score: 0
|I'm game for a guess. pw: mooseshooter
Score: 0
|"The fact that Sarah Palin was using a Yahoo! account is almost neglectable in light of the fact that Anonymous members were illegally cracking the email account and deliberately spread private and government information on the internet, on top of all endangering the safety of Palin's family."
This only maks John McCain look even wiser; because doesn't like computers and doesn't have an e-mail account to be hacked by the enemy. So much for that stupid commercial.
"I think online mail is getting to be to used. I mean accountants, lawyers, and doctors are using it for their personal email address."
What IDIOTS. Some of those morons openly discuss the cases of their clients on a cheap analog cordless phone. A college degree doesn't prove that somebody has a functioning brain.
" Hope he thinks 18 months to 10 years is a small price to pay in an attempt make sure Obama wins."
You are forgetting that a sitting president can pardon a felon the same day that he committed his crimes. He won't do a day in jail if Obama wins.
"From what I heard the only thing they found that was damaging was pictures of her kids and her daughters and husbands cell phone numbers."
And making crank phone calls to the daughter's home is against the law. It is a federal offense if the caller doesn't also live in Alaska.
"All they did was use Yahoo's password recovery feature combined with Palin using a challenge question that could be figured out easily."
No computer savvy person uses their real first and last names in an e-mail address. That's why she was so easy to find in the Yahoo system. I have always used screen names (remember the CB radio slang handles) that tell everybody nothing about me?
Score: 0
|UPDATE:
It appears to be the son of a TN democrat representative. LOL
Score: 0
|Sounds crazy, but it seems to be that Yahoo should have become aware of Palin's new VP candidate status and been keen to these coming attacks. The liberal blogs have somehow gone absolutely hate-shat crazy over this woman, who, like Hillary when she gained more votes than obama, is a threat because she's more popular than obama in every poll now.
In other words, this was inevitable for those people. And because Palin herself is not supporting obama, she's a racist, right? At least according to obama supporters.
Score: 0
|Hey! bulllipstickpit not lipstickpig! Obvious Barack supporter!
Score: 0
|The lone gunman "hoax" that is coming up now is nothing more than a red herring.
Score: 0
|The fact that Sarah Palin was using a Yahoo! account is almost neglectable in light of the fact that Anonymous members were illegally cracking the email account and deliberately spread private and government information on the internet, on top of all endangering the safety of Palin's family. No "public interest" exists for this, and their doing was just plain illegal. Anonymous is known for illegal and harassing actions for a long time.
Article:
http://www.nolanchart.com/article4803.html
Fox11 News on Anonymous:
http://www.youtube.com/watch?v=DNO6G4ApJQY
Anonymous response:
http://www.youtube.com/watch?v=RFjU8bZR19A
Another Fox11 report:
http://www.youtube.com/watch?v=fYH-5ke_bOU
Anonymous documentary:
http://www.youtube.com/watch?v=cbwNyKXux70
http://www.anonymous-exposed.org
Score: 0
|It would be of no interest at any other time than when national security is a risk.
Both are responsible, both should find some consequences.
Score: 0
|spread private and government information on the internet
Government information?
Really?
Where did you see that?
...or are you just making an assumption?
Score: 0
|It was done with password recovery, check it out here: http://www.appscout.com/...ah_palin_what_we_ca.php
Score: 0
|I think the real issue with this is the fact that Palin is by law required to use Government email to conduct any form of state business.
Score: 0
|don't be dishonest. There was zero policy coorespondance in regards to her govt work. Try to keep your eye on the ball pal. A persons private email was illegally accessed for the purpose of ruining them. To use this as some sort of political gain is beyond the pale.
Score: 0
|Hope he thinks 18 months to 10 years is a small price to pay in an attempt make sure Obama wins.
At least fed prisons are nicer.....
Obama supporters need to take ethics classes,real ones not the situatinal kind.
Score: 0
|Granted it's illegal.
I would like the law to take a harder line on individuals who make it easy and tempting for the criminals to try, though.
Score: 0
|If this happened to Obama - Sharpton and Jesse would be on the streets with torches in their hands.
Score: 0
|I don't think we can qualify this as a hack. All they did was use Yahoo's password recovery feature combined with Palin using a challenge question that could be figured out easily.
Score: 0
|^This^ is exactly what I think happened.
It's the usual case of password recovery question easiness.
Score: 0
|My question is why is she using Yahoo mail instead of a more secure POP mail. Shes a government official. I wouldn't use Yahoo, MSN, Gmail or any mail of that kind for any sensitive, official mail. I use it to write friends, to sign up for thing I know I'm going to get junk mail from...etc.
I think online mail is getting to be to used. I mean accountants, lawyers, and doctors are using it for their personal email address. I always told clients of mine that it doesn't look professional to use Yahoo or Hotmail as your business email and now we have government officials using them to send possibly sensitive information? What does that say about her and the people she works for?
Score: 0
|It wasn't office mail. It was her personal account. She may have emailed colleges from it but I bet many people have written email from there personal account to there boss or someone else at work. From what I heard the only thing they found that was damaging was pictures of her kids and her daughters and husbands cell phone numbers.
Score: 0
|I have learned in all my Years doing IT / PC support that most people at some point and time have given an ID / Password to someone close to them.
I doubt that her eMail got "Hacked" but that someone close to her was either pushed to give up the information or simply wants to see Sarah fall flat and was hoping a "Juicy Message" in her Personal eMail would have nailed her.
Score: 0
|FUX News is a joke.
Score: 0
|Care to offer any proof about that. It's the number 1 rated cable news channel in America. They beat all the others ones combined at times.
Score: 0
|Who told you that? What times is that, when everyone is asleep?
Fux News is to legitimate news like professional wrestling is to sport. Entertainment only.
Score: 0
|So sayeth the mouth with legs who offers absolutely no factual support other than his own personal bias.
At least he is consistent throughout his posts!
Score: 0
|What planet have you been living under for the passed zillion years? At least I'm not some libertopian nut job.....
Look at what your libertopian way of thinking has done to America to put in the it is in now. No wonder when a Libertopian wants to run for office they go through the republican party since they think very similarly. Reaganomics 101 doesn't work for the majority of the people. It was designed to help the very rich only.... McCain will continue on from Bush with the very same failed policies.
I feel sorry for you and your delusional economic beliefs. Remember Reagan was senile at the time he made up his policies and it shows.
Score: 0
|And Clintons believe of everyone should own a home turned out real well, look at the result. Fannie Mae CEO saying that the democraps are their best friend look at where that got us. Hate it as you will but the rich are the ones that make the world go around. Last time I looked no homeless guy was a CEO or owner of a company. Then there is the democrats that have conceded to more oil drillin but set the limits areas that don't have much oil. Yup they are great.
Score: 0
|Yes, for real news we must turn to CNN and MSNBC, the only source of hard news. We'd all be stupid and vote for the wrong people if it weren't for Wool Blitzer, Chris Matthews, Keith Oldman and Rachael Madcow.
Score: 0
|Using free email.. IE gmail, yahoo, hotmail etc.. just a bad idea for anything you might want to keep private. or even the online apps like google apps. (when google indexed all the speadsheets.. people couldn't access them on read part of them..) Nothing is Free and google has a reason to "give" you something..
Also I have to believe that yahoo like google is a media company (not really a internet company anymore).. and 95% of the media reports and employee's really really want Obama to win. So this could even be an inside deal.
Score: 0
|The bigger question is what does it say about email in general. What has been known for years: unprotected email is not a safe way to transmit and store communications. This is nothing new, but free web services are even worse.
Score: 0
|quick! everyone send bestiality porn to it LOL
Score: 0
|Here's some *real* news about this:
According to Britain's Register,the original screenshots posted to 4chan show the specific proxy URLused to connect to the hacked account, which would allow the proprietorof the proxy service, Ctunnel, to recover the real (or at least the previous) IP address from which the attack was launched.
Taken from ArsTechnica.
(The author apparently has a somewhat broken spacebar...)
Score: 0
|Hahahaha. They posted it to 4chan.
Nicely leaked there.
They'll be found out in a couple of days. No one in their right mind would leak there.
Score: 0
|I'm in the process of moveing my E-mail account, out of yahoo as a matter of fact.I'm done with there mail.There are better ones out there, and safer.
Score: 0
|Do tell...
Score: 0
|it isn't too farfetched to presume
Another very real possibility
A simpler, though still feasible
Another strange but real possibility
...
Really?
Really?? The entire article is nothing but an attempt to start *more* rumors? (We're not reporting them anymore...we're *making* them?)
using some permutation of "hockeymom" or "lipstickpig."
OK...*that* was funny. Even funnier if that turns out to be what happened.
Score: 0
|It's a damage assessment, Tool. If you were working in a campaign, it's the kind of assessment that would be made over a roundtable. What are the possibilities? What are the likelihoods?
There are no rumors here. The questions we're asking concern, how does the revelation of this hack apply to us, the people who use public e-mail?
-SF3
Score: 0
|There are no rumors here
*laughing*
Yeah...and the cake is a lie.
...and there is no spoon.
You should really put that at the top of the site somewhere, because when you say it...it's true, right?
Score: 0
|Another possibility is that it could have been a Yahoo! employee with administrative access.
It will be interesting to see how this plays out, though I'm sure many of the details will not be released (rightly so) for security and/or legal reasons.
Score: 0
|the hacker should've done it as a blank post, or maybe even green... remember kids ... sage goes in all fields
Score: 0
|I have to agree with PC_TOOL on this one. The first time I heard about this was over a week ago. No offense BetaNews, but you're stretching too much to open this topic back up for discussion. "What does the Sarah Palin e-mail hack say about Yahoo?"
What about, Gmail, or Windows Live, or 95% of the other web services out there. Every one of these online mail services uses the security question. Give me a break.
Score: 0
|Well yeah but most of the other Mail services I've used send the password to the alternative email address you registered with them... Yahoo just says ok, you can answer the question or some account details(it seems to vary) and then gives you the ability to change your password on the next screen.. anybody who can guess the question answer can change the password..GMail sends the email for password reset and says in 5 days you can try reset your password again and if the account has been idle it will allow you to reset with the security question answer...better system
Score: 0
|