I should have probably blogged about this earlier, but this has been a really busy week for me on my project. Shortly after my latest post on passwords, I had several talks with associates. Quite a few of them were ribbing me about how I'm too security conscious. As if there is such a thing as too much security.
Then, right on cue, as if to prove my point, Sarah Palin's email account got "hacked". I say that in the loosest, pop-culture sense of the word, because it really isn't a hack. A hack is someone disassembling a backbone router's operating code and discovering a buffer overflow flaw that they can use to inject code that will take over the router. In this case, someone simply stole Palin's email credentials in a way that could have been accomplished by a savvy sixth grader. And that's the whole point - hacking into a computer to steal info is really, really hard, provided the system is well locked down. That's why today's ID and data thieves don't hack code - they hack people. Social engineering is far easier to do. So much easier that even non-techie ID and data thieves can do it. That's what makes social engineering attacks so dangerous. Instead of keeping an eye on a handful of alpha nerds with NPD, you have to watch out for thousands and thousands of con artists.
In case you missed the affair in question, someone got into Palin's Yahoo! email account. Did they use some kind of crypto-defeating stealth code, or a supercomputer bot network to crack the password? Nope. They simply guessed the answer to her "forgot my password" question. And, they did it so easily because the answer to the question was available to the public! If the alleged accounts are to be believed, it was the location where she met her husband. Anyone with an internet search engine and connectivity could have gotten it.
So the point is that your password is a means of authentication. And so is the answer to the magic reset question! But if you're going to provide a backup or replacement authentication mechanism, it needs to be at *least* as secure as the primary one! Otherwise the weaker one sets the ceiling: in this case, your password is only as strong as the answer to the question. You wouldn't publicly post your password, so why publicly post the answer to the question?! Or perhaps more appropriately, why select a question-answer that is available in public?
I guess it all boils down to my assertion that the question-answer password reset mechanism is inherently bad. Good password mechanisms force people to select good passwords, but question-answer mechanisms seem to cater to a person's natural tendency to be lazy and choose the path of least resistance... which is exactly what most ID and data thieves would love for you to do. They are really only in business because they can depend on so many people behaving that way.
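To make the "backup authenticator must be at least as strong as the primary" rule concrete, here is an added example (mine, not from the original post or from Yahoo!'s actual reset system). It puts a secret-question reset next to a random, single-use, time-limited reset token, and adds a small policy check that compares the guessing strength of each. The strength figures, the 15-minute token lifetime, the sample account and the placeholder answer "Springfield" are all constructed assumptions for the demo.

```python
"""Added example (not from the original post): a secret-question password
reset beside a random, single-use, time-limited token reset, plus the
policy check "backup authenticator >= primary authenticator"."""
import hashlib
import hmac
import math
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed policy: reset tokens expire after 15 minutes


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def normalize(answer: str) -> str:
    """Typical secret-question handling lowercases and collapses whitespace,
    which shrinks an already small answer space even further."""
    return " ".join(answer.lower().split())


def estimated_bits(candidate_space: int) -> float:
    """Guessing strength of an authenticator drawn uniformly from
    `candidate_space` values, in bits (log2 of the space size)."""
    return math.log2(candidate_space)


def backup_is_acceptable(primary_bits: float, backup_bits: float) -> bool:
    """The rule from the post: a replacement authenticator must be at least
    as strong as the one it replaces."""
    return backup_bits >= primary_bits


# --- Weak design: reset authorized by the secret-question answer alone -------

class QuestionReset:
    """Anyone who knows the (often public) answer passes this check."""

    def __init__(self, answer: str):
        self.answer_hash = sha256_hex(normalize(answer).encode())

    def authorize(self, supplied_answer: str) -> bool:
        supplied_hash = sha256_hex(normalize(supplied_answer).encode())
        return hmac.compare_digest(self.answer_hash, supplied_hash)


# --- Hardened design: random, single-use, time-limited token -----------------

class TokenReset:
    """A 128-bit random token, delivered out of band (for example to the
    registered e-mail address), stored only as a hash, valid once."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # sha256(token) -> expiry timestamp

    def issue(self) -> str:
        token = secrets.token_hex(16)  # 16 random bytes = 128 bits
        self._pending[sha256_hex(token.encode())] = self._now() + TOKEN_TTL_SECONDS
        return token  # plaintext goes to the user, never to the database

    def authorize(self, supplied_token: str) -> bool:
        digest = sha256_hex(supplied_token.encode())
        expiry = self._pending.pop(digest, None)  # single use: consumed on any attempt
        if expiry is None:
            return False
        return self._now() <= expiry


def compare_strengths() -> dict:
    """Constructed estimates: a 10-character password over 62 symbols versus a
    'where did you meet your spouse' answer that, for a public figure, can be
    narrowed to roughly eight published places, versus a 128-bit token."""
    password_bits = estimated_bits(62 ** 10)
    question_bits = estimated_bits(8)
    token_bits = 128.0
    return {
        "password_bits": password_bits,
        "question_bits": question_bits,
        "question_ok": backup_is_acceptable(password_bits, question_bits),
        "token_ok": backup_is_acceptable(password_bits, token_bits),
    }


if __name__ == "__main__":
    print(compare_strengths())
    reset = TokenReset()
    token = reset.issue()
    print("first use:", reset.authorize(token), "second use:", reset.authorize(token))
```

The secret-question path is only as strong as the answer, which for a public figure may be a fact anyone can look up; the token path keeps the primary password as the weakest link rather than replacing it with something weaker, and the expiry plus single-use consumption limit how long a leaked reset link stays useful.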
In short, shame on Sarah Palin for using a public email system for government business. Shame on Yahoo! for using this absurd mechanism for password resetting - or, on the other hand, if they feel they *have* to use such a system, then shame on them for allowing this sort of question. I would say shame on the idiot who broke into her account, but let's face it, people who do this on a regular basis really don't care.
Now as it turns out, there is a real possibility this person isn't a professional con artist or ID/data thief, but just someone who wanted to take a sneak peek at her emails to see if there was anything politically hot in them. That's not to excuse them in the slightest - they committed a *criminal* act. But the fact that an ordinary person who may not be a pro at breaking into systems can do this should be a frightening enough reminder to take what I said previously seriously. Don't add yourself or your app to my wall of shame.
posted @ Friday, September 26, 2008 1:17 PM