Page 2 of 2
A quick scan of that board shows that it is hardly a site in favor of the Democratic candidate for President, Barack Obama; /b/tards, as board regulars call themselves, can be viciously racist. With all the media attention on them, the /b/tards are putting their best foot forward by posting grotesque pictures of accident victims, suicides and scatological porn.
After Rubico posted the information to 4chan, a white hat hacker stepped in, changing the password and sending an e-mail alert to one of Palin's aides. Rubico then expressed outrage that someone would protect Palin.
"Then the white knight f------ came along, and did it in for everyone, I trusted /b/ with that email password, I had gotten done what I could do well, then passed the torch, all to be let down by the douchebaggery, good job /b/, this is why we can't have nice things," he complained on /b/.
While no new suspect has been named by the Secret Service, FBI, Yahoo or CTunnel, a Tennessee state representative told The Tennessean that his son was under investigation. Mike Kernell, a Democrat, told the newspaper that his 20-year-old son David was being investigated in connection with the hack, but declined to elaborate further.
No skill required
The Palin hack did not involve breaking weak encryption or finding a backdoor into Yahoo Mail. Rubico simply used the password reset option, supplying her birth date, her ZIP code and the answer to a personal question: where she met her spouse. Rubico found that answer with a simple Google search.
He may not have been bright enough to cover his tracks, but Rubico was able to get into a Yahoo Mail account, notes Avivah Litan, a Gartner research analyst who covers security. "That just proves how few skills you have to have to break into someone's account," she told InternetNews.com.
"We've been talking about how the knowledge-based authorization is becoming ineffective because those high security questions are basically based on public information," Litan added. "So this is a shining example of that fact. I don't know what more people need to stop using questions and answers. These are questions that can be answered by anyone with access to your Facebook account or can Google you."
Password reset questions are pretty easy to answer. The account holder's mother's maiden name is a very frequent security answer, for example. People who are lazy with their passwords might use the name of a spouse or child, which an Internet search can turn up, especially for a public figure like Palin.
Ken Pappas, security strategist with Top Layer Security, said many service providers have shucked off the responsibility of adequate security. "These companies don't believe it's their problem, they believe it's your problem and they aren't gonna spend the money to fix it. It might take an incident like this to force change," he said, and added the Palin incident "might be it."
Litan said Gartner recommends a three-pronged approach, with at least one prong outside of the personal computer. She had just returned from Brazil, which is embracing online banking in a major way and uses SecurID tokens. These tokens are issued by the bank and use an algorithm to generate a new random-looking code every 60 seconds.
Only the user's token and the bank's servers know the algorithm used to generate the number. When a bank customer logs in, they are asked for the current token number, which is constantly changing.
Pappas believes there needs to be an online effort similar to the Payment Card Industry (PCI) to create compliance testing. "It wasn't like the credit card companies wrote PCI," he explained. "It came from a movement in the industry, the consortium was formed, companies got together, started making up a good compliance policy, got it ratified and bang, PCI compliance was blessed. We may need a movement like that to occur."
Litan thinks the industry can only get away with these minimal password security methods for another two years, if that. "People are starting to get spooked. If they hear about e-mail accounts being taken over, they won't trust the system. So it will become a competitive edge."