The hacker or hackers who broke into Alaska Governor Sarah Palin’s e-mail account didn’t need much technical skill. The proof is in the screenshots taken by the cracker, who left all the evidence computer forensics experts will need to find him.
In his screenshots, posted to the underground Web site 4chan, a user named “Rubico” showed his entire browser window, including the address bar, as part of his deed. It revealed to everyone that he used CTunnel, a Web service that acts as a proxy, hiding users’ IP addresses from the Web sites they visit.
It also showed a hash string that identifies the user to the proxy service, which can be matched against the service’s own logs.
CTunnel.com’s owner, Gabriel Ramuglia, told Wired’s Threat Level blog that the FBI has contacted him to obtain his logs, which he said he would hand over.
Rubico posted on 4chan that the e-mails had “nothing incriminating, nothing that would derail her campaign as I had hoped. All I saw was personal stuff, some clerical stuff from when she was governor.. And pictures of her family.”
Then, as if realizing his error, such as using only one proxy server to hide his identity, he wrote:
“yes I was behind a proxy, only one, if this s— ever got to the FBI I was f——, I panicked, i still wanted the stuff out there but I didn’t know how to rapids— [A derogatory reference to Rapidshare, an anonymous file sharing service where people can dump a large file, get a link to it and share it with others to download] all that stuff, so I posted the pass on /b/, and then promptly deleted everything, and unplugged my internet and just sat there in a comatose state.”
“/b/” is the Random board on 4chan, an image sharing board inspired by a similar Japanese board. It holds only about 10GB of data at any one time because it cycles through content so fast, yet it generates gigabytes of daily traffic. The /b/ board can get as many as 200,000 posts per day, according to Time magazine.
The Wall Street Journal recently profiled its founder, a 20-year-old New Yorker named Christopher Poole, and his dilemma in trying to make a business out of a site with enviable traffic but occasionally stomach-churning content and abysmal user behavior.
There are dozens of channels, almost all dedicated to sharing images.
4chan has been the Internet’s meme factory, spawning such gags as LOLcats, Caturday and the O RLY owl, among many others. Some boards are benign, like /wg/, the general wallpaper section, where people trade wallpapers for their computer desktops. Then there’s /b/, the closest thing the Internet has to the Mos Eisley Cantina from “Star Wars.”
A wretched hive of scum and villainy
A quick scan of that board shows that it is hardly a fan site for the Democratic candidate for President, Barack Obama; /b/tards, as board regulars call themselves, can be viciously racist. With all the media attention on them, the /b/tards are putting their best foot forward by posting grotesque pictures of accident victims, suicides, and scatological porn.
After the account details were posted to 4chan, a white-hat hacker stepped in, changing the password and sending an e-mail alert to one of Palin’s aides.
Rubico then displayed outrage that someone would protect Palin.
“Then the white knight f—— came along, and did it in for everyone, I trusted /b/ with that email password, I had gotten done what I could do well, then passed the torch, all to be let down by the douchebaggery, good job /b/, this is why we cant have nice things,” he complained on /b/.
While no new suspect has been named by the Secret Service, FBI, Yahoo or CTunnel, a Tennessee state representative told The Tennessean his son was under investigation. Mike Kernell, a Democrat, told the newspaper his 20-year-old son David was being investigated in the hack, but declined to elaborate further.
No skill required
The Palin hack didn’t involve breaking weak encryption or finding a backdoor into Yahoo Mail. Rubico simply used the password-reset option, supplying her birth date and ZIP code and answering a personal question: where she met her spouse. Rubico found that answer with a simple Google search.
He may not have been bright enough to cover his tracks, but Rubico was able to get into a Yahoo Mail account, notes Avivah Litan, a Gartner research analyst who covers security. “That just proves how few skills you have to have to break into someone’s account,” she told InternetNews.com.
“We’ve been talking about how the knowledge-based authorization is becoming ineffective because those high security questions are basically based on public information,” Litan added. “So this is a shining example of that fact. I don’t know what more people need to stop using questions and answers. These are questions that can be answered by anyone with access to your Facebook account or can Google you.”
Passwords are pretty easy to reset. The account holder’s mother’s maiden name is a very common security answer, for example. People who are lazy with their passwords might use the name of their spouse or children, which can be found by an Internet search, especially for a public figure like Palin.
Ken Pappas, security strategist with Top Layer Security, said many service providers have shucked off the responsibility of adequate security.
“These companies don’t believe it’s their problem, they believe it’s your problem and they aren’t gonna spend the money to fix it. It might take an incident like this to force change,” he said, and added the Palin incident “might be it.”
Litan said Gartner recommends a three-pronged approach, with at least one prong being outside of the personal computer. Litan said she had just returned from Brazil, which is embracing online banking in a major way, and it uses SecurID tokens. These tokens are issued by the bank and use an algorithm to generate a new, seemingly random code every 60 seconds.
Only the user’s token and the bank’s servers know the algorithm used to generate the number. When the bank customer logs in to the bank, they are asked for their token code, which is constantly changing.
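As an added illustration (not from the article, and not RSA’s proprietary SecurID algorithm), here is a time-based one-time password in the style of RFC 6238, with a 60-second step to match the article’s description, alongside the server-side check a bank would run; in practice the secret shared by token and server is a per-token seed, not the algorithm itself, so the seed below is a constructed demo value (the RFC 4226 test seed).

```python
import hmac
import hashlib
import struct

# Constructed demo seed (the RFC 4226 test-vector seed "12345678901234567890").
# A real token's seed is provisioned per device and known only to the token
# and the bank's authentication server.
DEMO_SEED = b"12345678901234567890"
STEP_SECONDS = 60   # the article describes a code that changes every 60 seconds
DIGITS = 6


def totp_code(seed: bytes, unix_time: int, step: int = STEP_SECONDS,
              digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamically truncated."""
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class TokenVerifier:
    """Server side: holds the seed, tolerates +/-1 step of clock drift,
    and refuses to accept a code from a time step it has already accepted
    (so a sniffed code cannot be replayed within its window)."""

    def __init__(self, seed: bytes, window: int = 1):
        self.seed = seed
        self.window = window
        self.last_accepted_counter = -1

    def verify(self, submitted: str, unix_time: int) -> bool:
        now_counter = unix_time // STEP_SECONDS
        for delta in range(-self.window, self.window + 1):
            counter = now_counter + delta
            if counter <= self.last_accepted_counter:
                continue  # already used this step or an earlier one: replay
            expected = totp_code(self.seed, counter * STEP_SECONDS)
            if hmac.compare_digest(expected, submitted):  # constant-time compare
                self.last_accepted_counter = counter
                return True
        return False
```

Unlike a security question, the code is worthless to anyone who finds it later: it is valid for at most a couple of minutes and, once accepted, is rejected as a replay.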
Pappas believes there needs to be an online effort similar to the Payment Card Industry (PCI) to create compliance testing. “It wasn’t like the credit card companies wrote PCI,” he explained. “It came from a movement in the industry, the consortium was formed, companies got together, started making up a good compliance policy, got it ratified and bang, PCI compliance was blessed. We may need a movement like that to occur.”
Litan thinks the industry can only get away with these minimal password security methods for another two years, if that. “People are starting to get spooked. If they hear about e-mail accounts being taken over, they won’t trust the system. So it will become a competitive edge.”