Criminal and negligent

The net is buzzing about Republican Vice President candidate Sarah Palin’s email account being hacked, and if you somehow missed it, this Wired blog post is a good starting point.

I won’t engage in spreading rumours about who might have done it. The bottom line is that he or she, at best, did something dumb. While there still appears to be a cool factor surrounding the commission of high tech crimes, the result is really no different than breaking into someone’s home, office, or car. And doing it to a VP candidate is just plain dumb. Given the high profile of this case, the authorities will make an example of whomever is responsible, resulting in a disproportionate sentence. It’s too bad that the perpetrator thought about the FBI after the fact, instead of before.

But this story is about much more than that. It’s about weak authentication, poorly designed password recovery, poor business practices and a negligent Governor.

Security professionals have been telling people for decades that passwords are a bad idea and that they suffer from numerous weaknesses. People choose passwords that are easily guessed, they are all too often rapidly obtained through technical and social attacks, and many password systems have serious, fundamental technical flaws. But we continue to use passwords because they’re easy and cheap.

We can choose complex passphrases that are hard to crack, but doing so also makes them harder to remember, especially for those of us with dozens of them. So, to help users, companies like Yahoo provide automated reset mechanisms. The problem is that these are, for the most part, weaker than the password itself, as was clearly demonstrated in Palin’s case. Many of these systems are fundamentally flawed and fail to take target familiarity into account.

As threat levels and asset values increase, so does the need for stronger security controls. Those in the spotlight are exposed to a larger threat, and information such as their email has a higher perceived value to potential attackers. However, because it is generally easier to obtain personal information about such people, password reset mechanisms that rely upon personal information provide a lower level of security. In other words, they protect people like Palin less than they protect you and me. They fall clearly into the “really bad idea” category, and surely the security people at Yahoo know it. These flawed password reset systems make it significantly easier to reset and obtain the password of someone you know than of a random stranger. And let’s face it, an email account belonging to your boss, ex, or another kid at school is far more interesting than a stranger’s. Shame on Yahoo (and others who do the same dumb things) for implementing such a poor security system.

Perhaps Yahoo and hundreds of others will wake up, smell the coffee and fix their reset mechanisms. But until they do, there is a solution for users: When providing “answers” to password reset questions, don’t “answer” the question they ask. For example, you might be asked the first school you attended or your first pet’s name. Be funny, be silly, be random. Make something up, and write it down if you have to. If Palin had simply answered that she met her husband “UnderThePinkOakTree”, her Yahoo account wouldn’t be in the news.
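An added example (my own code, not from the original post) of the made-up-answer approach: each reset question gets a random string that has nothing to do with you, the comparison is case-insensitive and constant-time as a provider would do it, and a helper shows how much larger the guess space is than a pet’s name. Question texts are constructed samples.

```python
import hmac
import math
import secrets
import string
import unicodedata

# Letters and digits only: easy to type and to write down on paper.
ALPHABET = string.ascii_letters + string.digits


def make_up_answer(length: int = 16) -> str:
    """Return a random string to use in place of the true answer.

    The secrets module draws from the OS CSPRNG, so the value cannot be
    looked up, guessed from a biography, or coaxed out of an acquaintance.
    """
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def make_up_answers(questions, length: int = 16) -> dict:
    """Map each reset question to its own unrelated random answer."""
    return {q: make_up_answer(length) for q in questions}


def normalize(answer: str) -> str:
    # Providers usually ignore case and surrounding whitespace; mirror that.
    return unicodedata.normalize("NFKC", answer).strip().lower()


def answer_matches(stored: str, supplied: str) -> bool:
    """Constant-time check so timing does not leak how much of the answer matched."""
    return hmac.compare_digest(normalize(stored).encode(), normalize(supplied).encode())


def guess_space_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy in a uniformly random answer of the given length.

    A first pet's name drawn from a few hundred common names is under 10 bits;
    16 random characters from this alphabet are about 95 bits.
    """
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed sample questions of the kind a webmail reset form asks.
    for question, answer in make_up_answers(["First school?", "First pet's name?"]).items():
        print(f"{question:20} -> {answer}")
    print(f"guess space: {guess_space_bits(16):.1f} bits")
```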

Of course Governor Palin shouldn’t have been using a free Yahoo email account to conduct government business in the first place. Not only is it a well-known way to dodge information retention and access legislation, but free email accounts, as this incident demonstrates, simply don’t provide the level of security required for government business or political campaigns. Palin and her handlers should have known better. In fact, according to news reports, she has previously been criticized for conducting state business via her personal email account, so I think it’s safe to say that not only should she have known better, but she in fact did know better and continued to do so.

So where does this leave us? A dumb criminal, a negligent Yahoo, and a VP candidate that doesn’t learn from her own mistakes, none of which bode well for the American voter.

Your Own Worst Enemy

Mention computer security to most people and the ensuing conversation inevitably involves viruses, spyware, spammers, and teenage hackers. Yes, it’s true that criminals are heavily involved in identity theft, foreign governments are stealing intellectual property, and pedophiles are trolling the Internet. But if we’re really looking for the number one threat to our money and information, let’s start with a good look in the mirror.

Backups

Computer hard drives consist of one or more metal disks called platters that usually spin at 5400 or 7200 RPM. Tiny heads move over the surface of the disks, reading or writing magnetic impulses as the platter spins by. To put it in perspective, the edge of a platter running at 7200 RPM is travelling at over 100km/h. While modern drives are very reliable, and often boast Mean Time Between Failures (MTBF) of up to five years, all it takes is a small particle of dirt, a bearing failure, or enough of a shock to cause the head to touch the platter, and it could be all over for your data. So even if you have the best antivirus protection money can buy, and you’re confident that you could never ever (ahem) accidentally delete the wrong file or folder, not backing up important files is playing the MTBF odds, and if you play long enough, you will lose.

Viruses

I think it’s safe to say that most of us are sick of hearing about viruses. Every year criminals (and have no doubt – virus writers are criminals) turn out a large number of them. Some are brand new, and occasionally one has a serious impact. However, the vast majority of virus infections are preventable, and while I hate to be accused of blaming the victim, the reality is that viruses are out there and your computer will be infected if you don’t take four simple precautions: Use a firewall between your computer and the Internet, install antivirus software and keep it up to date, don’t open email attachments that you aren’t expecting, and don’t surf the web looking for free software or porn.

Phishing

It’s getting real old, but scammers are still tricking people into logging into look-alike sites just to get their usernames and passwords. If you follow two simple rules you are unlikely to become a victim: First, financial institutions don’t email asking for updated information, and they don’t email about fraud or account suspensions. If you get email asking you to urgently update your information or log into your account due to fraud, just delete it. Second, don’t click links in email to any web site that requires you to log in. Instead, open the browser yourself, type in the URL, or select it from your bookmarks. It may take a bit more time, but it will prevent you from following links to bogus sites and giving away your username and password.

Financial Scams

If I walked up to you on the street and asked to borrow your bank account to move ten million dollars into the country in exchange for a ten percent fee, you’d probably laugh. But for some reason when the same solicitation arrives by email, people are happy to oblige, pay “fees” in advance, and are surprised when they get ripped off. The Internet gives you access to a vast amount of information around the world. It also gives fraud artists worldwide access to you. Your best defence is common sense – nobody is going to pay you millions (or even hundreds) to move their money for them. If they have millions of dollars, they don’t need your help to move it, no matter how good their excuse.

Spam and Chain Letters

A lot of people get offended when I lump spam and chain letters into the same category, but let’s be honest – while spam is sent for commercial advertising and chain letters are forwarded by well-meaning (yet gullible) family, friends, and acquaintances, the result is the same: Trash in our inbox.

Spammers collect email addresses from web sites, mailing lists, and anywhere else they can find them on the Internet. Then they sell the addresses to others, who, being like-minded, aggregate and resell their lists to others, ad infinitum. In a very short period of time, your email address is widely distributed. So our first line of defence against spam is avoidance: Don’t post your email address on the Internet. If you must do so, use a secondary email address or a disposable email address from one of the dozens of companies on the Internet that provide them. Some of the disposable email address services offer addresses that automatically expire after 24 hours, which are perfect for those companies that require an email address to download a “free” document. Along the same lines, another strategy is to give family, friends, and those you personally know one address, and use another address from Gmail or Hotmail for everything else. In the event that spam levels become uncontrollable, you can then abandon it without losing touch with family and friends. (As an aside, Gmail’s free spam filtering is top notch.)

Of course the problem may be your family and friends forwarding chain letters. If you’re lucky, a polite request may do the trick. If not, you may have to resort to the “reply-to-all with a link to snopes” technique and hope that a bit of embarrassment helps them to think next time.

On the other hand, if you like to forward chain letters, perhaps you’re the problem. Next time you get one check out snopes.com before you forward it. Chances are you’ll find it there, along with information on why it’s not true. Then hit your delete key.