Imagine waking up one day to this news flash: “Your pastor’s private e-mail hacked, family photos raided; cesspool blog gloats; feds investigate!”
No lie, folks: when I wrote my post yesterday entitled ‘5 simple steps to stronger passwords’ it was well before the Palin story got out – I just set the ‘Publish’ timer later in the day to catch the lunch crowd.
That said, the hack of Sarah Palin’s email account via Yahoo’s password recovery system serves as a wake-up call that screams that no matter how strong a password you use – if you have weak password recovery questions – you’re open for an attack.
So before I can offer my famous list of 5 ways to strengthen your email recovery security questions, let’s quickly look at ‘The story behind the Palin e-mail hacking’ via my plain-English account of how they hacked Sarah Palin’s Yahoo account over at blogs4God.com.
- Last week, the Washington Post published an article about Sarah Palin’s use of a private Yahoo e-mail account, allegedly for State business.
- email@example.com is published for public consumption by ThinkProgress.org and CommonDreams.org.
- A hacker identified as firstname.lastname@example.org spends less than an hour obtaining the personal information about Palin needed to successfully fill in the blanks to the following Yahoo Password Recovery questions:
- Birthdate: via Wikipedia (15 seconds)
- Zipcode: all 2 of Wasilla’s zip codes via the U.S. Postal Service online
- Where did you meet your spouse: “Wasilla high”, after said hacker spent some 40-odd minutes chasing down various Google stories on Palin’s personal life.
- rubico – posts the above on a bbs entitled /b/ hosted at 4chan.org.
And there you have it: a public person whose birthdate is going to be published, from a small town with only 2 zip codes, need only wait for someone to read one of 1,000 accounts that she married her high-school sweetheart.
But Dean, I’m not a public figure. Should I worry? Glad you asked …
- find a blog post, a sermon, a Twitter tweet, or an RSS feed cache that talks about your birthday and/or place of birth;
- use a domain search, or a Facebook, StumbleUpon or MySpace page that lists your city of residence;
- use either of the above techniques to find out:
- your city of birth, via a reference to your childhood, favorite sports hero, church or school, a biographical write-up for an award, an article or other citation
- your mother’s maiden name, through a genealogical reference or perhaps a past discussion of your wedding
- the name of your pet, via a Flickr or Picasa gallery entry
- any of the above through clever social networking – such as a phone call to a friend, a ‘coincidental’ meeting, a dive through the dumpster, mailing you a bogus contest entry or setting up a seemingly benign web service that collects the same information for malicious purposes.
As you can see, it’s not that hard for someone determined enough to get your data.
Okay man, I’m freakin’ out, what do I do? Glad you asked …
Here are 5 things you can do to overcome the security flaws associated with information submitted to an Internet service (or even cell phone provider) during registration and/or its associated self-service password reset services:
- select something that can’t be easily guessed
- select something that can’t be easily researched
- select something that won’t change over time
- select something that is not complicated and easily remembered
- select something you haven’t used elsewhere
Now in some cases, it is not possible to enter your own security question. In those cases, you can possibly enter information about someone else you can remember – like a family member, a fictional character from a favorite book, or a historical figure – just so long as you don’t mention online said family members, books, etc …
In those cases where you can select a security question, I’d recommend taking a trip to resources such as “Examples of Security Questions” where you can either copy – or better yet – derive a question that’s easy for you, and impossible for others.
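Here is what the five rules look like from the other side of the counter, as an added example (my own code, not anything from the original post, from Yahoo, or from any other provider): a service-side check that scores a proposed recovery answer the way the Palin attack exploited it. It treats the earlier list of recovery questions (two zip codes, a published birthdate, a meeting place found in 40 minutes of searching) as tiny answer spaces, and rejects answers that overlap what the service already holds about the user, since anything the service holds is usually findable. The profile data, the question list, the answer-space sizes and the 20-bit threshold are all constructed assumptions for illustration.

```python
import math
import re

# Rough, constructed estimates of how many plausible answers a common recovery
# question really has. The post's case: a town with 2 zip codes, a birthdate
# printed in Wikipedia, a meeting place found in 40 minutes of searching.
SMALL_ANSWER_SPACES = {
    "zip code": 2,
    "birthdate": 365 * 80,
    "favorite color": 12,
    "meet your spouse": 50,
}

# Hypothetical policy threshold: an answer should cost at least this many bits
# of guessing work (2**20 is roughly a million tries).
MIN_GUESS_BITS = 20.0

# Constructed sample registration profile: the kind of data a service holds,
# and the kind an attacker can reassemble from public sources as the post shows.
SAMPLE_PROFILE = {
    "username": "jdoe.pastor",
    "birthdate": "1964-02-11",
    "zip": "12345",
    "city": "Wasilla",
    "high_school": "Wasilla High",
}


def normalize(text):
    """Lower-case and strip everything but letters and digits, so that
    'Wasilla High' and 'wasilla-high' compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def guess_bits(question, answer):
    """Estimate the bits of guessing work an attacker faces for this answer.
    A question with a known tiny answer space is scored by that space, no
    matter how long the answer is; free-text answers are scored at a
    conservative ~2 bits per character, since they are usually names or
    dictionary words rather than random characters."""
    q = question.lower()
    for key, space in SMALL_ANSWER_SPACES.items():
        if key in q:
            return math.log2(space)
    return 2.0 * len(normalize(answer))


def check_answer(question, answer, profile, password, other_answers=()):
    """Return the list of violated rules (an empty list means the answer passes).
    Rules 1, 2, 4 and 5 from the post are checked here; rule 3 (won't change
    over time) is not something software can verify and is left to the user."""
    problems = []
    norm = normalize(answer)

    # Rule 4: easy to remember really means 'not absurdly long', plus a floor
    # so that one-letter answers are rejected outright.
    if not 3 <= len(norm) <= 64:
        problems.append("rule 4: answer must be 3-64 letters/digits")

    # Rule 1: not easily guessed.
    bits = guess_bits(question, answer)
    if bits < MIN_GUESS_BITS:
        problems.append("rule 1: about %.1f bits of guessing work, need %d"
                        % (bits, MIN_GUESS_BITS))

    # Rule 2: not easily researched. Anything the service already holds about
    # the user must not appear in, or contain, the answer.
    for field, value in profile.items():
        pv = normalize(str(value))
        if len(pv) >= 3 and (pv in norm or norm in pv):
            problems.append("rule 2: answer overlaps your registered %s" % field)

    # Rule 5: not used elsewhere (the password or another recovery answer).
    reused = {normalize(password)} | {normalize(a) for a in other_answers}
    if norm in reused:
        problems.append("rule 5: answer reuses your password or another answer")
    return problems


if __name__ == "__main__":
    pw = "correct horse battery"
    for q, a in [("Where did you first meet your spouse?", "Wasilla high"),
                 ("What is your zip code?", "12345"),
                 ("What was the name of the first car you drove?",
                  "green hornet casserole")]:
        print(q, "->", a, "->", check_answer(q, a, SAMPLE_PROFILE, pw) or "OK")
```

Run it and the two Palin-style answers are rejected on both the guessability and the researchability rules, while an answer that is a private, memorable phrase with no counterpart in the profile passes. The scoring is deliberately crude: the point is that a provider can measure the answer space of its own questions, and that a question whose honest answer is a matter of public record should not be offered at all.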
Otherwise, you may find yourself splashed all over the news the same way Sarah Palin did, the hard way:
- 10:49 – TechVoice writes ‘Hackers break into Sarah Palin’s inbox!’
- 1:00 PM on Wed Sep 17 2008 – ‘the Gawker posts the WikiLeaks’ material, photos and all, under the auspice of “Did the internet just cause Sarah Palin to destroy evidence?”
- 2:00 PM – Wired News reports the story, receiving confirmation from Amy McCorkell that she indeed sent the message that appears in one of the screen shots.
- 3:00 PM – Michelle Malkin blogs ‘Sarah Palin’s private e-mail hacked, family photos raided; cesspool blog gloats; feds investigate’
- 4:40 PM – the Register.co.uk reports ‘Anonymous hacks Sarah Palin’s Yahoo! account’
- 5:00 PM – Fox News broadcasts ‘Palin’s E-Mail Account Hacked, Published on Web Site’
- 06:15 PM – the Drudge Report broadcasts the Fox News broadcast
- 7:00 PM – Michelle Malkin writes ‘Gawker lies again’ in response to the Gawker effectively mirroring the WikiLeaks story – family photos and all
- 7:30 PM – Michelle Malkin publishes ‘The story behind the Palin e-mail hacking’, which includes an email from a tipster who captures all the dialog about 4chan.org, /b/ and email@example.com
- 7:30 PM – CNN writes that the McCain camp seeks an investigation over the reported e-mail hack
- 9:11 PM – the SF Gate writes ‘Hackers break into Sarah Palin’s e-mail account’, going on to give out Todd Palin’s email address with an explanation of how it was derived
- 9:22 PM – the Register.co.uk reports ‘Memo to US Secret Service: Net proxy may pinpoint Palin email hackers’
- 11:30 PM – my wife tells me, I begin writing this chronology
- At some point in the day, ICANN deleted the DNS entry for WikiLeaks
Get the picture?