This case makes a rather interesting discussion piece for a course I teach on Internet Security… and reminds me of the many conversations I’ve had with security colleagues in the past when I was involved with the implementation and institutionalization of authentication credentials, access control procedures, authorization mechanisms, and single-sign-on (SSO) implementations.
The gist of the story about Sarah Palin’s Yahoo! email hacking is that the intruder gained access via the forgotten-password mechanism on the Yahoo! webmail interface. By following the typical verification prompts and challenge questions, the intruder was able to reset the profile's password. All that was needed were a few pieces of information that were easily acquired through Google searches and Wikipedia entries about the Alaska Governor. Overall, this was a hack of a knowledge-based security mechanism, and it is also a classic illustration of the importance of proper password management. It demonstrates how our common password habits can expose us to a rather simple security hack. That being said, the consequential impact of this simple hack can turn out to be something quite destructive, such as the disclosure of confidential information.
Relevant details and a quick chronology of this incident are as follows:
- The person (let's call him Rubico) who hacked into Sarah Palin’s Yahoo! account used “an anonymizer” service called CTunnel (http://www.CTunnel.com) to browse to the Yahoo! email service site.
- Rubico used Sarah Palin’s email address on the login screen and clicked on the "Forgot your ID or password?" link. He knew Palin’s correct email address from several online websites of government institutions, groups and committees that Palin had served on.
- Rubico was then prompted to either supply an alternative email address for resetting the password, or to choose the option to reset without access to a registered email account. To me, this option to bypass the alternative email mechanism is an obvious red flag. Rubico, as can be expected, chose the latter option.
- At this point, Rubico was asked to answer a "secret" security question. This so-called knowledge-based authentication is supposed to add an additional layer of validation in a single-factor authentication scheme, whereby the end-user has to provide something else he/she knows. In Palin’s case, her “secret” question was “Where did you meet your spouse?”, and Rubico had found the information to answer this question through public sources. Apparently, she had revealed in her TV interviews that she and her husband were high school sweethearts. So Rubico tried a couple of variations of the name of the local high school where she grew up and eventually got a hit on “Wasilla High”.
- Finally, the Yahoo! account profile verification prompts ask the requester to verify the ZIP code and country. Once again, for public figures such as Palin, this information is commonly available.
- Once Rubico entered the correct answer to that single “secret” question and completed the profile verification prompts, he was immediately allowed to change Palin’s password, and he promptly changed it to “popcorn”. At this point, if you’re like me, you’re probably wondering why Yahoo! didn’t make the password reset mechanism and the validation workflow a little more challenging.
- The only somewhat positive aspect of the validation workflow is its last step, where the end-user is notified that his/her account is now "up to date" and that he/she will also receive an email on the alternative email account with a notification of the changes that were made to the account. This is probably how Palin would have discovered that her Yahoo! email account was compromised, but alas, that news was already out in the open through numerous chat channels and public discussion forums.
So, it’s pretty apparent in this situation that the authentication mechanism is only as strong as its weakest component, and the fact that there is an option to reset the password without ever having to leave the browser window is a critical flaw in the validation workflow. Why not include an out-of-band multi-factor authentication component to authorize security-related changes such as password resets? Why not use something similar to MyOpenID (http://www.myopenid.com) or Passpack (http://www.passpack.com) to complement or strengthen the current procedures?
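To make the difference concrete, here is an added example (my own model, not Yahoo!'s code or anything from the incident) that puts the knowledge-only reset workflow described above beside a hardened one: the secret question merely gates sending a one-time code to the registered alternative address, there is no "reset without that address" option, and wrong guesses are capped. The `Account` fields, the three-attempt limit and the sample values are all assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

MAX_KBA_ATTEMPTS = 3  # assumed policy: lock the secret question after this many wrong guesses

@dataclass
class Account:
    # Constructed sample record; every field name and value here is hypothetical.
    email: str
    secret_answer_hash: str     # sha256 of the normalised "secret" answer
    zip_code: str
    country: str
    alt_email: str = ""         # registered out-of-band address; empty = none on file
    password: str = "unchanged"
    failed_kba: int = 0
    pending_code: str = ""      # one-time code awaiting confirmation

def norm_hash(answer: str) -> str:
    # Normalise case and whitespace so "Wasilla High" and " wasilla high " compare equal.
    return hashlib.sha256(answer.strip().lower().encode()).hexdigest()

def reset_knowledge_only(acct: Account, answer: str, zip_code: str, country: str, new_pw: str) -> bool:
    """Weak flow (the pattern described above): every input is something the requester
    knows, so public facts about the account holder are enough to set a new password."""
    ok = (hmac.compare_digest(norm_hash(answer), acct.secret_answer_hash)
          and zip_code == acct.zip_code and country == acct.country)
    if ok:
        acct.password = new_pw
    return ok

def request_reset_out_of_band(acct: Account, answer: str) -> str:
    """Hardened flow, step 1: the secret question only gates sending a one-time code to the
    registered alternative address; no in-browser bypass, and guesses are capped."""
    if not acct.alt_email or acct.failed_kba >= MAX_KBA_ATTEMPTS:
        return ""                       # nothing sent: no out-of-band channel, or locked out
    if not hmac.compare_digest(norm_hash(answer), acct.secret_answer_hash):
        acct.failed_kba += 1
        return ""
    acct.pending_code = secrets.token_urlsafe(8)  # delivered to alt_email, never shown in-browser
    return acct.alt_email               # where the code went, so the caller can notify the user

def complete_reset_out_of_band(acct: Account, code: str, new_pw: str) -> bool:
    """Hardened flow, step 2: only whoever holds the out-of-band code can change the password."""
    if not acct.pending_code or not hmac.compare_digest(code, acct.pending_code):
        return False
    acct.pending_code, acct.failed_kba = "", 0
    acct.password = new_pw
    return True
```

In the weak flow a guessable answer plus a ZIP code and country is the whole check; in the hardened flow the same guess only triggers a notification-bearing code to a channel the requester must actually control.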