Palin e-mail hack raises new concerns
By
Shaun Nichols
23 September 2008 09:34AM
Tags:
information | personal | palin | security | warner
The bevy of personal information on the Internet could be making personal security questions a far less effective protection method.
Gary Warner, director of computer forensics research at the University of Alabama, Birmingham outlined the new risks which had surfaced in the aftermath of the Sarah Palin e-mail attack.
Warner said in a blog posting that the attack shows just how simple it can be to obtain information to foil the 'personal information' questions used by many web services.
The questions are intended to assure that only the intended user can reset an account's password. Users are asked information that a stranger would not know, such as an individual's zip code or pet's name.
As users put more of their lives online through the use of social networking and personal sites, however, Warner notes that more of that once-personal information is becoming publically available.
Warner pointed out that the information used by suspected hacker David Kernell to access the Yahoo mail account of Alaska governor and vice-presidential candidate Sarah Palin was found through a few Google searches.
Authorities have since tracked down Kernell's surfing history in performing the attack and recently raided his apartment.
Kernell was able to obtain Palin's zip code and birth date through a search, and figured out where she met her husband through online biographical information. Those three pieces of information were then used to reset Palin's password and access her account.
"Of course, it's worse if you are a celebrity," Warner noted.
"Governor Palin, after all, has a biography written that will answer most of these questions."
Warner pointed out, however, that with a little additional effort, information on regular people can be found on social networking sites.
An attacker could pick up a targeted user's personal information and employment history from sites such as LinkedIn and Facebook, while personal and family history information can be obtained from directory sites such as Classmates.com or genealogy sites.
To remedy the problem, Warner suggests a healthy dose of dishonesty. Users should enter false information when asked about personal history.
"Lie. Be dishonest. Do not tell the truth," wrote Warner.
"And then write down your security questions and put them wherever you keep your birth certificate and passport."
"They force you to have a security question, but please don't make it something the rest of the world can find out with a Google search."
Copyright © 2008 vnunet.com