At BlackHat 2006, the organizers handed out books titled “Perfect Passwords“, a fantastic writeup on selecting, using and evaluating passwords: “Author Mark Burnett has accumulated and analyzed over 1,000,000 user passwords and through his research has discovered what works, what doesn’t work, and how many people probably have dogs named Spot”. Unfortunately, some of the government attendees must have set that book aside to read later. They have the opportunity to reread the text at the book’s preview on Google’s book search.
Yesterday, a link to wikileaks.org made the rounds, along with comments for Sarah Palin, a U.S. Vice Presidential nominee currently in the political media limelight. She reportedly was accused of using a Yahoo! email account for government business to avoid requests under Alaska law for the communications, and hacktivists recently attained access to her Yahoo! account, although it is unclear how they attained access. They posted contents and an index of the mail account on the wikileaks site. Some screenshots of the information were posted on sites like gawker.com. The wikileaks site is either overwhelmed with traffic today or was altogether taken down last night. The Fbi and Secret Service reportedly are investigating the breach.
Simple security practices are necessary to follow. Use a strong password that you can remember, and it’s not “Spot” or “password” (see Perfect Passwords). Pay attention to what you are doing when using your computer and visiting websites or responding to IM and emails or requests for information, and finally, use the secure resources that include antimalware protection provided by your organization.
Update — it appears that the “Forgot your password?” feature was exploited to gain access. Standard security practices would have avoided that problem.
It looks like the hackers got the password by answering the”security questions” that Yahoo asks when you forget your password. Unfortunately, all the answers were publicly available, such as her zip code, where she met her husband, etc.
Security by obscurity doesn’t work once you become famous.