Sarah Palins Email... the "Hacker's" Interview

[Zylstra]

http://itmanagement.earthweb.com/secu/article.php/3772981/The+Security+Lesson+in+the+Sarah+Palin+Email+Hack.htm

Sarah Palins email was recently hacked, as many of you know. She took the poor choice of using an @yahoo.com email address, meaning that there was a wonderful Password Recovery feature.
Details about how this feature was abused:

As it turns out, I was right. Here’s how the alleged hacker claims to have accessed the account (sic):

“…after the password recovery was reenabled, it took seriously 45 mins on wikipedia and google to find the info, Birthday? 15 seconds on wikipedia, zip code? well she had always been from wasilla, and it only has 2 zip codes (thanks online postal service!)

the second was somewhat harder, the question was “where did you meet your spouse?” did some research, and apparently she had eloped with mister palin after college, if youll look on some of the screen[shots] that I took and other fellow anon have so graciously put on photobucket you will see the google search for “palin eloped” or some such in one of the tabs.

I found out later though more research that they met at high school, so I did variations of that, high, high school, eventually hit on “Wasilla high” I promptly changed the password to popcorn and took a cold shower…"

Read more:
http://itmanagement.earthweb.com/secu/article.php/3772981/The+Security+Lesson+in+the+Sarah+Palin+Email+Hack.htm

Another story:
http://blog.wired.com/27bstroke6/2008/09/palin-e-mail-ha.html ( << A direct quote by the "hacker" contains a language obscenity)

[kpac]

Hadn't heard it actually. Nice story.

[drmsucks]

Why anyone would provide correct info to the "forgot your password" questions escapes me. The answers to all those questions are PASSWORDS and need to be treated as such.

If the answer to "Where'd you meet your husband" had been: -Pr$>68b&zhQ2)}52F, I don't think they would have gotten in.

[soybean]

I found out later though more research that they met at high school, so I did variations of that, high, high school, eventually hit on “Wasilla high” I promptly changed the password to popcorn and took a cold shower…"

ROTFL

[mcxeb52!]

I wonder what Palin's face looked like when she couldn't access her own account on first go 

[evilfantasy]

The question I have is where is the mention of the alternate email you need to retrieve the account information?

I said in another thread that since it's Yahoo I wouldn't doubt if the information was sold rather than hacked. It doesn't add up for me.

Like most web account services, Yahoo Mail provides an option to reset or recover one's user name and password. What is unclear is how the account recovery was rerouted from the alternative email address chosen by Palin to a secondary email address.

Palin's email account hacked via social engineering

[drmsucks]

I said in another thread that since it's Yahoo I wouldn't doubt if the information was sold rather than hacked. It doesn't add up for me.

Do you mean that you think that someone at Yahoo broke in to the account and sold the info?

[evilfantasy]

Yep. It's happened with Yahoo before in selling email addresses to spammers.

I have one Yahoo email that I have never used to sign up for anything. It collects spam daily.

[drmsucks]

Interesting...

[BC_Programmer]

Selling E-Mail Addresses is One thing, selling their passwords is another.

[evilfantasy]

True, but what I'm not getting is there is no mention of the alternate email address that is required to retrieve account info.

Just doesn't add up for me...

[drmsucks]

By "alternate email address," do you mean an address to send the password to - after answering the recovery questions?

[evilfantasy]

Yep. You need one to finish the security questions when registering a new account.

[Siscorskiy]

PWNED....

[kpac]

PWNED....

Hmmm?

[Siscorskiy]

She shouldnt have made the recovery questions "the real stuff"

 

[mcxeb52!]

it's a second password! Case Closed!

[Dead_reckon]

Yeah, I agree. I think her account was sold off. Sad world this is.

[parker90]

shes only got herself to blame.
 

[mcxeb52!]

shes only got herself to blame.
 

she must be glad that her email isn't important to the world. At least the email in the yahoo address that got hacked!

[!~*:.Pink Floyd.:*~!]

Shes a political candidate For Crying out loud.

you think Palin might have a personal Adviser that checks emails for her and notice how easy it is to get into her account.

[patio]

shes only got herself to blame.
 

So this makes it OK to do what they did ? ?
That's a twisted line of reasoning...

[squall_01]

no but the thing is you need to make them secure I dont use any of that just something close an a character from my one game. 

[mcxeb52!]

Not ok to be a hacker and hacking but also not ok to make things hack easy

[BC_Programmer]

not hacker ROXOR 712 15 sqr(12) 67 lulz mcgyver bullet straw!

[squall_01]

You want your password to be impossible to understand.

[mcxeb52!]

You want your password to be impossible to understand.

who cares about understanding it? I just need to know it;D

[squall_01]

thats what I'm saing like useing you birthday would be bad. oh crap have to change mine 

[kpac]

thats what I'm saing like useing you birthday would be bad. oh crap have to change mine 

Yes, but does anyone on here (besides yourself) know your birthday?

[patio]

yep...

[patio]

September 22nd 1988...

[typhoeus]

Right, well let's hack him then.  Quick, before he changes his password.

Yes, but does anyone on here (besides yourself) know your birthday?

Doesn't your name appear in bold on the birthday list on the main page if that exact day is your birthday?

[kpac]

Doesn't your name appear in bold on the birthday list on the main page if that exact day is your birthday?

Oh yea....

[mcxeb52!]

John MCCain: i am john mccain. i am now 72 years old and hoping that sarah learns enough to take over the presidency because i won't live too much longer.

[squall_01]

thats the truth but I can still have it differnt ways then that theres like 20 possible ways if that was my password an all so if you recall the one post it some what mentioned it.

[patio]

Once again squall you've illustrated it nicely...

[squall_01]

I did???

[evilfantasy]

I wonder how he feels now. Do they serve popcorn in jail?

Palin hacker indicted http://www.thesmokinggun.com/archive/years/2008/1008081palin1.html

A federal grand jury has indicted the son of a Democratic Tennessee state lawmaker for allegedly hacking into Sarah Palin's e-mail account.

A 20-year-old named David Kernell, f Knoxville, Tenn., the son of state Rep. Mike Kernell, was indicted yesterday by a federal grand jury for intentionally accessing without authorization the e-mail account of the vice presidential candidate.

Kernell, an economics major at the University of Tennessee, faces a maximum of five years in prison, a $250,000 fine and a three-year term of supervised release.
http://www.theglobeandmail.com/servlet/story/RTGAM.20081008.WBwbStumped082120081008102621/WBStory/WBwbStumped0821

Oh, and I think the word "hacker" is a bit over used here.

[typhoeus]

Oh, and I think the word "hacker" is a bit over used here.

Good point.

I wonder how he feels now. Do they serve popcorn in jail?

With the Friday night movies.

[Zylstra]

Well, the definition of Hacker fits...
But, still...

[street1 (RIP)]

I am from Georgia and would like to know,was he a hacker,or cracker?

[fireballs]

I agree with street he's a cracker. Hackers are best konwn for writing programs ('hacking' them down to fit on older HDD) what this guy did was social engineering with abit of common sense, if his story is to be believed.

FB

[street1 (RIP)]

I thought so fireballs,my son writes software for ProLogic
and he is a hacker.Only way to fix problems that have gone
 noisey flat...

[kpac]

Definitions:
Hacker
Cracler

 

[Zylstra]

Google Query: "Define: Hacker"

Definitions of hacker on the Web:

    * The term used to refer to someone skilled in the use of computer systems, especially if that skill was obtained in an exploratory way. ...
      www.contentverification.com/glossary/f-j.html

    * Originally used to describe a computer enthusiast who pushed a system to its highest performance through clever programming.
      www.smartbizconnection.com/advertising_glossary_index.htm

    * The dictionary defines "hacker" as a slang term describing a person who carries out or manages something successful. A hacker is someone who spends many hours with the computer often successfully operating it by trial and error without first referring to the manual. ...
      www.fas.org/irp/congress/1996_hr/s960605a.htm

    * This is someone who enjoys exploring and learning about computer systems. It is often confused with cracker, which is a person who has a mischievous attitude and often attempts to break into computer systems.
      www.broadband-guide.org.uk/jargon-buster.html

    * A person that accesses electronic information without permission in order to cause harm by creating a virus or worm.
      www.masd.k12.pa.us/facility/teachweb/sverdecchia/compterm.htm

[evilfantasy]

Social engineering

All social engineering techniques are based on specific attributes of human decision-making known as cognitive biases.[2] These biases, sometimes called "bugs in the human hardware," are exploited in various combinations to create criminal attack techniques, some of which are listed here:
http://en.wikipedia.org/wiki/Social_engineering_(security)