Tuesday, September 23, 2008

It is a shame I don't have more time to write....? The "Questions" that lead to hacker attacks.

I haven't had much time to write on here because I am now in school and don't have much time to devote to watching and reporting on the newest security trends.

Intro:
But I thought I would just add a link to this interesting current event that I saw today. U.S. vice-presidential candidate Sarah Palin had her Yahoo email account hacked and the contents posted here: http://wikileaks.org/wiki/Sarah_Palin_Yahoo_account_2008


The Who:
The person who did it posted as "Anonymous", but was later identified as the hacker "Rubico", according to Dancho Danchev in his blog: http://blogs.zdnet.com/security/?p=1939

He claimed to have answered Yahoo's security questions, "What is your Zip code?" and "Where did you meet your spouse?", simply by guessing from information found on Wikipedia and through Google.

Rubico tried to keep himself anonymous by using a proxy server website that hides his IP address, named . However, in his haste to tell the world about his discovery, he left the proxy's hash in a screenshot... http://ctunnel.com/index.php/1010110A58a5cd1e8ab470889 82c83282fd768456ebe14f44221026

It is uncertain whether the FBI reconstructed his IP address from that or from the posts he left on other blogs and bulletin boards such as 4chan.com. Needless to say, they have a suspect: David Kernell, son of Tennessee representative Mike Kernell (check out http://www.wbir.com/news/local/story.aspx?storyid=64033&provider=top; the video in the top right shows witness accounts).

Conclusion:
What we should take away from this is that even a 45-character password using all the symbols, numbers and letters is worthless if we pair it with common security questions whose answers someone can guess from our MySpace or Facebook pages. The attacker never has to touch the password; the reset path is the weakest way in.

One thing I recommend, and practice, is to use a fake answer that only you know, unrelated to the real question, and keep it in your wallet or some other safe, non-electronic location.

Danchev states that Gmail currently allows you to write your own question, which makes it harder to guess, unlike Yahoo, Hotmail and others, which use a fixed set of standard questions.
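To make the "weakest link" point concrete, here is an added example (my own code, not from the post or from any of the sites it links) that models account strength as the minimum over the password and the recovery questions, and then shows what changes when the real answers are replaced by random, unrelated ones as the post suggests. The answer-space sizes, the assumption that every recovery question must be answered, and the 16-word list are all constructed for illustration.

```python
# Added example (not code from the original post): a weakest-link model of
# account strength, contrasting a strong password with guessable security
# questions, plus a generator for random, unrelated "fake" answers.
# All answer-space sizes and the word list below are constructed assumptions.
import math
import secrets
import string

# Size of the printable ASCII alphabet a strong password is drawn from.
PRINTABLE_ALPHABET = len(string.ascii_letters + string.digits + string.punctuation)  # 94

# Constructed estimate of how many candidates an attacker must try per question
# when the real answers are used. 1 means the answer is effectively public
# (a zip code listed on Wikipedia); 50 means a short list of plausible towns.
GUESSABLE_QUESTIONS = {
    "What is your zip code?": 1,
    "Where did you meet your spouse?": 50,
}

# Constructed 16-word list; a real passphrase list (Diceware has 7776 words)
# gives far more bits per word.
WORDLIST = [
    "anchor", "basil", "cobalt", "delta", "ember", "falcon", "granite", "harbor",
    "ivory", "juniper", "kestrel", "lantern", "marble", "nectar", "orbit", "pepper",
]


def entropy_bits(space_size: int) -> float:
    """Bits of work to exhaust a space of `space_size` equally likely candidates."""
    if space_size < 1:
        raise ValueError("answer space must contain at least one candidate")
    return math.log2(space_size)


def password_bits(length: int, alphabet_size: int = PRINTABLE_ALPHABET) -> float:
    """Entropy of a uniformly random password of `length` symbols."""
    return length * math.log2(alphabet_size)


def recovery_bits(questions: dict) -> float:
    """Strength of the reset path. Assumes (as in the Yahoo case above) that
    every question must be answered, so the per-question bits add up."""
    return sum(entropy_bits(n) for n in questions.values())


def effective_account_bits(password_length: int, questions: dict) -> float:
    """An account is only as strong as its weakest way in: the smaller of the
    password's entropy and the recovery questions' combined entropy."""
    return min(password_bits(password_length), recovery_bits(questions))


def random_answer(n_words: int = 4, wordlist=WORDLIST) -> str:
    """A 'fake' answer unrelated to the real question: random words drawn with
    the OS CSPRNG. Written down offline, nothing about it can be recovered
    from a social-network profile."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def hardened_questions(questions: dict, n_words: int = 4, wordlist=WORDLIST) -> dict:
    """Answer space after replacing each real answer with a random n-word answer."""
    return {q: len(wordlist) ** n_words for q in questions}


if __name__ == "__main__":
    print(f"45-char password:         {password_bits(45):6.1f} bits")
    print(f"real answers, combined:   {recovery_bits(GUESSABLE_QUESTIONS):6.1f} bits")
    print(f"effective (real answers): {effective_account_bits(45, GUESSABLE_QUESTIONS):6.1f} bits")
    hardened = hardened_questions(GUESSABLE_QUESTIONS)
    print(f"effective (fake answers): {effective_account_bits(45, hardened):6.1f} bits")
    for q in GUESSABLE_QUESTIONS:
        print(f"  {q!r} -> {random_answer()!r}")
```

Run as-is, the script reports roughly 295 bits for the password and under 6 bits for the two real answers combined, so the account's effective strength is under 6 bits; with four random words per answer from even this tiny list it rises to 32 bits, and a full-size word list would push it much higher. The lesson is the min(): hardening the password alone changes nothing.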

For more detailed information check out:
http://blog.chess.com/billwall/a-chess-playing-hacker
(apparently David was a regular on the site, and they made a very detailed post describing everything that has happened, including the prison sentence he may face)