posted Sep 19, 2008

Michelle Malkin has the story behind the Palin email hack. (Warning: Link to Michelle Malkin, if you're sensitive about that. But the email quoted by that post is as close to primary source as I can get.)

In summary, Palin's email account was hacked by exploiting the fact that Palin's answers to the security questions that allow a user to reset their password could be even-more-easily-than-usually guessed by accessing public information, which then permitted full access to her account.

I wanted to discuss this situation from a computer security point of view, because there's a lot of interesting stuff going on in this example.


A later posting contains an AP reporter quoted as saying the following:

If Gov. Palin hadn’t been using a consumer-level Yahoo! account (more than one, actually) this crime wouldn’t have happened because the hacker exploited the service’s “forgot-my-password” mechanism, which is inherently insecure.

Previously disclosed e-mails indicate her administration embraced Yahoo! Accounts, among other reasons, because of questions over whether personal e-mail accounts are covered under Alaska’s Open Records Act. Palin’s critics in Alaska were poring over records they had obtained from the governor’s office of official internal e-mail communications and causing political hay.

The issues are inextricably linked.

In the context this comes from, this is intended as a defense of AP's actions. I find that weak, because the accusation that someone is breaking the law is not a pass to break the law yourself, even if the hacker was thinking of this, which I'll give a probability of 0%, rounded to the nearest percent. But this is not the thing I really want to talk about, because what's done is done. I wanted to talk about that first paragraph.

Yahoo! provides email to who knows how many millions of people. It is a free consumer-grade product, which people entrust huge chunks of their personal lives to. Consequently, if they lose their password, they demand a way to get it back easily. Yahoo, of course, is in no position to deal with the thousands of support requests per day this can generate for a service they make little-to-no money on. (Yes, there are ads, but if they were providing any sort of human-based support for this product the profits, if any, would get eaten through in nothing flat.)

Therefore, Yahoo implements their password recovery service in the industry-standard way. They offer you some personal questions when you sign up, and if you can answer those personal questions, you are allowed to reset your password.

Many other online services that offer something other than email would mail you a token to change your password, or if they are less security-conscious, mail you your password. Obviously, for an email service this is not an option, so Yahoo is forced to give you the ability to change your password if you answer these questions.

The result is that these answers to your personal questions function as a secondary password. It doesn't matter if your normal password is eighteen characters long with five symbols and a number; if your proverbial "mother's maiden name" can be guessed, your account is wide open.

This causes two major problems. First, as in Palin's case, a lot of data is available online. Accounts owned by high-profile people like Palin are particularly easy, but a lot of people have a surprising amount of data online. This allows the general public a good shot at penetrating your email, if they can match up your real identity to an email.

Secondly, and more ironically, it weakens security against the people we're most concerned about seeing our email. Who would you rather allow into your account, a random human chosen from the United States, or your mother? Perhaps your conscience is clean and your email completely uninteresting to everyone you know, but in the general case, the people that it is most important to you to secure your email from are also those who are most likely to know the answers to your security questions.
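To put rough numbers on the "secondary password" point and on the two problems above, here is an added illustration that is not part of the original post. The answer-space counts and the guesser categories (`stranger`, `public_records`, `family`) are constructed assumptions, and the password is treated as uniformly random over the 94 printable ASCII characters.

```python
import math

# Constructed estimates (assumptions, not measurements): how many plausible
# answers each kind of guesser must consider for each recovery question.
ANSWER_SPACE = {
    "mother's maiden name": {"stranger": 5000, "public_records": 3, "family": 1},
    "city of birth":        {"stranger": 2000, "public_records": 1, "family": 1},
    "first pet's name":     {"stranger": 1000, "public_records": 50, "family": 2},
}

def password_bits(length, alphabet=94):
    """Entropy in bits of a uniformly random password over `alphabet` symbols."""
    return length * math.log2(alphabet)

def reset_space(questions, guesser):
    """Number of answer combinations the guesser must cover on the reset form."""
    space = 1
    for q in questions:
        space *= ANSWER_SPACE[q][guesser]
    return space

def reset_success(questions, guesser, attempts):
    """Chance of passing the reset form within `attempts` tries, assuming the
    candidate answers are equally likely."""
    return min(1.0, attempts / reset_space(questions, guesser))

def account_strength(pw_length, questions, guesser):
    """Effective strength in bits: the weaker of the login and reset paths."""
    paths = {
        "password": password_bits(pw_length),
        "reset questions": math.log2(reset_space(questions, guesser)),
    }
    weakest = min(paths, key=paths.get)
    return weakest, paths[weakest]

if __name__ == "__main__":
    qs = ["mother's maiden name", "city of birth"]
    for guesser in ("stranger", "public_records", "family"):
        path, bits = account_strength(18, qs, guesser)
        print(f"{guesser:15} weakest={path:16} {bits:5.1f} bits  "
              f"reset success in 5 tries: {reset_success(qs, guesser, 5):.0%}")
```

With these assumed figures the eighteen-character password never decides the outcome: the reset form is the weakest path for every guesser, and it collapses to zero bits for anyone who already knows the answers.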

My wife also happens to have an account on Yahoo. I know the password, and my wife knows I know the password (at times when she is on the road she'll call me up at work and ask me to check it), but if I pretend I don't and try the security question, I got it right in one try. Many of her friends and family could have gotten it, too.

She doesn't care. I've actually explained this to her, and I agree that for her, it's no big deal. This is likely true for the majority of users on Yahoo's network. This is why Yahoo works this way.

But of course this isn't true for all users of Yahoo email, as Palin demonstrates, governor of Alaska being a sufficiently important position to justify worrying about security, even before being a VP candidate. But knowing about security is hard. No sarcasm. At the very least, you need to sit through a lecture containing the contents of this blog post, most likely based on impenetrable legalese if you expect the service itself to do it, and even this remains only a summary tightly focused on issues arising with Yahoo email; this isn't even sufficient to make a decision about web mail in general, let alone computer security as a whole. As has been abundantly demonstrated, computer security ignorance is rampant, and if education was going to be the answer, we'd have seen some evidence of it working. There is no such evidence, and abundant evidence to the contrary. Computer security lately has been focused on trying to make security fool-proof, because even with the well-known problem of "better fools", it's still the only choice we've got.

So, finally I come around to the interesting question which I'd like to mention, which is: Whose fault is this? As always, it depends on how you define fault, but for the purposes of this blog post, I'm going to defend the claim that this is nobody's fault... or very nearly so, since obviously the hacker bears some responsibility. But even so, I contend it's less than you might think.

Both Yahoo and Palin behaved rationally, given the constraints of reasonable knowledge for the kind of entity they are and their personal interests. Yahoo can't help but work the way it does, or simply shut the service down. In a competitive market, that simply means some other email provider would emerge, face the same design constraints, and create the same system. Secure email is incompatible with free email, because of the costs of providing human-based support.

And even human-based support is harder than you think, because the very easiest human-based support would still be based around these simple security questions, which might require a bit more social engineering to exploit, but would still have been penetrated. Actually secure human support is more expensive yet, and would require a lot of cooperation from the users, which, again, is incompatible with a free service. In a competitive market, Yahoo faces two choices: Offer free, insecure email, or offer nothing at all. There is no third choice for a "free, secure" email system; by its very nature, secure email requires a certain level of commitment to security from the customer that a "free" customer base is not going to bring to the party.

Palin, being a government worker, had no reason to believe that answering these security questions was anything other than what Yahoo describes it as; Yahoo describes this on its email account sign-up form as "In case you forget your ID or password...", and if there is any hint of what I've just talked about, it's buried in the legalese I mentioned earlier, which I'm not going to comb through to see if it is there because part of my point is that no normal person will. I might be willing to mock a programmer for not thinking through the implications of the "security question" I've just laid out for you... in fact, scratch the "might", I definitely would... but I would not be willing to mock anybody without that knowledge and experience, any more than I'd appreciate being mocked for my lack of even relatively-basic knowledge of organic chemistry, or any other similarly rich, technical topic. It shouldn't take years of college education to understand the implications of signing up for a free email account... but, alas, it sort of does. (Or you could read this post, of course, but I couldn't arm you with enough knowledge to independently derive this conclusion on your own in anything like a post of this size.)

The hacker, as I said, obviously bears some responsibility, but as with Yahoo, there's a large, competitive market here, and if this particular person hadn't done it, somebody else would have. (Many others tried, though we'll never know how many.) In fact, it was so easy that a fairly inept hacker was the one who pulled it off, as evidenced by the fact that despite using a proxy service, against all odds he still managed to leave enough info to get the hack traced back to him fairly easily and quickly, so it seems. (Boo to those who released a name at this stage of the investigation.) I won't guarantee I wouldn't have been caught with the full resources of the relevant federal agencies brought to bear on me, but I will guarantee I wouldn't have used a proxy not even designed for anonymous use, nor would I have left any URL in any screenshots for anyone to find! I sort of feel bad for this guy, because stumbling into the Feds' crosshairs like this shouldn't be this easy. Ultimately, that's not an excuse, but I can still feel a bit sorry for him.

The final verdict is that computer security is really hard, because security is fundamentally predicated on the user's ability to protect him- or herself, and that is a horrible thing for security to be predicated upon!

That's it. That's all the conclusion I've got. No solutions, no improvements, because I don't think there are any possible. Everyone acted perfectly rationally (as I would say the proposal that everybody needs to spend huge amounts of time to learn about security is totally irrational; even limiting it to "those who should know better" is an impossible educational task), and the end result was totally insecure. How do you fight that?

 
