Attacker: Hacking Sarah Palin's email was easy

Summary: A college student identified as Rubico has claimed responsibility for hacking into Sarah Palin's personal email, and provided a detailed first-person account of how he hacked into the email account using the password "popcorn" which he managed to reset by successfully answering her security question “Where did you meet your spouse?”

A college student identified as Rubico has claimed responsibility for hacking into Sarah Palin's personal email, and provided a detailed first-person account of how he hacked into the email account using the password "popcorn" which he managed to reset by successfully answering her security question “Where did you meet your spouse?” by Googling for the answer:

"Hello, /b/ as many of you might already know, last night sarah palin’s yahoo was “hacked” and caps were posted on /b/, i am the lurker who did it, and i would like to tell the story. In the past couple days news had come to light about palin using a yahoo mail account, it was in news stories and such, a thread was started full of newfags trying to do something that would not get this off the ground, for the next 2 hours the acct was locked from password recovery presumably from all this bullshit spamming.

after the password recovery was reenabled, it took seriously 45 mins on wikipedia and google to find the info, Birthday? 15 seconds on wikipedia, zip code? well she had always been from wasilla, and it only has 2 zip codes (thanks online postal service!) the second was somewhat harder, the question was “where did you meet your spouse?” did some research, and apparently she had eloped with mister palin after college, if youll look on some of the screenshits that I took and other fellow anon have so graciously put on photobucket you will see the google search for “palin eloped” or some such in one of the tabs. I found out later though more research that they met at high school, so I did variations of that, high, high school, eventually hit on “Wasilla high” I promptly changed the password to popcorn and took a cold shower."

Originally blamed for the email hijacking, the Anonymous movement against the Church of Scientology has distanced itself from the hack:

"One of the main tenets of the anonymous movement against the Church of Scientology is to stay legal. Anonymous is no fixed group, just a term for anyone who acts without giving their name. We don't know who is responsible for the hack on Sarah Palin's mail account or what their attitudes to Scientology or anything else are. For us, they are anonymous, because we don't know who they are and they are not us."

Meanwhile, the owner of the Ctunnel.com service recently commented that if the attacker's screenshot hadn't included the complete URL using Ctunnel.com, it would have been hard to track him down through his service, since a lot of people log in to their Yahoo mailboxes while using it. Since the attacker did include the complete URL and, according to him, made the mistake of using a single proxy service instead of taking advantage of "proxy chaining" by using multiple different proxy servers/services across the globe, the FBI has already approached the owner of Ctunnel.com.

It's also worth pointing out that at the time of posting this, Wikileaks.org's article on "Sarah Palin Yahoo account 2008" has been defaced with the following message, reminding us that Wikileaks has a "fan club" too:

"I NOW HACK THIS WEBSITE! AREN'T YOUR PROUD OF ME, WIKILEAKS. I CAN PLAY YOUR GAME TOO!!!"

The massive media coverage is covering nothing more than an old-school password reset tactic, made possible by the oversupply of personal information regarding the victim. Moreover, this incident once again puts the "security question vulnerability" in the spotlight. Last month, a posting at SecuriTeam's blogs reasonably pointed out that personalizing the security question to something a little less obvious is a feature currently offered only by Gmail, which shouldn't be the case, despite the fact that anyone can give an entirely different answer to each of the common "security" questions asked:

"Anyone that knows my address can easily figure out the name of my first school or my high school mascot. All of my neighbors, family and friends know both my dog’s name and my dad’s middle name, and everybody in the world knows I just LOVE the Lakers. As for my wife and me, the people who attended our wedding had the chance to hear about it in the ceremony - in case you couldn’t make it, we met on a roof of a bus, in Ladakh, India in 1994…

The fact that the answer to each of the security questions above is relatively easy to find out, makes them a security vulnerability in my Yahoo! account. By letting me make a security key based on the name of my first school, Yahoo! actually puts me at risk, allowing anyone that knows where I live to hijack my account. It’s like saying “We have the greatest lock to protect your house. Now, why don’t we hide the key under the mat”."

Hacking is supposed to be about intellectual exploration, so resetting the password of someone's Yahoo mailbox, no matter if it's the Pope's, requires no more than two brain cells put into action. However, the political consequences and the long-term impact of this hack are an entirely different topic, yet to be discussed based on the interpretation of the data found within.
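The reset described above depended on repeated guessing at a publicly researchable answer, followed by an immediate password change. The sketch below is an added example, not code from Yahoo or from this article: a hypothetical server-side gate that caps wrong answers, locks recovery for a window, and on success only notifies a pre-registered channel. `RecoveryGate`, the policy constants, and the sample answer are assumptions constructed for illustration.

```python
import hashlib, hmac, os, time, unicodedata

MAX_FAILURES = 2               # assumed policy: wrong answers tolerated per window
LOCKOUT_SECONDS = 24 * 3600    # assumed policy: recovery disabled afterwards

def normalize(answer):
    """Fold case, Unicode form and spacing so the owner is not failed on formatting."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())

def hash_answer(answer, salt):
    """Store answers like passwords: salted and stretched, never in plaintext."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 100_000)

class RecoveryGate:
    """Hypothetical server-side gate in front of a security-question reset."""
    def __init__(self, answer, notify, clock=time.time):
        self.salt = os.urandom(16)
        self.digest = hash_answer(answer, self.salt)
        self.notify, self.clock = notify, clock
        self.failures, self.locked_until = 0, 0.0

    def attempt(self, guess):
        now = self.clock()
        if now < self.locked_until:
            return "locked"                      # even a correct answer is refused
        if hmac.compare_digest(hash_answer(guess, self.salt), self.digest):
            self.failures = 0
            # Success does not let the requester pick a password in-session;
            # it only triggers a message to the pre-registered channel.
            self.notify("reset link sent to registered secondary address")
            return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.failures, self.locked_until = 0, now + LOCKOUT_SECONDS
            self.notify("account recovery locked after repeated wrong answers")
            return "locked"
        return "wrong"

def replay(guesses, answer="Example High"):      # constructed sample answer
    """Run a guess sequence against a fresh gate; return results and alerts."""
    alerts, now = [], [0.0]
    gate = RecoveryGate(answer, alerts.append, clock=lambda: now[0])
    results = [gate.attempt(g) for g in guesses]
    now[0] += LOCKOUT_SECONDS + 1                # owner returns after the window
    results.append(gate.attempt("  example   HIGH "))
    return results, alerts

if __name__ == "__main__":
    print(replay(["high", "high school", "Example High"]))
```

Throttling bounds the number of guesses but does nothing when the first guess is right, which is why the success path here hands control to an out-of-band channel instead of accepting a new password.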

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Talkback

95 comments
  • The hacker could use a life

    Seriously, what a clown.
    LBiege
    • My guess is the prison system

      will give him that life.

      You know; tell him when to eat, tell him when to sleep, tell him when to go outside.

      Heck, he's going to have his life laid out for him every morning...
      John Zern
      • Prison

        Sounds good to me....
        samp1024
        • For her, May be

          I think he needs more school on learning how to shut up.
          nucrash
      • If he gets life, Palin should be fined.

        What a bunch of crap this is. She was the id10t who decided to use Webmail with a public password reset mechanism to which anyone could hack and crack with public information.

        The only thing he should go to jail for is being an attention whore.
        nucrash
        • huh?

          She did nothing wrong...you want to send someone to jail for what? Using Yahoo! Do you work for Google? If someone breaks into my house because I left the key under the mat, should I go to jail because I made it too easy? What a crackpot!
          cuba_pete@...
        • So you're saying

          You don't honestly believe the victim of a crime should be punished. If someone bashed in your door and hacked up your family, should you be punished because you only locked the door with the knob and chain?

          I don't know what planet you come from, but here on earth the perp goes to prison, and has to pay restitution to the victim.

          You crackpot Nutter
          thomasmarshall3@...
          • I don't know

            but shouldn't you think the next vice president of US of A should be a bit smarter than this? I would expect more than this. She could be the owner of the finger that could trigger the nuclear mass destruction weapon attack. It could be just a heart beat away, and that seems not too far away, if you select her boss.

            Oh, I forgot. You elected Mr Bush Junior last times...
            Jxn
          • We are not as smart as you

            and I would have thought Barry would have walked out of that church rather than sitting there for 20 years...
            aldotcom
        • computer crimes are way overpunished

          no different than someone opening your mail out of your mailbox. what's that like... maybe a fine (first offense?)
          pcguy777
      • and every night

        He'll also meet new "friends"
        decan9@...
    • I applaud the Hacker

      He is bringing to the public, the failings of our current system of resetting passwords.

      I am upset with his refusal to remain anonymous.

      Be glad this was some one state side involved in the hack, if this happened overseas, we wouldn't hear about it for some time.
      nucrash
      • Lets Just Think This Through,

        i dont care that she was hacked, i dont even care that the hacker came out about it.


        what i do care about is the lack of security on the web,
        the lack of common sense in government, and the inability of people to recognize that muckrakers, and catalyst of discussion are bringing to light issues that plague us whether we like them or not.

        we need to focus on the understanding that what palin did was not, ok. and even after being exposed about this in the media she continued to use this email address for state, and government business. do we want the president, and vice president to use a yahoo account for presidential, or government correspondence? is that wise? the answer is no on both accounts.


        i feel like we are getting hung up on the hacker. because it is such a dirty word. he didnt purge her bank account, or ruin her " good name" he merely used his knowledge of the system available and got hard answers for the public. confirming stories that she did use a personal account for state business. i dont think him a saint, but i dont think what she is doing is exactly prudent or acceptable either for someone in her position.

        while two wrongs dont make a right, i see one wrong as necessary to eradicate ones that can cost lives, and security for time to come. the wrong that led to exposing palin's ignorance about internet security is a minor one in comparison.

        more over, none of this media coverage about the hacking has mentioned that she uses this account and makes it such that the people on her cabinet had to use personal accounts, so as to escape those records from being seized in the event of an investigation. the ones on the government email would be of easy access to courts if demanded. the government would have to really try, in writing, to get the private messages of involved individuals into an investigation.

        this suggests that there is something to hide in her, government business.


        i give her the benefit of the doubt and agree to hear her campaign message with patience and a clear head. i dont have to agree with these practices nor condone or encourage her to continue doing this if appointed to serve the country.


        leave the hacker out of this, he is one person working for himself. she is trying to be one person who works for the country. in my opinion a way bigger deal...this is a setback for her credit with alot of Americans i think.
        epaph
        • Did any of the posters read what this guy

          said about ALL the messages in her Yahoo! email account? There was no evidence that she had ever used her Yahoo! email account to circumvent the requirement to use her official email account for official business. NONE!

          Also, he turns out to be the son of a Tennessee Democratic congressman. I wonder how dad feels about his son now? Remember, the FBI and Secret Service are looking into this, and that Democrat Congressman's son is in for some long, painful times in the justice system. It wouldn't matter if it were Sarah Palin, Biden, McCain or Obama, or some TV newscaster (just went down in Penn, by the way). This guy is toast, and notwithstanding what most of the commentors on the articles say, the majority of American Independent and even middle-of-the-road Democrats will use this against the Democratic ticket. Along with failing to win the Presidency the Democrats are doing everything they can to lose Congress, too.

          Walter M. Clark
          walterclark@...
          • Yep!

            I have to agree with you. Because someone is so eat up with the politics of Lemmings (Follow the crowd) they take everything that appeals to their positions and run with it..never questioning anything.

            We don't get to choose which laws we break, unless the law itself is un-lawful. The correct remedy, however, is to change the law if it's not acceptable, or lawful.

            The hacker broke federal laws and put his political associations at risk. We MUST have both parties if we are to survive as a republic. Without one or the other, we will quickly dissolve as a nation which the founders worked to preserve. Neither party can be allowed to exist without the checks and balances that serve to maintain some integrity.

            Some of us hate Democrats, some of us hate Republicans. We do this, sometimes, without any reasoning on our part. I can't bring myself to such a level of stupor. A stupor that can only see one side and it decrees that every one of the opposite view is wrong and evil. This is the mentality of ignorance.

            I have my favorites in politics, and I see those I would prefer not to see in power. Of the latter, I will not condone un-lawful acts against them.

            The media which may have displayed any part of her email account is complicit in this matter as well. If you display anything that is of a private nature, with foreknowledge that it was gained illegally, that puts you in the same company as the first criminal.

            Having said this, there was absolutely no proof of alleged official state's business being conducted. As usual, it's another chance to attack with prejudice and lack of knowledge. The hacker should meet the brunt of the Justice system, just as you or I would.
            swampcat@...
          • I have a question

            So, to all the people who think this "hacker" should rot in hell for eternity.
            When I was in highschool, my best friend and I stopped talking and she used info she knew about me to "hack" my email and other personal website accounts and mess around with them. Does this mean I can make her go to jail for 5 years??



            Sounds pretty ridiculous huh? So now, think about how ridiculous you sound.
            Andrae420
          • premature

            Hey, what do you think about this comment you made now, Mr. Walter Clark?? lol
            LiLac22281
        • Just think it through

          I suppose by your lack of concern for the act of the hacker, it would therefore be of little concern if someone were to stand at your mailbox and take your mail. I mean after all it is setting out there for anyone to take. Unless you use a post office box and then you are only vulnerable from those who can get behind the door.
          The Dem's didn't like it when the Water Gate crew went thru their correspondence.
          What the hacker did was a federal offense and they should ALL be prosecuted as well as those that posted any of the stolen items.
          garyrice@...
          • yes prosecute him

            but there are other issues to focus on outside of this.

            he did a bad thing to one person,

            she could have jeopardized many peoples safety and who knows what else if information about state business fell into the hands of someone who wasn't willing to come forward and expose the problem.


            what if a terrorist or someone with the intent to do harm to palin, or people around her, or the state of Alaska or what ever got a hold of this information and used it.


            we would all be praying this was uncovered sooner. by hacker or otherwise.

            both people are ridiculous. both palin for using this address and the hacker for feeling it necessary to break in.
            epaph
        • OK

          OK, I thought it through, and I continue to think what the hacker did was wrong, simply wrong, and illegal--and he (assuming it was a he) should have a chance to experience our justice system. If he is found guilty, he should suffer the consequences. Attempting to glamorize, and rationalize, his criminal behavior is also wrong, and only encourages more people with computer skills--and little sense of right and wrong--to infringe on others' protected privacy. I could be next, or you, or anyone, not just someone this hacker wanted to harm politically.

          I suggest you think it through, again.
          frabjous