Don't be the next Sarah Palin (security victim, not VP candidate)

TOPICS: Browser, Security

It looks like the Sarah Palin Yahoo mailbox attack mentioned by Ryan Naraine and Chris Wysopal is real. Assuming that you are a high-value target, let's talk briefly about how you can prevent this from happening:

  • Connect to your mailbox only from computers you trust.
  • Use complex, difficult to guess passwords.
  • As Chris Eng pointed out, you should carefully scrutinize the password reset policy used by the webmail system: if a "secret question" whose answer is a matter of public record is enough to reset the password, treat those answers as second passwords and make them up rather than answer truthfully.
  • Fetch your mail to your local system via IMAP and delete the messages from the server, so that a compromised webmail account exposes only what has arrived since your last fetch.
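
The fetch-and-delete step above, as an added example that is not code from the original post or from any webmail provider: a Python script using the standard library's imaplib that writes each message to disk, flags it \Deleted only once the local copy is fsync'd, and expunges once at the end. The `connect` helper and the `FakeIMAP` stand-in are this example's own names (the fake mirrors imaplib's return shapes so the script runs offline; the sample messages are constructed).

```python
"""Fetch-and-delete over IMAP: copy each message to local disk, then remove it
from the server. Added example, not code from the original post; it uses only
the Python standard library. `connect` and `FakeIMAP` are this example's own
names, not part of any webmail provider's API."""
import hashlib
import imaplib
import os
import tempfile


def connect(host, user, password):
    """Open a TLS IMAP session. Real-server entry point; not used by demo()."""
    conn = imaplib.IMAP4_SSL(host)
    conn.login(user, password)
    return conn


def drain_mailbox(conn, dest_dir, mailbox="INBOX"):
    """Save every message in `mailbox` under `dest_dir`, flagging each one
    \\Deleted only after its local copy is durably on disk, then expunge once.
    Returns the list of files written. A message that cannot be fetched is
    skipped and stays on the server."""
    os.makedirs(dest_dir, exist_ok=True)
    status, _ = conn.select(mailbox)
    if status != "OK":
        raise RuntimeError(f"cannot select {mailbox}")
    status, data = conn.search(None, "ALL")
    if status != "OK":
        raise RuntimeError("SEARCH failed")
    saved = []
    # Sequence numbers stay valid until EXPUNGE, so flagging inside the loop
    # and expunging once at the end is safe.
    for num in data[0].split():
        status, parts = conn.fetch(num, "(RFC822)")
        if status != "OK" or not parts or not isinstance(parts[0], tuple):
            continue
        raw = parts[0][1]
        # Content-addressed file name: duplicates collapse, and nothing from an
        # attacker-controlled header (Subject, From) ends up in a path.
        path = os.path.join(dest_dir, hashlib.sha256(raw).hexdigest() + ".eml")
        with open(path, "wb") as fh:
            fh.write(raw)
            fh.flush()
            os.fsync(fh.fileno())
        conn.store(num, "+FLAGS", "\\Deleted")
        saved.append(path)
    conn.expunge()
    conn.close()
    return saved


class FakeIMAP:
    """Offline stand-in for imaplib.IMAP4 with the same return shapes, so the
    example runs without a server. Messages in `fail_ids` refuse to FETCH."""

    def __init__(self, messages, fail_ids=()):
        self.messages = dict(enumerate(messages, start=1))
        self.fail_ids = set(fail_ids)
        self.deleted = set()
        self.expunged = False

    def select(self, mailbox):
        return "OK", [str(len(self.messages)).encode()]

    def search(self, charset, *criteria):
        return "OK", [" ".join(str(n) for n in sorted(self.messages)).encode()]

    def fetch(self, num, parts):
        n = int(num)
        if n in self.fail_ids:
            return "NO", [None]
        msg = self.messages[n]
        return "OK", [(f"{n} (RFC822 {{{len(msg)}}}".encode(), msg), b")"]

    def store(self, num, op, flags):
        self.deleted.add(int(num))
        return "OK", [None]

    def expunge(self):
        for n in self.deleted:
            self.messages.pop(n, None)
        self.expunged = True
        return "OK", [None]

    def close(self):
        return "OK", [None]


# Constructed sample input, not real mail.
SAMPLE_MESSAGES = [
    b"From: alice@example.org\r\nSubject: one\r\n\r\nfirst message\r\n",
    b"From: bob@example.org\r\nSubject: two\r\n\r\nsecond message\r\n",
]


def demo(fail_ids=()):
    """Drain the fake mailbox into a fresh temp dir; returns (paths, conn)."""
    conn = FakeIMAP(SAMPLE_MESSAGES, fail_ids)
    return drain_mailbox(conn, tempfile.mkdtemp()), conn


if __name__ == "__main__":
    paths, conn = demo()
    print(f"{len(paths)} saved, {len(conn.messages)} left on server")
```

Against a real server you would pass `connect(host, user, password)` in place of `FakeIMAP` and call `logout()` afterwards. The order matters: a crash between the write and the STORE leaves the message on the server, never the other way round, and a fetch that fails simply leaves that message in place for the next run.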

If you must use a webmail system and you want to be extra careful about web-based attacks, noted security expert Dino Dai Zovi suggested the following:

  • Use separate web browser applications, one (Internet Explorer, Safari, Firefox, Opera or Chrome) reserved for your critical accounts and a different one for general web surfing, so that a malicious page you happen to browse shares no cookies or session with your mailbox.

Stay tuned.


Talkback

46 comments
  • This is why professional orgs. such as AICPA...

    warn the members that using public e-mail services could expose them to possible malpractice lawsuits if client info is compromised.

    Use a third party cloud provider and risk everything.
    bjbrock
  • HER E-MAIL SITS IN YAHOO'S MEMORY!

    If you do not delete your e-mail it resides in Yahoo's memory at their ISP's location. The hackers hacked Yahoo!
    BALTHOR
    • They didn't hack Yahoo...

      they hacked Palin's password.
      bjbrock
  • You forgot cookies

    Yahoo! mail was reported vulnerable to the insecure cookie attack. Zero Day reported on this.
    alecco
  • Is it really that easy

    to hack someone's email account?
    owkmann
    • An article at Wired indicated...

      they cracked or guessed her password. Whether by brute force, packet sniffing or some other method they didn't say.

      I think it's a good idea, and we do this at my company, to lock an account after so many failed logon attempts. That probably wouldn't be very feasible for a provider such as Yahoo or Google. But then if you are going to use e-mail from a provider this big that cannot personally manage their network, as in hands on, then prepare to pay the price.
      bjbrock
      • Thanks (nt)

        nt
        owkmann
      • Update

        They got Yahoo to reveal her password by successfully
        impersonating her to their bots.

        They guessed she met her husband at Wasilla high based on
        her comment. It took them a few tries, but Yahoo didn't care.

        Then they entered in her birthdate, which is public record.

        Then, finally, they entered in the zip code of her home
        residence. Made possible by Democrat hacks who released all
        that stuff a couple of weeks ago (including part of her SS
        number).

        So, I guess lesson learned: Don't trust your data to the cloud,
        because they are the weak point in any chain.
        frgough
  • RE: Don't be the next Sarah Palin (security victim, not VP candidate)

    Anonymous is not a group of hackers - it's a leaderless collective of like-minded individuals, from all walks of life.

    http://www.enturbulation.org/press-media/faq
    DavidMudkip
  • DO NOT USE PUBLIC WEB MAILS

    such as gmail, yahoo, hotmail, etc., especially for business correspondence! only the ignorant use it!
    joemartn
    • Or those...

      Wanting a free temporary e-mail address they can get rid of when they don't need it any more.
      kirogl
    • I USE PUBLIC WEB MAILS

      I'm not ignorant. Hack away, Joe. I don't care.
      Badge3832
    • public web email is useful when...

      1. Your email provider has a technical problem

      2. You travel, and your provider does not provide the ability to connect from anywhere and any network

      3. You need to use email from the site that does not allow you to connect to your provider

      4. Your provider uses some cumbersome web mail application, there are plenty of them

      5. Attachment file size and paranoid attachment filtering.

      I am trying to avoid using public web mail because I run my own business, and it is essential for me to know exactly what my customers said and when, and what I replied and when. But, for the reasons above, I am forced to use public email sometimes.

      When it happens, I usually forward those mails to my main account, and I have a filter that treats them in special way.

      One of my customers has .zip files filtered out. Until we found out that we can use .rar and .tar.gz (which were ignored by their IT dep.) he used webmail.

      The bottom line is that I am NOT able to avoid public web mail completely.

      DG
      trenchsol
  • RE: Don't be the next Sarah Palin (security victim, not VP candidate)

    And Sarah Palin wants to be the next VP... She should stick to HOCKEY. A single cell aneba (did I spell aneba correctly??) would know better than to use a public e-mail address. Just think, she would only be a short heartbeat from the PRESIDENCY... That scares the HELL out of me, thank GOD that we have an alternitive by the name of OBAMA/BIDDEN....
    mr1koolken1
    • alternative...

      >we have an alternitive by the name of OBAMA/BIDDEN

      Yeah .. if you want this to become the Communist States of America......
      bobjones68@...
    • And we're supposed to...

      ...take political advice from someone who can't spell amoeba? ;)

      Seriously, this is one of the larger problems of the computing age: ordinary people's ignorance of just how insecure things like webmail really are, and how serious the risk of a cyber security breach is. I don't expect anyone, outside of the info-technically literate, to have a serious grasp of this, not even politicians -- _especially_ politicians, even Al Gore, who we all know invented the Internet. :p

      Guys and gals, the only thing we can really do is to educate both the public and the politicians to the best of our ability, but what that takes is for us to stop speaking to them in jargon and start speaking in plain language that they can understand. If we can do that, we have a chance, albeit just a chance, of seeing sane public policy coming out of our respective governments. If we _can't_ do that, then we're probably not as good at our jobs as we think we are.
      geekster
      • hear hear

        "Guys and gals, the only thing we can really do is to educate both the public and the politicians to the best of our ability, but what that takes is for us to stop speaking to them in jargon and start speaking in plain language that they can understand."

        With the reservation that "speaking in plain language that they can understand" generally means dumbing down, and that helps no-one.
        kirogl
        • But it doesn't have to mean ...

          ...dumbing down; in fact, it shouldn't mean that. It's admittedly a skill to be able to explain complex concepts in plain language, but it can be done. Look at what some of our top physicists do on the Science Channel. No, they're not explaining all the math of particle physics or string theory, but they're still conveying the principles involved in a manner that reasonably intelligent people can understand.

          One of the biggest mistakes technical people make IMO is to try to explain all of the nuances of a problem to someone who only requires the view from 5000 feet. We need to recognize that unschooled does not mean unintelligent; it only means that we need to explain things more broadly.
          geekster
    • Amoeba

      Since all Amoeba are single-cell (http://en.wikipedia.org/wiki/Amoeba), it probably doesn't need the adjective.

      No offence intended by my correction.
      eliavecellio@...
    • And they say Rabies is extinct, not so

      Buddy, get the shots, they are a pain in the stomach but you will feel much better when cured of this craziness...
      HawkCW4@...