Thursday, September 18, 2008

Publicity Yahoo doesn’t need

By now, everyone knows that Governor Sarah Palin uses Yahoo for her e-mail, thanks to the anonymous group (named “Anonymous”) that broke into her e-mail account and shared it with the world. While Federal agents are investigating the invasion of privacy, and pundits filter the revelations through their pre-existing opinions (either for or against), to me it was remarkable how banal the revelations were.

But from a business standpoint, what seemed important was the reaction by security experts that of course no enterprise should use free webmail services for official business. As someone who used to plan security policies for his (small) firm’s IT infrastructure, my initial reaction was that this was just snobbery on the behalf of these “experts” to sell their expertise. (And, of course, the obligatory slew of press releases by firms seeking to capitalize on the revelation).

Since remotely-accessible e-mail systems are only as good as their passwords, the one key issue for any service is how facistic the password security algorithm is. If the guv used “ToddTrig” as her password then anyone could have guessed it with a hacking attack — whether the mail was hosted by yahoo.com or state.ak.us. If it requires a number and a letter and rejects things that are too easy, that would be better. However — as any CS-educated user will tell you — if they require changing the password every 6 months, all that means is that people will write down their passwords (a no-no) and it would provide no security at all against this attack.

(Many organizations require a VPN for remote access to any corporate information, which used to seem like overkill but today does not. However, requiring a VPN means that people will say “use my personal e-mail account” when business associates want to contact them on vacation).

The one line of argument that did seem persuasive is the area of password recovery:

Password recovery procedures are an area where the balance between security and usability is so blurred that most times the security aspect is non-existent, despite appearances. The leading theories about how the breach to Sarah Palin's account came about were that it was through the password recovery options associated with the Yahoo webmail interface.

Even if a user has selected non-standard secret questions, or has linked other email accounts, this sort of information isn't going to take a determined hacker very long to dig up, especially if the target is already someone in the public eye.
Having recently had to reset the password for one of my online banking services, it is quite clear that some firms do a much more serious job than others at coming up with password reset systems. My bank required a series of questions — and doesn’t use the same questions all the time, so someone sitting behind my shoulder might not know what to do last time. They also show me a secret picture to discourage “man in the middle” type attacks.

I just tested the password retest mechanisms at Yahoo and Google, and (today) both seemed better than most. Both use a captcha to prevent automated attacks. Yahoo gave me my custom challenge question, one where I won’t forget the answer but it’s so obscure no one will know the answer (although they could mechanically try to guess it). After L’Affair Palin, perhaps I’ll pick a different obscure question with an even more obscure answer.

Google refused to let me reset it online, but instead forced me to use my secondary email address. If I don’t have access to it, then I have to wait:
If you don't have a secondary email address, or if you no longer have access to that account, please try the 'Forgot your password?' link again after five days. At that point, you'll be able to reset your password by answering the security question you provided when you created your account.

To prevent someone from trying to break into an account you're actively using, the security question is only used for account recovery after an account has been idle for five days. The Gmail team cannot waive the five day requirement or access your password under any circumstances.

If you're unable to answer your security question or access your secondary email account, we regret that the Gmail team cannot provide further assistance. If you're concerned about the security of your account, please visit our Security Center.
Certainly this delayed gratification approach seems like it would prevent hacking of an actively used account.

Even so, this is the sort publicity that Yahoo (and Google and Hotmail) don’t really need, particularly when large bureaucratic IT departments start to ban the use of webmail accounts. Even famous people without IT departments will (not unreasonably) think twice about using such services for their mail.

Update Thursday 2:30pm. The Associated Press reports (on the Yahoo News site) that the hacker claimed to have guessed the answer to easy password challenge questions to get onto Palin's account:
The hacker guessed that Alaska's governor had met her husband in high school, and knew Palin's date of birth and home Zip code. Using those details, the hacker tricked Yahoo Inc.'s service into assigning a new password, "popcorn," for Palin's e-mail account, according to a chronology of the crime published on the Web site where the hacking was first revealed. …

Palin's hacker was challenged to guess where Alaska's governor met her husband, Todd. Palin herself recounted in her speech at the Republican National Convention that the pair began dating two decades ago in high school in Wasilla, a town near Anchorage.

"I found out later though (sic) more research that they met at high school, so I did variations of that, high, high school, eventually hit on 'Wasilla high'," the person wrote.
This is clearly an argument for individuals to choose their own challenge questions, and make sure the answers are obscure enough to protect against identity fraud.

No comments: