October 03, 2008

Mounting a Hacker Attack

An interesting article appeared on Time.com last week about the development of those pesky security questions that appear on virtually every website that requires a log-in process.

http://www.time.com/time/business/article/0,8599,1843984,00.html?xid=rss-business

The article focused on the recent hacking of Gov. Sarah Palin's Yahoo email account. Someone claiming to be the hacker posted their tactics online:

1. Go to email account that you wish to hack.

2. Click on "Forgot password"

3. When security questions appear, use Wikipedia, the US Postal Service website and online newspaper archives to find the answers to the questions provided.

4. Read your victim's email, and if they happen to be a public figure, post screen shots on Wikileaks.

A couple of colliding forces made this hack possible: Yahoo's security questions were biographical, which made their answers easy to retrieve, and Sarah Palin is a public figure with lots of public data, including a Wikipedia page from which to garner general information. Despite this easily avoidable instance, many websites are looking to make their security questions more sophisticated, asking "What is your favorite historical figure?" or "What country do you want to visit?" While these questions are much more difficult to hack (unless you post such information on your public blog or Facebook page), the answers are also difficult to remember. I don't personally have a favorite historical figure, and if I picked one for the sake of a security question, you bet I would forget it immediately, unless I taped a Post-It to my computer screen, thereby entirely defeating the purpose.

Given our recent class discussions about security and privacy, this topic hits home for me because I struggle with the best way to use security questions on many websites. Before the industry as a whole is able to improve internet security on a larger scale, some suggestions for security questions are to add a number at the end of a word (e.g. maidenname1) or spell words backwards (e.g. tops for your dog Spot). It's not Sarah Palin's fault that she picked easy-to-remember facts about her life, nor is it Yahoo's fault for offering those questions. This just demonstrates a potentially larger problem, and it will require much more time and effort to fix.
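The suggestions above are things a user can do on their side. The other half of the problem is on the website's side: if a recovery question has a small pool of publicly discoverable candidate answers, the site has to treat those answers as secrets and limit how many guesses anyone gets. The following is an added illustration written for this post, not code from Yahoo, Time.com, or the blog author. It assumes a hypothetical reset endpoint modelled by the `RecoveryVerifier` class, stores each answer like a password (normalized, salted, stretched with PBKDF2), requires every enrolled answer to match, compares digests in constant time, and locks recovery after a few failures. The enrolled answers ("Spot", "Springfield") are constructed sample values, not anyone's real data.

```python
"""Hardened verification of account-recovery ("security question") answers.

Constructed example for illustration (not the blog's or any vendor's code):
answers are stored the way passwords are stored, and the recovery step
requires all enrolled answers, compares in constant time, and locks out
after repeated failures so a short list of guessable answers cannot be
tried at will.
"""
import hashlib
import hmac
import os
import re
import time
import unicodedata

# Assumption: iteration count chosen for the example, not a product setting.
PBKDF2_ITERATIONS = 100_000


def normalize_answer(answer):
    """Fold case, drop accents and punctuation, collapse whitespace, so that
    'Springfield' and ' springfield. ' enroll and verify identically."""
    text = unicodedata.normalize("NFKD", answer)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = text.casefold()
    text = re.sub(r"[^a-z0-9 ]+", " ", text)
    return re.sub(r"\s+", " ", text).strip()


def enroll_answer(answer, salt=None):
    """Store a security answer as a salted, stretched hash, like a password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest}


def answer_matches(record, candidate):
    """Constant-time comparison of a candidate against an enrolled record."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(candidate).encode(),
        record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


class RecoveryVerifier:
    """Gate a password-reset flow behind every enrolled question, with lockout.

    Hypothetical class name; `enrolled` maps question label -> enroll_answer()
    record. `now` is injectable so the lockout window can be tested.
    """

    def __init__(self, enrolled, max_failures=3, lockout_seconds=900):
        self.enrolled = enrolled
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = 0
        self.locked_until = 0.0

    def is_locked(self, now=None):
        now = time.time() if now is None else now
        return now < self.locked_until

    def verify(self, answers, now=None):
        """Return True only when every enrolled answer matches."""
        now = time.time() if now is None else now
        if self.is_locked(now):
            return False
        # Check every question even after a miss, so response timing does not
        # reveal which individual answer was wrong.
        results = [answer_matches(rec, answers.get(q, ""))
                   for q, rec in self.enrolled.items()]
        if results and all(results):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked_until = now + self.lockout_seconds
        return False


if __name__ == "__main__":
    # Constructed sample enrollment.
    verifier = RecoveryVerifier({
        "pet": enroll_answer("Spot"),
        "city": enroll_answer("Springfield"),
    })
    print(verifier.verify({"pet": "spot", "city": "SPRINGFIELD"}))  # True
    print(verifier.verify({"pet": "Rex", "city": "Springfield"}))   # False
```

Normalization matters in both directions: it keeps legitimate users from being locked out by capitalization or a trailing period, while the salted PBKDF2 hash and constant-time compare mean a database leak or timing side channel does not hand over the answers. The lockout is the part that actually blunts the Palin-style attack, because the whole point of biographical questions is that the candidate list is short, and a short list is only dangerous when it can be tried exhaustively.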