December 23, 2024

Archives for 2008

Palin's email breached through weak Yahoo password recovery mechanism

This week’s breach of Sarah Palin’s Yahoo Mail account has been much discussed. One aspect that has gotten less attention is how the breach occurred, and what it tells us about security and online behavior.

(My understanding of the facts is based on press stories, and on reading a forum post written by somebody claiming to be the perpetrator. I’m assuming the accuracy of the forum post, so take this with an appropriate grain of salt.)

The attacker apparently got access to the account by using Yahoo’s password reset mechanism, that is, by following the same steps Palin would have followed had she forgotten her own password.

Yahoo’s password reset mechanism is surprisingly weak and easily attacked. To simulate the attack on Palin, I performed the same “attack” on a friend’s account (with the friend’s permission, of course). As far as I know, I followed the same steps that the Palin attacker did.

First, I went to Yahoo’s web site and said I had forgotten my password. It asked me to enter my email address. I entered my friend’s address. It then gave me the option of emailing a new password to my friend’s alternate email address, or doing an immediate password reset on the site. I chose the latter. Yahoo then prompted me with my friend’s security question, which my friend had previously chosen from a list of questions provided by Yahoo. It took me six guesses to get the right answer. Next, Yahoo asked me to confirm my friend’s country of residence and zip code — it displayed the correct values, and I just had to confirm that they were correct. That’s all! The next step had me enter a new password for my friend’s account, which would have allowed me to access the account at will.

The only real security mechanism here is the security question, and it’s often easy to guess the right answer, especially given several tries. Reportedly, Palin’s question was “Where did you meet your spouse?” and the correct answer was “Wasilla high”. Wikipedia says that Palin attended Wasilla High School and met her husband-to-be in high school, so “Wasilla high” is an easy guess.

This attack was not exactly rocket science. Contrary to some news reports, the attacker did not display any particular technical prowess, though he did display stupidity, ethical blindness, and disrespect for the law — for which he will presumably be punished.

Password recovery is often the weakest link in password-based security, but it’s still surprising that Yahoo’s recovery scheme was so weak. In Yahoo’s defense, it’s hard to verify that somebody is really the original account holder when you don’t have much information about who the original account holder is. It’s not like Sarah Palin registered for the email account by showing up at a Yahoo office with three forms of ID. All Yahoo knows is that the original account holder claimed to have the name Sarah Palin, claimed to have been born on a particular date and to live in a particular zip code, and claimed to have met his/her spouse at “Wasilla high”. Since this information was all in the public record, Yahoo really had no way to be sure who the account holder was — so it might have seemed reasonable to give access to somebody who showed up later claiming to have the same name, email address, and spouse-meeting place.

Still, we shouldn’t let Yahoo off the hook completely. Millions of Yahoo customers who are not security experts (or are security experts but want to delegate security decisions to someone else) entrusted the security of their email accounts to Yahoo on the assumption that Yahoo would provide reasonable security. Palin probably made this assumption, and Yahoo let her down.

If there’s a silver lining in this ugly incident, it is the possibility that Yahoo and other sites will rethink their password recovery mechanisms, and that users will think more carefully about the risk of email breaches.

Hurricane Ike status report

Many people have been emailing me to send their best wishes. I thought it would be helpful to post a brief note on what happened and where we’re all at.

As you know, Hurricane Ike hit shore early Saturday morning. The wind, combined with a massive storm surge, caused staggering devastation along the Texas coast. Houston is further inland, so the big issue for us was and still is fallen trees and downed power lines. Rice University, as a result of what must have been a huge amount of advance effort, came through with flying colors. They had power and a working network pretty much the whole time. They didn’t have any water pressure for a while, but that came online Monday. Our main data center, built recently with an explicit goal of surviving events like this, apparently lost power for a while, at least in part. (I don’t have the full story yet. I do know that a failed DNS server caused our email server to experience problems.)

Our own house had no particular damage, although the back fence came down. We still have no power, but we’ve had water pressure (initially low, now fine) and natural gas the whole time. The hardwired telephone had a few outages, but continues to work reliably. Cellular phones were initially dicey but are now working great.

Luckily, the weather has been unseasonably cool, so we and all our neighbors have been leaving windows open. Over the weekend, the highs are in the mid 80’s (28-30C), with cooler weather at night, so we’ll do okay on that front. At this point, many restaurants are open, so the lack of power doesn’t mean living off canned food. Likewise, some gas stations and supermarkets are coming online again. Life, at least in this part of the city, is starting to resemble normality.

A looming concern is mosquitos. After Tropical Storm Allison in 2001 (see my photos), the big issue was clearly mosquitos. Lots of rain means lots of standing water, and that means mosquitos are on their way. Back then, few people lost power. This time, it’s going to get ugly.

Rice had a full faculty meeting on Tuesday morning. Our president announced that we would be resuming classes on Tuesday afternoon, but we could not have any assignments due or exams given this week. Last night, we got an email saying that everybody has made assignments due Monday next week, and that we needed do something else (without saying what). Apparently, there’s been an outpouring, among our students, of interest in volunteering to help the community (a good thing!), and I’d certainly like our students to get out and help. But if we’re supposed to get back to teaching, then that means work. I’m not sure how we’ll ultimately resolve this.

Unscientific data: our president asked for a show of hands at the meeting. How many faculty had no power? Maybe 90%. How many faculty had no daycare for their kids? Maybe 80%. How many faculty had significant damage to their homes? Maybe 20%.

For any of you who want to see what I saw, I took a bunch of pictures.

Meanwhile, I need to get back to work myself. We’ve got a research paper due Friday. Life goes on.

Welcome to the new Freedom to Tinker

Welcome to the new, redesigned Freedom to Tinker. Beyond giving it a new look, we have rebuilt the site as a blogging community, to highlight the contributions of more authors. The front page and main RSS feed will offer a combination of posts from all authors. We have also added a blog page (and feed) for each author, so you can read posts by your favorite author or subscribe to your favorite author’s RSS feed. Over time, Freedom to Tinker has evolved from a single-author blog into a group effort, and these changes better recognize the efforts of all of our authors.

Along with the redesign, we’re thrilled to add three authors to our roster: Tim Lee, Paul Ohm, and Yoshi Kohno.

Tim Lee is a prominent tech policy analyst, journalist, and blogger who has written for sites such as Ars Technica, Techdirt, and the Technology Liberation Front. He is now a computer science grad student at Princeton, and a member of the Center for Information Technology Policy.

Paul Ohm is an Associate Professor of Law at the University of Colorado, specializing in computer crime law,criminal procedure, intellectual property, and information privacy. He worked previously as a trial attorney in the Computer Crime and Intellectual Property Section of the U.S. Department of Justice; and before law school he worked as a computer programmer and network administrator.

Yoshi Kohno is an assistant professor of computer science and engineering at the University of Washington. His research focuses on assessing and improving the security and privacy properties of current and future technologies. In 2007 he was recognized by MIT’s Technology Review magazine as one of the world’s top innovators under the age of 35. He is known for his research on the security of implantable medical devices and voting machines, among other technologies.

Finally, Freedom to Tinker is now officially hosted by Princeton’s Center for Information Technology Policy. A major goal of CITP is to foster discussion of infotech policy issues, so it makes sense for CITP to host this kind of blog community for CITP members and friends.

We hope you enjoy the new Freedom to Tinker. As always, we welcome your comments and suggestions.

On digital TV and natural disasters

As I’m writing this, the eye of Hurricane Ike is roughly ten hours from landfall.  The weather here, maybe 60 miles inland, is overcast with mild wind.  Meanwhile, the storm surge has already knocked out power for ten thousand homes along the coast, claims the TV news, humming along in the background as I write this, which brings me to a thought.

Next year, analog TV gets turned off, and it’s digital or nothing.  Well, what happens in bad weather?  Analog TV degrades somewhat, but is still watchable.  Digital TV works great until it starts getting uncorrectable errors.  There’s a brief period where you see block reconstruction errors and, with even a mild additional amount of error, it’s just unwatchable garbage.  According to AntennaWeb, most of the terrestrial broadcast towers are maybe ten miles from my house, but that’s ten miles closer to the coast.  However, I get TV from Comcast, my local cable TV provider.  As I’ve watched the HD feed today, it’s been spotty.  Good for a while, unwatchable for a while.  The analog feed, which we also get on a different channel, has been spot on the whole time.

From this, it would appear that Comcast is getting its feed out of the air, and thus has all the same sorts of weather effects that I would have if I bothered to put my own antenna on the roof.  Next year, when the next hurricane is bearing down on the coast, and digital TV is the only TV around, it’s an interesting question whether I’ll get something useful on my TV during a disaster.  Dear Comcast, Engineering Department: please get a hard line between you and each of the local major TV stations.  Better yet, get two of them, each, and make sure they don’t share any telephone poles.

[Sidebar: In my old house, I used DirecTV plus a terrestrial antenna for HD locals, run through a DirecTV-branded HD TiVo.  Now, I’m getting everything from Comcast, over telephone poles, into a (series 3) TiVo-HD.  In any meaningful disaster, the telephone poles are likely to go down, taking out my TV source material. I get power and telephone from the same poles, so to some extent, they make a single point of failure, and thus no meaningful benefit from putting up my own antenna.

Once the storm gets closer, I’ll be moving the UPS from my computer to our, umm, shelter-in-place location.  I don’t expect I’d want to waste precious UPS battery power running my power-hungry television set.  Instead, I’ve got an AM/FM portable radio that runs on two AA’s.  Hopefully, the amount of useful information on the radio will be better than the man-on-the-street TV newscasters, interviewing fools standing along the ocean, watching the pretty waves breaking.  Hint: you can’t “ride through” a storm when the water is ten feet over your head.]

Preparing for a natural disaster

As Tinker readers may know, I live in Houston, Texas, and we’ve got Hurricane Ike bearing down on us.  Twenty-four hours ago, I was busy with everything else and hadn’t even stopped to think about it.  Earlier this week, the forecasts had Ike going far south of here.  That all changed and now it appears likely that Ike will hit the Texas coast not to far away.  The eye of the storm is probably not going anywhere near us, but we’ll be on the “dirty” side of the storm, and that means lots of rain and possible power outages.

Yesterday, I went to the supermarket and stocked up on assorted non-perishable goods, waters, batteries, and all that.  The lines were entirely reasonable.  The supermarket was clearly more prepared than I was, bringing in several shipping palettes of bottled water.  (Today, I’d bet the supermarket is crazier, but I’m not heading there to find out.)

My house is 51 feet above sea level and is outside the statutory flood plain.  At least in theory, I don’t have to worry much about flooding.  The most likely concern would be wind-driven rain getting through the not-terribly-well-sealed front door or some of the “French doors” that our builder overused on the house.  (“French doors”, which I doubt have much to do with France, are double doors, hinged on the side, and meeting in the middle where they latch to one another.)  My plan is to run a seam of duct tape around around the outside of the doors and windows on the first floor.  We’ll get in and out via the garage (which we tend to do, anyway).  I’m not going to try climbing up a ladder to the second story, since those “casement” windows seem to be more solid.

To evacuate or not to evacuate?  That’s the question.  When Hurricane Rita came through three years ago, we spent a thoroughly unpleasant 17 hours driving from Houston to Dallas (normally a four hour drive), where my parents live.  This time, our plan is to ride out the storm and then evaluate what we’re doing next.  Assuming the house is intact and we have power, we’ll be fine.  If we lose power and it appears unlikely to come back any time soon, or if our house is thrashed, then we’ll worry about evacuating.

Of course, I have to worry about more than just my family.  I also have to worry about my research group, the students in my classes, and so forth.  My security class meets this afternoon.  We’ll be talking about disasters.  (I tried to get some people from our university’s IT department to come talk about their disaster preparation, but unsurprisingly they’re busy preparing.  I’ll try to get some of them after it’s all over.)

For our research group, I’ve got a paper in the works for NDSS ’09, whose submission deadline is basically the same as when the hurricane is due.  The chair was nice enough to give us an extension, so now we just have to work out how we can keep doing the writing, even if there’s no power around.  (Felten has graciously offered to host our subversion server.  Luckily, the experimental work is all done, so it’s just a matter of getting it written up properly.)

Who knew disaster preparation could be so much fun?