Thursday, September 18, 2008

45 Minute Palin Hack? I Could Have Knocked It Out In 5

With news of Alaska Governor and Republican vice-presidential nominee Sarah Palin's personal Yahoo e-mail account being hacked coming to light yesterday, details on how the hack may have taken place are emerging. The alleged hacker is giving what appears to be a first-person account of how he was able to penetrate Palin's e-mail. The alleged hacker claims the intrusion was carried out via Yahoo's password reset feature. He also claims the exploit took no more than 45 minutes and simply required searching the Internet for basic personal information such as Palin's zip code, birth date and where she had met her husband. The purported hacker said he had hoped to break in and find something incriminating in the wake of media coverage debating Palin's use of a Yahoo account for state business, but claims to have come up blank.

See all the screenshots here.

Personally, I’m not all that fascinated by any of this. Actually, I’m a little disappointed it took this guy 45 minutes to complete the hack! I could have knocked that shit out in 5 minutes flat. If this alleged hacker is indeed the person who hacked Palin’s e-mail, then I’m also a little disappointed in the method by which he gained access. Unlike most hacks, it required no technical know-how or social engineering skills. It was simply a matter of web surfing and hitting a password reset button. That "hack" method is something even the least computer-savvy person could accomplish. Now while this may not be the most complicated and difficult hack ever performed, it was successful. So in that sense, job well done.

Here’s the thing: hackers hack for several different reasons. But one thing all hackers have in common is the urge to brag about their hacks. Some simply can’t resist the temptation to brag, and that leads to them getting caught. Other hackers are mature and discreet enough about their hacks that they go virtually undetected, uncaught...well, for the most part. Even the best, most talented hackers in the world, like my buddy Adrian Lamo, will tell you that hacking is bound to catch up to you sooner or later. So it’s only a matter of time before Palin’s true hacker(s) come to light.

While this alleged hacker’s story is plausible enough on its face, if true it highlights the special vulnerability of such password reset mechanisms for web-based e-mail accounts. In essence, it’s exploiting the very security system that is put in place to help protect and secure a user’s account! This is something I learned years ago when I was a teenager and broke into various AOL accounts strictly for shits and giggles. So my guess is that the Palin hacker, like most hackers, is a young male. Perhaps a young male with too much time on his hands, a small grudge and looking for a bit of fame – some notoriety for his discovery. Word has it that he’s a college student tied to the Democratic party.

So it does make sense that a hacker who has committed the most publicized computer intrusion in recent memory would effectively return to the scene to deliver a signed confession. And it is equally possible that the REAL hacker decided to play a prank on the student in question by trying to pin the hack on him. No matter what the story is, it will surely unfold in the coming days. More than likely, the hacker has left enough of a digital trail for him to be traced. While there are many lingering questions left to be answered, one thing is for sure...the fact that Sarah Palin has a Yahoo account is just more proof (or rather reinforces the fact) that old, unhip people use Yahoo. Gmail all the way baby!

***UPDATE***
As I expected, FBI agents have found the "wannabe hacker" and he is a dumb kid. So dumb, in fact, that he used his regular e-mail address on the very message board on which he bragged about committing the hack! He is 20-year-old David Kernell, a student at the University of Tennessee-Knoxville. His father is Democratic Tennessee state representative Mike Kernell. (Oh, how embarrassed he must be.)

In his gloating, David Kernell, who goes by the alias "Rubico", posted screenshots of Palin’s Yahoo account complete with the full URL, which included the proxy server URL (ctunnel.com) appended with a unique identifier. So it doesn’t take a genius to go through the logs and match up the ID to the appropriate IP address and BAM, you got the hacker. People think proxy servers are supposed to anonymize your information, but in a sense, they really don’t. Every incoming true/real IP address is logged with the time and destination website. So for those thinking you’re clever by using anonymous proxy servers to hide behind and shield your true identity, you’re just a big dummy like Kernell.
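The log matching described above, sketched as an investigator's triage script. This is an added example, not code from the original post or from any proxy operator. The URL layout, log format, host names, session ID, IP addresses and timestamps are all constructed assumptions. Hits logged after the screenshot was published are excluded, since anyone who saw the URL could have loaded it afterwards.

```python
import re
from collections import Counter
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample data; the real proxy's URL and log formats are not on the page.
SCREENSHOT_URL = "http://proxy.example/index.php/7be20d/encoded-target"
POSTED_AT = datetime(2008, 9, 17, 12, 0, tzinfo=timezone.utc)
SAMPLE_LOG = """\
2008-09-16T03:11:52Z 198.51.100.23 sid=a91f3c destination=news.example.org
2008-09-16T03:14:07Z 203.0.113.77 sid=7be20d destination=mail.example.com
2008-09-16T03:15:40Z 203.0.113.77 sid=7be20d destination=mail.example.com
2008-09-16T03:16:02Z 192.0.2.14 sid=c44e90 destination=mail.example.com
malformed line that the parser must skip
2008-09-17T21:40:19Z 198.51.100.200 sid=7be20d destination=mail.example.com
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (?P<ip>\S+) "
    r"sid=(?P<sid>[0-9a-f]+) destination=(?P<dest>\S+)$"
)

def session_id_from_url(url):
    """Return the session ID, assumed to be the path segment after index.php."""
    parts = [p for p in urlparse(url).path.split("/") if p]
    if len(parts) < 2 or parts[0] != "index.php":
        raise ValueError("URL does not match the assumed proxy layout")
    return parts[1]

def parse_log(text):
    """Yield (timestamp, ip, sid, destination) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts.replace(tzinfo=timezone.utc), m["ip"], m["sid"], m["dest"]

def clients_for_session(url, log_text, posted_at):
    """Count hits per client IP for the URL's session ID before publication."""
    sid = session_id_from_url(url)
    hits = Counter()
    for ts, ip, log_sid, _dest in parse_log(log_text):
        # Later hits may be readers replaying the published URL, not the original user.
        if log_sid == sid and ts < posted_at:
            hits[ip] += 1
    return dict(hits)

if __name__ == "__main__":
    print(clients_for_session(SCREENSHOT_URL, SAMPLE_LOG, POSTED_AT))
```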

Stay in school, you dumbass. You have much to learn. Although he may not be returning to class, because if convicted, he could face a maximum of 5 years in prison! Just a word of advice, get rid of those curls, kid. I hear inmates have a fetish for the Goldie Locks look.
