Not Just Palin's E-Mail Vulnerable
Supposedly, according to some security researchers, the Yahoo e-mail account of Alaska Gov. Sara Palin, also the Republican Vice Presidential nominee, was cracked using a simple password reset feature. All that was needed, apparently, was the account's user name and the answer to one security question.
That would put not only Yahoo, but Gmail and Hotmail at risk of the so-called password-reset attack. Family members, close friends and even possible close enemies, like ex-spouses, might know enough to figure out how to break into the accounts of those close to them.
Sending the password to an alternative e-mail address, a possible mitigating control, is offered but frequently not used on these free e-mail services either.
Other security researchers doubt this is how Palin's account was hacked. But, either way, the security of online e-mail accounts is something to think about.
Here are some more tips from PC World.
That would put not only Yahoo, but Gmail and Hotmail at risk of the so-called password-reset attack. Family members, close friends and even possible close enemies, like ex-spouses, might know enough to figure out how to break into the accounts of those close to them.
Sending the password to an alternative e-mail address, a possible mitigating control, is offered but frequently not used on these free e-mail services either.
Other security researchers doubt this is how Palin's account was hacked. But, either way, the security of online e-mail accounts is something to think about.
Here are some more tips from PC World.
posted by The IT Security Guy at 9:22 AM
2 Comments:
Very interesting. To think government official is using yahoo mail. I would hope they are very paranoid about their security and using their own service, digital signatures, VPN network, SSL and so. But it appears not!
A challenge question that does not rely on shared secret between the authenticator and the authenticatee is the main reason a lot of password reset are unsecure. Questions about your favorite movie, actor, team can be guessed from public profiles, questions about maiden-names can be obtained via family tree searches. This is another example of flawed security requirements driving the implementation of security controls. A call for software security awareness and training.
Post a Comment
<< Home