case western reserve university



Secret Questions: Keys to Disaster

October 7, 2008

Getting your webmail account hacked is a painful experience these days, but how can a user be assured that their account has not been compromised? The hard part is that it is pretty much impossible to tell. The best defense is a good offense.

In the hacking of Sarah Palin's email account, the attack vector was the password reset mechanism. Yes, those crazy "secret questions." If you've ever blogged or posted personal information about yourself, say on Facebook or LinkedIn, anybody with some spare time, a web browser and a search engine can likely find out what your questions and answers are. In this case, the attacker guessed her answers and was able to receive the password sent via the "forgotten password" mechanism.

The other vector for webmail account compromise has been the notorious "Confirm Your Account ASAP Or Else We Will Turn It Off" phishing attacks. In this case, the unwary user sends the password off to the sender, who then not only uses the account to send out more spam and phish, but also changes the secret questions (remember that they have the password already), so they can get back in after the user learns they've been duped and changes their password.

A wary 'paranoid geek' will conclude that changing passwords regularly will help, but the secret questions also need to be hard to guess. Some very useful insights on managing your secret questions and password controls are found in this Lifehacker article by Adam Pash.

Adam recommends that the answers to the secret questions be set up in a nonsensical pattern of your own. This increases the entropy an attacker must overcome, preventing guessing based on commonly known information about you (e.g. date of birth, high school attended, zip code where you grew up, etc.). Inevitably you forget an answer to a secret question for a site you don't commonly use, and doom awaits you.
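To put numbers on the entropy argument above, here is an added example (my own script, not code from the original post or from Adam Pash's article) that compares the guessing effort behind common secret-question answers with a random answer you would keep in a password manager. The answer-space sizes are constructed assumptions for illustration.

```python
import math
import secrets
import string

# Constructed, illustrative sizes of the answer space for common secret questions.
# They are assumptions for this example, not measured statistics.
ANSWER_SPACES = {
    "date of birth (60-year range)": 60 * 365,
    "zip code where you grew up (all US zip codes)": 42_000,
    "mother's maiden name (1,000 most common surnames)": 1_000,
    "high school attended (city with 20 schools)": 20,
}

RANDOM_ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def guessing_entropy_bits(space_size: int) -> float:
    """Entropy in bits if every answer in the space is equally likely.

    Real answers are far from uniform, and a look at the victim's public
    profile shrinks the space further, so this is an upper bound on effort.
    """
    return math.log2(space_size)


def expected_guesses(space_size: int) -> float:
    """Average number of reset attempts needed to hit a uniformly chosen answer."""
    return (space_size + 1) / 2


def weakest_question() -> str:
    """The question whose answer space is smallest, i.e. the easiest to guess."""
    return min(ANSWER_SPACES, key=ANSWER_SPACES.get)


def random_answer(length: int = 16) -> str:
    """A nonsensical answer drawn from the OS CSPRNG, meant to live in a password manager."""
    return "".join(secrets.choice(RANDOM_ALPHABET) for _ in range(length))


def random_answer_entropy_bits(length: int = 16) -> float:
    """Entropy of random_answer(): each character is independent and uniform."""
    return length * math.log2(len(RANDOM_ALPHABET))


if __name__ == "__main__":
    for question, size in ANSWER_SPACES.items():
        print(f"{question:50s} {guessing_entropy_bits(size):5.1f} bits, "
              f"~{expected_guesses(size):,.0f} guesses on average")
    print(f"{'random 16-char answer':50s} {random_answer_entropy_bits():5.1f} bits, "
          f"e.g. {random_answer()}")
```

Run it and the gap is obvious: the best of the "real" questions is under 16 bits, while a 16-character random answer is over 95 bits, which is why the random answer has to be written down somewhere encrypted.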

I recommend using PasswordSafe; you can also look at a review of password management utilities. It is easy to keep things straight when you use an encrypted cataloging utility.

Case policy will also require password changes, so you can look forward to password guidance at the ITS Password Site.

Posted by Thomas Siu at 11:02 PM
