The Washington Times - Thursday, September 25, 2008

ANALYSIS/OPINION:

As FBI agents close in on the computer hacker (said to be David Kernell, son of Democratic Tennessee state Rep. Mike Kernell) who broke into the private e-mail account of Republican vice-presidential nominee Sarah Palin, one startling aspect of the case has emerged - just how easy it was to compromise.

Like many people, Mrs. Palin uses a “webmail” service to send and receive e-mail messages through the Internet.

Since the late 1990s, webmail sites of Yahoo, Microsoft, Google and America Online have attracted hundreds of millions of users through convenient access and free pricing.

Webmail has one important flaw, however: because the login page is reachable from anywhere on the Web, anyone on the Internet can try to get access to your account.

In the past, attacks on people’s e-mail accounts have relied on computer viruses or programs designed to illegally obtain information. A more sophisticated technique, so-called “phishing,” involves tricking someone into voluntarily disclosing their passwords or credit card numbers through fake Web sites.

In the Palin case, the person who broke into her account never touched the computers she uses on a daily basis. Instead, the hacker used a flaw in Yahoo’s webmail service: its password-reset feature requires all Yahoo users to secure their accounts with answers to questions based on easily obtainable information, such as a pet’s name, where you met your spouse, or what your high school mascot was.

While that may seem like personal information, it actually isn’t. Someone with even a casual knowledge of your personal life could in many cases supply those answers, as could a stranger with some time on his hands.

Throw in Google, Facebook, MySpace and personal blogs, and there is a lot of information out there about many of us. A malicious person who pieced that information together would then be able to change your password and have full access to your account.

That’s exactly what happened to Mrs. Palin. Her information was even easier to get since it already had been reported by the news media, as journalists have dug into her background to inform the public. (A similar incident happened to singer/reality television star Paris Hilton in 2002.)

We know all this because the hacker, using the pseudonym “rubico,” which the Web site ZDNet linked to Mr. Kernell, described all of this in a posting to a Web bulletin board in which he disclosed how he broke into Mrs. Palin’s account.

It took all of 45 minutes. The hacker was able to reset Mrs. Palin’s password by finding out her birthday, ZIP code and where she had met her husband, Todd.

For someone whose personal life isn’t so public, it would take longer, but it can still be done.

That’s a problem, and one that Yahoo owes it to its users to fix.

The best way to do this would be to allow people to specify their own security questions rather than choosing from a list of too-easy queries. Instead of asking your dog’s name, you should be allowed to ask much more personalized questions.

In the meantime, if you’re currently a Yahoo e-mail account holder, there are several things you can do to improve the security of your information:

• Link your account to another one. If you forget the password to your Yahoo account, you can have password-reset instructions e-mailed to your other e-mail address instead of being asked the default generic questions.

• Answer the questions with a number. If you must answer that your dog’s name is Rover, set up the answer as Rover99 instead. That makes it harder for a would-be attacker to get in.

• Use a synonym. Instead of saying “Rover,” type in a description of your dog. Just make sure you can recall it exactly as you typed it, since you will need to enter it the same way if you ever reset your password.

If none of the above proves satisfying, you can always switch e-mail providers. Gmail, the e-mail service offered by Google, allows you to specify your own password-hint questions, as does Microsoft’s Windows Live service.

Matthew Sheffield is a Web consultant and creator of NewsBusters.org. E-mail: msheffield.times@gmail.com.