The Security Benefits of Being Unimportant

A recent news item is the “hacking” of the Yahoo mailbox used by Sarah Palin (the Republican VP candidate) [1]. It seems most likely that it was a simple social-engineering attack on the password reset process of Yahoo (although we are unlikely to learn the details unless the case comes to trial). The email address in question had been used for some time to avoid government data-retention legislation but had only been “hacked” after she was listed as the VP candidate. The reason of course is that most people don’t care much about who is the governor of one of the least populous US states.

Remote attack on a mailbox (which is what we presume happened) is only one possible problem. Another of course is the integrity of the staff at the ISP. While I know nothing about what happens inside Yahoo, I have observed instances of unethical actions by employees at some ISPs where I have previously worked, and I have no doubt that such people would have read the email of a VP candidate without a second thought if they had sufficient access to do so. If an ISP stores passwords in plain text (rather than as salted hashes) then the way things usually work is that the helpdesk staff are granted read access to the password data so that they can log in to customer accounts to reproduce problems – this is a benefit for the customers in terms of convenience. But it also means that they can read the email of any customer at any time, and nothing records that they did. I believe that my account on Gmail (the only webmail service I use) is relatively safe. I’m sure that there are a huge number of people who are more important than me who use Gmail. But if I was ever considered to have a reasonable chance of becoming Prime Minister then I would avoid using a Gmail account as a precaution.
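As an added example (not code from the original post, and not how Yahoo, Gmail or any real provider is built), here is the contrast in Python: passwords kept only as salted PBKDF2 hashes cannot be read back and typed into the login form by anyone with access to the database, and a support path that hands out a short-lived, ticket-bound token instead of the customer's password leaves an audit record of who looked at whose mailbox. The class, operator names and the ticket requirement are assumptions made for the example.

```python
import hashlib
import hmac
import os
import time

# Added example, not code from the original post or from any real webmail
# provider. The account store, operator names and ticket rule are assumptions.

# PBKDF2 work factor; the cost is what makes offline guessing slow.
PBKDF2_ITERATIONS = 600_000


def hash_password(password, salt=None):
    """Return (salt, digest). The digest is PBKDF2-HMAC-SHA256, so what sits
    in the database cannot be typed into the login form by anyone who can
    read the database."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    _, candidate = hash_password(password, salt)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, digest)


class AccountStore:
    """The plaintext-password design lets the helpdesk read the password
    column and log in as the customer with no record. This store keeps only
    hashes and routes support access through an audited, ticket-bound token."""

    def __init__(self):
        self.users = {}       # username -> (salt, digest); no plaintext anywhere
        self.audit_log = []   # append-only: who accessed whose mailbox, and why

    def create(self, username, password):
        self.users[username] = hash_password(password)

    def login(self, username, password):
        entry = self.users.get(username)
        if entry is None:
            return False
        salt, digest = entry
        return verify_password(password, salt, digest)

    def support_access(self, operator, username, ticket, ttl_seconds=900):
        """Issue a short-lived mailbox token to a support operator.
        The customer's password is never disclosed, the token expires, and the
        access is logged against a ticket so that a 'routine' login that is
        really a mailbox copy shows up in review."""
        if username not in self.users:
            raise KeyError(username)
        if not ticket:
            raise ValueError("support access requires a ticket reference")
        token = os.urandom(16).hex()
        self.audit_log.append({
            "operator": operator,
            "account": username,
            "ticket": ticket,
            "issued": time.time(),
            "expires": time.time() + ttl_seconds,
            "token": token,
        })
        return token

    def accesses_to(self, username):
        """Everything the audit trail records about one mailbox."""
        return [r for r in self.audit_log if r["account"] == username]


if __name__ == "__main__":
    store = AccountStore()
    store.create("candidate", "correct horse battery staple")  # constructed
    print("login ok:", store.login("candidate", "correct horse battery staple"))
    store.support_access("helpdesk-42", "candidate", ticket="TCK-1001")
    print("audited accesses:", store.accesses_to("candidate"))
```

The point of the token is not that it is hard to misuse but that using it costs the operator a ticket number and a log line; the plaintext design costs nothing and leaves nothing behind.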

There is a rumoured Chinese proverb and curse in three parts:
May you live in interesting times
May you come to the attention of those in authority
May you find what you are looking for [2]

In terms of your email, everyone who has root access to the machine which stores it (which includes employees of the companies that provide warranty service to all the hardware in the server room) and every help-desk person who can login to your account to diagnose problems is in a position of authority. Being merely one of thousands of customers (or millions of customers for a larger service) is a measure of safety.

As for the “interesting times” issue, the Republican party is trying to keep the issue focussed on the wars instead of on the economy. The problem with basing a campaign on wars is that many people will come to the conclusion that the election is not about people merely losing some money, but people dying. This could be sufficient to convince people that the right thing to do is not to abide by the usual standards for ethical behavior when dealing with private data, but to instead try and find something that can be used to affect the result of an election.

Mail that is not end-to-end encrypted (most mail isn’t) and which is not transferred with TLS (so few mail servers support TLS that it hardly seems worth the effort of implementing it) can be intercepted at many locations (the sending system and the routers in between are two options). But the receiving system is the easiest location. A big advantage for a hostile party in getting mail from the receiving system is that it can be polled quickly (an external attacker could use an open wireless access-point and move on long before anyone could catch them) and that if it is polled from inside the company that runs the mail server there is almost never any useful audit trail (if a sysadmin logs in to a server 10 times a day for real work reasons, an 11th login to copy some files will not be noticed).
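The transfer side deserves one concrete caveat, which the comment thread below also touches on: "supporting TLS" between mail servers usually means opportunistic TLS, and that protects against a passive sniffer but not against someone on the path who can strip the STARTTLS offer from the EHLO reply or present their own certificate. The following Python is an added example, not code from the original post or from any MTA; the policy names `may` and `encrypt` mirror Postfix's `smtp_tls_security_level` values, and the EHLO replies and certificate bytes are constructed sample data.

```python
import hashlib

# Added example, not code from the original post or from any MTA. The policy
# names 'may' and 'encrypt' mirror Postfix's smtp_tls_security_level values;
# the EHLO replies and certificate bytes below are constructed sample data.

# What a STARTTLS-capable server advertises after EHLO.
EHLO_WITH_TLS = [
    "250-mail.example.org",
    "250-PIPELINING",
    "250-SIZE 10240000",
    "250-STARTTLS",
    "250 8BITMIME",
]

# The same server as seen through an active interceptor that drops the
# STARTTLS line (or a server that simply never implemented TLS).
EHLO_STRIPPED = [
    "250-mail.example.org",
    "250-PIPELINING",
    "250-SIZE 10240000",
    "250 8BITMIME",
]


class TlsRequired(Exception):
    """Raised when policy forbids delivering in the clear."""


def ehlo_extensions(reply_lines):
    """Parse the keywords from a multi-line EHLO reply (RFC 5321, 4.1.1.1).
    The first line carries the server's domain, the rest carry extensions."""
    extensions = set()
    for line in reply_lines[1:]:
        if len(line) < 4 or not line.startswith("250"):
            continue
        body = line[4:].strip()
        if body:
            extensions.add(body.split()[0].upper())
    return extensions


def choose_transport(reply_lines, policy="may"):
    """Decide how the sending MTA proceeds.

    'may'     opportunistic TLS: use STARTTLS when offered, otherwise send in
              the clear. This is the common setting and it is defeated by
              anyone who can remove the STARTTLS keyword from the reply.
    'encrypt' mandatory TLS: never fall back; the message is deferred instead
              of being exposed.
    """
    if "STARTTLS" in ehlo_extensions(reply_lines):
        return "starttls"
    if policy == "may":
        return "plaintext"
    if policy == "encrypt":
        raise TlsRequired("peer did not offer STARTTLS; refusing cleartext")
    raise ValueError("unknown policy: %r" % (policy,))


def peer_cert_matches(cert_der, expected_sha256_hex):
    """Check the peer's certificate against a pinned SHA-256 fingerprint.

    Encrypting with a self-signed certificate stops passive sniffing but
    accepts whatever certificate an interceptor presents. Pinning the
    fingerprint (or verifying against a CA you trust) is what makes the
    session resist an active attacker."""
    expected = expected_sha256_hex.lower().replace(":", "")
    return hashlib.sha256(cert_der).hexdigest() == expected


# Stand-ins for DER-encoded certificates (constructed, not real certificates).
GOOD_CERT = b"constructed DER for CN=mail.example.org"
ATTACKER_CERT = b"constructed DER presented by an interceptor"
PINNED_FINGERPRINT = hashlib.sha256(GOOD_CERT).hexdigest()


if __name__ == "__main__":
    print(choose_transport(EHLO_WITH_TLS, "may"))       # starttls
    print(choose_transport(EHLO_STRIPPED, "may"))       # plaintext: downgrade
    try:
        choose_transport(EHLO_STRIPPED, "encrypt")
    except TlsRequired as exc:
        print("encrypt:", exc)
    print(peer_cert_matches(GOOD_CERT, PINNED_FINGERPRINT))      # True
    print(peer_cert_matches(ATTACKER_CERT, PINNED_FINGERPRINT))  # False
```

Mandatory TLS only makes sense for peers you know support it (a party's own server, a government gateway), which is why real MTAs apply it per destination rather than globally; for everyone else the opportunistic setting is still an improvement over cleartext, as long as nobody mistakes it for protection against an active attacker.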

One of the problems with leaks of secret data is that it is often impossible to know whether they have happened. While there is public evidence of one attack on Sarah Palin’s Yahoo account, there is no evidence that it was the first attack. If someone had obtained the password (through an insider in Yahoo, or through a compromised client machine) then they could have been copying all the mail for months without being noticed.

It seems to me that your choice of ISP needs to be partly determined by how many hostile parties will want to access your mail and what resources they may be prepared to devote to it. For a significant political candidate, using a government email address seems like the best option, with the alternative being a server owned and run by the political party in question. If you can have the staff fired for leaking your mail then your email will be a lot safer!

6 comments to The Security Benefits of Being Unimportant

  • Russell,

    It’s well known how the account was broken. It’s no longer speculation. It’s also been reported on many websites.

    The Australian article above also raises what many people have already known: ‘personal questions’ aren’t always personal and allow people to get into accounts with relative ease.

    Realistically, such ‘password resets’ should require at least 2-factor authentication (e.g. emailing a secondary email account to ‘confirm’ the password request, etc).

    For the likes of Yahoo! and Gmail and Hotmail — I suspect we may see them now look at ‘VIP users’… basically a service for VIPs… where extra measures are taken to identify them (call them, ask for ID, even offer them a token instead).

    Though, in this case, it shows the stupidity of the end-user… using a public Email system for work related events.

    In any event… it’s been interesting, and will be of interest to see what comes of it all.

  • etbe

    Matt: Thanks for the link.

    The stupidity of Sarah Palin is well documented and is entirely independent of her bad choice of email hosting. Of course given the fact that she wanted to hide from the law, she was forced to use some email service other than the government one. Maybe paying for an email service that would phone her for a password reset would have been a good idea.

    The idea of VIP users is a good one, I expect that they will have such an offering soon.

    But it wouldn’t solve the issue of untrustworthy sysadmins.

  • Good point, etbe, in relation to untrustworthy sysadmins.

    Really only encryption on the mail-store would resolve this. Though there is nothing stopping them tapping the actual network traffic. (The joys of cleartext SMTP traffic).

    To be honest, I find most pollies stupid… Palin no different to the majority out there.

  • […] developer Russell Coker has an interesting blog entry about the recent hack attack on Sarah Palin’s email account. From his blog: “Mail that […]

  • Dan C

    “not transferred with TLS (so few mail servers support TLS that it hardly seems worth the effort of implementing it)”

    While I agree, there are not nearly enough providers utilising inter-MTA TLS. I think it’s foolhardy to suggest that it’s not worth implementing because others haven’t.

    Depending on how arcane your choice of MTA is it shouldn’t be more than a 10 minute job to implement. From there-on out it will be utilised whenever possible.

  • etbe

    Dan C: Implementing a basic self-signed certificate can be done in 10 minutes, but that doesn’t prevent MITM attacks. Getting the infrastructure right for signed certificates is the hard part.

    Matt: There’s a state MP who catches the same tram as me, he seems quite intelligent. NB Fooling someone who watches you on TV is much easier than fooling someone who is sitting next to you on a tram.

    Sarah is really stupid by any standards, she’s a bogan and proud of it.