The FBI over the weekend executed a search on the apartment of a University of Tennessee student suspected in the hacking of Republican vice presidential candidate Governor Sarah Palin’s Yahoo e-mail account.
While that was going on, other hackers broke into the personal site of Fox News commentator Bill O’Reilly, who had been carrying on for several days in anger over the hacks, and posted subscriber information to the WikiLeaks Web site.
A spokesperson for the Department of Justice confirmed to InternetNews.com that “Investigatory activities related to the inquiry took place in Knoxville late Saturday night or early Sunday morning.” Last week, Tennessee state legislator Mike Kernell, a Democratic representative from Memphis, said his son David was a suspect in the investigation.
“I had nothing to do with it, I had no knowledge or anything,” Rep. Kernell told the Associated Press. “I was not a party to anything of this nature at all. I wasn’t in on this … and I wouldn’t know how to do anything like that.”
WBIR.com, the Web site for the NBC affiliate in Knoxville, said the younger Kernell and some friends fled the apartment when the FBI agents arrived, and the agents spent about two hours in the apartment. Several of Kernell’s roommates have been subpoenaed to testify before a grand jury this week in Chatanooga, according to WBIR.
More details have emerged on how “Rubico,” the person who took credit for the hack on the image board 4chan, was traced to Kernell. Normally when one posts to 4chan, they do so anonymously and there is no evidence of their identity. Rubico posted under his handle, and there was a link in his name to the e-mail address “[email protected]”
It took one Google search, the same way Rubico compromised Gov. Palin’s account in the first place, to connect it to Kernell.
How much liability?
Rubico reset the password on Gov. Palin’s account by using the forgotten password feature and answering a simple personal question, where she met her husband Todd. He got that answer through a Google search on the once-obscure Alaskan governor suddenly thrust into the global spotlight when Sen. John McCain chose her to be his vice presidential running mate last month.
So far, every security expert InternetNews.com has spoken with regarding the issue has said that personal questions make for lousy security.
“There’s no question that passwords that can be researched is a technology that’s about 20 years old now and needs to be eliminated,” said Dmitri Alperovitch, principal research scientist at Secure Computing’s TrustedSource Labs. “It’s pretty shocking how easy it is to hijack an account about a public official because there is so much information about them out there.”
Added Randy Abrams, director of technical education with antivirus vendor ESET Software, “Not a significant amount of thought went into the reset, but they also know their customer base doesn’t want to be hassled with a lot of security, so they try to make it easy for the users, which makes it easy for the hackers as well.”
The two offered a number of potential solutions that could be better than simply answering a personal question, like your mother’s maiden name, such as: letting the user pick their own types of questions instead of picking from a narrow list; making you call from your home phone line to reset the password; requiring more than just one question, avoiding questions with public information; sending the answers via SMS message to a mobile phone; or two-factor authentication.
They also stressed that Yahoo Mail is a free service, so you get what you pay for, and don’t expect Yahoo to break the bank on security, either. “They are providing a free service, so there is a question of how much security can you expect for something you don’t pay for,” said Alperovitch. “You can’t expect Yahoo to spend millions for a free e-mail service.”
“This is an example of the risks of cloud computing,” said Abrams. “You’re keeping your data on someone else’s computer. You don’t control it, you don’t control security around it. If you keep your data on [Google’s] GMail or Yahoo Mail, it’s vulnerable to being hacked 24/7.”
O’Reilly stirs a response
Someone with a little more liability on his hands is Fox News’s Bill O’Reilly, whose Web site was hacked over the weekend and subscriber information posted to Wikileaks. O’Reilly had been railing against Wikileaks and 4chan over the Palin hack all week on his show, The O’Reilly Factor.
“I’m not going to mention the Web site that posted this, but it’s one of those despicable, slimy, scummy websites. Everybody knows where this stuff is, OK, and they know the people who run the website, so why can’t they go there tonight to the guy’s house who runs it, put him in cuffs and take him down and book him?,” said O’Reilly on his show last week.
4chan, which revels in bad behavior, took this to heart, putting the words “DESPICABLE, SLIMY, SCUMY” at the top of the random talk channel, known as /b/, where Rubico first posted his work. To them it was a joke.
Someone else took it as a challenge and O’Reilly’s personal site was compromised over the weekend. The list posted to Wikileaks contains at least 205 names, e-mail addresses, billing addresses and passwords of subscribers to O’Reilly, which were not protected or encrypted.
O’Reilly’s personal page is not hosted by Fox’s parent company News Corp., it’s hosted by a Los Angeles company called Nox Solutions. Its list of customers is a who’s who of the political right, including Lara Ingraham, Bill Bennett and talk show hosts Mike Gallagher, Jerry Doyle and Michael Medved. It also hosts the sites of Larry King and Dr. Drew Pinsky, who are decidedly not right-wing. Queries to Nox by InternetNews.com were not returned, nor was a query to Fox News.
This article was first published on InternetNews.com.