I’ve got to hand it to the mainstream media because they finally understand something about Internet security. Usually it takes three to four years of my speaking and writing about a threat for a mainstream reporter to pick up coverage. But this time, thanks to the high-profile and ridiculously simple hack of Sarah Palin’s email account, the mainstream press is actually covering a security issue before it is resolved.
The issue this time – the moronic “security questions” that most websites ask if you forget your password.
The article I’m referring to appeared in Time Magazine, and it brings to the public eye something I’ve been writing about for a mere two years. The answers to the security questions that most websites ask are readily available. Any 12-year-old with Internet access can find out where you grew up, where you went to high school, and your mother’s maiden name. And, if you’re like most people, you’ve dumped even more information onto Facebook, MySpace, and LinkedIn, and that can be leveraged too.
This is the poignant paragraph from the article – misspellings are theirs, not mine:
it took seriously 45 mins on wikipedia and google to find the info, Birthday? 15 seconds on wikipedia, zip code? well she had always been from wasilla, and it only has 2 zip codes (thanks online postal service!)…the second was somewhat harder, the question was “where did you meet your spouse?” did some research, and apparently she had eloped with mister palin after college…I found out later though more research that they met at high school, so I did variations of that, high, high school, eventually hit on “Wasilla high”
There’s a complete account of how easy it was to hack into the VP candidate’s Yahoo! account at Wikileaks. Read it and ask yourself one question – is this someone whom we want making decisions about our nation’s security? How could someone with a country-bumpkin approach to Internet security exhibit the leadership which we need now to protect us from the dangers of a largely unregulated Internet? I usually try to stay out of politics except to poke fun at our fine nation’s lampoonish implementation of democracy, but I can’t resist this. How soon will it be before Ms. Palin changes the nuclear launch codes to her granddaughter’s first name?
I was interviewed many months ago about why these challenge/response security questions are a useless measure. The fact is that a hacker willing to do some digging can get most of that information right online from your social networking profiles. Did you list your favorite book in your MySpace page? Then it’s probably not the right security question for your banking site.
One measure that security experts are starting to suggest is not answering the questions truthfully. Make up nonsensical answers and keep them a secret. Then it would be very hard to guess them, and also very hard for you to remember them. So what’s your favorite book becomes, “Raskolnikov’s Underwear” instead of “Crime and Punishment.”
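To put numbers on why the researchable answers fail and fabricated ones hold up, here is a small Python sketch I’ve added (it is not from the Time article or the Wikileaks account). The candidate counts for each question are my own constructed estimates based on the quoted walkthrough, and the fabricated answer comes from the `secrets` module rather than from anything in the user’s biography.

```python
import math
import secrets

# Constructed estimates of how many plausible answers each question had in the
# incident quoted above: two ZIP codes for the home town, a birthday somewhere
# in a 100-year window, and a handful of "where did you meet" variations.
PUBLIC_ANSWER_SPACES = {
    "zip code": 2,
    "birthday": 365 * 100,
    "where did you meet your spouse": 8,
}


def guess_space_bits(candidates: int) -> float:
    """Bits of work to guess an answer drawn from `candidates` equally likely values."""
    if candidates < 1:
        raise ValueError("a question must have at least one possible answer")
    return math.log2(candidates)


def rank_questions(spaces: dict) -> list:
    """Return (question, bits) pairs, weakest question first."""
    return sorted(((q, guess_space_bits(n)) for q, n in spaces.items()),
                  key=lambda pair: pair[1])


def weakest_question(spaces: dict) -> str:
    """The question a researcher would get past first."""
    return rank_questions(spaces)[0][0]


def random_answer(nbytes: int = 16) -> str:
    """A fabricated answer with no connection to the user's life.

    secrets.token_urlsafe(16) encodes 128 random bits, so the answer has to be
    stored (for example in a password manager) rather than remembered.
    """
    return secrets.token_urlsafe(nbytes)


def random_answer_bits(nbytes: int = 16) -> int:
    """Guess-space size of random_answer(nbytes), in bits."""
    return 8 * nbytes


if __name__ == "__main__":
    for question, bits in rank_questions(PUBLIC_ANSWER_SPACES):
        print(f"{question:32s} ~{bits:5.1f} bits")
    print(f"{'fabricated answer':32s} ~{random_answer_bits():5.1f} bits  e.g. {random_answer()}")
```

The ranking shows the attacker’s order of attack: a two-ZIP-code town is a single bit of work, while a stored random answer is out of reach of any amount of Wikipedia reading.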
That seems like a temporary measure at best. Perhaps the real problem should be solved and all of those security questions should be replaced with actual meaningful secrets.
Or are no secrets safe today?