IS YAHOO MAIL SAFE?

In a blow to the republican vice presidential candidate’s privacy, hackers have taken
over and copied all the e-mails out of Governor Palins e-mail account on Yahoo. The
best part is that no one knows if the account was hacked via a Yahoo Zero day or a bad
password choice.

Given what is being described as a major breach of confidentiality and privacy on the
part of the republican candidate, Veracode has an idea of exactly how the yahoo mail
hack was carried out via the Yahoo password reset screen. If you know basic
information about the person you are interested in, and have access to the backup e-
mail account that the person uses, you can get a password reset sent to that other
account.

So if you back up is an account that someone else has access too, regardless of who
they are, the yahoo password reset function will work just the way it was intended.
The problem is that at least the backup account has to be compromised in some
manner to make this work. The data though that is in Wikileaks is a lot of information
that investigators were wanting to get but were being difficult to get legally. None of
the information on Wikileaks can be used in court, and odds are now that the account
has been compromised, none of the yahoo information can be used either. Wikileaks
reports that:

Circa midnight Tuesday the 16th of September (EST) activists loosely affiliated with
the group 'anonymous' gained access to U.S. Republican Party Vice-presidential
candidate Sarah Palin's Yahoo email account gov.palin@yahoo.com and passed
information to Wikileaks. Governor Palin has come under criticism for using private
email accounts to conduct government business and in the process avoid
transparency laws. The zip archive made available by Wikileaks contains screen shots
of Palin's inbox, two example emails, address book and a couple of family photos. The
list of correspondence, together with the account name tends to re-enforce the
criticism. Following the release of this story, both Sarah Palin's better known account
gov.sarah@yahoo.com and the gov.palin@yahoo.com account have been suspended
or deleted as revealed by a test email sent to these addresses by Wikileaks. Although
the reasons for the deletion of both accounts can not not yet be established, one
interpretation is that Palin is trying to destroy her email records. Source: Wikileaks

This hack brings home the idea to the candidates that information security is
something that needs to be talked about at a national level if we are to be successful in
defending cyberspace in the USA. This is the kind of example that will bring a deeper
focus at least on the vice presidential candidate that we need some very real
information security, and she will have her own story to tell about it. This is not a
good thing on many levels, because the data has now been compromised and is
useless to law enforcement in case she really was doing something that she should
not have been doing. So while the hackers on this one might have provided the data
in the yahoo mail account, in the end they might have ended up compromising the
entire State of Alaska investigation into Governor Paulin’s actions.