News & Current Affairs

September 19, 2008

Hackers infiltrate Palin’s e-mail

Hackers infiltrate Palin’s e-mail

Sarah Palin campaigns in Colorado, 15 Sept

Sarah Palin has been campaigning for Republican running mate John McCain

Hackers have broken in to the e-mail of the US Republican vice-presidential candidate, Alaska Governor Sarah Palin.

The hackers, who targeted a personal Yahoo account, posted several messages and family photos from her inbox.

The campaign of running mate John McCain condemned their action as “a shocking invasion of the governor’s privacy and a violation of the law”.

The hacking comes amid questions about whether Mrs Palin used personal e-mail to conduct state business.

According to law, all e-mails relating to the official business of government must be archived and not destroyed. However, personal e-mails can be deleted.

Mrs Palin is currently under investigation in Alaska for alleged abuse of power while governor.

‘Destroy them’

A group called Anonymous has claimed responsibility for the hacking of Mrs Palin’s Yahoo e-mail.

It posted five screenshots, two digital photos of Mrs Palin’s family and an address book to the whistle-blowing Wikileaks website. The information was taken from Ms Palin’s gov.palin@yahoo.com e-mail account.

One message exposed is apparently an exchange between Mrs Palin and the deputy governor of Alaska, Sean Parnell, who is seeking election to Congress.

Another is between Mrs Palin and friend Amy McCorkell, in which the latter says she is praying for the governor and adds: “Don’t let the negative press get you down!”

The family photographs of the Palins posted on Wikileaks are not thought to have previously been in the public domain.

“The matter has been turned over the the appropriate authorities and we hope that anyone in possession of these e-mails will destroy them,” the McCain campaign said in a statement.

Subsequent investigation has shown that the gov.palin@yahoo.com account has been shut down along with another, gov.sarah@yahoo.com, also owned by Mrs Palin.

It is not clear yet what methods the hacking group used to access to the e-mail account. The screenshots posted by the hackers reveal that they carried out the attack via a so-called proxy service to hide their tracks and limit the chance that they would be traced.

Earlier in 2008 the Anonymous group launched several online assaults against the Church of Scientology.

Mrs Palin has been on the campaign trail for Mr McCain this week, appearing at events in Colorado, Ohio and Michigan. The pair are due to hold an airport rally in Iowa on Thursday.

Advertisements

August 7, 2008

Net address bug worse than feared

Net address bug worse than feared

Courtesy BBC

Computer keyboard, BBC

Attackers could use the loophole to redirect web users to fake sites

A recently found flaw in the internet’s addressing system is worse than first feared, says the man who found it.

Dan Kaminsky made his comments when speaking publicly for the first time about his discovery at the Black Hat conference in Las Vegas.

He said fixes for the flaw in the net’s Domain Name System (DNS) had focused on web browsers but it could be abused by hackers in many other ways.

“Every network is at risk,” he said. “That’s what this flaw has shown.”

The DNS acts as the internet’s address books and helps computers translate the website names people prefer (such as bbc.co.uk) into the numbers computers use (212.58.224.131).

Mr Kaminsky discovered a way for malicious hackers to hijack DNS and re-direct people to fake pages even if they typed in the correct address for a website.

In his talk Mr Kaminsky detailed 15 other ways for the flaw to be exploited.

Via the flaw hi-tech criminals or pranksters could target FTP services, mail servers, spam filters, Telnet and the Secure Socket Layer (SSL) that helps to make web-based transactions more secure.

“There are a ton of different paths that lead to doom,” he said.

‘Hype’

But the DNS threat was played down by net giant VeriSign which issues many of the security certificates used in SSL. It told BBC News its system was “not vulnerable”.

The Silicon Valley company looks after two of the net’s 13 DNS root servers. It also controls the computers that contain the master list of domain name suffixes such as .com and .net

Ken Silva, CTO VeriSign

“If there is a silver lining in all of this, it’s that users will become more aware and more consious of who they do business with.”

Ken Silva, chief technology officer at Verisign, said: “We have anticipated these flaws in DNS for many years and we have basically engineered around them.”

He believed there had been “some hype” around how the DNS flaw will affect consumers. He added that while it was an interesting way to exploit DNS on weak servers, there were other ways to misdirect people that remained.

Mr Silva said he was concerned that people would read too much into the doom and gloom headlines that have surrounded the discovery of the DNS flaw.

“It’s been overplayed in a sense. I think it has served to confuse the consumer into believing there is somehow now a way to misdirect them to a wrong site.

“The fact of the matter is that there have been many ways like phishing attacks to misdirect them for a long time and this is just yet another of those ways that will be surgically exploited.”

Security gap

Mr Kaminsky kept news of the flaw out of the public domain for months after its discovery to give companies time to patch servers.

Mr Kaminsky said that 75% of Fortune 500 companies have fixed the problem while around 15% have done nothing.

Major vendors like Microsoft, Cisco, Sun Microsystems and others have issued patches to close the security hole.

“The industry has rallied like we’ve never seen the industry rally before,” said Mr Kaminsky.

Student using laptop, BBC

Computer users need to be educated to surf the superhighway more safely

DNS attacks are not new but Mr Kaminsky is credited with discovering a way to link some widely known weaknesses in the system so that the attack now takes seconds instead of days or hours.

“Quite frankly, all the pieces of this have been staring us in the face for decades,” said Paul Vixie, president of the Internet Systems Consortium, a non-profit that makes the software run by many of the world’s DNS servers.

Mr Silva at VeriSign said even though patches have been put in place, this doesn’t mean users can sit back and relax.

“The biggest gap in security rests between the keyboard and the back of the chair,” he said.

“The look and feel of a website is not what a consumer should trust. They should trust the security behind that website and do simple things like use more secure passwords and change their password regularly.”

Mr Silva said education is fundamental in making the net a safer place.

“We have been trained since we were young to lock the door to our house, our car. We take these sensible security measures in the environment we are functioning in.

“Yet when it comes to computer safety we forget to look both ways before crossing the internet highway.”

Blog at WordPress.com.