What hasn’t been said about the Palin email hack

I don’t blog about politics, although sometimes I blog about things that are intertwined with politics. The Palin email hack is one of those things that are fascinating on technical and social levels. Socially, as a libertarian with no party affiliation, I find it interesting to watch the outrage of the normally surveillance-happy right wing paired with the non-caring of the normally privacy-fanatical left.

Technically, a lot of good summaries have been written about how the hack shows the weakness of knowledge-based authentication. Mark Diodati of Burton has a particularly well-written piece about it here. But there are several aspects of this that haven’t, so far as I am aware, been brought up.

First, this is usually described as a hack into Palin’s email account. That is true, but it understates the depth of the problem. What was actually hacked was Palin’s Yahoo account, which grants access to a number of Yahoo services including email. Another service is OpenID. The hacker would not only have obtained access to Palin’s email, but also to every OpenID-enabled account for which Palin had used Yahoo as the identity provider. In fairness, this is no different than if an IdP password is compromised for SAML or InfoCard (except self-issued cards), but it does point out the downside to federation.

Second, the vulnerability was not in the primary means of authentication (password), but in the secondary means of authentication (forgot password). The lesson here is that security is a chain that is only as strong as its weakest link. If the secondary means of authentication were made stronger, you might still need to worry about the tertiary means, which in many systems involves calling a support number and convincing them you are the right person. In many cases that’s not a terribly difficult process if you have enough personal information about someone.

Third, security has to match expected use. That is really the story here. I have a Yahoo email account, but there is no reason to expect anyone to attempt to compromise it using the same methods because there is no value to it. Security not through obscurity but lack of motivation. Palin elevated the value of hacking Yahoo by using it for official business (or at least appearing to). That’s not to say she wouldn’t have been a target, like many celebrities are, even if she had only an obviously personal email address, but she unwisely made a very inviting target.

So what are the lessons here?

In federation, the security of all the relying parties is only as strong as the least secure alternate means of authentication at the identity provider.

As consumers, we must be cautious of elevating the value of an identity provider beyond what it was designed for. This can happen because of social factors (as in Palin’s case) or by using it as a federated identity provider for a higher-value relying party.
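Both lessons can be checked mechanically when reviewing a set of accounts. The following Python is an added example, not code from the original post; the account names, the 1-to-3 assurance scale and the level assigned to each way in are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Account:
    name: str
    required: int                      # assurance level the account's value calls for
    paths: dict = field(default_factory=dict)   # local way in -> assurance level
    idp: Optional[str] = None          # identity provider accepted for federated login

def weakest_way_in(name, accounts, seen=frozenset()):
    """Return (level, description) of the weakest path that yields access to `name`."""
    acct = accounts[name]
    ways = [(lvl, f"{name}/{path}") for path, lvl in acct.paths.items()]
    if acct.idp and acct.idp not in seen:       # follow federation, guard against loops
        ways.append(weakest_way_in(acct.idp, accounts, seen | {name}))
    return min(ways) if ways else (0, f"{name}/no authentication defined")

def audit(accounts):
    """List accounts whose weakest way in falls below the level their value requires."""
    findings = []
    for name, acct in accounts.items():
        level, via = weakest_way_in(name, accounts)
        if level < acct.required:
            findings.append((name, acct.required, level, via))
    return findings

# Constructed sample: level 1 = answerable from public facts, 3 = strong.
# All names and levels are hypothetical.
SAMPLE = {a.name: a for a in [
    Account("webmail-idp", required=1,
            paths={"password": 3, "forgot-password questions": 1, "support call": 2}),
    Account("photo-site", required=1, idp="webmail-idp"),
    Account("official-records", required=3, paths={"password": 3}, idp="webmail-idp"),
]}

if __name__ == "__main__":
    for name, need, got, via in audit(SAMPLE):
        print(f"{name}: needs level {need}, reachable at level {got} via {via}")
```

Raising `required` on the identity provider account itself models the third point: the same configuration becomes a finding once the account is used for something more valuable than it was designed for.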

5 responses to “What hasn’t been said about the Palin email hack”

  1. Palin did not elevate the value of her account by using it for official business — until she was hacked, nobody could have known that she used it for official business.

    Every one of Palin’s accounts now has elevated value. She is a target, and as such, she needs to reevaluate every account she has online. Too bad we all don’t have that attitude from the get-go.

  2. A very good point. I wish I knew what the answer is to this kind of problem. But I believe that it’s too much to expect the average person, or even the above average person, to become a security expert.

  3. Nice article, and excellent point about OpenID.

  4. InfoSec 101 – “An asset must be protected to a degree consistent with its value.”

    IF the nature of the information you wish to share with others is of a confidential nature, why use free low-security-assurance email systems to begin with?

  5. Actually you shouldn’t. But what I was pointing out is that it is very easy for what starts out as a low-value usage appropriate to the level of security to become elevated in value and inappropriate.

    Expecting the average user to understand the ramifications of this, even at the InfoSec 101 level, is not realistic.

    The average user is very poor at assessing the level of security for a service.
