Palin Email Hacker Caught Red Handed
In a stunning turn of events, hackers have broken into vice-presidential candidate Sarah Palin's Yahoo email account, brazenly publishing several critical messages.
The chaos isn't just limited to the Republican party, however; according to reports, the son of a prominent Democrat is under suspicion following an FBI raid.
Serious questions are being raised this morning about the security of Palin's account, and whether the Alaskan senator should admit some responsibility for using Yahoo Mail for official business.
The hacker, from a group calling itself Anonymous, published some of the stolen material at Wikileaks, a site that allows anyone to publish leaked information. It has no connection to Wikipedia -- the term 'wiki' refers to sites which can be edited by users.
The posted material included five emails, two photographs and an address book. The emails include an exchange with Alaska deputy-governor Sean Parnell discussing radio host Dan Fagan. There was also a listing of her inbox showing many subject lines which appeared to involve government business.
Palin and her camp have yet to comment, other than to confirm the account, firstname.lastname@example.org, has now been closed down. However, the BBC quotes John McCain's campaign as calling the incident "a shocking invasion of the governor's privacy and a violation of the law." (Source: bbc.co.uk)
Critics have already slammed Palin for using a personal and free email account for official business: not only for the security implication, but over concerns she may have been trying to evade laws on public records. Adam O'Donnell of email security firm Cloudmark says "Using private accounts for government or business use is incredibly dangerous. There's a reason why you have an official account. It's so that you can apply proper security management to the account." (Source: computerworld.com)
An unconfirmed message board posting from somebody claiming to be the hacker says it took just 45 minutes to hack into the account. The post claims the attack involved asking Yahoo to reset the account's password, supplying Palin's date of birth and zip code, and answering the security question "Where did you meet your spouse?" The alleged answer was 'Wasilia high', a reference to Palin's school. (Source: arstechnica.com)
Ironically, the suspected hacker, David Kernell, appears to have made it equally simple to catch him out thanks to a Yahoo account. The boastful post was made under the user name 'Rubico', which other message board posters quickly linked to email@example.com, an address Kernell had used on a YouTube account.
Meanwhile, the hacker had made a major blunder by leaving the browser's address bar visible in the screenshots of Palin's emails. That gave away that they had used Ctunnel, a service for 'anonymous' web browsing.
With Kernell already in the frame, the FBI was able to cross-reference the details of the attack with Ctunnel's data logs ('anonymous' surfing soon loses its secrecy when the Feds come knocking) and confirm that the hacker used an IP address originating in Kernell's Knoxville apartment block. That's now been raided, though there's no public word of any charges being filed.
Kernell is the son of David Kernell, a Democrat state representative in Tennessee. He's denied any knowledge of, or involvement in, the hacking.