Sarah Palin to take the stand in “hacking” trial

From the Associated Press:

KNOXVILLE, Tenn. – A former college student charged with hacking Sarah Palin's e-mail account fears some jurors in heavily Republican East Tennessee could be dazzled when the conservative star testifies. A jury of 12 and two alternates was seated Tuesday to hear the case against 22-year-old David Kernell. Prosecutors have not said when Palin will take the stand.

Kernell was a University of Tennessee student majoring in economics when prosecutors say he hacked into the Yahoo! account Palin sometimes used for state business. At the time she was Alaska's governor and the GOP candidate for vice president.

Convictions on all four felony charges — identity theft, wire fraud, intentionally accessing Palin's e-mail account without authorization and obstructing an FBI investigation — could send Kernell to prison for up to 50 years.

He is accused of accessing Palin's Yahoo! e-mail account by answering a series of personal security questions, resetting the password to "popcorn," making screen shots and posting the contents online using the nickname "rubico."

This is an interesting case because it is an example of low-tech hacking. All that Kernell did was guess what Sarah Palin's Yahoo ID was after reading that she used it instead of government e-mail addresses to discuss some of her personal (and public?) affairs. He then went to Yahoo's page and reset the password. Like any good web password reset form, Yahoo's has some security questions set up. Unfortunately, because Palin is a public figure, the answers to those questions were not actually secret: anyone with a little time could do a web search and figure them out. Something like "Name your best friend from elementary school" is probably a good question; something like "What is your mother's maiden name" is not. That is what Kernell did.

Unfortunately, he fell into the trap that a lot of amateur hackers fall into: he let his ego get the better of him. By changing the password and then posting screenshots of the account under a nickname, he pretty much led investigators on a trail right to him. This is similar to the owners of the Mariposa botnet earlier this year getting frustrated and logging on to control their botnet directly from their own computer. Once that happens, investigators can trace the connection back to the owner of the computer. Of course, it isn't always quite that easy, because some people sit behind a shared IP address, so while investigators may be able to narrow it down to a range, they can't necessarily narrow it down to a particular person. In addition, because IP addresses are often dynamically assigned and periodically reassigned, using an IP address as a unique identifier works only part of the time and only in particular cases.

The professional hackers know better. They keep their egos in check and hide behind proxies; that is, they take control of another machine and use that to control their botnets. The proxy machine relays traffic between the hacker and the botnet. Authorities can still trace the hacker, but they have to get onto the machine acting as the proxy and examine its logs to see where it was relaying data to and from. Smarter hackers hide behind multiple proxies and erase their log history afterwards, or, worse yet, plant fake entries. All of this is still traceable, but it takes a lot of time and resources to do.
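The hop-by-hop tracing described above, as an added example (not code from the original post or from any real investigation): it walks back from one connection observed at a botnet controller, through the relay logs of each seized proxy, and reports where the trail ends. The hosts, addresses, log format and timestamps are all constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed relay logs, one list per seized proxy. Each line is
# "<time> in=<src ip:port> out=<dst ip:port>": the host accepted a connection
# from src and relayed it on to dst. An empty list models a proxy whose logs were wiped.
LOGS = {
    "proxy-b": ["2010-04-27T14:03:09 in=192.0.2.44:53321 out=203.0.113.9:6667"],
    "proxy-a": ["2010-04-27T14:03:07 in=203.0.113.77:60001 out=198.51.100.5:6667"],
    "proxy-wiped": [],
}
# Which seized host answers to which address (assumed known from the seizure itself).
HOST_OF = {"198.51.100.5": "proxy-b", "192.0.2.44": "proxy-a", "203.0.113.50": "proxy-wiped"}
LINE = re.compile(r"(\S+) in=(\S+) out=(\S+)")


def trace(src, dst, seen_at, window=timedelta(seconds=10)):
    """Walk back from one observed connection (src -> dst at ISO time seen_at).
    Returns (hosts visited, outcome, where it stopped). Outcomes:
      "unattributed": reached an address no seized host answers to (possible origin,
                      but an address alone is not a person: shared, NAT'd or dynamic)
      "cold":         a proxy has no relay entry matching the downstream leg (logs erased?)
      "loop":         the relay chain circles back on itself
    """
    seen = datetime.fromisoformat(seen_at)
    chain = []
    while True:
        host = HOST_OF.get(src.split(":")[0])
        if host is None:
            return chain, "unattributed", src
        if host in chain:
            return chain, "loop", host
        chain.append(host)
        found = None
        for line in LOGS[host]:
            ts, inbound, outbound = LINE.match(line).groups()
            t = datetime.fromisoformat(ts)
            # The proxy's outbound leg must point at the downstream host and sit close in
            # time to what that host saw; the window absorbs clock skew between machines.
            if outbound.split(":")[0] == dst.split(":")[0] and abs(seen - t) <= window:
                found = (inbound, t)
        if found is None:
            return chain, "cold", host
        # The proxy's inbound peer becomes the next address to attribute; this proxy
        # becomes the downstream host for the next hop.
        src, dst, seen = found[0], src, found[1]


if __name__ == "__main__":
    print(trace("198.51.100.5:40112", "203.0.113.9:6667", "2010-04-27T14:03:10"))
    print(trace("203.0.113.50:41000", "203.0.113.9:6667", "2010-04-27T14:03:10"))
```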

Sometimes it is only a matter of time before the attacker slips up and makes a mistake. That is what the amateurs do. The professionals don't; they are careful to hide their identity and cautious not to draw attention to themselves. In cybercrime, anonymity is what pays, or at least what keeps the police off your trail. And that, of course, is the real challenge of cybercrime. This anonymity makes it very difficult to trace offenders back to their source, and investigations can end up on rabbit trails. It is great for protecting privacy, but not so good at protecting people from others with nefarious intentions.