Sarah Palin email hack raises new security concerns

Social networking profiles can yield answers to security questions, as Sarah Palin found to her cost

The volume of personal information on the internet is making the use of personal security questions a far less effective protection method, according to one expert.

Gary Warner, director of computer forensics research at the University of Alabama, Birmingham, outlined new risks which had surfaced in the aftermath of the Sarah Palin email attack.

Warner said in a blog posting that the attack shows just how simple it can be to obtain information to foil the 'personal information' questions used by many web services.

The questions are intended to ensure that only the intended user can reset an account password. Users are asked information that a stranger would not know, such as zip code or pet's name.

As users put more of their lives online through the use of social networking and personal sites, however, more of that once-personal information is becoming publically available.

Warner pointed out that the information used by suspected hacker David Kernell to access the Yahoo mail account of Alaska governor and vice-presidential candidate Sarah Palin was found through a few Google searches.

Authorities have since tracked down Kernell's surfing history in performing the attack and recently raided his apartment.

Kernell was able to obtain Palin's zip code and birth date through a search, and figured out where she met her husband through online biographical information.

Those three pieces of information were then used to reset Palin's password and access her account.

"Of course, it's worse if you are a celebrity," Warner noted. "Governor Palin, after all, has a biography written that will answer most of these questions."

Warner pointed out, however, that with a little additional effort, information on regular people can be found on social networking sites.

An attacker could pick up a targeted user's personal information and employment history from sites such as LinkedIn and Facebook, while personal and family history information can be obtained from directory sites such as Classmates.com or genealogy sites.

To remedy the problem, Warner suggests a healthy dose of dishonesty. Users should enter false information when asked about personal history.

"Lie. Be dishonest. Do not tell the truth. And then write down your security questions and put them wherever you keep your birth certificate and passport," wrote Warner.

"They force you to have a security question, but don't make it something the rest of the world can find out with a Google search."