Dan Kaminsky, the director of penetration testing at IOActive, is the world’s most famous security hacker this summer. He found the flaw in DNS server technology that threatened to compromise the entire Internet and managed to get a patch out to protect everybody. In his talk at the recent Black Hat conference, he talked about how the DNS flaw had exposed weaknesses in the “forgot my password” feature on most login-based web sites. It so happens that the “forgot my password” function was the tool that hackers used to break into vice presidential candidate Sarah Palin’s email this week. This morning, news reports say that FoxNews commentator Bill O’Reilly also had his webmail hacked. [update: In the Palin case, authorities say they are questioning a suspect, David Kernell, the son of Tennessee Democrat State Representative Mike Kernell]
Kaminsky sent me this reply in response to my question about this kind of attack:
My observation then was that the unifying theme of the bugs of 2008 has been a complete failure to authenticate.
I have to admit, I’m a little surprised to see the theme infecting the election. But, there it is. Webmail providers have a particularly tricky problem with “Forgot My Password” links: They can’t presume you have some mail address to send a password or a reset link to, because they *are* your mail address. With nothing else they can go on, they end up trying personal entropy — secrets like when you were born, where you went to school, etc.
In an increasingly less private society, “secrets” like your birthday are easier and easier to acquire from just normal people — let alone massively visible Vice Presidential nominees like Sarah Palin. So personal entropy is now struggling even more as a mechanism to authenticate.
People have suggested — why not use the telephone system? Everyone has SMS (text messaging). From one perspective, this is completely true. From another, in this increasingly less private society, a decent number of people are specifically averse to having to permanently identify themselves to websites. (Skip a few chapters, and you can watch SMS spam explode as every website collects those numbers ‘in case you forget your password’.) And so we end up at OpenID and its ilk, which attempt to solve the problem of password forgetting by having all sites (effectively) share the same password, or at least authentication technology (since you might use a key fob to log into your OpenID provider). This has some downsides, but isn’t necessarily bad.
One quirky thing, given the election, is how electronic voting and the latest Forgot My Password hack play into one another. People want to vote, but they want their vote to be secret, but they want to be able to detect fraud, which normally requires validating the voter to their vote. People also want to log into their websites, but they want their real identity to be obscured, but they want to still be able to get in if they forget their password, which normally requires validating the real identity to the account. We can say this is ridiculous all day, but there are many people who won’t vote if their ballot isn’t perceived as secret, and there are many people who won’t use the web if their personal identity isn’t perceived as secret.
Notice how the big new feature in all the new browsers is secret (read: porn) browsing. Funky times we live in, eh?
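To put numbers on the contrast Kaminsky draws between “personal entropy” and a delivered reset link, here is an added example (not code from Kaminsky, IOActive or any webmail provider). It estimates how far a bounded number of online guesses gets against a secret-question answer drawn from a small candidate set, and beside it sketches the alternative a site can use when it does have a delivery channel: a random, hashed, expiring, single-use reset token. The answer-space sizes are constructed illustrative assumptions, not measured figures.

```python
import hashlib
import math
import secrets

# Constructed estimates (assumptions, not data from the article) of how many
# roughly equally likely answers a guesser must cover for common
# "forgot my password" questions.
ANSWER_SPACE = {
    "birthday, day and month only": 366,
    "mother's maiden name, common surnames": 5_000,
    "high school attended": 27_000,
}


def bits_of_entropy(n_answers: int) -> float:
    """Entropy of a uniformly chosen answer from n_answers candidates."""
    return math.log2(n_answers)


def guess_success_probability(n_answers: int, attempts_allowed: int) -> float:
    """Chance a guesser wins before the site's attempt limit stops them,
    assuming the true answer is uniform over the candidate set."""
    return min(1.0, attempts_allowed / n_answers)


class ResetTokenStore:
    """Reset links done properly: 256-bit random token, only its hash kept
    server-side, expires after ttl_seconds and is accepted at most once."""

    def __init__(self, ttl_seconds: int = 900) -> None:
        self.ttl = ttl_seconds
        self._issued: dict[str, tuple[str, float]] = {}  # sha256 -> (account, expiry)

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, account: str, now: float) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits: no online guess budget reaches it
        self._issued[self._key(token)] = (account, now + self.ttl)
        return token

    def redeem(self, token: str, now: float):
        """Return the account for a valid token, else None. pop() makes it single-use."""
        entry = self._issued.pop(self._key(token), None)
        if entry is None or now > entry[1]:
            return None
        return entry[0]
```

With ten allowed guesses the birthday question falls to a guesser about 2.7% of the time per account, and that is before any public biography shrinks the candidate set further; the token path gives the guesser no usable odds at all.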