Sarah Palin’s Yahoo! email account has been hacked by Anonymous.

It’s bad enough that Sarah Palin is using a private Yahoo! email account to conduct state business to circumvent public records laws, but she also apparently chooses some pretty easy to guess passwords. The group calling itself “Anonymous” managed to hack her email account:

The internet griefers known as Anonymous took credit for the intrusion, and screenshots of e-mail messages and photos belonging to the Alaska governor have been published by WikiLeaks. Threat Level has confirmed the authenticity of at least one of the e-mails.

The cache of stolen data contains five screenshots from Palin’s account, including the text of an e-mail exchange with Alaska Lt. Gov. Sean Parnell about his campaign for Congress.

Another screenshot shows Palin’s inbox and a third shows the text of an e-mail from Amy McCorkell, whom Palin appointed to the Governor’s Advisory Board on Alcoholism and Drug Abuse in 2007.

The e-mail, a message of support to Palin, tells her not to let negative press get to her and asks Palin to pray for McCorkell, who writes that “I need strength to 1. keep employment, 2. not have to choose.”

The Republican Party hasn’t responded to a call for comment, but McCorkell, reached at her office, confirmed that she did send the e-mail to Palin.

Good to know state secrets will be in such good hands if she becomes VP, eh?

If you use Gmail you should enable the SSL feature right now.

The folks over at Wired.com have an entry up on how and why you should enable Gmail’s SSL feature that is worth a read:

Why? Because without it, anyone can easily hack someone’s account and in two weeks it is going to get even easier. Mike Perry, a reverse engineer from San Francisco, announced his intention to release his Gmail Account Hacking Tool to the public. According to a quote at Hacking Truths, Perry mentioned he was unimpressed with how Google presented the SSL feature as less-than-urgent. It is urgent, and here’s why.

The reason why is pretty simple. Without the SSL feature turned on Gmail only uses a secure connection for the initial login and then all session data is sent back and forth unencrypted. The problem with that is your session data includes your login information which kinda defeats the point of having it encrypted during the login. Someone sitting with a packet sniffer looking at your network traffic could snatch that info from the data stream and have full access to your account and all the archived emails. By turning on the SSL feature the entire session will be encrypted from beginning to end.

You can tell if your session is encrypted by looking at the address bar of your browser. If you see HTTPS: at the start of the address while reading your email then you’re encrypted. This feature is turned off by default so if you haven’t specifically turned it on then you’ll want to. You can do that by clicking on the SETTINGS link in the upper right corner of the Gmail screen and on the GENERAL tab (which should be the default that comes up) you scroll down to where it says BROWSER CONNECTION and click on the box for “Always use https.” Then just press Save Changes to update your account. You may need to quit and login to Gmail again to make sure it’s working.

You won’t notice anything different about how Gmail works from before, but you’ll be a little better protected.

Has Yahoo! been hacked?

Just got off the phone with my Dad after trying to diagnose a possible virus on his computer. Every time he starts up Firefox it goes nuts saying there’s a virus incoming and to abort the connection. We set up a Remote Assistance so I could see what was going on and indeed every time he tried to go to his homepage he got a virus warning. That homepage just happens to be Yahoo.com. Here’s the popup he was getting:

Seeing that there was something being appended to the end my first stop was to see what his homepage was configured for in his browser. Sometimes when you install malware on your system it’ll change the default webpage of your browser so it can install even more junk, but pulling up the options screen it was clear that last bit wasn’t part of the URL. That seemed odd so on a lark I tried to pull up Yahoo myself and, sure enough, my Avast went nuts warning me of a virus and showing the same URL. I’m pretty sure both our PCs aren’t unknowingly infected with the same virus so the only logical conclusion is that it must be coming from Yahoo! directly. Either they’re trying to pull something over on their users or their servers have been hacked.

Anyone else experiencing the same thing at the moment? Dad says it was fine earlier today and there’s nothing on any of the tech sites I frequent about it so it must be something that’s happened only recently.

Update: It appears that it’s a false positive with Avast. Manually telling it to update the .dat files cleared up the issue.

Grafiti artist hacks digital billboard in Los Angeles.

So have you seen them fancy LED lit digital billboards in your neck of the woods as of yet? They started popping up around the Detroit area over the past year or so and as of today there’s at least four of them that I know about. They’re basically really big computer monitors and they rotate ads once every couple of seconds and can be seen a mile or so away. Apparently it’s also possible to update them in real time as one of the ads was for a local radio station in which it listed the song playing on that station at that very moment

This got me to wondering if the boards use a wireless or wired connection for the updates and how long it would be before someone got around to hacking one of them. Apparently I wasn’t the only person to have this thought cross his mind:

An entity simply known as Skullphone has been altering Clear Channel digital billboards in Los Angeles, by hacking into the computer that runs the billboards and inserting the Skullphone images between the ads.


Click to embiggen!

You just know as soon as something goes digital that someone else will find a way to hack it. What’ll be interesting to see is what happens if this sort of hack ends up being easy to replicate. If anyone manages to hack any of the boards I see regularly here in Michigan I’ll be sure to grab a picture of it.

Interesting article: “The Pirates Can’t Be Stopped”

The folks at Portfolio.com have an interesting article on the ongoing war between media companies and the legions of file sharers. It focuses on how Media Defenders, a company that promises Hollywood that they’ll disrupt file sharing on P2P networks, was hacked by a long high school kid who exposed the company’s inner workings for all to see:

A teenager hacked into the outfit charged with protecting companies like Sony, Universal, and Activision from online piracy—the most daring exploit yet in the escalating war between fans and corporate giants. Guess which side is winning.

The first time Ethan broke into MediaDefender, he had no idea what he had found. It was his Christmas break, and the high schooler was hunkered down in the basement office of his family’s suburban home. The place was, as usual, a mess. Papers and electrical cords covered the floor and crowded the desk near his father’s Macs and his own five-year-old Hewlett-Packard desktop. While his family slept, Ethan would take over the office, and soon enough he’d start taking over the computer networks of companies around the world. Exploiting a weakness in MediaDefender’s firewall, he started poking around on the company’s servers. He found folder after folder labeled with the names of some of the largest media companies on the planet: News Corp., Time Warner, Universal.

[…] Ethan and I had first started talking over an untraceable prepaid phone that he carried with him. He eventually agrees to speak in person, as long as I protect his identity. (Ethan is a pseudonym.) We meet after school, in a bookstore that he says is near his house. He hands me a flash drive containing documents that I was later able to independently verify as internal, unpublished information belonging to MediaDefender. He also pulls out a well-creased sheet of paper bearing my name, the first five digits of my Social Security number, a few pictures of me, and addresses going back 10 years. “I had to check,” he says. Then he asks me about another Roth he has been researching; it turns out to be my brother. “I was just starting to dig in to him,” he says. “There’s a lot there.” Ethan is a handsome kid, with broad shoulders and a preppy style, and is unfailingly polite, cleaning up the table after I buy him a coffee and patiently walking me through the intricate details of Microsoft security procedures.

[…] In the spring, however, he decided to explore the company again. Over the next few months, Ethan says, he figured out how to read MediaDefender’s email, listen to its phone calls, and access just about any of the company’s computers he wanted to browse. He uncovered the salaries of the top engineers as well as names and contact information kept by C.E.O. and co-founder Randy Saaf (with notations of who in the videogame industry is an “asshole” and which venture capitalists didn’t come through with financing). Ethan also figured out how the firm’s pirate-fighting software works. He passed on his expertise to a fellow hacker, who broke into one of MediaDefender’s servers and commandeered it so that it could be used for denial-of-service attacks.

The kid has a future in IT Security if he doesn’t end up getting busted for some of the hacking he’s done in the past. This was all done by a single high school kid in his spare time over the course of months and he’s only one of hundreds, if not thousands, of pirates who are fighting an arms race against the companies who would be Hollywood’s gate keepers. Reading the full seven page article it quickly becomes clear that the pirates are winning and the best hope that the entertainment industry has is to change its business models to accommodate what people really want, but that’s not likely to happen anytime soon. The most telling example of this conflict comes from an account in the article about a small indie film that benefited greatly from being pirated:

A new independent movie called Jerome Bixby’s The Man From Earth showed up on one of the file-sharing sites in November. The film’s producers had no idea it had even been pirated; all they knew was that suddenly its popularity was skyrocketing. Their websites received 23,000 hits in less than two weeks, and the film’s ranking among the most-searched-for movies on the internet movie-tracking site IMDB went from 11,235 to 15. Eric Wilkinson, the film’s co-producer, wrote a fan letter to the site responsible for driving traffic to the pirated film: “Our independent movie had next to no advertising budget and very little going for it until somebody ripped one of the DVD screeners and put the movie online for all to download…. People like our movie and are talking about it, all thanks to piracy on the Net!” He requested that fans buy the DVD as well and added, “In the future, I will not complain about file sharing. you have helped put this little movie on the map!!!! When I make my next picture, I just may upload the movie on the Net myself!”

When I try reaching Wilkinson, though, I’m told that the producer is not available. Instead, the movie’s director, Richard Schenkman, returns the call. “Eric was clearly being sarcastic,” Schenkman says about the offer to upload the film. “That’s why he put in the exclamation points.” I tell him his partner certainly sounded enthusiastic about file sharing. “Look, I have mixed feelings about this,” Schenkman replies. “As a filmmaker, I love that people love the movie and have seen the movie. But as a person who literally has a hunk of his own life savings in the movie, I don’t want to be ripped off by people illegally downloading the movie. Some of these downloaders want to believe they’re fighting the man. But we’re all just people who work for a living.” He acknowledges, however, that DVD sales of the film increased after the leak, and that people have even been pledging money on a site the filmmaker set up to accept donations in markets where the DVD isn’t for sale. “I’m not saying I have the answers,” Schenkman says.

If anyone had the answers the problem would already be solved. What the industry needs to do is more experimentation to see what works, but they’d rather just sure their customers thinking that it’ll scare everyone else straight. A tactic that clearly doesn’t work as file sharing has grown in leaps and bounds year after year in spite of all the lawsuits.

Easiest way to hack into the IRS? Just ask for their password.

A lot of people have bought into the Hollywood mythology of a hacker as someone who sits at a keyboard typing randomly until he magically manages to break into a secure computer system solely by the power of his superior understanding of computers and programming, but the truth is you don’t have to be a Super Genius™ to successfully invade a computer network. You just have to know how to ask nicely:

Inspector general finds lax computer security by IRS employees – SignOnSanDiego.com

WASHINGTON – IRS employees ignored security rules and turned over sensitive computer information to a caller posing as a technical support person, according to a government study.

Sixty-one of the 102 people who got the test calls, including managers and a contractor, complied with a request that the employee provide his or her user name and temporarily change his or her password to one the caller suggested, according to the Treasury Inspector General for Tax Administration, an office that does oversight of Internal Revenue Service.

All it takes to be a successful hacker is a little knowledge of social engineering.