Application security, Breach, Data Security

Palin email “hack” underscores need for stronger authentication

Last week we saw the kind of email hack of a prominent public figure -- vice presidential candidate Sarah Palin -- that many of us in the security industry saw coming for some time. According to media reports, a student in Tennessee allegedly “socially engineered” the password re-set on Palin's personal Yahoo email account by allegedly using Wikipedia to find answers to such questions as: “What is your postal code? What's your birthday? Where did you meet your spouse?”

Half of Wasilla, Alaska knew these answers. And for those outside of that small Alaskan city, anyone with access to a computer and a search engine could have easily found them. This incident should put both government officials and CEOs of public companies on notice: Think twice before conducting official business on Yahoo or Google email accounts. Beyond ethical or policy considerations, you're likely to get hacked.

There are a few important takeaways from the Palin hack that everyone should keep in mind:
  1. Email, even that of the “free” variety that Yahoo offers, is not a toy
  2. User name and password is no longer a viable authentication method
  3. It is time to actually address authentication security. There's an answer to this problem that doesn't involve expensive and proprietary technologies like tokens or smart cards. In fact, it's already deployed and is now reaching critical mass.

Back to the Future

When Yahoo debuted its email system several years back, most users conducted personal business with these accounts. But the Palin hack shows us how difficult it has become to differentiate between the necessary levels of email security for business accounts vs. free accounts, as well as the role that the industry must play in strengthening security. Think of a similar evolution in technology and how it was used in the telecommunications industry. Internet telephony was still in its infancy when a tempest arose when those trying to place 911 calls using Vonage couldn't be traced—a longstanding function with landline phones and one mandated for the public good. Vonage was forced to implement this function. Now that email systems from Yahoo and Google are so widely used, shouldn't these service providers take the next step in shoring up security to protect confidentiality of their users and the information they exchange?

To the second point, we've known for a while that, by its nature, user names and passwords aren't secure, and momentum continues to build across the industry to solve this problem in a manageable way. Sure, there are other authentication solutions such as tokens or smart cards. But the downfall with these is they are expensive and proprietary. Is it reasonable to ask Yahoo or Google to require their email users buy tokens or smart cards? Or for said companies to provide them free of charge? Of course not.

This brings us to the main point of this piece: how we'd advise Yahoo to shore up its email security by implementing better authentication. Today, millions of PCs are shipped every month that have the ability to authenticate to Yahoo mail securely with the Trusted Platform Module (TPM) security chip. Think of the chip—whose standards were set forth by the dozens of technology industry leaders that comprise the Trusted Computing Group—as a tamper resistant storage vault for user credentials. It's hardware authentication native to the motherboard. There are more than 250 million users on the net that have this hardware capability on their PCs today.

It's a solution that is open and vendor neutral, championed by all the members of this organization, which include Intel, Microsoft, IBM, HP, Dell and others. More likely than not, the PC you are reading this entry on has a TPM. The TPM can replace passwords to access email on public systems with industry standard cryptographic methods that are well understood and can be practically implemented by Yahoo engineers. And, frankly, it wouldn't take long to do.

The benefits are numerous: there's no cost for the user to utilize the TPM nor is there any cost for Yahoo to make it an optional authentication means for its email system. The use of a TPM could easily have prevented the Palin attack, as there would be no password and it would not be possible to reset access from a foreign machine. And TPM technology is only going to be even more ubiquitous in the very near future, as Intel has added its functionality of the TPM to the chipset on a number of new motherboards, bringing the cost for any manufacturer close to zero.

But the PC industry can only go so far to promote TPM adoption. Ultimately a service provider needs to support the TPM standard as an option so the user can have a secure account. We suggest Yahoo do this immediately. The potential for 250 million users to have secure access to email from their PC without passwords is big enough for Yahoo to pay attention. As consumers we are—and should be—fed up with the poor tradeoffs have been made by the service providers around security. Here's what we'd like to see:

  1. Announce planned support for Yahoo login to use the TPM
  2. Work with the OEMs, software vendors and customers to implement simple enrollment and use models
  3. Provide optional support for TPM as a global authentication mechanism to Yahoo mail and all other Yahoo services.
  4. Join the Trusted Computing Group to enhance and deploy the standards that are already broadly available.
  5. Its time for secure access to email, and hardware security is the proven solution.

Steven K. Sprague is the president and CEO of Wave Systems Corp., which provides software to help solve critical enterprise PC security challenges.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.