Big Breaks in the Palin E-mail Breach Investigation

The odds that the Feds will find the person who broke into Sarah Palin’s e-mail account are considerably better than I had thought, because someone who claims to have committed the crime has bragged about it on the infamous 4chan image hosting site. (A quick CoOp aside: every day I better appreciate how the paper on Cyber Civil Rights by new permablogger Danielle Citron, who first introduced me to 4chan, will be a must-read in this day of 4chan and Jason Fortuny.) Although the posts have been deleted, Kim Zetter has reproduced them for Wired’s Threat Level blog. First, the user known as “Rubico” bragged about how he had breached the Yahoo account by supplying Governor Palin’s supposedly private answers to the questions posed by Yahoo’s password recovery scheme:

it took seriously 45 mins on wikipedia and google to find the info, Birthday? 15 seconds on wikipedia, zip code? well she had always been from wasilla, and it only has 2 zip codes (thanks online postal service!)

the second was somewhat harder, the question was “where did you meet your spouse?” did some research, and apparently she had eloped with mister palin after college, if you’ll look on some of the screenshots that I took and other fellow anon have so graciously put on photobucket you will see the google search for “palin eloped” or some such in one of the tabs.

I found out later through more research that they met at high school, so I did variations of that, high, high school, eventually hit on “Wasilla high” I promptly changed the password to popcorn and took a cold shower…

Oh, and about Rubico’s screenshots? They apparently reveal the URL bar of Rubico’s browser, which in turn reveals that Rubico had not been browsing Yahoo directly but had instead been using an anonymizing proxy service called Ctunnel. A good idea on its face, because Yahoo no doubt captures and preserves the IP addresses used to recover passwords. But although using Ctunnel may have been a good idea, advertising that fact in a screenshot, it turns out, was not:

Gabriel Ramuglia who operates Ctunnel, the internet anonymizing service the hacker used to post the information from Palin’s account to the 4chan forum, told Threat Level this morning that the FBI had contacted him yesterday to obtain his traffic logs. Ramuglia said he had about 80 gigabytes of logs to process and hadn’t yet looked for the information the FBI was seeking but planned to be in touch with the agents today.

Apparently, providing the screenshot in this case was a particularly dumb move. In another interview Ramuglia notes:

Usually, this sort of thing would be hard to track down because it’s Yahoo email, and a lot of people use my service for that . . . . Since they were dumb enough to post a full screenshot that showed most of the [Ctunnel.com] URL, I should be able to find that in my log.

There are more lessons here than are worth listing. A few, after the jump:

For law enforcement:

  • The pressure is on. Usually, you would be forgiven for failing to track a crime across the Internet, but if Rubico is the person behind the breach (and I bet you know already whether Rubico’s claims match up with information in Yahoo’s logs), you should be able to find the identity of Rubico in pretty short order. Many news outlets are now reporting that Rubico is a 20-year-old college student in Tennessee whose father is a Democratic state representative.

For would-be Internet criminals:

  • Don’t brag about your crimes.
  • If you’re going to brag, brag only to people you know.
  • If you’re going to brag, don’t post screenshots that give away important clues which make it easier to track you!
  • Use more than one anonymizing proxy.

For webmail providers:

  • As I said last time, people will be scrutinizing your security closely. After discussing Rubico’s boasts, Ed Felten has concluded that although it is hard for a service to simultaneously give away accounts to any anonymous person who requests one while still maintaining robust password recovery mechanisms, “it’s still surprising that Yahoo’s recovery scheme was so weak.”

For Gabriel Ramuglia, the person who runs Ctunnel:

  • Expect a mixed reaction. On the one hand, many will celebrate your data retention policies for helping the feds get one big step closer to solving this case. On the other hand, other people will consider it a betrayal that you held yourself out as an anonymizing service yet stored this information at all. You don’t endear yourself in the eyes of the latter group by moralizing about how people shouldn’t be using your service to “conduct illegal activities.”

For lawmakers:

For the media:

  • Be careful how you report this case. As best as I can tell, the 20-year-old who is now having his name dragged through the mud has been linked to the Rubico posts through a series of connections being unearthed by bloggers. Reporters in the MSM seem to be repeating the conclusions of these bloggers without a lot of independent investigation. This guy may, for all I know, be Rubico, but I have yet to read a single article that lays out a case airtight enough to justify such widespread dissemination of the rumor.


2 Responses

  1. While it is ironic that rubico’s bragging made him easier to trace, I’m not convinced that the feds wouldn’t have been able to trace him almost as easily had he not done it. They would have needed to dig through Yahoo’s logs, but that would just have involved finding the first successful password change on the account and then looking at the IP address, which would have led them straight to Ctunnel. Yes, they wouldn’t have had the exact URL, but they would have had the exact time, which would be almost as good for someone with 80 gigs of logs.

  2. Paul Ohm says:

    James,

    You’re right that the advantage to the Feds was probably marginal. Still, at the very least, a smart agent (and trust me, there are plenty of those) could have gone to Ctunnel at the same time he or she went to Yahoo, saving himself or herself a few hours during which Ctunnel’s logs might’ve been deleted.

    Also, what do you make of the second Ramuglia quote? “Usually, this sort of thing would be hard to track down because it’s Yahoo email, and a lot of people use my service for that.” If enough people use his service for Yahoo mail, then his logs might have shown more than one request through Ctunnel to Yahoo at any given date and time.

    Finally, according to other sources, the URL “showed a hash string that identified who the user is.” If true, then not only would this have saved Ramuglia from searching his logs for date strings at all, it would have also been the kind of great identity evidence the prosecutor would love, especially if the same hash value is found in a cache on the ultimate suspect’s computer.
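The log-correlation question James and Paul Ohm are debating above (how much a leaked URL fragment helps over a bare timestamp when searching a busy proxy's logs) can be made concrete. The following is an added example, not part of the original post or either comment: the proxy log lines, IP addresses, timestamps and the `hash=EXAMPLEHASH7f3a` fragment are all constructed for illustration and are not Ctunnel's or Yahoo's data. It parses an Apache-style access log, first narrows candidates to everyone who reached the webmail host within a window around the provider's password-change timestamp, and then shows how a user-specific URL fragment collapses that set to a single client.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed proxy access log in Apache "combined" layout. Every IP,
# timestamp and URL below is invented for this example; the hash value
# is a placeholder, not anything observed in the real case.
PROXY_LOG = """\
10.0.0.11 - - [16/Sep/2008:14:02:17 +0000] "GET /index.php?q=https://mail.yahoo.com/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.23 - - [16/Sep/2008:14:02:41 +0000] "GET /index.php?q=https://mail.yahoo.com/ HTTP/1.1" 200 4880 "-" "Mozilla/5.0"
10.0.0.37 - - [16/Sep/2008:14:03:05 +0000] "GET /index.php?q=https://login.yahoo.com/forgot&hash=EXAMPLEHASH7f3a HTTP/1.1" 200 6011 "-" "Mozilla/5.0"
10.0.0.23 - - [16/Sep/2008:14:03:19 +0000] "GET /index.php?q=https://mail.yahoo.com/inbox HTTP/1.1" 200 7210 "-" "Mozilla/5.0"
10.0.0.42 - - [16/Sep/2008:14:09:58 +0000] "GET /index.php?q=https://www.example.org/ HTTP/1.1" 200 3020 "-" "Mozilla/5.0"
"""

# client ip, bracketed timestamp, and the request line's URL.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*"'
)


def parse_log(text):
    """Return a list of (client_ip, aware datetime, requested_url) tuples."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the search
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        entries.append((m.group("ip"), ts, m.group("url")))
    return entries


def candidates_by_time(entries, event_ts, window, host_hint):
    """Distinct client IPs that fetched a URL mentioning host_hint within
    +/- window of event_ts. This is all an investigator can do when the
    only lead is the provider's timestamp for the password change."""
    lo, hi = event_ts - window, event_ts + window
    return sorted({ip for ip, ts, url in entries
                   if lo <= ts <= hi and host_hint in url})


def candidates_by_fragment(entries, fragment):
    """Distinct client IPs whose requested URL contains an exact fragment,
    such as a user-specific token visible in a leaked screenshot. No time
    window is needed, and shared hosts no longer add noise."""
    return sorted({ip for ip, ts, url in entries if fragment in url})


def demo():
    """Run both searches against the constructed log and return the results."""
    entries = parse_log(PROXY_LOG)
    # Constructed: the moment the webmail provider logged the password change.
    event = datetime(2008, 9, 16, 14, 3, 0, tzinfo=timezone.utc)
    by_time = candidates_by_time(entries, event, timedelta(minutes=2), "yahoo.com")
    by_fragment = candidates_by_fragment(entries, "hash=EXAMPLEHASH7f3a")
    return by_time, by_fragment


if __name__ == "__main__":
    by_time, by_fragment = demo()
    print("timestamp window  ->", by_time)      # three clients hit the webmail host
    print("leaked URL fragment ->", by_fragment)  # one client matches exactly
```

With only the provider's timestamp, a two-minute window around the password change still yields three distinct clients on this small log, which is James's point that time alone is "almost as good" but not conclusive on a busy proxy; the exact fragment returns one client, which is why Paul Ohm treats a user-identifying hash in the URL as far stronger evidence than a date search. Note also that none of this works unless the proxy retained its logs at all, which is the retention question the post raises for Ramuglia.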