6/6/2012
09:14 AM

Romney Campaign Investigates Hotmail Account Hack

Attacker claims one-off access of Romney's Hotmail and Dropbox accounts was accomplished by guessing the name of a favorite pet.

Memo to presidential contenders: Lose the free Webmail accounts.

A hacker Tuesday claimed to have infiltrated the personal Hotmail account--mittromney@hotmail.com--and Dropbox account of Republican presidential candidate Mitt Romney, after guessing his "favorite pet" security question to change the password. Gawker broke the story after receiving an email from the hacker, who said he--or she--had gleaned Romney's Hotmail address from a recent news story, although Gawker redacted the supplied password.

"I hacked in after finding the answer to the security question, 'What is your favorite pet?' It is [redacted] by the way. The password is now [redacted] ... This is also the password for the Dropbox account," said the hacker's email. "This is all I have gotten into. I have nothing to do with Anonymous and have never done something like this before. Goodbye."

"The tipster didn't include any screenshots or evidence of what the accounts contained as proof," noted Gawker, which said that for legal reasons, it didn't test to see whether the proffered password for Romney's accounts worked. But the breach suggests that Romney--or his aides--used the same password across multiple Web services.

The Romney campaign, meanwhile, confirmed that a related investigation is underway, but didn't detail which accounts may have been hacked, or whether they were used by Romney for personal communications. "Proper authorities are investigating this crime and we will have no further comment on it," according to a statement released by Gail Gitcho, Romney's campaign communications director.

The hack of Romney's "favorite pet" question is ironic, given his complicated history with animals. Or as The New Yorker recently put it, "We know about Seamus the dog, how Romney put him in a crate and strapped it to the roof of the family station wagon for hours of driving."

The unauthorized email access recalls a similar incident in 2008 involving Republican candidate for vice president Sarah Palin, after 4Chan aficionado David C. Kernell, then 22, guessed her Yahoo Mail password--"popcorn"--and leaked screenshots and text files to WikiLeaks. In April 2010, a federal jury convicted Kernell of obstruction of justice and unauthorized access to a computer.

In 2008, WikiLeaks justified releasing the Palin information by noting that "Governor Palin has come under criticism for using private email accounts to conduct government business and in the process avoid transparency laws."

Similar questions have been dogging Romney. Notably, The Wall Street Journal Tuesday published what it said is "believed to be the most complete set of the internal emails to date, including attachments to some of the messages" from Romney's tenure as governor of Massachusetts, from 2003 to 2007.

That feat was made possible by a public records request, which turned up "a small cache of emails," but it evidently took some digging. "When Mitt Romney left office as Massachusetts governor, his aides removed all emails from a server computer in the governor's office, and purchased and carted off hard drives from 17 state-owned personal computers," reported the Journal.

Earlier this year, the Associated Press reported that Romney had used a free Microsoft Hotmail account and private email address to conduct state business. The AP noted that copies of the emails--which it obtained under Massachusetts Public Records Law and which spanned a four-month period--were not included in boxes of archived materials that it was allowed to examine from Romney's time as governor.

The rise of Webmail has led to questions over the degree to which government communications--long a matter if not of public record, then at least national archiving--are being captured for posterity. Government watchdogs in particular have warned that official business conducted via private email addresses raises transparency questions, while security experts have long warned that such communications are more liable to be intercepted by hackers or intelligence agencies.

On a related note, the White House instituted a new email archiving program in 2010, including controls to prevent unauthorized deletions, after settling a suit filed by the National Security Archive and Citizens for Reform and Ethics in Washington in 2007. The two groups sued the White House in response to reports that millions of White House emails had gone missing after the Bush administration, which moved from Lotus Notes to Microsoft Exchange, abandoned an email archiving system that had been installed during the Clinton Administration.

Members of the Bush Administration--including then White House Deputy Chief of Staff Karl Rove--also came under fire for not using the White House email system for official communications. Rove said he'd avoided using the White House system for the majority of his communications because it wouldn't work with his BlackBerry.

Comments
beauwoods,
User Rank: Apprentice
6/13/2012 | 11:06:53 AM
re: Romney Campaign Investigates Hotmail Account Hack
We can't make any inferences about password reuse from what we have in the story. Instead what probably happened was that the attacker reset the password for the Hotmail account, which was linked to Dropbox and allowed him to reset that password as well. It's doubtful the person discovered the original passwords.
GR8Day,
User Rank: Apprentice
6/7/2012 | 4:00:57 PM
re: Romney Campaign Investigates Hotmail Account Hack
People in such positions need to use more caution in these areas, but these email providers need to take some responsibility and steps to secure their users' accounts. But from what I can see they want to be hacked, spammed and viewed as not being secure? And they will continue to be hacked and defrauded until they pull their heads out of the sand and implement some form of 2FA (two-factor authentication) where you can safely telesign into your account by entering a one-time PIN code.
Zaga,
User Rank: Apprentice
6/6/2012 | 5:48:57 PM
re: Romney Campaign Investigates Hotmail Account Hack
We users are very naive to believe our information is safe online when it is password protected--passwords, and challenge questions and captcha are a thing of the past. The only safe online sites are those who allow us to telesign in. It doesn't matter if you are purchasing, using email, paying a bill. If it doesn't let you telesign in, browse away!