While interesting political news, you may be wondering what specific lessons to take from the alleged Palin e-mail hack from a computer security perspective. I think there are two. First, although the details are still sketchy, it appears that the Palin e-mail hack involved someone using the password recovery feature in order to reset the password on the email account. This is similar to what we saw in 2006, where hackers would pretend to be a cell phone user who had misplaced their bill in order to get call detail records. In both instances, the key to success was the hacker's ability to pass himself off as the actual account user, based on information that the account user is presumed to know. While telecommunications carriers are now required to have certain authentication systems in place, these same guidelines do not apply to the majority of corporate America. Therefore, it would be a good time to reevaluate any password recovery or remote access features that are being used in your corporate environment by asking yourself: what is your corporate email policy when someone calls the helpdesk and says that his remote access password or key fob is unavailable? Can that person get the helpdesk to reset his password or issue a new token? Can he get immediate access to the account? What forms of authentication are required? High-profile events like this often provide an opportunity for organizations to get the resources necessary to better secure their systems.
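To make the first lesson concrete, here is an added example (not from the original post) that contrasts a knowledge-based password reset, where anyone who knows the presumed-secret answer can take over the account, with a hardened flow that uses the answer only to trigger a one-time code to an enrolled out-of-band channel, limits guesses, and records every attempt in an audit trail. The Account fields, the send_code callback and the sample values are constructed for illustration.

```python
import hashlib, hmac, secrets, time
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

AUDIT: List[Tuple] = []  # constructed in-memory audit trail; a real system ships this to a SIEM
@dataclass
class Account:
    username: str
    answer_hash: bytes             # knowledge-based factor: a fact the user is "presumed to know"
    phone: str                     # enrolled out-of-band channel (hypothetical field)
    password_hash: bytes = b""
    pending_code: Optional[str] = None
    code_expires: float = 0.0
    failed: int = 0

def digest(s: str) -> bytes:
    return hashlib.sha256(s.strip().lower().encode()).digest()
def weak_reset(acct: Account, answer: str, new_password: str) -> bool:
    """Knowledge-based recovery: whoever knows the 'secret' answer owns the account."""
    if not hmac.compare_digest(digest(answer), acct.answer_hash):
        return False
    acct.password_hash = digest(new_password)
    AUDIT.append(("reset", acct.username, "kba-only"))
    return True

def request_reset(acct: Account, answer: str, send_code: Callable[[str, str], None]) -> bool:
    """Hardened step 1: the answer only unlocks a one-time code sent out of band; guesses are limited and logged."""
    if acct.failed >= 3:
        AUDIT.append(("locked", acct.username))
        return False
    if not hmac.compare_digest(digest(answer), acct.answer_hash):
        acct.failed += 1
        AUDIT.append(("bad_answer", acct.username))
        return False
    acct.pending_code = f"{secrets.randbelow(10**6):06d}"
    acct.code_expires = time.time() + 600      # code valid for 10 minutes
    send_code(acct.phone, acct.pending_code)
    AUDIT.append(("code_sent", acct.username))
    return True

def complete_reset(acct: Account, code: str, new_password: str) -> bool:
    """Hardened step 2: the reset succeeds only with the code delivered to the enrolled channel."""
    ok = (acct.pending_code is not None and time.time() < acct.code_expires
          and hmac.compare_digest(code, acct.pending_code))
    acct.pending_code = None                   # single use, whether or not it matched
    if ok:
        acct.password_hash = digest(new_password)
    AUDIT.append(("reset" if ok else "bad_code", acct.username, "oob"))
    return ok
```

The AUDIT entries are what a helpdesk or SOC would review when a reset looks suspicious; the weak path leaves only a success record, while the hardened path also records failed answers, lockouts and bad codes.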
The second, and perhaps more obvious, lesson is to make sure users are using systems the way they are designed. Corporate systems are built to help manage and protect valuable corporate documents, and often include audit features and backup protection. Free email accounts may not work as well for these purposes. Widespread use of free email accounts during the corporate workday could be inadvertent but nevertheless result in a degradation of system protection, or it could be a signal that users are intentionally trying to circumvent the systematic protections in place. Either way, such use may require some attention.