Security experts speculating how Sarah Palin's Yahoo email account had been hacked put forward several theories, with some sceptical that the access was gained by a simple password reset.

A Yahoo spokeswoman would not comment on the Palin hack or answer questions about the service's password reset feature. "In general, Yahoo doesn't comment on security policies," said Kelley Benander.

One or more hackers broke into Palin's account early on Tuesday, then sent copies of several of its messages to news organisations and to WikiLeaks, a site known for publishing confidential and leaked documents. Among the leaked messages was one between Palin, the Republican nominee for vice president, and Alaska's current Lt. Gov, Sean Parnell, who is running for the state's lone congressional seat, and another with a former private investigator that Palin appointed to the Governor's Advisory Board on Alcoholism and Drug Abuse in October 2007.

On Wednesday, the McCain-Palin campaign acknowledged the hack. "This is a shocking invasion of the Governor's privacy and a violation of law," the campaign said in a statement. "The matter has been turned over to the appropriate authorities."

Although it is unclear how Palin's account was accessed, at least one person has stepped forward to claim the hack. In a message posted to a "Random" message board -- the site's most popular, which also goes by "/b/" -- but since deleted, someone identified only as "Rubico" claimed to have gotten Palin's password by using Yahoo's own password reset mechanism.

Some security experts found that hard to believe.

"The whole password reset sounds dubious," said Paul Ferguson, a network architect at antivirus vendor Trend Micro Inc. "Yahoo! sends a password reset to a secondary e-mail account, so it sounds far-fetched to me that it would be that easy."

Yahoo users who ask the service to remind them of their password are asked for just a few personal details -- such as birth date, country of residence and postal code -- but assuming those are entered correctly, the password is e-mailed to an alternate account, which has had to be entered previously.

Computerworld's tests today, which involved several accounts and used various combinations of password reset queries, always resulted in the Yahoo password or username being sent to an alternate address. However, if a user says his or her alternate e-mail address is unavailable, the password can be reset.
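As an added illustration (not code from the article, from Yahoo or from any of the researchers quoted), here is a small model of the two recovery paths the experts are arguing about: a reset that trusts the personal details alone, beside one that only mails a one-time token to the previously registered alternate address and rate-limits requests. The account, its details and the e-mail address are constructed.

```python
import secrets

def sample_accounts():
    """Constructed sample account; every detail here is made up for the example."""
    return {"sample_user": {"password": "old-secret", "birth_date": "1975-06-30",
                            "country": "US", "postal_code": "12345",
                            "alternate_email": "backup@example.com"}}

class ResetService:
    """Models the two recovery paths discussed in the article."""
    def __init__(self, accounts, max_attempts=5):
        self.accounts = accounts
        self.attempts = {}      # username -> reset requests seen (rate limit)
        self.max_attempts = max_attempts
        self.outbox = []        # (address, token) messages "mailed" to the alternate account
        self.pending = {}       # token -> username awaiting completion

    def _answers_match(self, acct, birth_date, country, postal_code):
        return (acct["birth_date"], acct["country"], acct["postal_code"]) == (birth_date, country, postal_code)

    def weak_reset(self, username, birth_date, country, postal_code, new_password):
        """Knowledge-based path: the personal details alone change the password."""
        acct = self.accounts[username]
        if not self._answers_match(acct, birth_date, country, postal_code):
            return False
        acct["password"] = new_password
        return True

    def hardened_request(self, username, birth_date, country, postal_code):
        """Out-of-band path: correct details only send a one-time token to the alternate address."""
        n = self.attempts.get(username, 0) + 1
        self.attempts[username] = n
        acct = self.accounts.get(username)
        if acct is None or n > self.max_attempts:
            return "denied"     # same answer for unknown user, lockout and wrong details
        if not acct.get("alternate_email") or not self._answers_match(acct, birth_date, country, postal_code):
            return "denied"
        token = secrets.token_urlsafe(16)
        self.pending[token] = username
        self.outbox.append((acct["alternate_email"], token))
        return "token_sent"

    def hardened_complete(self, token, new_password):
        """Only whoever reads the alternate mailbox holds the token that sets a new password."""
        username = self.pending.pop(token, None)
        if username is None:
            return False
        self.accounts[username]["password"] = new_password
        return True
```

The point of the second path is that birth date, country and postal code are often public, so on their own they should gate nothing more than the mailing of a token.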

Other researchers, however, thought that the password reset method might make sense. "It's plausible," admitted Adam O'Donnell, director of emerging technologies at message security vendor Cloudmark Inc. "That's a pretty accurate description on how to break into a system," he added, referring to Rubico's description of the attack.

"It's either a password reset or a brute force attack," O'Donnell continued. A brute force attack is one in which the attacker simply tries the most likely passwords one after another until one works.

Ferguson had other ideas. "It could have been a sidejack," he said. Shorthand for session hijacking, the tactic takes advantage of session cookies that are sent in the clear by some Web services, including Yahoo! Mail and Microsoft's Hotmail. "There's all that traffic flying in the clear," said Ferguson, "and there are tools now that let you steal someone's cookie in mid-session."
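The defence against the cookie exposure Ferguson describes is to mark session cookies so the browser never sends them over plain HTTP. The following added example (not from the article or from either mail service) audits Set-Cookie headers for the Secure and HttpOnly attributes; the headers are constructed samples.

```python
# Constructed sample Set-Cookie headers, not captured from any real service.
SAMPLE_HEADERS = [
    "Set-Cookie: SESSIONID=abc123; Path=/",
    "Set-Cookie: AUTH=def456; Path=/; Secure; HttpOnly",
    "Set-Cookie: prefs=dark; Path=/; Secure",
]

def audit_set_cookie(header):
    """Return (cookie name, list of missing protections) for one Set-Cookie header.

    Without Secure the browser also sends the cookie over plain HTTP, which is the
    exposure sidejacking relies on; without HttpOnly page scripts can read it too.
    Accepts either a full header line or just the header value."""
    value = header.strip()
    if value.lower().startswith("set-cookie:"):
        value = value.split(":", 1)[1].strip()
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    missing = [flag for flag in ("Secure", "HttpOnly") if flag.lower() not in attrs]
    return name, missing

def audit_all(headers):
    """Map cookie name -> missing flags, listing only cookies that need attention."""
    return {name: missing for name, missing in map(audit_set_cookie, headers) if missing}
```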

Access to the cookie would provide access to, in this case, a Yahoo! Mail account, Ferguson said. "This has happened to a couple of white hat hackers whose accounts were hacked," he said. "So it all goes back to the attacker thinking, 'Is it worth the effort?'"

Palin could have been victimized by a previous, and until now unknown, attack, too, said Ferguson and other researchers. "She could have gotten a keylogger," Ferguson said. "She's on the road all the time, and she could have been using a laptop on the road to access her Yahoo! mail across hotel wireless networks."

Public Wi-Fi networks, such as those commonly found in most hotels, are rarely if ever locked down with encryption, since that would require users to enter passwords to connect to the Internet. For that reason, so-called "man-in-the-middle" attacks are most lucrative at unsecured hotspots.

"What with the recent discoveries like the DNS flaws, it's not unthinkable that Palin's e-mail could be intercepted," theorized Randy Abrams, director of technical education at security company ESET LLC. "But with just one person, social engineering is much more plausible."

A spear-phishing attack -- an attempt at identity theft that's aimed at just one person, or at a small group -- made more sense to Abrams than a password reset hack. "For all we know, it could have been a hack on Yahoo's infrastructure."

The bottom line, said all three researchers, is that Web mail security leaves a lot to be desired. "The underlying issue here is that regardless how Palin's account was hacked, Web mail platforms just don't have proper security for their users, whether it's a governor, who shouldn't be using one to begin with, or you or me," said Ferguson.

"This is the dark side of the cloud in cloud computing," said Abrams. "The inherent danger of cloud computing is that cloud dissipating. When you leave data somewhere where you don't control, it's potentially vulnerable."

The Yahoo executive in charge of Yahoo Mail today urged users to stiffen their passwords. In a post to a company blog, John Kremer, the vice president who oversees the mail service, recommended using long passwords that contained combinations of numbers and letters.

"In order to protect the privacy of our users, we can't get into specific details of any of our users' accounts," Kremer said in the post.