Man charged with Palin's Yahoo! hack, raising e-mail security concerns

By SHAUN WATERMAN, UPI Homeland and National Security Editor   |   Oct. 8, 2008 at 5:48 PM

WASHINGTON, Oct. 8 (UPI) -- A 20-year-old man from Tennessee was indicted for hacking into an e-mail account belonging to GOP vice presidential nominee Sarah Palin. The case highlights a situation in which laws forbid officials from using government resources, including e-mail, for political purposes, but security vulnerabilities dog the use of personal accounts, such as Palin's Yahoo! address.

David Kernell, the son of state Democratic Rep. Mike Kernell of Memphis, turned himself in Wednesday after an indictment was unsealed and pleaded not guilty before U.S. Magistrate Judge C. Clifford Shirley, according to local media reports.

He was released on bond, and a trial date was set for Dec. 16. If convicted, he faces a maximum of five years in prison and a fine of up to $250,000.

The Justice Department said a federal grand jury Tuesday had indicted Kernell on a single count of "intentionally accessing without authorization" Palin's e-mail account, after her address was revealed in news reports.

The indictment says that "on or about Sept. 16," Kernell "gained unauthorized access to the e-mail account gov.palin@yahoo.com by resetting the password. ... Specifically, he reset the password to 'popcorn' by researching and correctly answering a series of personal security questions."

The security questions, a feature common to most free Internet e-mail services, are designed to help those who have forgotten their password and do not have access to an alternative e-mail account to which a special password reset code can be sent.

For Yahoo! accounts like Palin's, the questions are date of birth, ZIP code and one other security question settable by the account holder. In Palin's case this was, "Where did you meet your spouse?" according to an account of the hack that was posted -- along with screenshots, personal photos and other details from the account -- on the Internet, allegedly by Kernell.

"It took seriously 45 mins on Wikipedia and Google to find the info," says the posting. "Birthday? Fifteen seconds on Wikipedia; ZIP code? Well she had always been from Wasilla, and it only has 2 ZIP codes (thanks online postal service!)"

The "where did you meet your spouse?" question was "somewhat harder," says the posting. "I found out later through more research that they met at high school, so I did variations of that, high, high school, (and) eventually hit on 'Wasilla High.' I promptly changed the password to 'popcorn' and took a cold shower."

Although the screenshots that the indictment says Kernell posted on the Web show he was using a special anonymizing Internet service to access Palin's e-mail, the account of the hack was posted under an online nickname, or handle, that he had used elsewhere and could be associated with his e-mail address.

"Note to criminals," wrote one commentator on tech news and commentary Web site Slashdot, after bloggers had linked the handle with Kernell's e-mail address, "If you want to get away with something, don't brag about how you did it!"

Palin's personal address was revealed in news accounts after government transparency campaigners in Alaska sued for e-mail records of her aides and found that they were communicating with the governor via her Yahoo! account, rather than her official state one, according to the Anchorage Daily News.

Palin's Alaska state press secretary, Bill McAllister, told the newspaper that she appropriately used her personal account for political activities.

It is common for certain senior officials in the U.S. government to maintain non-governmental e-mail accounts, because a federal law called the Hatch Act prohibits the use of government resources for any political activities.

The House Committee on Oversight and Government Reform said in a report last year that dozens of senior White House officials, including the president's top adviser, Karl Rove, had maintained e-mail accounts provided by the Republican National Committee.

The House committee's investigations, led by Chairman Henry Waxman, D-Calif., have focused on the question of whether those accounts were properly archived if they included material that might be covered by laws requiring the preservation of official records.

But some experts have raised security issues about the arrangements as well.

In a book last year, author and publisher David Gerwitz wrote that RNC e-mail accounts were provided by SMARTech, a 12-person Internet service provider based in Chattanooga, Tenn., and questioned whether they were secure enough to be an appropriate channel for mail that might include sensitive details like the president's whereabouts.

The RNC did not respond to a request for comment Wednesday afternoon.

Follow us on Facebook, Twitter, and Instagram for more news from UPI.com
Related UPI Stories
Trending Stories