Cracking a Gmail Account
Who is the real identity behind that Gmail account? While finding out may not be as easy as knowing who is behind firstname.lastname@example.org (Homer Simpson, for the curious), it apparently isn't much harder.
Yahoo might have recently attracted attention for the public compromise of one of US Vice Presidential nominee Sarah Palin's accounts, but there are people looking at all providers for weaknesses in account creation (spammers), account recovery (hackers), or other account management functions, such as the identity behind the address.
There are varying levels of success in each area, with many security people who pay attention to the latest developments in CAPTCHA-breaking believing that the major webmail providers have been compromised to a level where it is viable for automated spamming.
In the area of account recovery, anyone who watches the Full Disclosure mailing list will note from time to time claims of malfeasance from various unheard-of groups who claim to have the full webmail mail file of one or more security identities. The Sarah Palin case has publicly demonstrated for everyone else the many problems that can be associated with not selecting secure enough security questions (and the problem of determining what is secure in the first place).
There isn't as much focus on finding the identity behind a random webmail account, but Google apparently seems to have several (unintentional) methods to recover the registered first and last names associated with an account. In a demonstration of why it is always polite to acknowledge security issues, Google was previously notified of a similar issue, by the same researcher, but they silently fixed it. Not happy with the approach taken last time, the researcher publicly disclosed enough of their rediscovered issue for many who had discovered equivalent problems to come forward with their own examples.
Information that can be recovered is only as good as the information that was originally supplied, but who really signs up to a webmail provider with a fake name? If you were already taking steps to blur your online identity, then it probably isn't going to work against you. Rather, it is the majority of users, who take no real effort to hide their identity when using online services, who can have their details rapidly recovered.
With spammers who have managed to automatically create a number of spam accounts, this allows them to send highly personalized spam to their targets and improve the chances of having it slip past the Gmail filters. Spear phishers might already know who owns an account, but this might help gain leverage on co-workers or add extra legitimacy by identifying others who the target would already know about but who the phisher wouldn't directly know.
Highly personalized spam might be an annoyance, and it might be unsettling to be the target of a Spear Phisher (if you even pick up on the attempt). It will certainly be annoying for your Information Security people, but what of the biggest risk, account hijacking?
Let's say you set out to hijack a random someone's Gmail account. Using one of the different methods freely available, you manage to recover your target's first and last name. If you're not being picky, you spread your efforts over a range of addresses in order to build a range of options for the next step. Using the likelihood that someone from the list of names gathered has linked their Gmail account to one at MySpace, FaceBook, LinkedIn, or some other networking site you then dig your way through the list compiling a basic profile on each person who has done so and then use account recovery procedures to reset passwords or directly gain access to your victim's account.
Sure, you could always establish a fake Gmail account and do whatever it is you want from there, but there is always the chance that you will be traced, hence the use of an account that is not yours. It is like using someone else's open wireless access point without their knowledge. If you do something malicious, the investigation will target them first, but eventually when you are tracked down, it will be all the worse for you.
Proving that a malicious email didn't come from you might be a little harder than proving that someone accessed your network without permission, but an email account hijack is certainly a technical feasibility. It will be difficult to prove that it did happen, and it can be difficult to prove that it didn't.
Investigators and security personnel need to be aware that it can happen, and that it can happen quite easily. Users need to be aware that it can happen, and to contact their webmail service provider in the first instance if they believe something has happened.