Proxy server trail leads FBI to Palin email hacker

Posted by Humphrey Cheung

Anchorage (Alaska) – FBI agents are using proxy server logs to track down the hacker who broke into Sarah Palin’s Yahoo email account. The hacker gained access to the Republican Vice Presidential candidate’s account by resetting the password. He then posted details of his adventures on a popular online forum, but that information is now leading reporters and federal investigators to the suspect – a Tennessee college student and son of Democratic state representative Mike Kernell.

A few days ago, someone going by the name of “Rubico” gloated on 4chan.org that he managed to hack into Sarah Palin’s Yahoo account. He forced a password reset by answering questions about Palin’s birthdate, zip code and where she met her spouse, Wasilla High School. Of course, because Palin is the Republican candidate for Vice President, all of this information is very easily found on the Internet. After answering the questions, Rubico reset the password to “popcorn” and read through Palin’s emails.

And it seems he was pretty thorough, saying on the boards that he read “ALL OF THEM”. He even posted screenshots of the Yahoo email page, complete with the full URL (we’ll talk about that later). Rubico says he didn’t find anything incriminating and the emails were actually fairly mundane family pictures and correspondence. But his jubilation turned into horror as he realized that he hadn’t taken proper precautions to cover his tracks.

Rubico used a proxy server that shields the source IP address from website logging scripts.  While this sounds great, Rubico posted, “Yes I was behind a proxy, only one, if this sh** ever got to the FBI I was FU****”

In his gloating, Rubico posted screenshots of the Yahoo account complete with the full URL, which included the proxy server’s address (ctunnel.com) followed by a unique identifier. For example, we used ctunnel.com to surf to YouTube and the URL reads: http://ctunnel.com/index.php/1010110A/58a5cd1e8ab47088982c83282fd768456e... So it doesn’t take a genius to go through the logs and match up the ID to the appropriate IP address and BAM, you’ve got the hacker.

But aren’t proxy servers supposed to anonymize your information? Yes and no. Dan Goodin over at The Register talked to Gabriel Ramuglia, the owner of the ctunnel.com proxy server that Rubico allegedly used. Ramuglia is upset about the ordeal because his service was never meant to be used for illegal activities and says Rubico definitely broke his site’s terms of service. Ramuglia added that every incoming IP address is logged with the time and destination website.
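The log matching described above, sketched as an added example (not code from this article or from ctunnel.com). The log layout, host names and identifier values are constructed, and treating the two path segments after index.php as the identifier is an assumption.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample log, one request per line:
#   timestamp  client_ip  destination_host  identifier
# The real proxy's log format is not given in the article; this is assumed.
SAMPLE_LOG = """\
2000-01-01T14:02:11Z 198.51.100.23 mail.example.com AAAA1111/aaaabbbbccccdddd
2000-01-01T14:02:40Z 203.0.113.77 video.example.com BBBB2222/1111222233334444
2000-01-01T14:05:02Z 198.51.100.23 mail.example.com AAAA1111/aaaabbbbccccdddd
not a log line
2000-01-01T18:30:00Z 192.0.2.9 mail.example.com AAAA1111/aaaabbbbccccdddd
"""

def session_id_from_url(url):
    """Pull the identifier out of a proxied URL seen in a screenshot (assumed layout)."""
    m = re.match(r"^/index\.php/([^/]+/[^/]+)", urlparse(url).path)
    return m.group(1) if m else None

def parse_line(line):
    """Return (timestamp, ip, host, identifier), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return ts, parts[1], parts[2], parts[3]

def correlate(log_text, session_id, seen_at, window=timedelta(minutes=30)):
    """Map each client IP that used session_id near seen_at to (first, last, hits)."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, ip, _host, sid = rec
        # Require both the identifier and a time close to when the URL was observed.
        if sid != session_id or abs(ts - seen_at) > window:
            continue
        first, last, count = hits.get(ip, (ts, ts, 0))
        hits[ip] = (min(first, ts), max(last, ts), count + 1)
    return hits

if __name__ == "__main__":
    sid = session_id_from_url("http://proxy.example/index.php/AAAA1111/aaaabbbbccccdddd")
    print(correlate(SAMPLE_LOG, sid, datetime(2000, 1, 1, 14, 10)))
```

The time window matters as much as the identifier: the last sample line carries the same identifier from a different address hours later and is excluded.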

Ramuglia told Goodin that he hasn’t had a chance yet to examine his logs, but added that there is a good chance that they will lead to the hacker. Since the interview, he’s received a call from the Anchorage, Alaska FBI field office, and agents there are strongly suggesting that he not lose the logs.

But it gets even better. White hat hackers didn’t even need proxy information to find the culprit because they discovered that the Rubico forum handle was linked to rubico10@yahoo.com. A few searches on Google and YouTube further link this email address to 20-year-old David Kernell, a student at the University of Tennessee-Knoxville. His father is Democratic Tennessee state representative Mike Kernell.

As you can expect, the Yahoo account has been frozen and all the incriminating forum posts on 4chan.org have been deleted. But this didn’t stop Wired.com from printing some of the posts. Don’t you just love it when hackers brag about their “leet” skills?