I recently came across this article which talks about an ongoing trial concerning a “hack” in 2008.

Now this “hack” is made especially interesting by the fact that the victim was the, at the time, 2008 Republican vice presidential candidate Sarah Palin. Now you may have noticed I write “hack” instead of hack or security break-in, and the reason for this is actually quite simple: It really wasn’t a hacker attack!

What this kid (David C. Kernell) did, was that he simply used the “Forgot your password?” feature on Yahoo Mail to guess his way in to change Sarah Palins password and gain access to her mails. In the end, he actually gained access by using publicly available information and subsequently reacted by bragging on a discussion board while posting pictures of Sarah Palins e-mails. That’s not hacking! What he did was, at best, correctly estimating Sarah Palin’s knowledge of proper password policy.

Now what would an appropriate reaction be to such an incident? He’s clearly a reckless idiot, so some action should probably be made. Yet, at the same time, he showed Sarah Palin knows very little about basic security, thereby making a quite powerful (and perhaps needed) political point. If she can’t even secure her e-mail against amateurs, how is she going to secure the nation against ruthless psychopaths?

But basically, no matter what the appropriate reaction was, the prosecutors and Sarah Palin went with, for all intents and purposes, ending this person’s life! They went to court and tried to get him convicted for crimes with a combined punishment of up to 21 years and 250000$ in fines. All for guessing a password!

Until now he’s been convicted of felony destruction of records to hamper a federal investigation and of a misdemeanor charge that he unlawfully accessed a protected computer. He was however acquitted of a federal wire fraud charge. What level of punishment he’ll end up getting is hard to guess at, at the moment. But almost no matter what kind of punishment he gets, there’s a high likelihood it’ll be grave overkill.

Let’s face it: This 22 year old man is a moron – he did something enormously stupid. Not so much because he showed a grave lack of security understanding from the possible future vice president, but because he didn’t inform her, or her people, and didn’t give them sufficient time to correct the issue before sending it to the proper media channels. All in all he should have been a lot smarter! But that being said: What harm did this person really do?

Now, I’m all for punishing criminals and putting dangerous people behind bars. However a person like this isn’t really dangerous, he’s just not well-mannered. Had there been a proper, legal and well-documented process for reporting security issues in systems or procedures, then he would most likely have used these to get what he wanted: To show Sarah Palin knew little about security! Bare in mind, almost all IT-security professionals have learned primarily by doing – as in, they’ve tested their methods in more or less moral ways. Personally, I’ve always tried to keep to the moral part, however many others have been somewhat morally challenged – yet are now enormously talented and hard working. In fact, some of the best security professionals I’ve met are former “criminal” hackers to some degree.

So what’s my point with all this? Well basically: A young man/woman who “hacks” into a system and flaunts about it, is a person who lacks a place to be. We have full-fledged university degrees for biochemists, computer scientists, lawyers, politicians, engineers etc., yet we don’t have one for a hacker? We even educate police and military in the tactics of their enemies and how the enemy operates – even to the degree that certain soldiers have to act like the enemy in training in order to simulate combat. Yet we still don’t have any equivalent program to educate military hackers or security experts, even though we know for a fact that hacking has been used to attack a country’s infrastructure.

My five cents here is that David C. Kernell shouldn’t be prosecuted to the fullest extent of the law. He should get a slap on the wrist for handling it stupidly and for publishing/reading the content of Sarah Palin’s e-mails, and should then be thanked for showing the problem and put into a training program for IT and Security somewhere in the US. Even though this “hack” was enormously simple, he might still have some talent that could be used for so much good, instead of just throwing a 22 year old kid in jail and wasting his life.

We’re in a very problematic place in our society if showing the government aren’t doing some task well enough, results in oneself being imprisoned for the majority of one’s adult life.

Such a society is quite surely insecure!

As we have stated several times before (New OWASP guide: Secure Application Development on Facebook and Ruby on Rails Security Guide) OWASP, The Open Web Application Security Project, is a great organization tasked with providing comprehensive security knowledge for companies, individuals, organizations and developers.

This week they came out with a new finished OWASP Project: The Top 10 Security Threats of 2010.

The project website is located here and the full 22 page report can be found here: OWASP Top 10 for 2010 (pdf)

Basically what this is, is a break down of the most severe security issues in web applications for the year 2010. What’s especially scary about it is however, that these 10 security issues have stayed largely unchanged since the Top 10 of 2007. In fact only two issues have been replaced on the list, making the OWASP top 10 security threats of 2010 (the new ones are bold):

1. Injection
2. Cross-Site Scripting (XSS)
3. Broken Authentication and Session Management
4. Insecure Direct Object References
5. Cross-Site Request Forgery (CSRF)
6. Security Misconfiguration
7. Insecure Cryptographic Storage
8. Failure to Restrict URL Access
9. Insufficient Transport Layer Protection
10. Unvalidated Redirects and Forwards

What this shows us is that despite the efforts of OWASP, Aconiac and similar organizations, the security field has stayed largely unchanged and developers are still making the same mistakes in their designs and code. It might very well not be entirely possible to change this fact in general, even given 10 years from now.

But while companies in general may be making these mistakes, you don’t have to! The OWASP report includes several pages describing the security issues in detail, including an analysis of the risk it imposes on your business and what impact a breach might result in. We encourage you to download and read the entire 22 page PDF and make it mandatory reading for every developer and designer in your organization.

NOTE: This news item was originally posted on December 30, 2008

2008 will soon be over and a new and exciting year lies in front of us. 2008 was an interesting year for computer security. We saw, once again, escalating threats towards companies from almost all fronts. Especially the leaks of unencrypted data in England, the automated SQL injection mass-attacks and the attacks on social network services were some of the big public problems in 2008.
But then how will 2009 be? Now, it’s obviously very hard to predict the future in such a dynamic world, however we have made an effort to come up with our ideas for what might be, the 10 biggest security threats in 2009: