Welcome to the Aconiac Security Group Blog

This blog includes company news, company statements, tutorials, guides and much more. So please add this blog to your RSS reader and let us help you to become better security professionals.
Disclaimer: The views of individual bloggers may not be the views of Aconiac as a whole.

The official Aconiac company blog

Tag: passwords

I recently came across this article which talks about an ongoing trial concerning a “hack” in 2008.

Now this “hack” is made especially interesting by the fact that the victim was Sarah Palin, at the time the 2008 Republican vice presidential candidate. You may have noticed I write “hack” instead of hack or security break-in, and the reason for this is actually quite simple: it really wasn’t a hacker attack!

What this kid (David C. Kernell) did was simply use the “Forgot your password?” feature on Yahoo Mail to guess his way in, change Sarah Palin’s password and gain access to her mails. In the end, he actually gained access by using publicly available information and subsequently reacted by bragging on a discussion board while posting pictures of Sarah Palin’s e-mails. That’s not hacking! What he did was, at best, correctly estimate Sarah Palin’s knowledge of proper password policy.

Now what would an appropriate reaction be to such an incident? He’s clearly a reckless idiot, so some action should probably be taken. Yet, at the same time, he showed that Sarah Palin knows very little about basic security, thereby making a quite powerful (and perhaps needed) political point. If she can’t even secure her e-mail against amateurs, how is she going to secure the nation against ruthless psychopaths?

But basically, no matter what the appropriate reaction was, the prosecutors and Sarah Palin went with, for all intents and purposes, ending this person’s life! They went to court and tried to get him convicted of crimes with a combined punishment of up to 21 years in prison and $250,000 in fines. All for guessing a password!

So far he has been convicted of felony destruction of records to hamper a federal investigation and of a misdemeanor charge that he unlawfully accessed a protected computer. He was, however, acquitted of a federal wire fraud charge. What level of punishment he’ll end up getting is hard to guess at the moment. But almost no matter what kind of punishment he gets, there’s a high likelihood it’ll be grave overkill.

Let’s face it: this 22-year-old man is a moron – he did something enormously stupid. Not so much because he showed a grave lack of security understanding on the part of the possible future vice president, but because he didn’t inform her, or her people, and didn’t give them sufficient time to correct the issue before sending it to the proper media channels. All in all he should have been a lot smarter! But that being said: what harm did this person really do?

Now, I’m all for punishing criminals and putting dangerous people behind bars. However, a person like this isn’t really dangerous, he’s just not well-mannered. Had there been a proper, legal and well-documented process for reporting security issues in systems or procedures, then he would most likely have used it to get what he wanted: to show that Sarah Palin knew little about security! Bear in mind that almost all IT security professionals have learned primarily by doing – as in, they’ve tested their methods in more or less moral ways. Personally, I’ve always tried to keep to the moral side, however many others have been somewhat morally challenged – yet are now enormously talented and hard working. In fact, some of the best security professionals I’ve met are former “criminal” hackers to some degree.

So what’s my point with all this? Well, basically: a young man or woman who “hacks” into a system and flaunts it is a person who lacks a place to be. We have full-fledged university degrees for biochemists, computer scientists, lawyers, politicians, engineers etc., yet we don’t have one for a hacker? We even educate police and military in the tactics of their enemies and how the enemy operates – even to the degree that certain soldiers have to act like the enemy in training in order to simulate combat. Yet we still don’t have any equivalent program to educate military hackers or security experts, even though we know for a fact that hacking has been used to attack a country’s infrastructure.

My five cents here is that David C. Kernell shouldn’t be prosecuted to the fullest extent of the law. He should get a slap on the wrist for handling it stupidly and for publishing/reading the content of Sarah Palin’s e-mails, and should then be thanked for showing the problem and put into a training program for IT and security somewhere in the US. Even though this “hack” was enormously simple, he might still have some talent that could be used for so much good, instead of just throwing a 22-year-old kid in jail and wasting his life.

We’re in a very problematic place in our society if showing that the government isn’t doing some task well enough results in being imprisoned for the majority of one’s adult life.

Such a society is quite surely insecure!

McAfee came out with a blog post on March 17th concerning a new scam targeted at Facebook users. The attack had quite significant success, and therefore clearly shows an issue that still isn’t being sufficiently addressed by private individuals as well as companies.

The original blog-post can be found here: http://www.avertlabs.com/research/blog/index.php/2010/03/17/facebook-suffers-password-reset-scam/

For the people who didn’t feel like going in and reading the original blog post, here is a short summary:

Basically, McAfee has been tracking a Facebook e-mail scam in which users are sent fake e-mails with the subject “Facebook Password Reset Confirmation! Customer Support.” The message says that the user’s password has been changed for security reasons and that the new password is attached to the e-mail as a .zip file.

The scam is especially interesting because people generally fell for it. Within record time, it skyrocketed to number 6 on the Global Virus Map’s Top 10 list.

What this shows me is that companies and other organizations still have a huge education task ahead of them with regard to security. Looking at the simple scam e-mail in its entirety, this is what the content says:

Dear user of facebook,

Because of the measures taken to provide safety to our clients, your password has been changed.

You can find your new password in attached document.

Thanks,

Your Facebook.

There are several tell-tale signs that this is a clear-cut scam mail.

First and foremost, Facebook directly warns against any e-mails claiming to be from them if they include such things as requests for account information or attachments. All of Facebook’s information on scam prevention can be found at: http://www.facebook.com/security?v=app_4949752878 . All companies should consider including this document in the general security training of all personnel! Given a few years, Facebook, Twitter and the like will be used by the vast majority of all internet users (even more so than now), including traditionally non-technical users who don’t necessarily have the insight to detect attempts at IT fraud.

But even if Facebook hadn’t come out with any general information about what an official e-mail from them would look like (as most companies/organizations don’t), there are still several tell-tale signs.

Looking at the e-mail as it has been sent to most people, here is a list of my observations of scam-like characteristics:

  • The e-mail is not recipient specific.
    What I mean by this is that the e-mail doesn’t address the user specifically, but only refers to this person as “user of facebook”. This is highly unusual for a website so focused on user information, a website that would easily have access to specific information about you, e.g. your first name. Note, however, that the lack of a personalized greeting is not necessarily an indicator of a scam. In several situations some companies will choose to send out a non-personal greeting, but in such a case it would usually be worded differently and it would definitely not include any profile information (e.g. a new password as an attachment).
  • The presence of an attachment.
    Unsolicited attachments are almost never sent by any company, group or organization. If attachments are used, it will generally be because the recipient requested the given attachment. If you ever receive an attachment you didn’t expect (and I do mean EVER, no matter who it’s from), be very skeptical! Call the sender on the phone and ask for confirmation.
  • Spelling, grammar and the like.
    Another tell-tale sign is the use of language and wording in a message. Would the real Facebook really refer to themselves as “facebook” instead of “Facebook”? Incorrect grammar might be possible for small companies, since they might not have anyone to check such things, but for any large company you can expect that if there are more than a few microscopic typos (e.g. “teh” instead of “the”), it’s most likely a scam. Call the claimed sender on the phone for confirmation.
    Also, Facebook would probably not call you their “client”, but rather their “user”.
  • The e-mail is in plain text.
    Not all will agree with me on this point, but I do believe that serious senders (especially companies) will generally send an e-mail in HTML with graphics, tables and layout, and not as so-called “plain text”, which is simply characters and punctuation with no possibility for images, tables, layout, text formatting or anything of that sort. This is, like most of the rules here, not a general rule and should not be used on its own to discard an e-mail as a scam.
  • Odd sign-offs.
    Somewhat related to the issue of spelling and language use: would Facebook really end an e-mail with “Thanks, Your Facebook”? Wouldn’t it be more likely that they would end an e-mail with something along the lines of “Thanks, The Facebook Team”? Again, this is not a clear-cut sign of a scam, but in combination with the other issues it should raise a red flag for you. As always: call for confirmation if in doubt! Any serious person will not mind that you care about security; they will most likely applaud it!
  • Non-authenticated requests.
    Whenever an e-mail asks you for any information you wouldn’t shout out in public, that’s usually not information you should be sending through e-mail in any way or form. That’s basically why we have encryption and digital signing for e-mails.
    But you should be especially skeptical whenever an e-mail asks for account information or claims to include it. Normally, whenever you access your account on the website (e.g. http://www.facebook.com/), you’ve gone through some form of authentication process, usually by means of a simple username and password. You haven’t done this when checking your mail, so the website has no way of knowing it has reached the correct user with the relevant information or information request. A normal request for information will therefore involve you going to the company or organization’s website and completing a process there – not by e-mail!
    Once again, there are exceptions, and some companies don’t care much about security and therefore do request information through e-mail. So when in doubt: call the company and ask for confirmation!
  • Sender is wrong.
    Obviously there is the option of checking the domain from which the e-mail was sent, but oftentimes most users won’t be able to tell the difference between a correct subdomain and an incorrect one. So for most users this isn’t a viable solution for training.
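The signs above can also be checked mechanically. The following is an added example (not code from the post or from Aconiac) that scores a constructed copy of the scam e-mail quoted above against those signs; the sender address and the legitimate sender domain are assumptions.

```python
# Added example (not part of the original post): score an e-mail against the
# tell-tale signs listed above. The legitimate domain below is an assumption.
import re
from email.message import EmailMessage

LEGIT_DOMAIN = "facebook.com"  # assumption: the domain a genuine notice would come from

def build_sample_scam():
    """Constructed copy of the scam e-mail quoted in the post (body text from the post)."""
    msg = EmailMessage()
    msg["From"] = "support@facebook-reset.example"   # constructed sender address
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Facebook Password Reset Confirmation! Customer Support."
    msg.set_content(
        "Dear user of facebook,\n\n"
        "Because of the measures taken to provide safety to our clients, "
        "your password has been changed.\n\n"
        "You can find your new password in attached document.\n\n"
        "Thanks,\n\nYour Facebook.\n"
    )
    # The real scam carried a .zip; a harmless placeholder payload stands in for it here.
    msg.add_attachment(b"placeholder", maintype="application", subtype="zip",
                       filename="new_password.zip")
    return msg

def phishing_indicators(msg):
    """Return the list of signs from the post that the message triggers."""
    flags = []
    plain = msg.get_body(preferencelist=("plain",))
    text = plain.get_content() if plain is not None else ""
    if re.match(r"\s*dear\s+(user|customer|client|member)\b", text, re.I):
        flags.append("generic greeting")                  # not recipient specific
    if any(True for _ in msg.iter_attachments()):
        flags.append("unsolicited attachment")            # attachment present
    if msg.get_body(preferencelist=("html",)) is None:
        flags.append("plain text only")                   # weak signal on its own
    if re.search(r"thanks,\s*your\s+\w+", text, re.I):
        flags.append("odd sign-off")                      # "Thanks, Your Facebook"
    if re.search(r"password.*attach", text, re.I | re.S):
        flags.append("credentials claimed in e-mail")     # non-authenticated request
    domain = msg["From"].addresses[0].domain.lower()
    if domain != LEGIT_DOMAIN and not domain.endswith("." + LEGIT_DOMAIN):
        flags.append("sender domain mismatch")
    return flags

def looks_like_scam(msg, threshold=3):
    """No single sign is conclusive (as the post says), so require several together."""
    return len(phishing_indicators(msg)) >= threshold

if __name__ == "__main__":
    print(phishing_indicators(build_sample_scam()))
```

The threshold mirrors the post’s own caveat that each sign is weak alone; the same function run on a message with a personal greeting, no attachment and a matching sender domain would stay below it.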

All in all, the real problem is that people are simply not skeptical enough and trust information sent to them over e-mail, social networks and text messages.

As companies and organizations, you need to make a continuous effort to educate your employees in all forms of basic security. Security isn’t only relevant for the IT staff. All staff need to have some basic understanding of what a scam might look like, no matter whether it comes through an e-mail, a phone call or even physically at the business location.

There are several resources available to help you design an education program for your employees and if you need professional assistance, Aconiac is always available for a consultation.

We have now released a native Microsoft Windows installer for the second release of our application Aconiac Password Generator, release 1.2.
It’s available for download on our website, alongside a cross-platform version for Mac, Linux, BSD etc. We are currently working on releasing a number of other native installers for Mac, Ubuntu Linux, Red Hat/Fedora and more; however, with clients needing to be serviced, it might be a few weeks before these are finished. If you have experience packaging software for these systems and would like to help, please feel free to contact us.

The download page for Aconiac Password Generator can be found here

NOTE: This news item was originally posted on January 2, 2009

Aconiac Password Generator has, for some time, lacked a proper and easy way of installing the application. We have therefore now released a version using Java Web Start. Java Web Start makes it easy to install the application on any system and even updates the application automatically for the user – ultimately resulting in a more automated and easy process. Download the application by pressing the big green button on the product page.

If, for some reason, you do not want to use the Java Web Start version, it is of course still possible to download the application from SourceForge.net.

NOTE: This news item was originally posted on December 3, 2008

Since our password generator has always been free and is fairly simple software, we have now decided to release it as open source under the so-called 3-clause BSD license.

This means that if you need a password generation feature for your software, you can take our code and use it directly in your own code without paying us a dime, as long as you state publicly that you are using our code.

You can read more about the BSD license on Wikipedia.

The code is stored on SourceForge.net and there is a direct link to the project here on the website.

NOTE: The news item was originally posted on May 3, 2008

Aconiac Password Generator

Aconiac’s tool for generating random passwords has now been released and is free to download from the product page. We encourage everyone to download the tool and generate some secure passwords for the many user accounts an average user has these days.

Right now, the application is only available for Windows XP/Vista; however, we expect to have a release for Linux, BSD and Mac within the next few weeks.