Welcome to the Aconiac Security Group Blog

This blog includes company news, company statements, tutorials, guides and much more. So please add this blog to your RSS reader and let us help you to become better security professionals.
Disclaimer: The views of individual bloggers may not be the views of Aconiac as a whole.


I recently came across this article which talks about an ongoing trial concerning a “hack” in 2008.

This “hack” is made especially interesting by the fact that the victim was Sarah Palin, at the time the 2008 Republican vice presidential candidate. You may have noticed that I write “hack” in quotes instead of hack or security break-in, and the reason is quite simple: it really wasn’t a hacker attack!

What this kid (David C. Kernell) did was simply use the “Forgot your password?” feature on Yahoo Mail: he guessed the answers to the account-recovery questions from publicly available information, reset Sarah Palin’s password and gained access to her e-mails. He then bragged about it on a discussion board and posted screenshots of her e-mails. That’s not hacking! What he did was, at best, correctly estimate Sarah Palin’s knowledge of proper password policy.

Now what would an appropriate reaction to such an incident be? He’s clearly a reckless idiot, so some action should probably be taken. Yet, at the same time, he showed that Sarah Palin knows very little about basic security, thereby making a quite powerful (and perhaps needed) political point. If she can’t even secure her e-mail against amateurs, how is she going to secure the nation against ruthless psychopaths?

But no matter what the appropriate reaction would have been, the prosecutors and Sarah Palin went with, for all intents and purposes, ending this person’s life! They went to court and tried to get him convicted of crimes carrying a combined punishment of up to 21 years in prison and $250,000 in fines. All for guessing a password!

So far he has been convicted of felony destruction of records to hamper a federal investigation and of a misdemeanor charge of unlawfully accessing a protected computer. He was, however, acquitted of a federal wire fraud charge. What punishment he’ll end up with is hard to guess at the moment, but almost no matter what he gets, there’s a high likelihood it’ll be grave overkill.

Let’s face it: this 22 year old man is a moron, he did something enormously stupid. Not so much because he exposed a grave lack of security understanding in a possible future vice president, but because he didn’t inform her, or her people, and didn’t give them sufficient time to correct the issue before taking it to the proper media channels. All in all he should have been a lot smarter! But that being said: what harm did this person really do?

Now, I’m all for punishing criminals and putting dangerous people behind bars. However, a person like this isn’t really dangerous, he’s just not well-mannered. Had there been a proper, legal and well-documented process for reporting security issues in systems or procedures, he would most likely have used it to get what he wanted: to show that Sarah Palin knew little about security! Bear in mind that almost all IT security professionals have learned primarily by doing, as in, they’ve tested their methods in more or less moral ways. Personally, I’ve always tried to stay on the moral side, but many others have been somewhat morally challenged, yet are now enormously talented and hard working. In fact, some of the best security professionals I’ve met are former “criminal” hackers to some degree.

So what’s my point with all this? Basically this: a young man or woman who “hacks” into a system and flaunts it is a person who lacks a place to be. We have full-fledged university degrees for biochemists, computer scientists, lawyers, politicians, engineers etc., yet we don’t have one for a hacker? We even educate police and military in the tactics of their enemies and how the enemy operates, even to the degree that certain soldiers have to act like the enemy in training in order to simulate combat. Yet we still don’t have any equivalent program to educate military hackers or security experts, even though we know for a fact that hacking has been used to attack a country’s infrastructure.

My two cents here: David C. Kernell shouldn’t be prosecuted to the fullest extent of the law. He should get a slap on the wrist for handling it stupidly and for reading and publishing the content of Sarah Palin’s e-mails, and should then be thanked for exposing the problem and put into an IT and security training program somewhere in the US. Even though this “hack” was enormously simple, he might still have some talent that could be used for so much good, instead of just throwing a 22 year old kid in jail and wasting his life.

We’re in a very problematic place in our society if showing that the government isn’t doing some task well enough results in being imprisoned for the majority of one’s adult life.

Such a society is quite surely insecure!

Presenting a new company venture from Aconiac: the mobile security company Hoodgate.

For several years now, smartphones have increased in popularity, and they will continue to do so for years to come. We are truly only at the beginning of this development and can expect to see even faster and better systems in the future.

One thing that is still lacking, however, is effective handling of mobile security for a company with more than a few employees. Most available solutions are monolithic: a company buys a software suite with some number of features (anti-virus, anti-spam, locking mechanism etc.) and then has to install this suite manually onto every single employee’s phone, one by one. If any additions are made to the software later on, in most cases you have to do the same manual reinstall all over again. In the end this can lead to enormous costs for a company, simply in sheer terms of man-hours spent!

Hoodgate is taking another approach to the problem! Hoodgate will be offering a service where you, as a customer, can handle all your employees’ phones through a central control panel. Through this control panel you can then create a “Mobile Security Policy” for your company.

A “Mobile Security Policy” is basically the set of features you want to have, e.g. the ability to locate a given phone through GPS, encrypted e-mail, remote lock of the phone (in case of theft), voice logging, and much more. Once you have a customer profile you can easily buy new features, remove old ones or order specially developed ones, and all these changes to your “Mobile Security Policy” are automatically pushed to all your employees’ phones, ultimately making management of security for your mobile workforce much easier and cheaper. It is the Hoodgate software on these phones that takes in updates and synchronizes with the company “Mobile Security Policy” stored with Hoodgate online, rather than your system administrators having to do it manually.

Hoodgate is just starting up now, and does not at the moment have a finished product. We will however be making regular updates on how the development is going, and try to continually involve future customers in the development, in order to make as good a product as humanly possible.

The platforms we intend to support are the following:

Development is prioritized more or less in that order, so the primary platform is Android.

All the plans above are of course still preliminary and open for change, and you can easily have a say in those changes and speak your mind to us. All you have to do is comment on this blog post, contact us directly or on one of the social networks we’re on (links are farther down). We’re very curious to hear what you think, even if you’re the type of guy/girl who loves to point out flaws in plans or designs – a real hacker type person! Feel free to contact us and point out what we’ve done wrong or haven’t thought about. In the end your opinions might very well result in an even better final product.

The company website can be found at http://www.hoodgate.com/, although it’s still very preliminary. As we state several times on the page: we’d rather spend our time developing the software you need than worry about website details at the moment. The shortcomings of the site will, however, be dealt with in the near future.

You can also find us at other places on the web. We invite you to get involved and get your voice heard. We’re listening!


As we’ve covered in an earlier blog post (http://blog.aconiac.com/2009/07/29/ruby-on-rails-security-guide/), OWASP is an organization working to improve web application security worldwide, by means of a whole bunch of different free projects for developers, security professionals and end users.

A few weeks ago, OWASP released a guide/article with the title “Secure Application Development on Facebook”, basically giving an outline of the security concerns involved in Facebook App development and how to make sure your application is sufficiently secure.

The guide/article can be found here: http://www.owasp.org/index.php/Facebook. The document is mainly designed for Facebook App developers, but can also be useful for decision makers wanting to understand the security architecture on Facebook (however certain sections should probably be skipped).

We highly recommend any company interested in Facebook Apps to read the guide from start to finish, and make it mandatory training for all Facebook related developers.

This is just one of many wonderful OWASP projects, and in future blog posts we will look at some of the other great tools that are available to you, completely free of charge. If for some reason you don’t want to wait for those posts, you can also just take a peek at the available projects straight away at: http://www.owasp.org/index.php/Category:OWASP_Project

As is sadly often the case, well-meaning newcomers to programming take on the newest and/or most popular programming language or framework available. And as you might suspect, they usually get it wrong and make every design and security mistake possible along the way!

This is a trend we’ve seen with pretty much every popular programming language out there, like for example PHP, which is still the language most often associated with insecure websites.

One very popular web framework these days is Ruby on Rails, created by the very talented 29 year old Danish developer David Heinemeier Hansson. It uses a Model-View-Controller architecture and emphasizes good design through principles such as DRY (Don’t Repeat Yourself). By all means it’s a very good web framework! But as with PHP, a lot of newcomers get it wrong, either by not following the Ruby on Rails conventions or by ignoring security!

Now, we’re not here to teach you about design. If you want to learn more about proper software design, a good place to start is simply your local library. Look for books on topics like Design Patterns, Software Engineering, Extreme Programming, Test Driven Development and Agile Software Development.

What we do want to teach you about, however, is proper security in Ruby on Rails! Luckily, we don’t have to take large amounts of time away from the work we need to do in order to get you trained in RoR security; instead we can simply refer to the work already done by OWASP. OWASP is an organization working to improve web application security worldwide, by means of a whole bunch of different projects for developers, security professionals and end users. One of these projects is the Ruby on Rails Security Guide V2 project, which includes a PDF file detailing the different security concerns in Ruby on Rails development and their solutions.

If you are going to develop Ruby on Rails applications (or if you’re simply curious) please download the Ruby on Rails Security Guide from OWASP and read it before doing any production deployment of applications.

Note: If you’re too busy to go to the project page on OWASP and find the download link, then here’s a direct download link instead: Download the Security Guide

Aconiac at CeBIT 2009

Of all the trade fairs in the world, none quite rivals CeBIT when it comes to sheer size. With over 20 years of experience, it is still the world’s largest trade fair and showcases some of the up-and-coming home and office solutions in IT and Telecommunications.

Coming up to the CeBIT entrance

Sadly, however, CeBIT has been experiencing decreasing visitor numbers for the last few years, and this year was obviously no exception, especially given the economic circumstances of these times. Nonetheless, Aconiac decided to attend the fair as a visitor and see what other companies have come up with these days.

For all you readers who happen not to know, CeBIT consists of a number of halls, where every hall covers a few different fields of interest. There are halls with Server Technologies, Business Storage, Virtualization etc., and there are other halls with e.g. Telematics & Navigation, Automotive Solutions, Transport & Logistics, Satellite Navigation etc. All in all there are a total of 26 different halls, sporting over 100 different subjects, so there should be something for almost any interest! On top of this there is an abundance of kiosks, bistros and the like, so you have to actively try to avoid eating in order to go hungry all day! A whole day is, by the way, also basically how long it takes to get around to every hall!

The new CeBIT Security World exhibit.

One hall was especially interesting for us, since it was CeBIT’s new Security World hall. According to the plan, this should include Anti-Malware Solutions, Security Tools & Services, Biometrics, Card Technologies, Network Security, Video Surveillance and more. But we’ll get back to that specific hall later. Let’s first take a look at what was interesting at CeBIT this year!

Now obviously, the economic crisis has effectively removed many of the fun things from the fair, but certain things have remained. And there were a few items we found especially cool this year.

Two of these items came from Asus, who have gained extended worldwide attention since the release of the first Asus Eee computers and the subsequent popularity of such products. They’ve now come up with a couple of completely new computers, both of which would change the way we do personal computing if they ever gain extensive popularity.

Asus' cool book laptop

The first, and probably most interesting, is this Asus book-like laptop. What makes it interesting is that the laptop doesn’t have a keyboard of any kind; instead it has two screens! Software on the laptop can activate the bottom screen, which is actually a touchscreen, and put up a virtual keyboard on it. This way you will be able to use the laptop just like any other laptop. (We weren’t allowed to touch it, however, so I’m not sure whether the virtual keyboard is even a feasible tool to use for anything serious.)

Asus' book laptop - flipped

But not only can you use it as a normal laptop, it also makes a new and unique mode of operation possible: it can function as a book! If you turn the laptop around, an accelerometer in the laptop detects this and immediately turns the virtual keyboard back into an ordinary screen, so that you can open .pdf files (and the like) and simply start reading! Products like this might very well be the early products that end up replacing printed media completely, even though that’s probably still quite some time in the future.

But again: we weren’t allowed to touch it, so it’s very hard to know how easy it actually was to use. Whether or not it is a product one would actually use is quite difficult to answer, so please don’t go out and buy it just because we said it was cool! It might be a very good product, and it might not be at all!

Another cool product from Asus was this keyboard computer. So what do I mean by keyboard computer? Well, it’s actually quite literal! A computer stuffed completely into a small keyboard, so that you only have to bring the keyboard, find a big screen and plug yourself in to that screen, and you’re ready to go!

Keyboard as an entire computer

Whether this product is just a weird idea or the future of laptops, well, who knows? Personally I don’t believe it will be a hit, simply because the screen is missing. If you don’t have a big screen anywhere near you, you have to use the small screen in the bottom right corner. Not really a fantastic solution, because how often do you actually have a spare screen with you everywhere? The keyboard computer will probably only function as a replacement for large home computer systems, where computing power is not of much concern to the family members.

So all in all this particular product is probably not going to make much of a change! And sadly there wasn’t much else that was innovative at CeBIT this year. It seems the financial crisis has taken away much of the interesting stuff and kept all the, at times, irritating sales personnel who are scattered all over the place trying to sell you one electronic product after another!

So bummed out due to the lack of interesting products, we tried to figure out what to do next. After a bit of food and a small beer, we decided to take a look at the new and “fantastic” Security World hall.

Kaspersky Labs

Sadly, however, our hopes of interesting exhibitors and good products were rather dashed. There wasn’t really anything fantastic or innovative in the entire hall, and most exhibitors were also quite unknown to us. Not that being unknown is necessarily a bad thing, but if you’re an anti-virus company and you’re completely unknown, you’ve also never been critically evaluated in international tests and therefore never had your products tested against the competition. That is by all means a bad thing! In regards to anti-virus, though, the master was still there: Kaspersky!

Even kids can do surveillance! ..

One thing that was kind of interesting, though, was the surveillance part of the hall. Here you could get any form of spy equipment, cameras, microphones etc. Even kids could apparently use this stuff, as was apparent from the little guy playing around with the 10-20 cameras mounted all over this exhibit! I really like that picture actually! It quite effectively shows where we’re going in our society if people don’t soon get up off their asses and start fighting the extreme surveillance trend that has been going on since 2001.

So all in all the Security World exhibit was kind of disappointing. Not only were there no really innovative products, many of the things you would expect weren’t there either. Why wasn’t e.g. HP there with WebInspect and DevInspect? Or RSA? Or Tenable Security? Or, in more of an open source direction, OpenBSD? Many of the relevant groups and companies were not represented. (To be fair, BSD was in another hall, but in another capacity.)

We care!

After the day came to an end, we drifted over to Munchenhalle, which is basically a classical German Tyrolean restaurant thing where people go after CeBIT to eat and... well... get stinking drunk! So we did exactly that and got to do a bunch of stuff like dance the boogie, buy a Tyrolean hat for 20 Euros, speak Danish with a Vietnamese guy and even sing happy birthday to a Chinese guy. So no matter how good CeBIT is during the day, it usually ends well ;-)

But in all seriousness again! Sadly I’m afraid the economic crisis scared some of the biggest companies away, which inevitably lowered the relevance of many of the halls. Now, to be fair, CeBIT usually has an over-representation of companies selling their normal products compared to companies showing off new innovative products. But before, the ratio has been somewhat different! Basically, we decided a good characterization is this: CeBIT usually consists of a turd covered in sprinkles; in order to get the sprinkles you need to get a bit of the turd. Now, however, CeBIT is more like a turd with 10% embedded sprinkles: now you actually have to eat the entire turd to get the damn sprinkles, and even then there are way too few sprinkles ;-)

See you next year at CeBIT

So with that disgusting analogy, I leave you with whatever you were doing and will simply say:

Cheers, hopefully we’ll see you next year at CeBIT!

NOTE: This is a technical post regarding Apache on Linux with support for Ruby on Rails. Basic understanding of these concepts is necessary!

Normally you want to make sure your server doesn’t give out any information about service versions; however, mod_rails (Phusion Passenger) doesn’t provide any easy way of doing this within the module itself. There is a fairly easy solution though: simply use mod_headers to remove the headers in Apache.

So how is it done? Very simple: just enable the mod_headers module and add the snippet below to httpd.conf or another configuration file included by Apache. Both actions have to be done as root, of course.

Enable the mod_headers module (this example is for Debian Linux; it might be different on your system):

# cd /etc/apache2/mods-available/
# a2enmod headers

Add these lines to httpd.conf:

Header always unset "X-Powered-By"
Header always unset "X-Runtime"

Restart the Apache server (again, this is Debian; it might be different for you):

# apache2ctl restart

And there you go. Run e.g. a Nikto scan against the server, or simply curl -I on a page, and check that the headers are gone. Two caveats: in Apache 2.2 the always condition and the default condition operate on two separate header tables, so if a header still shows up, add the same two lines without always as well. And these directives only cover the application-level headers; Apache’s own Server header is controlled by the ServerTokens and ServerSignature directives.
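As an added check (example code written for this post, not part of the original instructions), here is a small POSIX shell function that inspects a captured HTTP response header block and flags the headers that leak software or version information: the two headers unset above, plus a Server header that still carries a version number (the snippet assumes you have dealt with that via ServerTokens Prod). The two sample responses, including the exact version strings in them, are constructed; against a live server you pipe the output of curl -sI into the function.

```shell
#!/bin/sh
# Added example, not from the original post: flag HTTP response headers that
# leak software or version information. The two X- headers are the ones the
# post unsets; the Server check assumes you also set ServerTokens Prod.

# check_leaky_headers: reads an HTTP response header block on stdin.
# Prints every offending header line and returns 1 if any was found,
# returns 0 (and prints nothing) if the block is clean.
check_leaky_headers() {
    # Header names are case-insensitive, hence grep -i; strip the CR that
    # real HTTP responses carry at the end of each line. A Server header is
    # only flagged when it contains a "/<digit>" version part. The "|| :"
    # keeps a no-match grep from tripping "set -e" in callers.
    leaks=$(tr -d '\r' | grep -iE '^(x-powered-by|x-runtime):|^server:.*/[0-9]' || :)
    if [ -n "$leaks" ]; then
        printf '%s\n' "$leaks"
        return 1
    fi
    return 0
}

# Constructed sample: what a Passenger/Rails site typically returns before the fix.
BEFORE='HTTP/1.1 200 OK
Date: Wed, 29 Jul 2009 10:00:00 GMT
Server: Apache/2.2.9 (Debian) Phusion_Passenger/2.2.4
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.4
X-Runtime: 42
Content-Type: text/html; charset=utf-8'

# Constructed sample: the same response after "Header always unset" plus
# ServerTokens Prod.
AFTER='HTTP/1.1 200 OK
Date: Wed, 29 Jul 2009 10:00:00 GMT
Server: Apache
Content-Type: text/html; charset=utf-8'

# Stand-alone demo on the constructed samples. Against a live server use:
#   curl -sI http://your-server/ | check_leaky_headers
if printf '%s\n' "$BEFORE" | check_leaky_headers; then
    echo "before the fix: clean"
else
    echo "before the fix: leaky headers listed above"
fi
if printf '%s\n' "$AFTER" | check_leaky_headers; then
    echo "after the fix: clean"
else
    echo "after the fix: leaky headers listed above"
fi
```

The function deliberately ignores headers such as Content-Type that legitimately contain a slash, and treats a bare "Server: Apache" as acceptable, so it can be dropped into a post-deployment script and fail the build only when something version-revealing is actually sent.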

NOTE: This news item was originally posted on December 30, 2008

Security threats in 2009

2008 will soon be over, and a new and exciting year lies ahead of us. 2008 was an interesting year for computer security. We saw, once again, escalating threats towards companies on almost all fronts. Especially the leaks of unencrypted data in the UK, the automated SQL injection mass-attacks and the attacks on social network services were some of the big public problems in 2008.
But then how will 2009 be? Now, it’s obviously very hard to predict the future in such a dynamic world; however, we have made an effort to come up with our ideas of what might be the 10 biggest security threats in 2009:

  1. Weak economy

    The economic crisis, which right now is devastating many businesses all over the world, will most likely result in companies having to cut expenses. In these kinds of cuts, what typically gets cut first is overhead such as computer security and preventive measures. We can therefore expect to see an increase in the number of security issues in software and systems developed in 2009.

  2. Lack of education

    One of the greatest threats to security in a company is, and will always be, lack of education. This has been, in our minds, the biggest issue in 2008 and actually has always been the biggest issue. Users of IT solutions do not understand the security problems well enough to protect themselves effectively. We will therefore, once again this year, probably see an increase in successful hacker attacks, attacks that largely could be prevented by better education.

  3. Mobile devices

    Employees are becoming more and more mobile as each day passes. One of the big things that really got a boost in 2008 was mobile broadband. This technology in particular can lead to employees doing their jobs outside the company’s secure perimeter, a trend that could ultimately lead to catastrophic data leakage if it is not prevented by good policies and encryption.

  4. Outsourcing

    Due to the economic crisis, a lot of companies will probably begin to outsource certain tasks to cheaper labor in other countries. This has serious security implications, however, since the company no longer has control over how its data is handled. It is therefore extremely important that companies agree on a proper security policy with their outsourcing partner, and that this policy is actually followed.

  5. Espionage

    The time when hackers were just small kids in a basement is long over. Today several indications show that hacking has, in several cases, been used by e.g. China to attack government institutions in the USA. This type of attack, which for the record can have catastrophic consequences, will likely escalate in 2009, when we will see even more examples of this form of Internet warfare.

  6. Anonymity/Privacy

    While nations all over the world are using more and more censorship and surveillance, many freedom-loving employees will begin to work harder to secure their privacy and their right to free speech. This will probably manifest itself in an increased use of software to circumvent blocking mechanisms and hide information about the user. With this increased usage, it will become much harder for companies to identify malicious users, since it will no longer be only the criminals who are attempting to hide from identification.

  7. Apple’s Mac OS X

    While viruses and spyware are everyday fears for Windows users, Apple’s Mac OS X has until now avoided most problems. It has avoided them so well that many Mac users now mistakenly believe Mac OS X cannot be infected with malicious software such as a virus. Apple had record Mac sales in 2008, and as its market share increases, so will the number of attacks on the platform. Sooner or later it will therefore become a security risk to have an unprotected Mac OS X on the company network, and companies should therefore implement effective security policies for Mac users.

  8. Insecure websites

    A lot of companies and government institutions still have websites with several security issues of varying types. With the deepening economic crisis and the likewise increasing number of computer criminals, it is very likely that many more companies will be attacked from the web this year, many more than in earlier years.

  9. SMS Scams (SMiShing)

    With the expanded use of SMS for almost any conceivable communication, criminals will soon begin to notice the possibilities of using SMS to scam individuals and companies. Most people do not know that it is extremely easy to spoof the sender of an SMS, so that the message seems to come from “Mom” or “The Boss”. This makes it easy for criminals to scam people into wiring funds or giving out passwords.

  10. Social networks

    Social networks are not as big a threat as some security companies would have you believe; however, there are several dangers you should take seriously as a company owner. In 2008, for example, there were several attempts at spreading viruses through Facebook, and MSN Messenger in particular is often a target for computer criminals. All of these attacks can, however, generally be avoided with simple education of one’s employees. We don’t recommend blocking employees’ access to social networks, even though we know certain companies do this today.