AT&T 'hacker' punished by myopic legal system

Andrew Auerheimer, the now jailed 'hacker' of an AT&T database, is the latest victim of an over-zealous and myopic  judicial system that is utterly out of touch with the realities of information security.

Auerheimer wrote a bash script to fetch the data of 120,000 AT&T iPad users, which he subsequently leaked to technology news publisher Gawker - without first informing the telco.

I think it was poor form from the Goatse Security hacker - known to his online mates as Weev. He should definitely have contacted AT&T as soon as he discovered the vulnerability.

But for US district judge Susan Wigenton to slap him with a 41-month sentence sets a supremely dangerous precedent.

'Weev' leaked publicly-accessible data. He didn't breach security controls because there were no controls to breach, which was precisely the point he wished to illustrate.

If Auerheimer didn't disclose the flaw one way or another, the data could have easily fallen into the hands of someone truly malicious - and AT&T would have been none the wiser. But it appears that is how the telco would have preferred the situation.

If the US justice system was truly balanced, then some of those folk at AT&T should be tarred and feathered for exposing the data of users.

Auerheimer, like scores of other security researchers, was angry that yet another cashed-up company had paid few dues to locking down security controls. 

AT&T had overlooked one of the most basic prevailing security flaws in existence - an insecure direct object reference.

This flaw meant user data could be accessed by altering a number value within a URL. There were no controls to break.

That precise vulnerability remains number four on the OWASP Top Ten security flaws, and its been that way since 2007.

Security boffins everywhere slap palms to faces when yet another data cache leaks so foolishly.

Speaking of foolish...

Its very possible Auerheimer spurred the ire of AT&T when he tipped off Gawker Media to the vulnerability.

It's risky enough to quietly tip-off a vendor about security holes in their products, let alone putting your name to a press leak.

Just ask Aussie security researcher Patrick Webster. He was slapped with legal threats after he quietly tipped off his superannuation provider, First State Super, about an insecure direct object reference.

Fortunately for Webster, the firm backed off due to the ensuing bad press.

I've made it my business to inform vendors about security flaws before publicising them. I gave Telstra a month to fix hardcoded login credentials in its line of NetComm routers, and gave ANZ Bank three weeks to fix a privacy issue with its online statements. That should be par for the course as a security journalist.

But wherever you sit on the thorny issue of vulnerability disclosure, locking a security researcher in jail for exposing AT&T's woeful disregard for customer privacy is a travesty.

It's this kind of ignorance that is contributing to the security community clamming up when they find bugs.

And that makes the internet less secure for everyone.

Copyright © SC Magazine, Australia