Inside the Gawker Security Mess
Forbes writer Daniel Kennedy has one of the best articles I’ve seen yet on the Gawker security mess, and Gawker Media’s failure to deal with it adequately. Kennedy’s piece supplies a lot more detail about the attack than other articles.
The data breach was not limited to Gawker’s user database; apparently the hackers had root access to Gawker’s entire network for at least a month, during which time they grabbed all kinds of stuff, including credentials for internal systems, access to their statistics, a complete dump of their custom source code, a mock-up of a planned redesign, and even FTP logon credentials for other sites Gawker has worked with. And who knows what kind of back doors, booby traps, or other surprises they left behind. In short, this is a real security disaster for Gawker.
To make things worse, it appears that Gawker employees actually noticed that passwords and usernames were appearing on 4chan — and took no action, because they thought it was just Gawker users who had been compromised. The hackers posted the following screen shot of an internal chat session, in which Gawker’s Hamilton Nolan reacts to the news by writing, “oh, well. unimportant.” Gawker’s Richard Lawson then asks, “just the peasants?”
There are a lot more details in the Forbes article; read the whole thing. Kennedy’s closing paragraphs:
Gawker has written a pretty big check here, compromising the FTP accounts given to them by other companies, as well as any of their users who use the same password on multiple web sites. Since there are plenty of government (including NASA, the social security administration, a UK official, an Australian official, FTC, NARA, USDA, FDA, the Library of Congress, the Senate offices of Olympia Snowe & Bernie Sanders), a number of military, and corporate e-mail addresses in the file dump, further breaches downstream are possible. At the very least a large number of users are going to start receiving new spam e-mail, having had their e-mail address leaked across the Internet.
Besides their users, Gawker has been heavily affected themselves. Gawker Media’s blogs have ceased posting according to an update to Twitter by Jezebel (a Gawker Media blog): “I’d write a post about how we’ve been hacked and can’t publish”. They have lost their source code, leaked an upcoming redesign, had to restore data on at least one server, and have to sweep for any shells the attackers may have left behind. And there is an element of reputation damage in that they experienced a breach of their users’ data.
Despite this, they do not really seem to be acknowledging the scale of what happened. They still try to put some blame back on users, suggesting that if they had a weak password they might be compromised. Well, that really does not make much of a difference when you expose the entire database table and have way too much faith in the 34-year-old encryption algorithm reported to be used to safeguard the data. In truth, they had over a month to find this problem but diagnosed the early warning signs in November improperly, were very obviously breached (and told they were breached by others) on Saturday, and it still took until Monday afternoon to say anything to their user base. And in the meantime their representatives were releasing statements via Twitter up until Saturday evening that were either partially or totally incorrect.
Finally, much like the risk equation information security professionals use when deciding what defensive measures to put in place, in essence figuring out if the benefit of a protective measure exceeds its cost (in money, resource time, etc.), attackers are at least subconsciously using a similar mechanism. When people ask how they can be “secure”, experienced information security professionals generally respond that there is no way to be one hundred percent secure; that given enough time, expertise, resources, and dedication an attacker can find their way into an environment. Following that, there are a number of examples where antagonizing the population of would-be attackers at large can serve as a motivation for them to expend the time necessary to find a way into a system. For example, claiming publicly that something is unhackable is usually a good way to find out that it is. Making unnecessary statements of bravado, statements potentially divorced from reality, changes the equation for an attacker; it suddenly makes compromising your environment worth more of his or her time.
Put another way, thumbing your nose at an entire world’s population of crackers is usually a lousy idea.