Wednesday, December 15, 2010

Gawker Security Breach Shows Password Security Remains Huge Concern

A computer system is only as secure as its least secure access point. Password systems are the main defense, and frequently users pick passwords that are so ridiculously easy to break that hackers don't even have to break a sweat.

Of course, that assumes that the systems being defended are up to snuff. Gawker's system was not. Hackers not only broke into the Gawker systems and stole all manner of password data and other confidential materials that Gawker stored on its servers, but an analysis of what the hackers posted online shows just how badly people deal with password protection.
Analysis of almost 200,000 of the stolen passwords shows that the most common were “123456” and “password”. These passwords are easy for hackers to guess and they also pose a wider security risk because many people use the same password for every website they visit. Soon after the data was hacked, thousands of Gawker users - visitors to sites like gadget blog Gizmodo and video game website Kotaku - had their Twitter accounts hijacked because they had used the same password there.

Around one third of people use the same password for every website they visit, according to research by security analysts Sophos. Graham Cluley, senior technology consultant at Sophos, said: “You should use a different password on every website.”
Using different passwords on different sites makes a lot of sense, but people have a hard time remembering passwords, which is why they resort to easily cracked passwords like 123456 or password.

Gawker's "security" was so poor as to be nonexistent. It used an outdated encryption system that was easily broken using widely available tools. Moreover, it knew about the intrusion but didn't alert users for weeks. Gawker is now in damage control mode and its commenting system is requiring all users to provide new passwords. You can check to see if your email is among those hacked via Slate.
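To make the two practical points of this post concrete (most users pick passwords like "123456" or "password", and an outdated, fast hashing scheme lets a stolen database be cracked with off-the-shelf tools), here is an added example in Python. It is not Gawker's code and not from the original post: the denylist is a constructed sample, the minimum length is an assumed policy, and the "legacy" function is a stand-in for an unspecified fast, unsalted scheme, since the post does not name the algorithm Gawker actually used. It shows what a forced password reset like Gawker's should do on the way in (reject the obvious choices) and how the result should be stored (per-user salt plus a slow key derivation).

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Constructed denylist (assumption): the two passwords the analysis found most
# common, plus a few other obvious choices. A real deployment would load a much
# larger list from a file rather than hard-code it.
COMMON_PASSWORDS = frozenset({
    "123456", "password", "12345678", "qwerty", "abc123", "letmein",
})

MIN_LENGTH = 10            # assumed policy, not a value from the post
PBKDF2_ITERATIONS = 200_000  # work factor; raise it as hardware gets faster


def password_problems(candidate: str) -> List[str]:
    """Return the reasons a candidate password is rejected; empty means accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password denylist")
    return problems


def legacy_unsalted_hash(candidate: str) -> str:
    """Stand-in for an outdated, fast, unsalted scheme (assumption).

    Every user with the same password gets the same stored value, so one
    precomputed table of common passwords matches every such account at once.
    """
    return hashlib.sha1(candidate.encode()).hexdigest()


def hash_password(candidate: str, salt: Optional[bytes] = None) -> str:
    """Store as salt$iterations$digest using PBKDF2-HMAC-SHA256.

    A fresh random salt per user means identical passwords produce different
    stored values, and the iteration count makes every guess against a stolen
    dump cost real CPU time instead of a table lookup.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${PBKDF2_ITERATIONS}${digest.hex()}"


def verify_password(candidate: str, stored: str) -> bool:
    """Recompute the derivation with the stored salt and compare in constant time."""
    salt_hex, iterations, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def register(candidate: str) -> str:
    """Reject weak choices up front; otherwise return the value to store."""
    problems = password_problems(candidate)
    if problems:
        raise ValueError("; ".join(problems))
    return hash_password(candidate)


if __name__ == "__main__":
    for pw in ("123456", "password", "correct horse battery staple"):
        print(f"{pw!r}: {password_problems(pw) or 'accepted'}")
    # Two users who both chose "123456": identical under the legacy scheme,
    # distinct under the salted one.
    print(legacy_unsalted_hash("123456") == legacy_unsalted_hash("123456"))
    print(hash_password("123456") == hash_password("123456"))
```

The check on the way in is what stops "123456" from being in the database at all; the salted, slow hash is what limits the damage when the database is stolen anyway, which is the scenario this post describes.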

Heads should roll at Gawker. It looks like everything Gawker has worked on is potentially in the hands of the hackers who broke into the site. Gawker's security experts are likely in for a real rude awakening (if they even have security experts on staff) - and I wouldn't be surprised if a bunch get fired for their incompetence/failure to contain the problems.

Nick Denton and everyone else involved should also be held responsible. Email transcripts among personnel trying to wrap their heads around the security breach show a complete lack of understanding of the situation and a disregard for the commenters - the very people that give Gawker its value to advertisers. I won't be surprised when the lawsuits start rolling in demanding compensation for any economic damage done to users who had their information stolen in the hack.

It also raises additional questions about the security and confidentiality of information shared with third-party sites. If they care so little about their customers' personal data while knowing that a hack is underway, what makes anyone think that their data protection in day-to-day operations is any better?

Gawker may have financial liabilities if the work being done on other contracted sites gets out in violation of confidentiality agreements. Gawker (the entire company, not just the singular website) is in for a world of hurt. And justly deserved.

In sum, it's a huge mess for the Gawker organization, and those emails show a disregard for customer security.

At the same time, it should raise further questions about the security at other sites, including Facebook. Facebook just asked users to provide still more information, including phone numbers. I'm sorry, but there's absolutely no reason that Facebook needs that kind of information and if hackers manage to access Facebook to cull personal information, the fallout could be severe, no matter if Time calls Facebook founder Mark Zuckerberg its person of the year.

Since users frequently use one password across multiple sites, tracing users across to other widely used sites will give hackers the ability to break into other accounts - and potentially exploit holes in security around the Internet. It's a ripple effect.

UPDATE:
Amazon has reset its users' passwords because people frequently reuse passwords across multiple sites, and this protects both the company and its users from unauthorized access.

Meanwhile, Gawker's internal emails, which were hacked along with all that password information, may turn into a mini-wikileaks as Gawker's confidential sources and other information may soon be outed.
