This past weekend, Gawker Media was dealt a damaging blow when a group that calls itself Gnosis hacked into Gawker’s servers and then released a torrent containing Gawker’s source code and a database of 1.3 million Gawker commenters’ usernames, e-mail addresses, and passwords, about a fifth of which Gnosis cracked. Considering that many people use the same password for multiple web services, this is bad news: this morning, Twitter said that a wave of acai-related spam had been traced to accounts whose e-mail addresses appeared in the Gawker leak. Gnosis also gained access to Gawker’s content management system, publishing a taunting post with a link to the torrent on Pirate Bay. (Both the Gawker post and that particular Pirate Bay torrent have since been removed, although the data is out there now.)
In the wake of the attack, Gawker has promised to “[bring] in an independent security firm to improve security across our entire infrastructure. Additionally, we will continue to work with independent auditors to ensure we maintain a reliable level of security, as well as the processes necessary to ensure we maintain a safe environment for our commenters.” However, the attack has alarmed many of its readers, and should be alarming to most people who have transmitted their personal information over the Web. Perhaps even more alarming than the user database hack is the source code leak: Gawker is built on a proprietary, closed-source framework, which its proprietor Nick Denton says ‘underpins his entire empire to this day.’ Blogger Felix Salmon writes that Gawker Media is in the process of trying to transform into a technology company; this is a hard thing to do when your source code is thoroughly compromised.
Mediaite’s sister site Geekosystem got in touch with members of Gnosis and discussed what the attacks meant for Gawker Media, web publishers, and everyone who shares unsecured information on the Internet:
Geekosystem: I’m sure you all have been following today’s media coverage of the hack. What do you think was most misreported or underreported? What haven’t people been talking about enough with respect to the attacks that you think they should be talking about?
Gnosis: That answer is easy. The source code. I just read a post on Fox News that dealt entirely with the release of the database. While this is understandable, because your average Joe reader might not understand the full implications that come with releasing a site’s source code, I feel that it could be targeted a bit more. I expect, though, that the initial frenzy is to do with the database and that will slowly fade into people researching the source (or rather, I hope that this will happen).
Just to spell it out, releasing a site’s source code is one of the worst things that could happen – the source that runs the site is now public, and this means anyone can view how it works, meaning exploits can be found for the code. What is worse is that with a large code base the site owners cannot simply refactor and change large portions of it; they are stuck and often have no choice but to continue running the public code base until a newer, private version is created, which can take a long time. They also have to consider that most of their code, which they worked hard on, is effectively dust-binned. Unless they take the open source route, of course.
As with any story things spin out of control and people add their own opinions to the mix. The only sites that we released information to were Mediaite and TNW, which means that everything else is pure speculation and/or opinion. People are talking about security, which is good, and I think it has brought to light the security issues that face both users and sites, and I hope that Gawker and other sites can learn from the mistakes that led to this.
Geekosystem: You previously mentioned that Gawker used DES [Data Encryption Standard, an outdated hashing algorithm in which only the first eight characters of a password are necessary for login]. What other mistakes do you think that they made that made your attack easier? Nick Denton said today that Gawker Media will be hiring an outside firm to evaluate their properties’ web security; if they hired Gnosis, what would you tell them to change?
Gnosis: They made several mistakes which contributed to their compromise – leaving passwords literally lying around, using the same password for multiple accounts and services (a lot were weed-related; perhaps they had been smoking a bit too much and forgot some basic security principles? (GANJA framework anyone?!)). Unfortunately, I am afraid that until Gawker Media *do* hire us we cannot report fully on any of our findings. Sorry Nick!