Monday, December 13, 2010

The troublesome implications of the Gawker hack

Some details have come out from the group who pulled it off (article here). They aren't willing to disclose exactly how they got into the site, only that they have access to a large number of passwords. They also commented at length on the poor security of the site. For instance:

We have had access to all of their emails for a long time as well as most of their infrastructure powering the site. Gawkmedia has possibly the worst security I have ever seen. It is scary how poor it is. Their servers run horribly outdated kernel versions, their site is filled with numerous exploitable code and their database is publicly accessible.

We will be releasing the full source code to their site as well as the full database dump later today or tomorrow, when we get enough press to stir up the release. We will also be releasing a text file describing Gawker's numerous security failings.

The reason this is troubling isn't so much that the Gawker commenter database, with passwords, was compromised. The problem is this: Everywhere you go online, you have to create a new account (with some exceptions, like OpenID or Gravatar-enabled sites). There are so many of these that people naturally tend to reuse passwords at multiple sites. The assumption when doing this is that none of these sites will be compromised. But if one of them is, and you have a password in there which you use multiple times, then you're in trouble, aren't you?

Furthermore, there is no way to know in advance whether a site is going to have problems or not. Gawker apparently was very lax in terms of security, but how was anyone supposed to know that? And what other sites have similar problems? There is simply no way to know. (I hope, for example, that Blogger is secure. So far, I've had accounts here for six years and have never had a problem, not even when Google took over. But you never know.)

This fundamental insecurity means better password management is needed, and that is fundamentally a pain in the ass. Avoiding password repetition is virtually impossible.

Theoretically, there should be a point where a reasonable level of safety is reached just by using a manageable number of passwords for all purposes. However, there is still the possibility of making mistakes such as using a password for your Gmail account, then using that Gmail address and the same password as the username and password for another site. If someone cracks that other site, they're able to immediately break into your Gmail account. You can have the best password in the world and still be vulnerable to this sort of mistake.
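As an added illustration (not part of the original post), here is a small audit script over a constructed set of account records, of the kind a password manager exports, that flags both plain password reuse across sites and the specific mistake described above: the email account's own username and password reused at some other site. The site names, records and the set of mail providers are all assumptions.

```python
"""Audit account records for password reuse (added example, constructed data)."""
from collections import defaultdict

# Constructed sample records (site, username, password); not real credentials.
SAMPLE_ACCOUNTS = [
    ("mail.example.com", "alice@mail.example.com", "correct horse"),
    ("comments.example", "alice@mail.example.com", "correct horse"),  # the mistake
    ("shop.example", "alice", "correct horse"),                       # plain reuse
    ("bank.example", "alice", "a different passphrase"),
]

# Assumed: domains whose login is the mailbox itself (the "Gmail" of the post).
MAIL_PROVIDERS = {"mail.example.com"}


def find_reuse(accounts):
    """Return {password: [(site, user), ...]} for passwords used at more than one site."""
    by_password = defaultdict(list)
    for site, user, password in accounts:
        by_password[password].append((site, user))
    return {
        pw: entries
        for pw, entries in by_password.items()
        if len({site for site, _ in entries}) > 1
    }


def find_mailbox_exposure(accounts, mail_providers=MAIL_PROVIDERS):
    """Flag sites where the mail account's exact (username, password) pair is reused.

    A breach of such a site hands the attacker a working mailbox login, which is
    the scenario the post describes; plain reuse with a different username is
    reported separately by find_reuse().
    """
    mail_creds = {(u, p) for s, u, p in accounts if s in mail_providers}
    return [(s, u) for s, u, p in accounts
            if s not in mail_providers and (u, p) in mail_creds]


def report(accounts):
    """Human-readable summary; returns the lines so callers can test or print them."""
    lines = []
    for pw, entries in find_reuse(accounts).items():
        sites = ", ".join(sorted(site for site, _ in entries))
        lines.append(f"password reused at {len(entries)} accounts: {sites}")
    for site, user in find_mailbox_exposure(accounts):
        lines.append(f"MAILBOX AT RISK: {user} login reused at {site}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_ACCOUNTS)))
```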

What a pain.

