Memo Details Gawker Security Strategy

Trailrunner7 writes "After a hack of systems belonging to online publishing giant Gawker Media that yielded more than one million passwords, the online media company's chief technology officer has announced new defense strategies aimed at placating their users and preventing further humiliating data breaches. Thomas Plunkett issued a company-wide memo on Friday that lays out the new security measures and suggests the company overlooked security concerns in the rush to develop new features."

Not gonna work..

I read it, but nowhere it mentions not being douchebags. Not gonna work.

Re:Not gonna work..

[PatPending]

Plunkett should be sacked because he is ultimately responsible for his team.

Re:Not gonna work..

[BrowserCapsGuy]

Plunkett should be sacked because he is ultimately responsible for his team.

Right now Gawker needs him because he (probably) knows more about their systems than anyone. I'm sure in time there will be an announcement that he's decided to resign to spend more time with his family.

Re:Not gonna work..

[E+IS+mC(Square)]

* That douchbag Prank at CES (http://gizmodo.com/343348/confessions-the-meanest-thing-gizmodo-did-at-ces)
* Then Brian Lam being complete ass (http://gizmodo.com/303223/halo-3-swag-rebagging-plus-apology)
* Classy!! "if you're a twerpy little internet chump", " Especially not when we own the fucking podium." - (http://gizmodo.com/5687692/you-write-bias-journalism-and-i-read-derp)
* Adam Frucci's post on telling off all Apple haters to go fuck themselves - can't find the origina post (which was modified few times when it backfired)
* Banning any critical commentator (http://gizmodo.com/tag/phantomzone)
* Being complete douch for the iphone prototype thingy and getting banged in the ass by Jesus Steve Jobs himself
* Too much hurt? Wow! (http://gizmodo.com/5461485/ipad-snivelers-put-up-or-shut-up)
* Banning users, creating fake ones, deliberately dissing Nokia and it's users (http://play-this.org/2010/10/nokia-uses-social-pr-tactics-to-battle-gizmodo/)

The list is endless..

Re:Not gonna work..

[Reaperducer]

Wow. I may be in the minority, but I'm certainly glad I've never heard of Gawker. Though it takes the joy out of deliberately avoiding the web site.

Re:Not gonna work..

On the other hand, Kotaku is at least mildly interesting and not too controversial. Plus they sometimes post pictures of hawt hawt cosplaying Asian chicks.

Re:Not gonna work..

Right now Gawker needs him because he (probably) knows more about their systems than anyone. I'm sure in time there will be an announcement that he's decided to resign to spend more time with his family.

Gawker staffers have families?

Re:Not gonna work..

[c0lo]

Plunkett should be sacked because he is ultimately responsible for his team.

Right now Gawker needs him because he (probably) knows more about their systems than anyone.

Based only on the info published by the memo, he doesn't know too much... but is still only a memo.

Re:Not gonna work..

[Cheech+Wizard]

Gawker is sorta like "The National Enquirer" except it's on the internet rather than on grocery store shelves at the check out lane.

Re:Not gonna work..

[Mashiki]

I always likened it to the place where all the douchebags of the internet liked to congregate. 4chan has it's moments, but even they have some semblance of class.

Re:Not gonna work..

[BrowserCapsGuy]

Yep, I agree. That's why I qualified my statement.

Re:Not gonna work..

1. Get new horses
2. Close barn door
3. Profit!

Re:Not gonna work..

[beakerMeep]

http://www.nytimes.com/2008/05/25/magazine/25internet-t.html

Re:Not gonna work..

only reason I ever registered with any of their sites was because I couldn't help myself shoot down a lot of stupidity time to time. And because of that my email and pass was leaked, although it will take years for someone to be able to brute force it.

Re:Not gonna work..

Hey - I'm the author of the last post on Play This. I can't even begin to tell you what a garbage media outlet Gawker is. On the other hand, because I was banned, my account information wasn't compromised :)

Re:Not gonna work..

[E+IS+mC(Square)]

Well played, sir.

Why

Why were the original passwords even stored in the clear like that?

That's just stupid... And something we've known NOT to do for decades.

Re:Why

Why were the original passwords even stored in the clear like that?

That's just stupid... And something we've known NOT to do for decades.

Your comment just shows why. You didn't figure out through reading that they were encrypted, but poorly. At this level of understanding, no progress is made.

Re:Why

[Darkness404]

Oddly enough, I don't want comments to be tied to either my Google or Facebook account. And I really don't think I'm in the minority.

Re:Why

Oddly enough, there are dozens of other top OpenID providers, as well as most websites which use it. And I really do think you're in the insignificant minority.

Re:Why

[perryizgr8]

poor encryption==stored in the clear

Re:Why

[arth1]

Actually, they weren't stored encrypted either - a hash to the password was stored.

The problem with using the hash method and length used (the old default for Unix, Unix-like systems and Apache) is that it's vulnerable against rainbow tables -- someone with LOTS of disk space and 4096 rainbow table databases (one for each possible salt) could quickly find a usable password for every hash.

But against dictionary attacks, permutations of known data, and brute force, it doesn't matter how strong the hash is. And that's what the crackers used.

One item

Norton 2011.

We can all sleep soundly now.

Re:One item

[Auroch]

Norton 2011.

We can all sleep soundly now.

Yup. Since we'll be unable to use our computers ...

Re:One item

[c0lo]

Norton 2011.

We can all sleep soundly now.

Yup. Since we'll be unable to use our computers ...

Nor the malware... scorched earth strategy... effective protection by starving the medium of any "nutrients" (CPU cycles, IO and RAM). A better scheme... combine it with "fruit poisoning" (e.g. BSOD at any attempt to start any process). Hang on, that's Microsoft's job though.

Absolutely fascinating!

[BitHive]

I've been dying to know whether the no-name CTO of some joke of a blog franchise has had any thoughts since his incompetence was made public.

I, for one, will be eagerly perusing his recommendations to see if there's anything I've missed.

First rule of Gawker Media Strategy...

[Crash+McBang]

...Don't talk about the Gawker Media Strategy...

Re:First rule of Gawker Media Strategy...

[Crash+McBang]

gaah, s/Media/Security/

rediculous

What a waste of resources and energy. Leaked my ass. Release is the correct word. I wonder how many other press releases are going to marked as "leaked" now to provide instant cred. I'm sick of the lip service. basically their only plan is to stop aggregating personal data so the next time this happens they wont have bad press. And it will happen again despite all their new "precautions". Asinine steps that will last a few months until some wig with a huge ego starts shouting entitlement and that they have a special need.

Users

[MrQuacker]

Their whole strategy so far has been to blame the users: "Its not Gawkers fault your passwords are so weak."

Re:Users

[vain+gloria]

Their whole strategy so far has been to blame the users: "Its not Gawkers fault your passwords are so weak."

Which is both reprehensible of them and false. Their poor choice of algorithm literally truncated my sixteen character password to an eight character one. When I logged in to change mine I did so with just the front half.

Re:Users

[MrQuacker]

Both Lifehacker and Gizmodo have been running nothing but security stories since this happened. And they all have the theme of blaming users for having weak passwords.

Re:Users

[tpstigers]

While Gawker has thus far avoided accepting any real responsibility for the incident (not so much as an apology yet), they haven't actually been blaming users. Lifehacker has run a succession of posts on good password practices, but they haven't been criticizing anyone. And they certainly haven't reprimanded their users for 'weak' passwords. The truth of the matter is that users who had passwords that were unique to their Gawker account (a practice we all know is the smart way to go, right?) only had to fear for their Gawker account. Which means that all someone could do with their data would be to post comments on Gawker sites. Hardly a big problem.

What Gawker users have learned here (and Lifehacker, at least, has been driving home) is the inadvisability of having a global password (a frighteningly common practice).

Re:Users

"The passwords were encrypted. But simple ones may be vulnerable to a brute-force attack" -- in a way that is not a lie and not critizing their users, but it does give the impression that the users actually had a choice to secure their account. Reality is that with gawkers password scheme that was not possible.

Re:Users

[Jawnn]

While Gawker has thus far avoided accepting any real responsibility for the incident (not so much as an apology yet), they haven't actually been blaming users. Lifehacker has run a succession of posts on good password practices, but they haven't been criticizing anyone.

This is the same bullshit, "We can't actually say this, but we will hint at, imply, and suggest it in every possible way until you believe it" strategy that Fox News has mastered so well. The plain fact, of course, is that Gawker is to blame for the breach of their users' passwords, weak and strong alike. They want desperately to have those users start thinking along different lines and sadly, it appears to be working.

Re:Users

The problem with Gawker, slashdot and countless other sites is the requirements to 'log in' to simply post comments on stories. What is so secure about this forum that I need an actual username and password just to post a comment. Are hackers really out there waiting to 'log in' as me and post evil comments??

Of course my passwords for forum sites are going to be short and stupid, because I really don't care, and I'm getting annoyed at the fact that I have literally hundreds of usernames and passwords out there just for forum sites. I have proper secure passwords for my bank and credit card, (I'm not a complete fool). But for posting comments on gawker or slashdot or my local newspaper - why should I really have anything more complicated than a 'qwerty' password?

Re:Users

[cprincipe]

Except for the fact that many of the other sites/services for which I use my email address have gone into the leaked torrent, found my email address, and locked my account and forced me to change my password, even though I haven't used the same password amongst the sites. I've spent the last week getting locked out of various places and having to come up with all new passwords

"The online publishing giant"...

[pongo000]

...no one has heard of!

Seriously, was Gawker on anyone /.ers' radar before this news broke? Or am I the only one who never leaves the cave?

Re:"The online publishing giant"...

Posting anonymously because my email was in the leaked info.

Lifehacker has some useful tips; Linux, Mac and Windows. Including their mobile variants and smartphones.

Gizmodo is another, which I used to read often but I got sick of reading so many commercials (that's the idea of the site, they didn't do anything wrong).

Give them a look over. At the bottom of Lifehacker.com pages there are links to the other sites (fleshbot.com is missing, maybe because it's NSFW).

Re:"The online publishing giant"...

[MoonBuggy]

They are a giant precisely because they are the force behind a fairly diverse range of sites, all of which are big names in their respective fields. You may not have heard the name 'Gawker Media', and I don't expect valleywag or Jezebel to come up on most Slashdotters' daily rotation, but Gizmodo gets linked here (either in stories or comments) fairly regularly.

Re:"The online publishing giant"...

[PhrostyMcByte]

There's a good chance you've been to one of their sites before. Gizmodo, Kotaku, Lifehacker, and io9 are their bigger ones I can recall -- I'm sure there are others. I personally read Gizmodo and io9 quite often, though I've never made an account with them.

Re:"The online publishing giant"...

[perryizgr8]

imo, engadget is much better than gizmodo. though i do find useful lifehacker page when searching for specific software.

Re:"The online publishing giant"...

These blogs are aggregations of content posted elsewhere.
We can all do without the snarky commenters,
what does it ever add to a discussion?

Features prioritized over bugs

[Stiletto]

You don't say!

Our development efforts have been focused on new product while committing relatively little time to reviewing past work.

Software engineers, stop me if you've heard this one: "Don't worry about bugs or security holes! Just keep shoveling features in and ship! Audits? Code reviews?? Don't have time--gotta ship ship ship!"

Re:Features prioritized over bugs

[Phopojijo]

Whoa whoa whoa whoa, I did hear that one before.

Hash...

Does the memo include the obvious, "store a hash rather than the actual password"?

They still don't get it.

[140Mandak262Jamuna]

In recent weeks, intruders were able to gain access to our web servers by exploiting a vulnerability in our source code, allowing them to gain access to user data and passwords.

They are still blaming bugs in code. Pretending to be mistakes made by low level programming flunkies. The problem was using an unsalted hash that allowed them to do a simple dictionary attack. Further even the top guys were using very simple passwords. Used the same password for multiple accounts. Continued to leave other accounts and usernames unlocked even after knowing one account using that password has been compromised.

No. The real problem was that the managers and the top dogs drawing top salaries were clueless idiots. Pretending that it was some kind of stupid bug left in code by some low level programmer shows how disconnected these bozos are from reality.

Re:They still don't get it.

[OnePumpChump]

Did you read the readmes in the torrent? The attackers claim that they took DAYS to download those passwords. That traffic didn't look unusual to anyone? Should any system anywhere that isn't either migrating that database or backing it up be looking at more than a couple of passwords in any short span of time? Regardless, this didn't draw any attention. Bug or not, there's not really any excuse here.

Re:They still don't get it.

[PhrostyMcByte]

If their claims to be consulting an "independent security firm" are true, then it appears they also realize they're incompetent and are bringing in outside help to school them on proper security.

We've learned many lessons from this experience, both as a tech team, as a company, and as individuals. If there's one lesson nearly all of us learned, it's that we can and must be smarter with passwords. Lifehacker is a great resource for password advice (and there are many others). I suggest you start here: http://lifehacker.com/184773/geek-to-live-choose-and-remember-great-passwords.

It seems they're at least beginning to learn, though.

They also mention that they're going to let users use OAuth to log in. It's not clear if they'll be moving all accounts to OAuth, or if they're going to keep using unsalted crypt() for users who want to keep their account local.

Re:They still don't get it.

[Dhalka226]

I'm not disagreeing with you that there were multiple failures at multiple levels of the management chain.

But wouldn't using an unsalted hash vulnerable to dictionary attacks be the mistake of "low-level programming flunkies?" Why should any management-level people know what the hell a hash or a salt is, much less be micromanaging their programmers to that extent? Isn't that why you hire coders in the first place -- for their expertise in doing things the right way?

Re:They still don't get it.

[magamiako1]

The problem usually comes down to this:

A) Pay a decent, well reputable, knowledgeable coder $$$$ for his time to develop a website.

or

B) Pay some outsourced company $$ for their time to develop a website.

Most management usually goes for B. It generally makes them "look better" because it can "get the job done", they can "save money". Security is an afterthought to almost all management levels. The only reason that Gawker's management is even anything close to concerned now is because it's going to cut into ad revenue. But they, like any major company, skate on that thin ice until eventually it breaks.

This isn't surprising in the least bit. Companies don't give two shits about security until it bites them in the ass. Further more, I don't really expect them to make major strides in security, but "just enough" to make sure the "previous situation" doesn't happen again.

That said, there is something called "defense in depth", and it's something they should have implemented from the start. It was a failure at all levels of monitoring and management.

Re:They still don't get it.

Enen read access to the password table is not really needed for the web facing applications database user. Make it write only and use another function with another user for password checks.

Re:They still don't get it.

[mlts]

I have heard this manta repeatedly endlessly by PHBs, "security has no ROI."

With an attitude like this, it gets surprising that these breaches are not even more commonplace. Of course, there will be no long term consequences for the poor security, except what happens to the users.

I hate calling for regulation [1], but it may take governments stepping in and people going to jail before businesses actually pay more than token attention to security.

Defense in depth -- now that is a sensible philosophy. This is really what is needed if businesses are to be able to provide any semblance of integrity. What is ironic is that every MBA that goes through an accredited program has to study ITIL. Defense in depth is one of the topics that they much learn about and pass. So, when a PHB won't fund adequate security, they have no excuse for the consequences.

[1]: With our luck, people call for basic security regulation and get laws like Sarbanes-Oxley which don't add much security (as in less issues with private info walking out the door and onto a torrent site), but would in fact end up making storage companies and "consultants" who do random mumbo-jumbo rich due to mandatory archiving requirements.

Re:They still don't get it.

[mlts]

Elaborating on this, why not have the password checks be done do an isolated SQL server replicating a read-only table? Then for the password queries, have this be a function of the database, where there is an inserted delay between checks. This way, each user might wait an additional half second to second before logging which isn't that big a deal for them. However, someone who compromised the webserver wouldn't just be able to dump the database en masse, but name by name with 500 ms between each.

Of course, what is obtained is an encrypted nonce and a salt, and the Web server takes the user's password + salt, hashes it x amount of times, then tries to decrypt the nonce. If the nonce decrypts, the user is authenticated. Essentially TrueCrypt's mechanism, plus a backend database function to only allow for delayed single queries.

Business needs caused the problem

From TFA:

"The tech team should have been better prepared, committed more time to perform thorough audits, and grown our team’s technical expertise to meet our specific business needs."

We have the exact same problem with an internet-connected application where I work - plaintext passwords. All of the developers have pointed out that it's a problem to business, but they think it's a feature because it allows them to read passwords back to customers who've lost them, or send them a welcome e-mail with their password. No matter how much we whinge and bitch that it's wrong and you can send users new passwords with hashed or encrypted password systems they won't budge and refuse to spend dev time or money fixing it.

"Business Needs" means adding more features, not fixing broken implementations.

OpenID is a piece of shit.

Of all of the authentication schemes out there, OpenID is by far one of the lousiest pieces of shit around. I say this as a programmer and system administrator who has dealt with many such systems in my career.

A few months ago, while developing some software, I ran into an unusual scenario. I wanted to merely ask a question at StackOverflow, but ran into their shitty OpenID-based authentication. My existing Yahoo! and Google addresses wouldn't work. I don't use LiveJournal, Facebook, or the other lesser-known providers they support.

After wasting a few minutes on something that should have taken less than 10 seconds, I decided just to ask my question on a mailing list instead. After all, it didn't waste my time with OpenID nonsense.

Re:OpenID is a piece of shit.

You don't need an account to post questions on SO. And as SO has taken over every other tech forum on the web, it seems most people don't share your experience.

password expiry

[Exclamation+mark!]

Is part of the strategy to force users to change their password every month so they can write it down or reuse it and make it just secure enough to pass validation? This kind of crap is happening at work and forces me to use crappy passwords! Thanks security consultants!

Follow the leader

"and suggests the company overlooked security concerns in the rush to develop new features"

In other words they are no different than Windows.

This Guy doesn't get it.

Like many youngsters thrust into high positions, this guy doens't get it. He has a number of issues, the first is that he hasn't stopped using Google Apps for corporate data. Idiot.

Why don't all the employee interfaces into their systems require a VPN? A REAL VPN - IPSec-based. Idiot.

Mandatory use of a password manager should have been in this post. There's no reason to have short passwords anymore.

No mention of updating the DES encryption to something newer - you know, not 20 yrs old.

OAuth? Seriously? I'm not interested in sharing my access with "those" corporations. Let me use OpenID and authenticate to my personal server.

Anyway, he has the corporate culture to fight AND the teenage-like mentality that many of the editors/contributors display.

Security isn't an easy thing to do, especially with that code base. With all that javascript, I'd be afraid, very afraid that too many interfaces are public. Do they even use reverse proxies with filters? They can make good progress in a year, but I wouldn't expect the security-as-part-of-daily-work to be there for 3-5 years. In the meantime, everything they do needs to have a 2 pg "is this security" checklist.

He admits that they cannot successfully...

[darrad]

secure data within their network. Every solution he proposed uses and outside resource. Move away from storing all data? Use outside authentication? One time accounts? (this one really got me)

Are they that bad at the basics of security? Someone please tell me this is not the norm.

Drugs are probably to blame

[XCondE]

from the memo:

Disposable accounts are similar to the service a pre-paid phone offers to drug dealers (a disposable, untraceable communication device).

I wonder how did he come across this service? I mean, even if you think doing drugs is ok it's a questionable example to use in a corporate memo.

I Dunno

[glebovitz]

I never heard of Gawker, but I received email from them telling me that my account was compromised. I just went to their site, entered my email and asked for a password reset. I got a reply with a username I don't recognize. When I logged in with the id and password, I got an error message that said I had never "verified" my account.

  I'd say they have some serious problems that go beyond the password hack.

The premise of the site seems pretty sketchy.

Re:I Dunno

[SunTzuWarmaster]

Actually, ditto. Also, I've read Lifehacker for some time. It isn't exactly like SunTzuWarmaster is a username that has been ever taken... why would Gawker, of all places, have a username that I have never heard of?

bye Gawker

[J05H]

They really screwed the pooch. I'll never go to their sites again, this is basic info-sec that should have been simple and unobtrusive. They failed.

who cares?

[perryizgr8]

i deleted my account.

Wanted: New CTO

[rudy_wayne]

It turns out that Gawker has a "Chief Technology Officer". However, if you read this article from Forbes, it makes you wonder what this guy actually did, other than show up and collect a paycheck.

Danger

Umm... Maybe you've been scammed? Or maybe woosh for me.

Memo

[Loki_666]

Here is a copy of the memo that was sent out highlighting the new security protocols:

To: All Employees

New Security Protocols

1) Do not write down your passwords on post-it notes and then attach them to your monitor.

Thank you for your cooperation.

Re:Memo

[chimpo13]

It would've been more secure for employees to write them down. Then they only have to worry about their spouse, kids, plumber and people who get to see the house office. If they have a real office, it's still limited to employees and finding out who the Evil One is after something like this shouldn't be that hard. Writing down passwords on post-its isn't that big of a problem.

More Gawker Douchebaggery

[hyades1]

I may be wrong, but it appears that when you try to delete your account, they don't actually get rid of the information, they just make it inaccessible to you. I guess they'd prefer not to offend all the advertisers they whored your personal information out to.

Mother of god people md5

Why is it so hard to just md5 the password into the DB, then do a md5 compare at login, I thought this was a fucking standard. Its db security 101 for gods sake.

Re:Mother of god people md5

[Captain+Hook]

That wouldn't have helped here, my understanding is that the password were hashed but not salted. So once the hackers had downloaded the hashed password all they had to do was compare the resulting hash strings with a database with precompiled password hashes (Lookup Rainbow Tables).

For example, using MD5 hashing. password always comes out as 5f4dcc3b5aa765d61d8327deb882cf99 so if you ever see that string in a password file, you know the user password = password.

The way around this is to salt the hash with a second string, known only by the website authentication function so that the password has become MD5(salt value + password) rather than just MD5(password). This creates unique strings which are much longer than can feasibly attacked by a Rainbow Table.

Re:Mother of god people md5

The way around this is to salt the hash with a second string, known only by the website authentication function so that the password has become MD5(salt value + password) rather than just MD5(password). This creates unique strings which are much longer than can feasibly attacked by a Rainbow Table.

Wrong.

Salts are not "private" knowledge and should not be treated as such. You need to assume that the attacker knows how you salt. There are (2) reasons for using salt:

- Using a unique salt for your site means that rainbow tables from one site can't be used to attack your site. The attacker has to spend the CPU time to calculate all new tables for your database.

- Adding a unique salt for each different user multiplies the attacker's workload. Now, not only do they have to calculate rainbow tables for your site, but they would also have to calculate individual rainbow tables for every user since each user has their own unique salt.

Knowing how to construct the salt gains the attacker nothing in both cases. Salts do not protect against dictionary attacks or brute-force efforts, their sole purpose is to prevent the use of pre-calculated rainbow tables.