Memo Details Gawker Security Strategy

Trailrunner7 writes "After a hack of systems belonging to online publishing giant Gawker Media that yielded more than one million passwords, the online media company's chief technology officer has announced new defense strategies aimed at placating their users and preventing further humiliating data breaches. Thomas Plunkett issued a company-wide memo on Friday that lays out the new security measures and suggests the company overlooked security concerns in the rush to develop new features."

Not gonna work..

I read it, but nowhere it mentions not being douchebags. Not gonna work.

Re:Not gonna work..

[PatPending]

Plunkett should be sacked because he is ultimately responsible for his team.

Re:Not gonna work..

[BrowserCapsGuy]

Plunkett should be sacked because he is ultimately responsible for his team.

Right now Gawker needs him because he (probably) knows more about their systems than anyone. I'm sure in time there will be an announcement that he's decided to resign to spend more time with his family.

Re:Not gonna work..

[E+IS+mC(Square)]

* That douchbag Prank at CES (http://gizmodo.com/343348/confessions-the-meanest-thing-gizmodo-did-at-ces)
* Then Brian Lam being complete ass (http://gizmodo.com/303223/halo-3-swag-rebagging-plus-apology)
* Classy!! "if you're a twerpy little internet chump", " Especially not when we own the fucking podium." - (http://gizmodo.com/5687692/you-write-bias-journalism-and-i-read-derp)
* Adam Frucci's post on telling off all Apple haters to go fuck themselves - can't find the origina post (which was modified few times when it backfired)
* Banning any critical commentator (http://gizmodo.com/tag/phantomzone)
* Being complete douch for the iphone prototype thingy and getting banged in the ass by Jesus Steve Jobs himself
* Too much hurt? Wow! (http://gizmodo.com/5461485/ipad-snivelers-put-up-or-shut-up)
* Banning users, creating fake ones, deliberately dissing Nokia and it's users (http://play-this.org/2010/10/nokia-uses-social-pr-tactics-to-battle-gizmodo/)

The list is endless..

Re:Not gonna work..

[Reaperducer]

Wow. I may be in the minority, but I'm certainly glad I've never heard of Gawker. Though it takes the joy out of deliberately avoiding the web site.

Re:Not gonna work..

[c0lo]

Plunkett should be sacked because he is ultimately responsible for his team.

Right now Gawker needs him because he (probably) knows more about their systems than anyone.

Based only on the info published by the memo, he doesn't know too much... but is still only a memo.

Re:Not gonna work..

[Cheech+Wizard]

Gawker is sorta like "The National Enquirer" except it's on the internet rather than on grocery store shelves at the check out lane.

Re:Not gonna work..

[Mashiki]

I always likened it to the place where all the douchebags of the internet liked to congregate. 4chan has it's moments, but even they have some semblance of class.

Re:Not gonna work..

[BrowserCapsGuy]

Yep, I agree. That's why I qualified my statement.

Re:Not gonna work..

[beakerMeep]

http://www.nytimes.com/2008/05/25/magazine/25internet-t.html

Re:Not gonna work..

[E+IS+mC(Square)]

Well played, sir.

Absolutely fascinating!

[BitHive]

I've been dying to know whether the no-name CTO of some joke of a blog franchise has had any thoughts since his incompetence was made public.

I, for one, will be eagerly perusing his recommendations to see if there's anything I've missed.

Re:First rule of Gawker Media Strategy...

[Crash+McBang]

gaah, s/Media/Security/

Re:One item

[Auroch]

Norton 2011.

We can all sleep soundly now.

Yup. Since we'll be unable to use our computers ...

Users

[MrQuacker]

Their whole strategy so far has been to blame the users: "Its not Gawkers fault your passwords are so weak."

Re:Users

[vain+gloria]

Their whole strategy so far has been to blame the users: "Its not Gawkers fault your passwords are so weak."

Which is both reprehensible of them and false. Their poor choice of algorithm literally truncated my sixteen character password to an eight character one. When I logged in to change mine I did so with just the front half.

Re:Users

[MrQuacker]

Both Lifehacker and Gizmodo have been running nothing but security stories since this happened. And they all have the theme of blaming users for having weak passwords.

Re:Users

[tpstigers]

While Gawker has thus far avoided accepting any real responsibility for the incident (not so much as an apology yet), they haven't actually been blaming users. Lifehacker has run a succession of posts on good password practices, but they haven't been criticizing anyone. And they certainly haven't reprimanded their users for 'weak' passwords. The truth of the matter is that users who had passwords that were unique to their Gawker account (a practice we all know is the smart way to go, right?) only had to fear for their Gawker account. Which means that all someone could do with their data would be to post comments on Gawker sites. Hardly a big problem.

What Gawker users have learned here (and Lifehacker, at least, has been driving home) is the inadvisability of having a global password (a frighteningly common practice).

Re:Users

"The passwords were encrypted. But simple ones may be vulnerable to a brute-force attack" -- in a way that is not a lie and not critizing their users, but it does give the impression that the users actually had a choice to secure their account. Reality is that with gawkers password scheme that was not possible.

Re:Users

[Jawnn]

While Gawker has thus far avoided accepting any real responsibility for the incident (not so much as an apology yet), they haven't actually been blaming users. Lifehacker has run a succession of posts on good password practices, but they haven't been criticizing anyone.

This is the same bullshit, "We can't actually say this, but we will hint at, imply, and suggest it in every possible way until you believe it" strategy that Fox News has mastered so well. The plain fact, of course, is that Gawker is to blame for the breach of their users' passwords, weak and strong alike. They want desperately to have those users start thinking along different lines and sadly, it appears to be working.

Re:Users

[cprincipe]

Except for the fact that many of the other sites/services for which I use my email address have gone into the leaked torrent, found my email address, and locked my account and forced me to change my password, even though I haven't used the same password amongst the sites. I've spent the last week getting locked out of various places and having to come up with all new passwords

"The online publishing giant"...

[pongo000]

...no one has heard of!

Seriously, was Gawker on anyone /.ers' radar before this news broke? Or am I the only one who never leaves the cave?

Re:"The online publishing giant"...

Posting anonymously because my email was in the leaked info.

Lifehacker has some useful tips; Linux, Mac and Windows. Including their mobile variants and smartphones.

Gizmodo is another, which I used to read often but I got sick of reading so many commercials (that's the idea of the site, they didn't do anything wrong).

Give them a look over. At the bottom of Lifehacker.com pages there are links to the other sites (fleshbot.com is missing, maybe because it's NSFW).

Re:"The online publishing giant"...

[MoonBuggy]

They are a giant precisely because they are the force behind a fairly diverse range of sites, all of which are big names in their respective fields. You may not have heard the name 'Gawker Media', and I don't expect valleywag or Jezebel to come up on most Slashdotters' daily rotation, but Gizmodo gets linked here (either in stories or comments) fairly regularly.

Re:"The online publishing giant"...

[PhrostyMcByte]

There's a good chance you've been to one of their sites before. Gizmodo, Kotaku, Lifehacker, and io9 are their bigger ones I can recall -- I'm sure there are others. I personally read Gizmodo and io9 quite often, though I've never made an account with them.

Re:"The online publishing giant"...

[perryizgr8]

imo, engadget is much better than gizmodo. though i do find useful lifehacker page when searching for specific software.

Features prioritized over bugs

[Stiletto]

You don't say!

Our development efforts have been focused on new product while committing relatively little time to reviewing past work.

Software engineers, stop me if you've heard this one: "Don't worry about bugs or security holes! Just keep shoveling features in and ship! Audits? Code reviews?? Don't have time--gotta ship ship ship!"

Re:Features prioritized over bugs

[Phopojijo]

Whoa whoa whoa whoa, I did hear that one before.

They still don't get it.

[140Mandak262Jamuna]

In recent weeks, intruders were able to gain access to our web servers by exploiting a vulnerability in our source code, allowing them to gain access to user data and passwords.

They are still blaming bugs in code. Pretending to be mistakes made by low level programming flunkies. The problem was using an unsalted hash that allowed them to do a simple dictionary attack. Further even the top guys were using very simple passwords. Used the same password for multiple accounts. Continued to leave other accounts and usernames unlocked even after knowing one account using that password has been compromised.

No. The real problem was that the managers and the top dogs drawing top salaries were clueless idiots. Pretending that it was some kind of stupid bug left in code by some low level programmer shows how disconnected these bozos are from reality.

Re:They still don't get it.

[OnePumpChump]

Did you read the readmes in the torrent? The attackers claim that they took DAYS to download those passwords. That traffic didn't look unusual to anyone? Should any system anywhere that isn't either migrating that database or backing it up be looking at more than a couple of passwords in any short span of time? Regardless, this didn't draw any attention. Bug or not, there's not really any excuse here.

Re:They still don't get it.

[PhrostyMcByte]

If their claims to be consulting an "independent security firm" are true, then it appears they also realize they're incompetent and are bringing in outside help to school them on proper security.

We've learned many lessons from this experience, both as a tech team, as a company, and as individuals. If there's one lesson nearly all of us learned, it's that we can and must be smarter with passwords. Lifehacker is a great resource for password advice (and there are many others). I suggest you start here: http://lifehacker.com/184773/geek-to-live-choose-and-remember-great-passwords.

It seems they're at least beginning to learn, though.

They also mention that they're going to let users use OAuth to log in. It's not clear if they'll be moving all accounts to OAuth, or if they're going to keep using unsalted crypt() for users who want to keep their account local.

Re:They still don't get it.

[Dhalka226]

I'm not disagreeing with you that there were multiple failures at multiple levels of the management chain.

But wouldn't using an unsalted hash vulnerable to dictionary attacks be the mistake of "low-level programming flunkies?" Why should any management-level people know what the hell a hash or a salt is, much less be micromanaging their programmers to that extent? Isn't that why you hire coders in the first place -- for their expertise in doing things the right way?

Re:They still don't get it.

[magamiako1]

The problem usually comes down to this:

A) Pay a decent, well reputable, knowledgeable coder $$$$ for his time to develop a website.

or

B) Pay some outsourced company $$ for their time to develop a website.

Most management usually goes for B. It generally makes them "look better" because it can "get the job done", they can "save money". Security is an afterthought to almost all management levels. The only reason that Gawker's management is even anything close to concerned now is because it's going to cut into ad revenue. But they, like any major company, skate on that thin ice until eventually it breaks.

This isn't surprising in the least bit. Companies don't give two shits about security until it bites them in the ass. Further more, I don't really expect them to make major strides in security, but "just enough" to make sure the "previous situation" doesn't happen again.

That said, there is something called "defense in depth", and it's something they should have implemented from the start. It was a failure at all levels of monitoring and management.

Re:They still don't get it.

[mlts]

I have heard this manta repeatedly endlessly by PHBs, "security has no ROI."

With an attitude like this, it gets surprising that these breaches are not even more commonplace. Of course, there will be no long term consequences for the poor security, except what happens to the users.

I hate calling for regulation [1], but it may take governments stepping in and people going to jail before businesses actually pay more than token attention to security.

Defense in depth -- now that is a sensible philosophy. This is really what is needed if businesses are to be able to provide any semblance of integrity. What is ironic is that every MBA that goes through an accredited program has to study ITIL. Defense in depth is one of the topics that they much learn about and pass. So, when a PHB won't fund adequate security, they have no excuse for the consequences.

[1]: With our luck, people call for basic security regulation and get laws like Sarbanes-Oxley which don't add much security (as in less issues with private info walking out the door and onto a torrent site), but would in fact end up making storage companies and "consultants" who do random mumbo-jumbo rich due to mandatory archiving requirements.

Re:They still don't get it.

[mlts]

Elaborating on this, why not have the password checks be done do an isolated SQL server replicating a read-only table? Then for the password queries, have this be a function of the database, where there is an inserted delay between checks. This way, each user might wait an additional half second to second before logging which isn't that big a deal for them. However, someone who compromised the webserver wouldn't just be able to dump the database en masse, but name by name with 500 ms between each.

Of course, what is obtained is an encrypted nonce and a salt, and the Web server takes the user's password + salt, hashes it x amount of times, then tries to decrypt the nonce. If the nonce decrypts, the user is authenticated. Essentially TrueCrypt's mechanism, plus a backend database function to only allow for delayed single queries.

Business needs caused the problem

From TFA:

"The tech team should have been better prepared, committed more time to perform thorough audits, and grown our team’s technical expertise to meet our specific business needs."

We have the exact same problem with an internet-connected application where I work - plaintext passwords. All of the developers have pointed out that it's a problem to business, but they think it's a feature because it allows them to read passwords back to customers who've lost them, or send them a welcome e-mail with their password. No matter how much we whinge and bitch that it's wrong and you can send users new passwords with hashed or encrypted password systems they won't budge and refuse to spend dev time or money fixing it.

"Business Needs" means adding more features, not fixing broken implementations.

password expiry

[Exclamation+mark!]

Is part of the strategy to force users to change their password every month so they can write it down or reuse it and make it just secure enough to pass validation? This kind of crap is happening at work and forces me to use crappy passwords! Thanks security consultants!

Re:One item

[c0lo]

Norton 2011.

We can all sleep soundly now.

Yup. Since we'll be unable to use our computers ...

Nor the malware... scorched earth strategy... effective protection by starving the medium of any "nutrients" (CPU cycles, IO and RAM). A better scheme... combine it with "fruit poisoning" (e.g. BSOD at any attempt to start any process). Hang on, that's Microsoft's job though.

Re:Why

[Darkness404]

Oddly enough, I don't want comments to be tied to either my Google or Facebook account. And I really don't think I'm in the minority.

He admits that they cannot successfully...

[darrad]

secure data within their network. Every solution he proposed uses and outside resource. Move away from storing all data? Use outside authentication? One time accounts? (this one really got me)

Are they that bad at the basics of security? Someone please tell me this is not the norm.

Drugs are probably to blame

[XCondE]

from the memo:

Disposable accounts are similar to the service a pre-paid phone offers to drug dealers (a disposable, untraceable communication device).

I wonder how did he come across this service? I mean, even if you think doing drugs is ok it's a questionable example to use in a corporate memo.

I Dunno

[glebovitz]

I never heard of Gawker, but I received email from them telling me that my account was compromised. I just went to their site, entered my email and asked for a password reset. I got a reply with a username I don't recognize. When I logged in with the id and password, I got an error message that said I had never "verified" my account.

  I'd say they have some serious problems that go beyond the password hack.

The premise of the site seems pretty sketchy.

Re:I Dunno

[SunTzuWarmaster]

Actually, ditto. Also, I've read Lifehacker for some time. It isn't exactly like SunTzuWarmaster is a username that has been ever taken... why would Gawker, of all places, have a username that I have never heard of?

bye Gawker

[J05H]

They really screwed the pooch. I'll never go to their sites again, this is basic info-sec that should have been simple and unobtrusive. They failed.

Wanted: New CTO

[rudy_wayne]

It turns out that Gawker has a "Chief Technology Officer". However, if you read this article from Forbes, it makes you wonder what this guy actually did, other than show up and collect a paycheck.

Re:Why

[perryizgr8]

poor encryption==stored in the clear

Memo

[Loki_666]

Here is a copy of the memo that was sent out highlighting the new security protocols:

To: All Employees

New Security Protocols

1) Do not write down your passwords on post-it notes and then attach them to your monitor.

Thank you for your cooperation.

Re:Memo

[chimpo13]

It would've been more secure for employees to write them down. Then they only have to worry about their spouse, kids, plumber and people who get to see the house office. If they have a real office, it's still limited to employees and finding out who the Evil One is after something like this shouldn't be that hard. Writing down passwords on post-its isn't that big of a problem.

More Gawker Douchebaggery

[hyades1]

I may be wrong, but it appears that when you try to delete your account, they don't actually get rid of the information, they just make it inaccessible to you. I guess they'd prefer not to offend all the advertisers they whored your personal information out to.

Re:Why

[arth1]

Actually, they weren't stored encrypted either - a hash to the password was stored.

The problem with using the hash method and length used (the old default for Unix, Unix-like systems and Apache) is that it's vulnerable against rainbow tables -- someone with LOTS of disk space and 4096 rainbow table databases (one for each possible salt) could quickly find a usable password for every hash.

But against dictionary attacks, permutations of known data, and brute force, it doesn't matter how strong the hash is. And that's what the crackers used.

Re:Mother of god people md5

[Captain+Hook]

That wouldn't have helped here, my understanding is that the password were hashed but not salted. So once the hackers had downloaded the hashed password all they had to do was compare the resulting hash strings with a database with precompiled password hashes (Lookup Rainbow Tables).

For example, using MD5 hashing. password always comes out as 5f4dcc3b5aa765d61d8327deb882cf99 so if you ever see that string in a password file, you know the user password = password.

The way around this is to salt the hash with a second string, known only by the website authentication function so that the password has become MD5(salt value + password) rather than just MD5(password). This creates unique strings which are much longer than can feasibly attacked by a Rainbow Table.