IT & Network Infrastructure : Eight Things to Learn from the Gawker Fiasco

When it became clear over the weekend of Dec. 11-12 that Gawker Media's user database had been compromised by a hacker group, perhaps the most shocking thing about the case was not the break-in itself or the sizable number of people using the Gawker sites who use a business or U.S. government e-mail as their point of contact. Instead, the real attention grabber from a technical point of view turned out to be how woefully insecure Gawker's servers and data were. The haul included the user-and-password database, e-mail and chat room threads that detailed Gawker Media's day-to-day operations, and the proprietary source code for the Gawker sites, which the company considered an asset with commercial potential. With user identities compromised, the once-secret source code now published for anyone to pick over and more than a few people cheering at the iconoclasts hoisted by their own petard, here are eight lessons that we can learn from the humbling of Gawker's IT staff.

  • Eight Things to Learn from the Gawker Fiasco

    by P. J. Connolly

  • Understand the Threat

    Some organizations have more to fear from inside attacks than from the outside ones. Others can trust users implicitly, but have a public profile—whether deserved or not—which makes them targets with a very high value.

  • Don't Think You're All That

    If you're calling yourself a technology company, you have to protect your core technology; in the case of Gawker and its founder Nick Denton, this was the Ganja framework, which Gnosis captured from poorly secured servers and made available as a torrent.

  • Assume You Are a Target

    If you dare people to hack into your systems, you'd better have an intrusion detection system in place and security policies that correctly identify the probable attackers and their possible approaches.

  • Keep Patches Current

    Patching public-facing systems is not only necessary, it's vital. It's one thing to be a week or two behind to allow for testing before a general rollout, but some Gawker systems were reported to be up to a year behind on kernel patches.

  • Don't Use Obsolete Crypto

    Gawker's authentication database, which linked user IDs, e-mail addresses and passwords, was encrypted using the obsolete DES algorithm; it can be assumed that every account's password would be decrypted before the end of December.

  • Clarify and Enforce Password Policies

    Gawker's IT policy for employee accounts broke rules that were commonplace by the mid-1990s: no dictionary words, no repeated numeric strings, change passwords on a regular basis.
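    The three rules named above (no dictionary words, no repeated numeric strings, regular rotation) are mechanical enough to enforce at password-set time. The checker below is an added example written for this article, not Gawker's code; the word list and the 90-day and 12-character limits are constructed placeholders, and a real deployment would load a full dictionary file and its own policy values.

```python
import re
from datetime import date

# Constructed sample word list; a production checker would load a full dictionary.
DICTIONARY = {"password", "gawker", "secret", "monkey", "welcome", "dragon"}
MAX_AGE_DAYS = 90   # assumed rotation period
MIN_LENGTH = 12     # assumed minimum length

# A run of digits repeated three or more times in a row: 111, 123123123, 0000
REPEATED_DIGITS = re.compile(r"(\d+?)\1{2,}")


def check_password(password, last_changed=None, today=None):
    """Return a list of policy violations; an empty list means the password complies."""
    problems = []

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Compare case-insensitively, and also with digits/punctuation stripped so
    # "Gawker123" is still recognised as the dictionary word "gawker".
    lowered = password.lower()
    stripped = re.sub(r"[^a-z]", "", lowered)
    if (lowered in DICTIONARY or stripped in DICTIONARY
            or any(w in lowered for w in DICTIONARY if len(w) >= 5)):
        problems.append("dictionary word")

    if REPEATED_DIGITS.search(password):
        problems.append("repeated numeric string")

    # Rotation check: only meaningful when the account's last change date is known.
    if last_changed is not None:
        today = today or date.today()
        if (today - last_changed).days > MAX_AGE_DAYS:
            problems.append(f"not changed in more than {MAX_AGE_DAYS} days")

    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    print(check_password("gawker123", last_changed=date(2010, 1, 1), today=date(2010, 12, 13)))
    print(check_password("Correct-Horse-Battery-9"))
```

    The rotation check takes an explicit `today` so it can be tested deterministically; production callers simply omit it.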

  • Don't Reuse Passwords on Critical Systems

    Using the same password on multiple mission-critical systems isn't a valid approach to single sign-on; key Gawker employees, it seems, used the same credentials for everything they touched, making the break-in that much easier.
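    Two of the lessons above, retiring DES-based password storage and refusing credentials already in use elsewhere, share one building block: a salted, deliberately slow password hash. Traditional DES crypt uses only the first eight characters of a password and a 12-bit salt (4,096 values), which is why a stolen table of such hashes can be exhausted in days. The example below is added for this article and is not Gawker's code; it replaces DES crypt with PBKDF2-HMAC-SHA256 from the Python standard library, and the `is_reused` check is an assumed design in which a password-change service verifies the candidate against the hashes held by other systems before accepting it.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Assumed parameters: a per-user random salt and an iteration count tuned to
# make each guess cost real CPU time on the defender's hardware.
ITERATIONS = 100_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Derive a salted PBKDF2 hash and store its parameters alongside it."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != SCHEME:
        return False  # refuse to honour a legacy or unknown format
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def is_reused(password: str, other_system_hashes: List[str]) -> bool:
    """At password-change time, reject a password already in use on another system.

    Salted hashes cannot be compared to each other directly, so the check has to
    happen while the plaintext candidate is available, before it is stored."""
    return any(verify_password(password, h) for h in other_system_hashes)


if __name__ == "__main__":
    # Constructed sample data: the same password hashed twice yields different
    # strings because each call draws a fresh salt.
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored))
    print(is_reused("correct horse battery staple", [hash_password("unrelated"), stored]))
```

    Because the salt is random, the same password produces different stored strings on different systems, so reuse can only be detected at change time as shown, never by comparing the stored hashes after the fact.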

  • Don't Reinvent the Wheel

    If your site already has a relationship with an OAuth provider such as Facebook or Twitter, you might want to take advantage of the provider's authentication architecture, instead of trying to duplicate it.