SHATTER’s View of Gawker’s Database Hack

Tuesday, December 14, 2010

Alexander Rothacker


Yesterday, Gawker was in the news, but not for breaking a juicy story; instead, it was for letting its users learn that it wasn’t keen on security.

According to the New York Times, more than 1.3 million user names and passwords were compromised, though it was unclear whether all of the data had been decrypted.

The database attack against Gawker is an example of what could happen to any organization that doesn’t take security seriously. Take any news organization as an example: if you want to leave a comment or subscribe to a newsletter, you often have to create a username and password, which, without the proper security in place, could jeopardize sensitive user information.

It appears that what happened in this attack is that Gawker was using outdated Linux servers and didn’t have a good patching process in place to update the servers and software. Since Gawker’s Web servers are their bread and butter, one can only guess what their patching policies are with regard to other servers, including their database servers.

In addition, they were relying on DES for encrypting their user passwords, which was deemed crackable in 2007. While relying on outdated encryption is a big enough problem, members of Gawker’s team also used the same passwords for several other accounts, and once the passwords were compromised, Gnosis could access additional websites using their login credentials.

It’s also clear that there wasn’t any database activity monitoring in place – or at least they didn’t take it very seriously.

Information on the web suggests that the Gnosis hackers went in and executed DROP TABLE in the backend database. DROP TABLE is a SQL statement that deletes a table and all the data it contains.

Changes like this to the schema of a database should be limited to development environments or to DBAs during maintenance. A database monitoring solution would have flagged the use of DROP TABLE on a production database, raising all kinds of alarm bells.
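As an added illustration (not part of the original post), here is a small Python detector in the spirit of the monitoring described above: it walks a constructed MySQL general-query-log sample, attributes each query to the account that opened the connection, and raises an alert for every schema-changing statement, escalating to critical when it comes from an account outside an assumed DBA allow-list or outside an assumed maintenance window.

```python
import re
from datetime import datetime, time

# Constructed MySQL general-query-log sample (not real Gawker data).
# Format: <timestamp>\t<connection id> <command>\t<argument>
SAMPLE_LOG = """\
2010-12-12T03:14:05.000000Z\t  12 Connect\twebapp@10.0.0.5 on site_db
2010-12-12T03:14:07.000000Z\t  12 Query\tSELECT id, email FROM users WHERE id = 42
2010-12-12T03:14:09.000000Z\t  12 Query\tDROP TABLE comments
2010-12-12T22:00:01.000000Z\t  27 Connect\tdba_maint@10.0.0.9 on site_db
2010-12-12T22:00:03.000000Z\t  27 Query\tALTER TABLE users ADD COLUMN last_login DATETIME
2010-12-12T22:00:04.000000Z\t  27 Query\t/* cleanup */ drop table old_sessions
"""

LINE_RE = re.compile(r"^(\S+)\t\s*(\d+) (\w+)\t(.*)$")
# Schema-changing statements, tolerating a leading /* ... */ comment.
DDL_RE = re.compile(r"^\s*(?:/\*.*?\*/\s*)*(DROP|ALTER|TRUNCATE|RENAME|CREATE)\b", re.I)

# Assumed policy: only these accounts may change the schema, and only in this window.
DBA_ACCOUNTS = {"dba_maint"}
MAINT_WINDOW = (time(22, 0), time(23, 59))


def parse_queries(log_text):
    """Yield (timestamp, user, sql) per Query, attributing it via the Connect line."""
    session_user = {}  # connection id -> account that opened it
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, conn, command, arg = m.groups()
        if command == "Connect":
            session_user[conn] = arg.split("@", 1)[0]
        elif command == "Query":
            yield datetime.fromisoformat(ts.rstrip("Z")), session_user.get(conn, "unknown"), arg


def ddl_alerts(log_text):
    """One alert per DDL statement; 'violations' lists the policy rules it breaks."""
    alerts = []
    for ts, user, sql in parse_queries(log_text):
        m = DDL_RE.match(sql)
        if not m:
            continue
        violations = []
        if user not in DBA_ACCOUNTS:
            violations.append("non-DBA account")
        if not (MAINT_WINDOW[0] <= ts.time() <= MAINT_WINDOW[1]):
            violations.append("outside maintenance window")
        alerts.append({"time": ts.isoformat(), "user": user, "statement": m.group(1).upper(),
                       "severity": "critical" if violations else "info", "violations": violations})
    return alerts
```

Running `ddl_alerts(SAMPLE_LOG)` yields three alerts: the web application's DROP at 03:14 is critical on both counts, while the two DBA statements inside the window are informational.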

Some tips that Gawker and other sites can use to prevent similar breaches:

  • Define and enforce a policy for using strong and complex passwords
  • Educate your users to not reuse their passwords for other logins such as online banking, Twitter, email, posting comments on third-party blogs, etc.
  • Hire or contract a dedicated security professional to your staff
  • Update servers and software with the latest patches – and continue to do so on a regular basis
  • Monitor network and database activity and Website traffic

While this attack is definitely severe by the raw number of passwords compromised, breaches exposing financial information or Social Security Numbers can be much more detrimental to users, cause even larger headaches, and take a significantly greater amount of time and hassle to remediate.

Remember, anything you put on the Internet isn’t yours anymore – including your user name and passwords – it’s Facebook’s or Gawker’s, or Twitter’s.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
