



Over the weekend hackers released a wealth of information they took from an unwitting Gawker (owners of Gizmodo), including their users' emails and passwords.

The attacks got personal for Gawker chief Nick Denton, who had his Flickr and other personal accounts compromised.  (Source: MB Dell)
Hacker group infiltrates Gawker Media; posts username/encrypted password file, source code, internal chats

A group calling itself Gnosis has pulled off a massive heist of data from Gawker Media, the New York-based blog network owned by Nick Denton.  But perhaps "massive" is a bit of an understatement.

Gawker, perhaps best known for its unusual procurement of a lost iPhone prototype and the ensuing fury from Apple, owns the popular blogs Gawker, Gizmodo, Jalopnik, Jezebel, Kotaku, Lifehacker, Deadspin, Io9, and Fleshbot.  In a blog post on Sunday, the company wrote, "We're deeply embarrassed by this breach."

You Might Want to Change Your Password Now

Posted around the internet are juicy nuggets of what was once Gawker's and its customers' secure private data.  The posts include the site's entire PHP-heavy source (a fun read if you're a web dev), thousands of user passwords, server logs, staff emails, staff chats, and tons of information on Gawker chief Nick Denton and his various compromised web accounts.

After 17 hours of cracking, the Gnosis team is offering up 273,789 passwords of Gawker users, and says it expects to have 500,000+ before it is done.  That would be roughly 40 percent of the purloined database of 1,247,897 user entries, which in turn is roughly 80 percent of all the accounts on the site (in other words, the hackers expect to crack the passwords of more than 30 percent of all users).

Interestingly, 2,650 users were using either "password" or "qwerty" as their password.

Many Gawker staffers seemed to be using short common words or pop-culture names as their passwords, and Nick Denton's appears to be a repeating four-digit pattern.

The group mocks:

You would think someone like Nick Denton who likes to run his mouth and taunts such an unforgiving mass like Anonymous, would use a more secure password than "24862486". The sad thing is he probably believes this password is "secure" because he likes to use it everywhere!

Gawker was storing passwords with the outdated DES-based crypt(3) scheme ("Data Encryption Standard").  That scheme only feeds the first eight characters of a password into the hash and silently discards the rest, so the hackers only needed to recover the first eight characters of a password to log in, and a DES hash from the 1970s is cheap to brute-force on modern hardware (hence 273,789 passwords in 17 hours).

The upshot is narrower than it sounds: if your password was longer than eight characters, the hackers still have (or can cheaply recover) its first eight characters, and that prefix alone is accepted by the Gawker login.  Your other accounts are only safe if the remaining characters cannot be guessed from the prefix, and only if you did not reuse the password elsewhere.

In an interview with The Next Web, a member of the group states, "We apologize that you were caught in the crossfire of this attack, if you have a sufficiently good password over 8 characters then you are most likely not at risk, anyone could have did what we did, it was wide open for everyone to exploit, we just got there first."

If your password was insecure and you use it on other locations, beware.  Gnosis already emphasized this fact by posting tweets to the Gawker account and posting pictures and text to Nick Denton's personal Flickr account.

Security researcher HD Moore has outlined a procedure, published by Computerworld, for checking whether your email address is in the leaked database.  His lookup table holds MD5 hashes of the leaked addresses rather than the addresses themselves, so you hash your own address and search for the hash:

Step 1: Go to http://pajhome.org.uk/crypt/md5/, enter your e-mail address in the 'Input' field, click the 'MD5' button, then copy the hash from the 'Result' field.

Step 2: Go to http://www.google.com/fusiontables/DataSource?dsrcid=350662, click 'Show Options', change the left-most field to 'MD5', paste the hash you obtained into the field to the right of the '=' symbol, and click 'Apply'.  A match means your address (and a hash of your password) is in the dump.
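The Python below is an added example, not Gawker's code and not Moore's checker.  It models the two points above: why a DES-based crypt(3) store hands an attacker everything past the eighth character for free (and why a salted, iterated, non-truncating hash would not), and how to run the email check locally instead of pasting your address into a third-party page.  SHA-256 stands in for DES in the legacy store (only the eight-character truncation is modelled, not the cipher), the wordlist and the leaked fingerprint set are constructed for the demo, and the assumption that Moore's table keyed on lowercased, whitespace-trimmed addresses is mine; if a check comes back negative, also try the exact spelling you registered with.

```python
# Added example: models DES crypt(3)'s 8-character truncation and the
# MD5-of-email lookup described in the article. Not code from the leak.
import hashlib
import hmac
import os
from typing import Callable, Iterable, Optional

DES_CRYPT_LIMIT = 8  # traditional DES-based crypt(3) ignores everything past byte 8


def legacy_hash(password: str, salt: bytes) -> bytes:
    """Stand-in for the old scheme: only the first 8 characters reach the hash.
    (Model only: SHA-256 replaces DES; the truncation is what matters here.)"""
    return hashlib.sha256(salt + password[:DES_CRYPT_LIMIT].encode()).digest()


def modern_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """What a site should use instead: salted, iterated, and not truncated."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify(stored: bytes, salt: bytes, candidate: str, hasher: Callable) -> bool:
    """Constant-time comparison of a candidate against the stored hash."""
    return hmac.compare_digest(stored, hasher(candidate, salt))


def crack(stored: bytes, salt: bytes, hasher: Callable,
          candidates: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: return the first candidate that matches."""
    for guess in candidates:
        if verify(stored, salt, guess, hasher):
            return guess
    return None


# Constructed wordlist for the demo, not taken from the leak.
WORDLIST = ["123456", "password", "qwerty", "letmein", "monkey", "gizmodo"]


def repeated_digit_patterns() -> Iterable[str]:
    """Every 8-digit password of the form ABCDABCD: only 10,000 candidates."""
    for n in range(10_000):
        yield f"{n:04d}" * 2


def email_fingerprint(email: str) -> str:
    """MD5 of a normalised address. Assumption (not stated on the page): the
    lookup table keyed on lowercased, trimmed addresses."""
    normalised = email.strip().lower().encode()
    # usedforsecurity=False: MD5 is a lookup key here, not a security primitive.
    return hashlib.md5(normalised, usedforsecurity=False).hexdigest()


def appears_in_leak(email: str, leaked_fingerprints: set) -> bool:
    """Local equivalent of steps 1 and 2: hash your address, then look it up."""
    return email_fingerprint(email) in leaked_fingerprints


def demo() -> dict:
    salt = os.urandom(16)
    long_pw = "password123456"  # 14 chars, but the legacy store only hashes "password"
    legacy = legacy_hash(long_pw, salt)
    modern = modern_hash(long_pw, salt)
    pattern_pw = legacy_hash("24862486", salt)  # the four-digits-repeated shape
    leaked = {email_fingerprint("alice@example.com")}  # constructed dump
    return {
        # wordlist entry "password" matches the 14-character password's hash
        "legacy_cracked_as": crack(legacy, salt, legacy_hash, WORDLIST),
        # and the 8-character prefix alone logs in against the legacy store
        "legacy_login_with_prefix": verify(legacy, salt, "password", legacy_hash),
        # the same wordlist finds nothing against the non-truncating store
        "modern_cracked_as": crack(modern, salt, modern_hash, WORDLIST),
        # the repeated-digit pattern falls in at most 10,000 guesses
        "pattern_cracked_as": crack(pattern_pw, salt, legacy_hash, repeated_digit_patterns()),
        "alice_in_leak": appears_in_leak("  Alice@Example.COM ", leaked),
        "bob_in_leak": appears_in_leak("bob@example.com", leaked),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note that the PBKDF2 store does not make "password" uncrackable; it only stops the truncation and slows each guess down.  A password that is itself a dictionary word falls either way, which is the point the article makes about the 2,650 "password"/"qwerty" users.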

So why did they do it?

Gnosis, according to the TNW interview, is an invite-only hacking and coding club consisting of "13 members, with three 'others'".  The group seems unconcerned about retaliation from authorities, insisting that the attack will just force Gawker to be more open and humble.

The group frequents the popular image board site 4chan, which Mr. Denton publicly taunted over the summer.  And their Twitter posts and interviews reveal that at least some of their members support Wikileaks.

Yet Gnosis is not 4chan or "Anonymous" -- the greater pool of 4chan hackers.  The group has made a great effort to emphasize that point.  Likewise, they do not appear to have any affiliation to Wikileaks, other than that they are admirers.  They reportedly have no affiliation with recent attacks on banks that opposed Wikileaks; those attacks were reportedly the work of Anonymous.

As to why they did the attack, aside from "helping" Gawker realize that its security was weak, they say that they were inspired by Mr. Denton's arrogance, which he displayed towards the tech-savvy 4Chan community.

In the TNW interview, the group comments, "We read about [Mr. Denton's insulting comments towards 4Chan] as they happened and thought nothing of them but a member brought it up and we decided to see if we could get inside Gawker but the large gap was because we didn’t really care at the time.  But after a quick pentest we discovered how truly arrogant they were, which makes more sense if you know the levels of security within Gawker."

The group has ruled out conducting another attack of similar scope in the near future, but did mention that they have several "projects" they are working on.  States the group, "Well, we have a few pokers in the fire, but nothing we can discuss. We will however re-visit Gawker sometime in the future and see if they have improved their security and fixed the numerous holes. I hope they will, they mentioned they were hiring IT experts, whatever that means."

In an interview with GeekoSystem, the group [perhaps jokingly] suggests that Mr. Denton hire them for security consultation.  Comments a group member, "They made several mistakes which contributed to their compromise - leaving passwords literally lying around, using the same password for multiple accounts and services (A lot were weed related, perhaps they had been smoking a bit too much and forgot some basic security principles? (GANJA framework anyone?!)). Unfortunately, I am afraid that until Gawker Media *do* hire us we cannot report fully on any of our findings. Sorry Nick!"

What Was Learned

Ultimately, if there's one thing this incident reminded the general public of, it's that the web is still very much like the Old West.  Those who feel like it's a warm and safe place are underinformed.

If you insult the wrong person in this environment, there's a good chance you will be attacked.  If you and your employers are smart, such attacks may fail, leaving hackers with only "undesirable" routes like distributed denial of service.  But a lot of it comes down to just how much you anger certain individuals.  The angrier some folks get, the more fully they'll leverage the ever-growing toolkit of vulnerabilities.

Is this wrong?  Many would argue it is.  Exposing users' email addresses could lead to them getting spammed, but exposing their passwords is far more dangerous.  While many of the passwords were likely used exclusively on the Gawker network, other users may find multiple accounts across the web compromised.

But at the end of the day right and wrong won't help you out a whole lot.  Like in the Old West, the authorities likely aren't going to catch the bandits -- not all of them, at least.  So for the most part you have to fend for yourself.

Use secure passwords.  Passwords should be at least 16 characters; a good way to get there with something memorable is to use a passphrase made of several randomly chosen words, rather than a word with digits tacked on.

Use separate passwords for business accounts, important private accounts (e.g. your email, Facebook, or Twitter), and extraneous private accounts (e.g. your Gawker or DailyTech login).  Your email account deserves the strongest one, since it can reset the others.

If your information is compromised, change the password on every account where you used it (starting with email) and inform the pertinent administrators as soon as possible.  A single change may not be enough if the attacker has already altered recovery details or is still logged in, so review those too.
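As an added example (not from the article), here is how to build the kind of passphrase recommended above with the operating system's CSPRNG, and how to measure it in bits rather than characters, since "24862486" is eight characters long but comes from a space of only 10,000 repeated four-digit patterns.  The 16-word list is a constructed stand-in for a real one such as the 7,776-word Diceware list.

```python
# Added example: CSPRNG passphrase generation and entropy accounting.
import math
import secrets
from typing import Sequence

# Constructed stand-in word list; a real Diceware/EFF list has 7,776 entries.
SAMPLE_WORDS = ["anchor", "basalt", "cobalt", "dune", "ember", "falcon",
                "glacier", "harbor", "iris", "juniper", "kestrel", "lantern",
                "meadow", "nectar", "orbit", "pepper"]


def entropy_bits(alphabet_size: int, n_symbols: int) -> float:
    """Guessing entropy of n symbols drawn uniformly, with replacement,
    from an alphabet of the given size: n * log2(size)."""
    return n_symbols * math.log2(alphabet_size)


def generate_passphrase(words: Sequence[str], n_words: int = 6, sep: str = " ") -> str:
    """Draw words with secrets.choice (OS CSPRNG); random.choice is not safe here.
    Duplicates in the list would silently lower the entropy, so refuse them."""
    if len(set(words)) != len(words):
        raise ValueError("word list must not contain duplicates")
    return sep.join(secrets.choice(words) for _ in range(n_words))


def is_valid_passphrase(phrase: str, words: Sequence[str], n_words: int,
                        sep: str = " ") -> bool:
    """Check that a phrase has exactly n_words, all drawn from the list."""
    parts = phrase.split(sep)
    return len(parts) == n_words and all(p in words for p in parts)


if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDS, 6))
    print(f"6 Diceware words:          {entropy_bits(7776, 6):.1f} bits")
    print(f"16 random lowercase chars: {entropy_bits(26, 16):.1f} bits")
    print(f"4 digits repeated twice:   {entropy_bits(10, 4):.1f} bits")
```

Six words from a 7,776-word list give about 77.5 bits, comparable to 16 random lowercase letters (about 75 bits), while a repeated four-digit pattern is worth about 13 bits regardless of its eight-character length.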






DES and insulting 4Chan... tut tut tut
By NubWobble on 12/14/2010 4:27:27 AM , Rating: 4
quote:
they say that they were inspired by Mr. Denton's arrogance, which he displayed towards the tech-savvy 4Chan community.


LOL owned.

Using DES and expecting nobody to hack you, they were asking for it and got what they deserved.




By Gzus666 on 12/14/2010 10:30:56 AM , Rating: 1
I know, right? Believe it or not, I run into DES encryption on company networks for VPNs more often than I would like to. Scares the crap out of me that they are so lax on security. Some of them push it to the limit with 3DES, also a joke.

You should see some of the morons that administrate these firewalls as well. It is unbelievable how easy most of this stuff would be to hack due to horrible administration. I have had to go through and clean up numerous firewalls thanks to inept IT personnel.


RE: DES and insulting 4Chan... tut tut tut
By DtTall on 12/14/2010 11:27:54 AM , Rating: 3
Perhaps they 'got what they deserved' but what about the users? It is easy to say just have stronger passwords, but I would wager that you don't have iron curtains and bars on your windows and a reinforced front door on your house. If your house gets broken into do you deserve it?

Seems like the same rationale that some parts of the world use when a woman gets raped and then punished for it because she 'deserved it' because of how she was dressed.

I guess my point is that I don't feel like the users are at fault in this case and a broad release of their passwords makes this cross the line of just proving a point.


RE: DES and insulting 4Chan... tut tut tut
By Anoxanmore on 12/14/2010 1:42:20 PM , Rating: 4
Rule #1 of the internet.
Do not talk about /b/

Rule #2 of the internet.
Do NOT talk about /b/

=^-^=


RE: DES and insulting 4Chan... tut tut tut
By ShaolinSoccer on 12/15/2010 1:23:17 AM , Rating: 2
May you burn in hell for ever mentioning them...


By snyper256 on 12/17/2010 7:00:53 PM , Rating: 2
"anonymous" isn't a group, it's everyone and anyone, unless referring to a specific post...
o.o


Shame on you, gawker!!
By slugmandrew on 12/14/2010 5:05:41 AM , Rating: 2
Hmm.. this looks like a nice, secure place to chat about tech online. Maybe I'll chill here from now on. Security should be such a high priority for all sites.

Luckily my password has been over 8 characters long for a while, so I'm good, but thanks a lot for this guide as it was nice to check anyway. If any of my passwords get out I'd be terrified!

Nice site dailytech, maybe I'll subscribe to your feed :)




RE: Shame on you, gawker!!
By mcnabney on 12/14/2010 9:02:07 AM , Rating: 3
I was spared too since I used a longer password.

As to the issue listed above, if the Internet is the 'Wild West' someone needs to hire some Pinkertons to put some not-so-virtual bullets into some of these bandits heads.


I have a gawker account, but who cares?
By CharonPDX on 12/14/2010 1:58:23 PM , Rating: 2
I have three "base" passwords.

One ultra-simple for things like accounts at blog-type sites (like here) that I don't care if it gets released.

One secure (lower and upper case, numbers, symbols, no dictionary words or "l33t" facsimiles thereof,) for more important, but not financial uses. (Email, social media, etc.)

One secure for financial uses, with variation per use. So my password at one bank's website is not the same as for another's, even though they're based on the same 'core'.

I keep an encrypted text file that contains just the DIFFERENCES for my financial passwords. (AKA, the file doesn't contain the 'base', and isn't secured with that 'base', so that even if someone gets into the file, they still won't know my financial password.)

I change the three "base" passwords once every 2-3 years.

And, I use a completely different password for work use. I don't want even the remotest possibility of my work's IT department getting a password that could be used for any of my personal stuff.

So hackers have my gawker password. My gawker account was created with an email address that is my spam-magnet, and isn't personally-identifiable. That email address doesn't use my "simple" password, so they can't get into even that email account. Yes, my gawker account may have the same user name as some other sites (although it might not, I use a few different ones,) and the same password; but worst case they'll make posts as "me" (well, my handle, anyway,) on random tech sites. Ooooh. Big deal.




By FaceMaster on 12/19/2010 8:51:07 AM , Rating: 2
² symbol. 'nuff said.


Ironic
By Ammohunt on 12/14/2010 2:45:43 PM , Rating: 2
quote:
If you insult the wrong person in this environment, there's a good chance you will be attacked. If you and your employers were smart, such attacks may fail leaving hackers with only "undesirable" routes like distributed denial of service. But a lot of it comes down to just how much you anger certain individuals. The angrier some folks get, the more they'll fully leverage the ever growing toolkit of vulnerabilities.


How ironic this attitude was generated by groups directly or indirectly supporting wikileaks type of "Openness". If this is true it’s sad that companies with web presences need to live in fear of being attacked based on what they or an employee says on the internet about known anarchist miscreants.




By deeznuts on 12/15/2010 3:26:17 AM , Rating: 2
I just tried to login to my email and they made me change my password there, because they detected suspicious activity. The passwords I use for sites such as gizmodo are super simple though, and are different than my emails, which are different than my financial accounts.

So I'm good. But still, wow I'm pretty lax at security, it is only by accident I have the 3 layers of passwords (well, actually it's the banks that made me change my passwords as they are too simple).




People Magazine for Geeks?
By Spacecomber on 12/14/10, Rating: -1
Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki