An e-mail from the Gawker CTO (Tom Plunkett) has been posted online and it outlines the security improvements that Gawker are planning to implement after the recent massive breach of user passwords from their database.
As we mentioned recently, the U.S. Federal Bureau of Investigation is looking into the Gawker breach, which just goes to show how serious this case is.
The improvements are pretty standard security practice, but it just shows in these days of rapid development and the focus being on features rather than security – bad things can happen.
Gawker Media’s CTO has outlined a series of security changes designed to shore up the company’s IT operations following an attack last week that compromised up to 1.4 million accounts.
The company was unprepared to respond to an attack in which user data and passwords were posted to peer-to-peer file-sharing networks, wrote Tom Plunkett in an e-mail memo to Gawker staff on Friday. The e-mail was reposted on Jim Romenesko’s blog on the Poynter journalism site. A group called Gnosis claimed responsibility for the hack, which exploited a flaw in the source code of Gawker’s Web servers.
“Our development efforts have been focused on new product while committing relatively little time to reviewing past work,” Plunkett wrote. “This is often a fatal mistake in software development and was central to this vulnerability.”
As a result, Gawker has done a security audit of the sites affected, which include Lifehacker, Gizmodo, Gawker, Jezebel, io9, Jalopnik, Kotaku, Deadspin and Fleshbot.
Gawker is now mandating the use of SSL (Secure Sockets Layer) encryption for employees with company accounts using Google Apps. Also, if those employees have access to sensitive legal, financial or account data, two-factor authentication must be used, Plunkett wrote.
Most of the things would have been picked up if they had ever done any kind of internal ISMS audit (based perhaps on something like ISO27001) – which bans all chat applications except for Skype as that encrypts the chats.
Using things like SSL are pretty obvious and should be forced on all login pages on all web applications – with FireSheep bring that issues to the forefront recently.
I’d say the most sensible move would be considering moving away from the local database model and using something like OAuth – that would make sense.
Gawker also will not allow employees to discuss sensitive information on chat applications, including AOL’s Instant Messenger and Campfire.
For users of its websites, Plunkett wrote that Gawker wants to move away from storing information such as e-mail and passwords and use systems such as OAuth.
OAuth is an authentication protocol that allows people to use the same login information for multiple services and share data through an API (application programming interfaces). OAuth provides a token that grants access to different applications, which do not see users’ original login credentials. It is being used now by Google, Twitter and Facebook, among other services.
Gawker will also allow people to create a “disposable” account with its sites in order to leave comments. Gawker will not store e-mail addresses or passwords for those accounts. The accounts can be used as long as the person remembers a key code, Plunkett wrote.
Since the breach, Gawker has been in the process of notifying those who are affected and reminding them to change their passwords, especially if they used the same password for other Web services. Twitter saw a raft of spam soon after the Gawker breach, which illustrated that some people used the same password on both services.
It’s good to see Gawker taking some pro-active measures rather than the normal arrogance we are used to. I think the disposable token based account is a good idea too as often I want to leave a comment on some site or another but the sign-up process, e-mail validation and so on puts me off.
I hope Gawker has gotten around to notifying everyone who had an account that was compromised as sadly many people use the same password and username/e-mail combo for all their online site accounts.
Source: Network World