Gawker Hacking Stirs Password Panic at LinkedIn, Yahoo and Others
Things were bad enough for Gawker when CEO Nick Denton taunted hackers and got what he asked for: a massive cyber attack. He just didn't think it would succeed. Instead, hackers netted hundreds of thousands of user passwords and decoded 188,279 of them. And even that was minor compared to the release of Gawker's source code.
And the bad fortune spreads. Many other sites -- including LinkedIn, Yahoo (YHOO), and Blizzard Entertainment, which runs the popular World of Warcraft online role-playing game -- realized that they had to ask many users to reset passwords, because those users had used the same passwords, which were now out in the open. This is more than an isolated incident; it shows a growing dynamic that all corporations have to consider as part of their security measures.
That might seem silly. Although computers can exchange data and messages over the Internet, they don't share internal resources. And yet, they do, if you look beyond the physical basics. Many companies use variations on the same hardware and software, so a discovered exploit that can affect one business will likely affect others. This is why Internet worms and other mass attacks spread so quickly and easily. The similarity of systems, combined with the inattention of companies to applying security updates, turns the Internet into a Henry Ford assembly line of mischief.
And you shouldn't underestimate how dangerous inattention to practical security matters can be. Even as late as yesterday, Gawker still had a major security hole in an open source package, Minify, that Gnosis, the hacker group that pried open the site in the first place, said it had known about for a month:
Gawker Media's problem: the version of Minify that they use is apparently three years old, and the company has not updated to a new, more secure version. This hole was even publicly disseminated on August 31 via the popular hacker emailing list Full Disclosure, which noted that while Minify could not by itself grant access, it provided other paths to Gawker's entire server.
It's nothing but sloppiness. And that gets us to an even deeper connection among companies: users. Consumers do business with many corporations, and many of them are even sloppier than the companies themselves. Look at the passwords that people used, as analyzed by the Wall Street Journal:
According to a survey last year by security company Sophos, a third of people use the same password for everything online. Almost half use a few different passwords, which still means that the chance of getting into other accounts is high.
And passwords are just the beginning. Get into other accounts, and you start to reap the personal data that lets an attacker social-engineer password recovery at other sites (Yes, we do have your mother's maiden name, thanks.) and commit identity theft. When something goes wrong, you know that the person will blame you for the problem. Suddenly, their laxity becomes your issue to fix.
Corporate security has to look beyond the walls of the company and realize how easily people can leave a back door open into your systems. Maybe you pay more attention to the problems other sites have, in case things spread. Or maybe you do as relatively few companies do: require people to have a complex password. It's a different view than even most experts have been trained to consider. But if it takes a village to raise a child, in the words of Secretary of State Hillary Clinton, it only takes a few individuals to raze security across much of the Internet.
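The two defensive measures this article points at, proactively resetting the accounts of users whose password matches one leaked from another site (what LinkedIn, Yahoo and Blizzard did) and requiring a complex password on signup, are shown together in the following added example. It is not code from the article, from Gawker or from any company named here, and the article says nothing about how Gawker stored passwords; the example assumes the site stores salted PBKDF2 hashes, and the user records and breach rows are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, List, Optional, Set, Tuple

# Iteration count is kept low so the example runs in a moment; a production
# deployment should use a far higher count or a memory-hard KDF.
PBKDF2_ITERATIONS = 50_000
MIN_LENGTH = 12      # policy: minimum password length
MIN_CLASSES = 3      # policy: at least 3 of the 4 character classes below


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for a password using salted PBKDF2-HMAC-SHA256."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive the hash for a candidate password and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def make_user_db(plaintext_records: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Build a user table keyed by normalized email; only salt and hash are stored."""
    return {email.strip().lower(): hash_password(pw) for email, pw in plaintext_records.items()}


def users_to_reset(user_db: Dict[str, Tuple[bytes, bytes]],
                   breach_rows: List[Tuple[str, str]]) -> List[str]:
    """Return our users whose current password equals the one leaked for the same email.

    Only those accounts need a forced reset; a user who used a different password
    on the breached site is not exposed by this dump.
    """
    hits = set()
    for email, leaked_pw in breach_rows:
        key = email.strip().lower()
        record = user_db.get(key)
        if record is None:          # not one of our users
            continue
        salt, digest = record
        if verify_password(leaked_pw, salt, digest):
            hits.add(key)
    return sorted(hits)


CLASS_PATTERNS = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def password_policy_violations(password: str, breached_passwords: Set[str]) -> List[str]:
    """Return the policy rules a candidate password breaks; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"too short ({len(password)} < {MIN_LENGTH})")
    classes = sum(1 for pattern in CLASS_PATTERNS.values() if pattern.search(password))
    if classes < MIN_CLASSES:
        problems.append(f"needs at least {MIN_CLASSES} of 4 character classes (has {classes})")
    if password in breached_passwords:
        problems.append("appears in a known breach dump")
    return problems


# Constructed sample data (invented for this example).
# Plaintext is shown only so the table can be built; the site itself stores hashes.
USER_DB = make_user_db({
    "alice@example.com": "correct horse battery staple",
    "bob@example.com": "summer2010",      # Bob reused this password on the breached site
    "carol@example.com": "Tr0ub4dor&3",
})

# Constructed rows from a third-party breach dump: (email, leaked plaintext password).
BREACH_DUMP = [
    ("bob@example.com", "summer2010"),    # same password here -> must reset
    ("carol@example.com", "letmein"),     # Carol used a different password here -> no reset
    ("dave@example.com", "password1"),    # not one of our users
    ("ALICE@example.com", "hunter2"),     # email case differs; Alice's password differs
]
BREACHED_PASSWORDS = {pw for _, pw in BREACH_DUMP}


if __name__ == "__main__":
    print("force reset for:", users_to_reset(USER_DB, BREACH_DUMP))
    for candidate in ("summer2010", "C0rrect-Horse-Battery"):
        print(candidate, "->", password_policy_violations(candidate, BREACHED_PASSWORDS) or "accepted")
```

Matching is done by verifying the leaked plaintext against each affected user's stored hash, so the site never needs to keep plaintext or a reversible form of its own passwords, and emails are normalized before lookup so a case difference in the dump does not hide a reused credential. Rejecting any candidate that appears in a known dump goes a step beyond the article's "complex password" advice, and is worth adding because a complex password that is already public offers no protection.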
Related:
- What Business Needs to Learn From the Gawker and WikiLeak Attacks
- WikiLeaks Cyberwar! Business Is a Target -- and Also Collateral Damage
- WikiLeaks Hackers Abandon Cyberattacks, Turn to Straightforward Exposure