I’ve learned a couple of important lessons in my time as an Internet citizen. First, don’t taunt the Internet Hate Machine known more colloquially as “Anonymous”. Secondly, keep your passwords secure and complex and don’t use them for every website. Should you do #1 and neglect #2, be certain that #1 will bite you in the ass, as the people at Gawker Media learned this past week.
A group known as Gnosis posted a 500MB torrent containing various data pulled from a variety of Gawker Media websites. They claimed the hack was due to Gawker’s hubris and their mocking of previous hacks. There is also evidence to support the idea that some at Gawker may have taken a stance against the actions of Anonymous in their crusade against those involved in the Wikileaks debacle in early December. While the file contains things like chat logs and FTP server details for various sites that probably don’t want them published, there was a singular gem amongst the chaff. The most critical piece of this file is the dump of the Gawker MySQL database. Gnosis was able to access the database and pull the table containing the list of user IDs and passwords. According to the README.TXT contained in the torrent (and reposted across several websites), they decided to stop dumping the database after about 1.3 million users. Gnosis then turned to John the Ripper to crack the passwords, which were stored in the table in DES-encrypted format. The good news is that Gawker decided to store the passwords in a non-plaintext format. The bad news? DES is limited to using 8-character keys for encryption (check this out for more information). That means that only the first eight characters of each password were encrypted and stored. So, if you were diligent and created a super hard password like “passwordc4n7b3|-|4ck3d”, it would only store “password” in encrypted format. So, armed with a password database, a sophisticated cracking tool, and a weak encryption algorithm, Gnosis set out to see what they could see.
What did they find? Well, for one, people violated my second rule by making some pretty easy-to-guess passwords. Like “password”. No kidding. It was the second most popular password out of the bunch, with about 2,100 people out of the 300,000 released hashes using it. What was more popular than that one? How about “123456”? More than 3,000 people used that one. And the third most popular one was “12345678”. For a full list of the most popular passwords, check out the Wall Street Journal Blog.
Guess what? Those passwords SUCK! Yes, they are easy to remember. Yes, it’s slightly more secure than not having a password. Guess what? They’re also quite easy to guess. Thanks to rainbow tables, it’s not hard to find the DES hash for “password”. In fact, just so you know, it’s “uDGdyZA2EBdWk”. Just search for that string in the database and you’ll know tons of accounts with unsecured passwords. Because I know that everyone reading this knows how to make a secure password, I won’t patronize you with password policy. But, just in case my mom ever decides to read this, a proper password includes ALL of these things:
- At least EIGHT characters (the more, the better)
- A number
- A capital letter
- A symbol
- Non-obvious (see above for a list of some obvious stuff)
If your password doesn’t meet those guidelines, it’s probably not that secure. The longer and more complex the password, the more likely it is to stand up to a dictionary attack or brute force attempt. However, even if you have a nice, complicated password, reusing it all over the place can still get you in trouble, as the Gawker people found out on Monday.
Once the Gnosis people got finished having their way with the Gawker MySQL database, they took their hack to the next level. They thought to themselves, “I wonder if these people use the same password everywhere?” So, armed with a list of e-mail addresses, usernames and passwords, they started checking around. Getting into GMail and Yahoo mail accounts. Logging into Twitter and Facebook. Causing general chaos. Like Twitter accounts randomly tweeting about acai berry products. The first thought was a new URL-exploiting worm. Then came the realization that a lot of the people singing the praises of the lowly acai berry were victims of a hijack attack from people that had downloaded the torrent from the Gnosis hack. Because these users had used the same password across multiple accounts, a security breach in one had exposed all of them.
In my opinion, Gawker’s response to the hack wasn’t quite as effective as it could have been. They posted banners on all their websites advising users to change their passwords. Except they had taken down the database for some time to patch the holes in it. Which left their password reset mechanism offline. What should have happened was an immediate, blanket password reset of EVERY account in the Gawker database. Gawker already had their e-mail addresses, which would be used to mail the password after a manual reset. It should be a simple matter to reset the password automatically and send off the new temporary password to the account in the database. Instead, the users were forced to take the steps themselves or risk further exposure. A little forethought and perhaps some heavy-handed security admin 101 might have gone a long way to restoring user faith in Gawker.
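The blanket reset described above, as an added example that is not Gawker’s code or anything from the original post: every account’s password is invalidated at once, the temporary credential that gets mailed out is stored only as a salted hash with an expiry, and the replacement password must satisfy the list given earlier (including rejecting the three most popular passwords from the dump). The account dict layout, the PBKDF2 stand-in for the site’s real hash, and the `COMMON` set are assumptions.

```python
import hashlib, os, secrets, time

COMMON = {"password", "123456", "12345678"}  # the top three from the post

def _hash(secret, salt):
    # PBKDF2 stands in for the site's real hash; only salted digests are stored
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

def make_account(email, password):
    salt = os.urandom(16)
    return {"email": email, "pw_hash": (salt, _hash(password, salt)),
            "must_change": False, "temp_hash": None}

def meets_policy(pw):
    """Policy from the post: 8+ chars, a digit, a capital, a symbol, not obvious."""
    return (len(pw) >= 8 and any(c.isdigit() for c in pw)
            and any(c.isupper() for c in pw)
            and any(not c.isalnum() for c in pw)
            and pw.lower() not in COMMON)

def blanket_reset(accounts, ttl=3600):
    """Invalidate every password; return {email: temp} for the mailer (hashes kept)."""
    outbox = {}
    for acct in accounts.values():
        temp, salt = secrets.token_urlsafe(16), os.urandom(16)
        acct.update(pw_hash=None, must_change=True, temp_salt=salt,
                    temp_hash=_hash(temp, salt), temp_expires=time.time() + ttl)
        outbox[acct["email"]] = temp
    return outbox

def complete_reset(acct, temp, new_pw, now=None):
    """Exchange an unexpired temp credential for a new policy-compliant password."""
    now = time.time() if now is None else now
    if acct["temp_hash"] is None or now > acct["temp_expires"]:
        return False
    if not secrets.compare_digest(_hash(temp, acct["temp_salt"]), acct["temp_hash"]):
        return False
    if not meets_policy(new_pw):
        return False
    salt = os.urandom(16)
    acct.update(pw_hash=(salt, _hash(new_pw, salt)), must_change=False,
                temp_hash=None, temp_salt=None, temp_expires=0)
    return True

def verify_login(acct, pw):
    # Normal login is refused while a forced reset is still pending
    if acct["must_change"] or acct["pw_hash"] is None:
        return False
    salt, digest = acct["pw_hash"]
    return secrets.compare_digest(_hash(pw, salt), digest)
```

The temp credential is single-use and expires, so a leaked outbox is worth far less than a leaked password table.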
What we have here is a case of the perfect storm of an older system riddled with insecure passwords that was compromised by a determined foe and then exploited far beyond what anyone except the most pessimistic security expert could have imagined. Hacks of this magnitude are becoming more and more common, and as we spend more and more time online the information exposure becomes worse each time. It is quickly reaching the point where it will be necessary to start compartmentalizing our lives in order to keep ourselves secure. Many people I know have instituted something like this already. Sites like Facebook and LinkedIn get one type of password. E-mail and banking sites get a totally different password that is more secure. For IT professionals, keeping track of multiple passwords isn’t that difficult, especially with password management tools such as 1Password to help us keep our lives straight. But, to be fair, IT professionals aren’t the true targets of these kinds of hacks.
IT professionals and technology-savvy people are hard targets. We rotate passwords. We make secure logins. We’re always conscious of what information is being stored and shared. We make lousy hack targets. But, people like my mom that use the Internet for Facebook and e-mail and shopping are prime targets. They make accounts on websites like the ones run by Gawker to make a comment on a story. They use the same password that they use for their Yahoo Mail account and Facebook. And when something like this comes along and upsets everyone’s apple cart, those people are the ones that suffer. They aren’t walled off and sure of what information may have leaked. And they aren’t sure of what passwords to change or when to do it. And so they might find themselves on the news talking about getting hacked and all the doom and dismay that it has caused. And who knows? Maybe someone will autotune my mom into an Internet meme. Let’s hope not. Because if there’s anything worse in this world than password database leaks or FBI backdoors into IPSec, it’s listening to my mom sing, autotuned or not.