The Gawker Hack and Web Security: The Gnosis Hackers Respond
This past weekend, Gawker Media was dealt a damaging blow when a group that calls itself Gnosis successfully hacked into Gawker’s servers and thereafter released a torrent which contained Gawker’s source code and a database containing 1.3 million Gawker commenters’ usernames, e-mail addresses, and passwords, about a fifth of which Gnosis decrypted. Considering that many people use the same password for multiple web services, this is bad news; this morning, Twitter said that a wave of acai-related spam had been traced to accounts with emails hit by the Gawker leak. Gnosis also gained access to Gawker’s content management system, publishing a taunting post with a link to the torrent on Pirate Bay. (Both the Gawker post and that particular Pirate Bay torrent have since been removed, although the data is out there now.)
In the wake of the attack, Gawker has promised to “[bring] in an independent security firm to improve security across our entire infrastructure. Additionally, we will continue to work with independent auditors to ensure we maintain a reliable level of security, as well as the processes necessary to ensure we maintain a safe environment for our commenters.” However, the attack has alarmed many of its readers, and should be alarming to most people who have transmitted their personal information over the Web. Perhaps even more alarming than the user database hack is the source code leak: Gawker is built on a proprietary, closed-source framework, which its proprietor Nick Denton says ‘underpins his entire empire to this day.’ Blogger Felix Salmon writes that Gawker Media is in the process of trying to transform into a technology company; this is a hard thing to do when your source code is thoroughly compromised.
Geekosystem got in touch with members of Gnosis and discussed what the attacks meant for Gawker Media, web publishers, and everyone who shares unsecured information on the Internet:
Geekosystem: I’m sure you all have been following today’s media coverage of the hack. What do you think was most misreported or underreported? What haven’t people been talking about enough with respect to the attacks that you think they should be talking about?
Gnosis: That answer is easy. The source code. I just read a post on Fox News that dealt entirely with the release of the database. While this is understandable because your average joe reader might not understand the full implications that comes with releasing a sites source code I feel that it could be targeted a bit more. I expect though that the initial frenzy is to do with the database and that will slowly fade into people researching the source (Or rather I hope that this will happen).
Just to spell it out releasing a sites source code is one of the worst things that could happen – the source that runs the site is now public and this means anyone can view how it works, meaning exploits can be found for the code. What is worse is that with a large code base the site owners cannot simply refactor and change large portions of it, they are stuck and often have no choice but to continue running the public code base until a newer, private version is created which can take a long time. They also have to consider that most of their code, which they worked hard on, is effectively dust-binned. Unless they take the open source route, of course.
As with any story things spin out of control and people add their own opinions to the mix. The only sites that we released information to were Mediaite and TNW, which means that everything else is pure speculation and/or opinion. People are talking about security, which is good, and I think it has brought to light the security issues that face both users and sites, and I hope that Gawker and other sites can learn from the mistakes that led to this.
Editor’s note: At roughly the same time as our interview, Gnosis apparently gave an interview to The Next Web containing some additional information, including the number of people in the group (“13 members, with three ‘others'”), the relation between Gnosis’ recent action and Gawker’s spat with 4chan over the summer (none, they say), and why they released user data rather than just sitting on it (“Release is the safest path, as it allows lessons to be learned.”) It’s worth the read.
Geekosystem: You previously mentioned that Gawker used DES [Data Encryption Standard, an outdated hashing algorithm in which only the first eight characters of a password are necessary for login]. What other mistakes do you think that they made that made your attack easier? Nick Denton said today that Gawker Media will be hiring an outside firm to evaluate their properties’ web security; if they hired Gnosis, what would you tell them to change?
Gnosis: They made several mistakes which contributed to their compromise – leaving passwords literally lying around, using the same password for multiple accounts and services (A lot were weed related, perhaps they had been smoking a bit too much and forgot some basic security principles? (GANJA framework anyone?!)). Unfortunately, I am afraid that until Gawker Media *do* hire us we cannot report fully on any of our findings. Sorry Nick!
Geekosystem: […]Would you care to comment on [Felix Salmon’s above-mentioned observation that Gawker may be trying to become a technology company], both in light of the attacks and as a group that knows Gawker’s framework very well now?
Gnosis: Gawker wrote their own framework and a lot of their site is powered by their own code. I personally *hate* PHP with a vengeance, and if I am perfectly honest I could not face myself to study the reams and reams of source code. We did get a good look and feel for the sites internal structure, and it looked sturdy.
Geekosystem: One of the lessons a lot of people seem to have taken from the attacks is that third-party comment systems [Facebook Connect, DISQUS, etc.] are the way to go from a security vantage. Would you agree or disagree?
Geekosystem: Can you clarify your relationship with 4chan/Anonymous?
Gnosis: No relationship. Some of our members visit the site, but there are no ties or any form of relationship.
(They said more on this in their most recent interview with TNW: “As for 4chan, we are not directly connected, no. But 4chan’s influence on the net is large and several of our members visit the site. We don’t directly agree with some of 4chans tactics, or rather “anon’s” tactics. We believe that ddosing sites won’t help their cause and will only generate negative press and I personally see in the media a lot of acts being simply put under the umbrella of “4chan” or “anonymous”. We would have not wanted this to be lumped with such acts as DDOS’ing Amazon or Mastercard.”)
Geekosystem: At the end of your readme.txt [the text file which accompanied the torrented leaked data], you wrote, “We’ve not done yet, we have other targets in our sights.” What do you mean by this?
Gnosis: Only time will tell.