Internal Memo Outlines Gawker’s Security Plan
After a hack of systems belonging to online publishing giant Gawker Media that yielded more than one million passwords, the online media company's chief technology officer has announced new defense strategies aimed at placating their users and preventing further humiliating data breaches.
Gawker Media CTO Thomas Plunkett issued a company-wide memo on Friday that lays out the new security measures and suggests the company overlooked security concerns in the rush to develop new features. A copy of the memo was posted on the website of the Poynter Institute on Friday, Plunkett confirmed.
In the memo, Plunkett provides more detail on the massive breach and lays out the new security measures they are implementing as a result of it. He explains that hackers were able to exploit a vulnerability in their source code which then allowed them to gain access to user data and passwords.
Plunkett blames the security blunder on several causes: his team paying too much attention to new projects while neglecting to address flaws in, and ensure the security of, earlier ones; the massive growth and inherently contentious nature of Gawker Media's material; a lack of foresight about the inevitability of such an attack; and a lack of preparation for responding to it. In a Threatpost.com op-ed last week, Jeremiah Grossman noted that planning for incident response was one of the most important lessons from the Gawker breach.
Gawker Media is now working with an independent security firm to review what happened. The company says it has established a 'fairly accurate' timeline of the intrusion and has regained control of and reconfigured compromised Gawker assets, such as its Google Apps account.
In his memo, Plunkett maintains that the company has addressed all known vulnerabilities and continues to audit its systems in search of more. It has also established a help desk to address commenter concerns regarding the breach.
Other steps taken by Gawker Media include enabling SSL for internal communications and two-factor authentication for access to external services, such as Google Documents. The company, which has been on the cutting edge of online media, is also looking at ways for users to sever the connection between Gawker accounts and personal e-mail accounts, possibly by allowing users to create disposable accounts that are accessed with a unique key value.
Comments
People need to understand that this company failed to take any reasonable steps to avoid brute force attack on their password database. It has become common practice to keep up with strong one-way hash algorithms and to salt the password. Gawker Media showed a great disrespect of their users by failing to do both.
What is worse is that Gawker Media still to this day requires new users to trust them with storing their password instead of using indirect authentication methods such as OpenID. If Gawker Media had been using OpenID for the majority of user logins then the break-in would have been a non-story.
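As an added illustration of the salted, iterated one-way hashing the comment above recommends (example code written for this page, not Gawker's code or the commenter's), here is a minimal Python implementation using only the standard library. The record format, the iteration count and the function names are my own assumptions, not any vendor's scheme.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example (not anyone's production settings).
ITERATIONS = 200_000   # work factor: slows every guess an attacker makes, cheap per login
SALT_BYTES = 16        # 128-bit random salt, unique per user


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # per-user salt: equal passwords give different records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and iterations; compare in constant time."""
    try:
        algo, iter_str, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        iterations = int(iter_str)
        stored = bytes.fromhex(digest_hex)
    except ValueError:          # malformed record: treat as a failed login, never as a match
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, stored)


def needs_rehash(record: str, min_iterations: int = ITERATIONS) -> bool:
    """True if a stored record is below current policy, so it should be upgraded at next login."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != "pbkdf2_sha256" or int(parts[1]) < min_iterations


if __name__ == "__main__":
    # Constructed sample: two users who happen to pick the same password.
    alice = hash_password("correct horse battery staple")
    bob = hash_password("correct horse battery staple")
    print(alice != bob)                                            # True: salts differ
    print(verify_password("correct horse battery staple", alice))  # True
    print(verify_password("wrong password", alice))                # False
```

Because the salt and iteration count are stored in the record, the work factor can be raised later and old records upgraded transparently when a user next logs in.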