Internal Memo Outlines Gawker’s Security Plan

After a hack of systems belonging to online publishing giant Gawker Media that yielded more than one million passwords, the online media company’s chief technology officer has announced new defense strategies aimed at placating their users and preventing further humiliating data breaches.

Gawker Media CTO Thomas Plunkett issued a company-wide memo on Friday that lays out the new security measures and suggests the company overlooked security concerns in the rush to develop new features. A copy of the memo was posted on the website of the Poynter Institute on Friday, Plunkett confirmed.

In the memo, Plunkett provides more detail on the massive breach and lays out the new security measures the company is implementing as a result. He explains that hackers were able to exploit a vulnerability in Gawker’s source code, which then allowed them to gain access to user data and passwords.

Plunkett blames the security blunder on several factors: his team paying too much attention to new projects while neglecting to address flaws in, and ensure the security of, previous ones; the massive growth and inherently contentious nature of Gawker Media’s content; a lack of foresight about the inevitability of such an attack; and a lack of preparation for responding to it. In a Threatpost.com op-ed last week, Jeremiah Grossman noted that planning for incident response was one of the most important lessons from the Gawker breach.

Gawker Media is now working with an independent security firm to review what happened. The company says it has established a ‘fairly accurate’ timeline of the intrusion and has regained control of, and reconfigured, compromised Gawker assets such as its Google Apps account.

In his memo, Plunkett maintains that the company has addressed all known vulnerabilities and continues to audit its systems in search of more. The company has also established a help desk to address commenter concerns regarding the breach.

Other steps taken by Gawker Media include enabling SSL for internal communications and two-factor authentication for access to external services such as Google Documents. The company, which has been on the cutting edge of online media, is also looking at ways for users to sever the connection between Gawker accounts and personal e-mail accounts, possibly by allowing users to create disposable accounts that are accessed with a unique key value.

Discussion

  • Ben on

    People need to understand that this company failed to take any reasonable steps to avoid brute force attack on their password database. It has become common practice to keep up with strong one-way hash algorithms and to salt the password. Gawker Media showed a great disrespect of their users by failing to do both.

    What is worse is that Gawker Media still to this day requires new users to trust them with the storing of their password instead of using indirect authentication methods such as OpenID. If Gawker Media had been using OpenID for the majority of user logins then the break-in would have been a non-story.
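The comment above contrasts a fast, unsalted one-way hash with a salted, slow scheme. The following is an added illustration written for this article, not code from Gawker Media or from the commenter; it uses Python's standard-library PBKDF2 (hashlib.pbkdf2_hmac), an iteration count and salt length chosen for the example, and a constructed list of sample users. It shows why unsalted digests let one password guess, or one precomputed table, be checked against every user at once, while per-user salts and an expensive derivation function remove that shortcut:

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Parameters assumed for this example (not values from the article).
PBKDF2_ITERATIONS = 200_000   # work factor: makes each guess expensive
SALT_BYTES = 16               # per-user random salt length


def unsalted_digest(password: str) -> str:
    """The weak scheme the comment objects to: one fast, unsalted hash.
    Two users with the same password get the same digest, and a single
    precomputed table of digests applies to every account in the store."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Derive a salted, slow hash and pack it with its parameters as
    'pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>' so that the
    work factor can be raised later without breaking old records."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the derivation with the stored salt and iteration count and
    compare in constant time, so timing does not leak how many bytes matched."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


def shared_digest_groups(store: Dict[str, str]) -> List[List[str]]:
    """Group usernames whose stored values are byte-for-byte identical.
    In an unsalted store this exposes every user sharing a password; in a
    salted store the groups are all singletons and the function returns []."""
    by_value: Dict[str, List[str]] = {}
    for user, value in store.items():
        by_value.setdefault(value, []).append(user)
    return [users for users in by_value.values() if len(users) > 1]


# Constructed sample users; "hunter2" is reused to show the difference.
SAMPLE_USERS = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse"}


def build_unsalted_store() -> Dict[str, str]:
    return {u: unsalted_digest(p) for u, p in SAMPLE_USERS.items()}


def build_salted_store() -> Dict[str, str]:
    return {u: make_record(p) for u, p in SAMPLE_USERS.items()}


if __name__ == "__main__":
    print("unsalted duplicates:", shared_digest_groups(build_unsalted_store()))
    salted = build_salted_store()
    print("salted duplicates:  ", shared_digest_groups(salted))
    print("alice login ok:", verify("hunter2", salted["alice"]))
    print("alice wrong pw:", verify("hunter3", salted["alice"]))
```

Note that the work factor is stored inside each record: when hardware gets faster, new records can be written with a higher iteration count and existing users re-hashed at their next successful login, without a flag day.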
