Week in Security: Gawker’s Big Secret and Rewriting Severity Ratings

The hack of blog news network Gawker dominated the headlines this week, leaving behind a trail of spammy Tweets and stolen passwords across the Internet. But Gawker was just one of a handful of data breaches in a week that saw the continuation of the Wikileaks saga and a massive patch release from Microsoft. To get the full rundown, read on for the week in security.

Week in securityThe hack of blog news network Gawker dominated the headlines this week, leaving behind a trail of spammy Tweets and stolen passwords across the Internet.

But Gawker was just one of a handful of data breaches in a week that saw the continuation of the Wikileaks saga and a massive patch release from Microsoft. To get the full rundown, read on for the week in security.

News of Gawker’s breach came late Sunday after the site’s source code had been posted online and the new outlet discovered that millions of their users’ passwords had been compromised. Users of sites like Valleywag, Lifehacker and Deadspin, which all fall under the Gawker umbrella, were encouraged on Monday to determine if their information was taken and change their passwords, especially those used across different online accounts. Prominent Web sites, including LinkedIn and Twitter, combed the list for their account holders, then prompted them to change passwords.

On Threatpost, Jeremiah Grossman recommended users ‘compartmentalize risk’ on Wednesday by discouraging using the same password across online accounts and instead look into password managers. Grossman had a list of lessons to learn from Gawker’s attack, including keeping hacker taunts to a minimum and exercising a better line of defense and incident response when it comes to security.

In the ongoing saga of whistleblower Web site Wikileaks, the denial of service in defense of Wikileaks and its founder, Julian Assange, calmed somewhat, even as Assange made court appearances in London. And, though its name would suggest otherwise, catching members of the ‘Anonymous’ hacktivist group, which claimed responsibility for DDoS attacks against Visa and Mastercard, was easier than expected. Researchers from the University of Twente in the Netherlands found the tool they used, Low Orbit Ion Cannon (LOIC) didn’t hide the IP addresses of those running it. Meanwhile, Wikileaks figurehead, Julian Assange, was granted bail on Tuesday but didn’t walk free until Thursday, left in limbo while waiting in detention for an appeal by the prosecution.

As we found ourselves in the second full week of the December, it was time again for Microsoft’s monthly Patch Tuesday blowout. This week’s version carried more than 40 vulnerabilities for Windows, including fixes for Internet Explorer and Sharepoint. Also among the updates: A patch (MS10-092) which fixed a problem in Windows Task Scheduler, closing the last hole used by everybody’s favorite industrialized worm, Stuxnet.

17 of the month’s vulnerabilities were rated critical while 14 were rated important. With Microsoft’s ratings system closing in on its 10th birthday, it seemed like the perfect time to pose a relevant question: What exactly do they mean?

Paul Roberts took an in depth look at the ratings, provoking a perhaps more pointed question: Do they still work? The piece asked vulnerability researchers like Charlie Miller of Independent Security Evaluators, Cesar Cerrudo of Argeniss Information Security and Software and Microsoft’s Jerry Bryan about the ratings.

There was news of more prominent data breaches. McDonalds’ third party e-mail marketing firm was to blame for their leak that saw thousands of customers’ contact information pilfered from a database. The case appears to be one of a string of similar attacks that may have stemmed from targeted attacks on a number of prominent email marketing firms.

While only those who subscribe to the fast food giant’s e-mail list are expected to be at risk, those at Ohio State University may not be as lucky.

A whopping 760,000 people may’ve had their data exposed thanks to a server that was illegally accessed by a third party, the college announced on Thursday. Past and present students, faculty, staff, and even student applicants may’ve had their names, addresses, birthdates and social security numbers stolen.

Hewlett Packard reported a security issue this week after they found some of their storage area networking equipment had a backdoor. HP’s officials claimed they were preparing a fix for the product affected, HP StorageWorks P2000. Conversely, despite public allegations, OpenBSD did not have a backdoor in their operating system this week. The company behind the OS spent the week clearing the air, putting to rest rumors that developers with the FBI planted a vulnerability.

Walking on the sunny side of the street for a bit: we reported on what appears to be a substantial bust in Romania, involving the arrest of 42 individuals for involvement in what is alleged to have been a $13m hacking operation that targeted vulnerable voice over IP (VoIP) servers. We also learned of a new effort by Web hosting firm GoDaddy and search giant Google to battle the scourge of bogus online pharmacies and protect consumers from fake drug pitches.

What’d you find interesting this week? Readers flocked to Jeremiah’s piece on learning the lessons of Gawker, as they did to a guest piece on Monday, in which Des Wilson of BreakingPoint Systems tackled cybersecurity offered suggestions for enterprises to better protect their networks from attackers.

Suggested articles

Discussion

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.