Tuesday, December 21, 2010

Gnosis Grabs Gawker Goodies

Earlier this month, hackers accessed and later released about 500MB of data from Gawker's commenter database, along with the source code of the site itself. The database holds about 1.5 million usernames, e-mail addresses and passwords. The breach, and the subsequent cracking of more than 200,000 of those passwords, which had been hashed with the legacy DES-based crypt(3) scheme (it keeps only the first eight characters of a password and is fast enough to make offline guessing cheap), was carried out by a group known as Gnosis.[1]

A letter from Gnosis, the group claiming responsibility for the attack, stated:

We went after Gawker because of their outright arrogance. It took us a few hours to find a way to dump all their source code and a bit longer to find a way into their database.
We found an interesting quote in their Campfire logs:
Hamilton N.: Nick Denton Says Bring It On 4Chan, Right to My Home Address (After
The Jump)
Ryan T.: We Are Not Scared of 4chan Here at 210 Elizabeth St NY NY 10012
I mean if you say things like that, and attack sites like 4chan (which we are not affiliated with) you must at least have the means to back yourself up. We considered what action we would take, and decided that the Gawkmedia “empire” needs to be brought down a peg or two. Our group's mission? We don’t have one.
We will be releasing the full source code dump along with the database at 9PM GMT today. You are the only outlet we have told the release time.
We cannot provide any more information as to how the attack was carried out, because this could be used against us.
We have been cracking the database for about 17 hours and have managed to retrieve 273,789 passwords. If our release schedule wasn’t so tight we could get 500,000+. Included in the dump are passwords linked to accounts from Nasa, about every .gov domain you could imagine and hundreds from banks. One can only pray that they do not use the same password everywhere. The actual database size is 1,247,897 rows, which is 80+% of their database.
(Private data redacted)
We have had access to all of their emails for a long time as well as most of their infrastructure powering the site. Gawkmedia has possibly the worst security I have ever seen. It is scary how poor it is. Their servers run horribly outdated kernel versions, their site is filled with numerous pieces of exploitable code and their database is publicly accessible.
We will be releasing the full source code to their site as well as the full database dump later today or tomorrow, when we get enough press to stir up the release. We will also be releasing a text file describing Gawker's numerous security failings.

A follow-up email mentioned that...

On an interesting side note, there are 2650 users in the database using the password “password” or “qwerty”. Of these users, one is registered under a .gov email address, 3 are from .mil addresses and 52 are from .edu addresses.

While the method of the attack is outside the scope of this article, one thing is squarely in it: a very scary but realistic fact. The striking thing about this breach was the simplicity of the passwords that were recovered. At the top of the list was "123456", followed by "password"... <slaps forehead> ... and other SIMPLE, EASY TO GUESS passwords. Against a fast, legacy hash like DES crypt(3), a short list of common passwords is enough to recover hundreds of thousands of accounts in hours, which is exactly what the group reported. This brings the glaring light of information security down to bear on Gawker and its security policies. How can these be allowed?

It's sad to note that 75% of people reuse the same password across different accounts and/or services.[3]
What does this mean? If a site is compromised and someone gets your username and password, chances are that information will be used as an entry point into other attacks: the attacker simply replays the leaked e-mail and password pairs against other sites and keeps whatever logs in.

When conducting a penetration test, I am surprised at how many people use the same username or password on multiple systems. A password for an account with no access, obtained from one system, will often be the same password for an Administrator or root account on another. Things like that are good for the attacker or pen-tester, but bad for the system admin and the end user.

Is that password that you use to comment on widgets the same one that you use for Facebook?... Amazon?... your bank? Point taken? Good!
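To make the two points above concrete (how quickly simple passwords fall out of a leaked dump, and why a cracked pair at one site is an entry point into others), here is an added example; it is not Gawker's code or Gnosis's tooling. The dump, the wordlist and the second site's records are constructed for illustration, and the hash function is a stand-in that reproduces only the 8-character truncation of traditional DES crypt(3), not DES itself, so the script runs without the deprecated crypt module.

```python
"""Offline dictionary attack and reuse check over a leaked commenter dump.

Added example, not Gawker's code or Gnosis's tooling. The dump, the
wordlist and the second site's records are constructed here. Gawker
stored passwords with traditional DES-based crypt(3), which keeps only
the first 8 characters of the password; the stand-in hash below (salted
SHA-256 of the truncated password) reproduces that truncation so the
demo runs without the deprecated crypt module, but it is not DES crypt.
"""
import hashlib
from collections import Counter

TRUNCATE = 8  # DES crypt(3) silently discards everything after byte 8


def hash_pw(password: str, salt: str) -> str:
    """Stand-in for DES crypt: salted hash of the first 8 characters only."""
    digest = hashlib.sha256((salt + password[:TRUNCATE]).encode()).hexdigest()
    return f"{salt}${digest}"


# Constructed leak: (email, salt$hash). The real dump was ~1.2M rows.
_SEED = [
    ("alice@example.com", "password"),
    ("bob@nasa.gov", "123456"),
    ("carol@army.mil", "qwerty"),
    ("dave@state.edu", "password1234"),  # only "password" survives truncation
    ("erin@example.org", "Tr0ub4dor&3"),
    ("frank@bank.example", "letmein"),
]
DUMP = [(email, hash_pw(pw, salt)) for (email, pw), salt in zip(_SEED, "abcdef")]

# Constructed wordlist of the kind that recovered 273,789 accounts in 17 hours.
WORDLIST = ["123456", "password", "qwerty", "letmein", "monkey", "abc123"]


def crack(dump, wordlist):
    """Dictionary attack: hash every candidate under each user's salt.

    Returns {email: plaintext} for each stored hash that matched a candidate.
    """
    recovered = {}
    for email, stored in dump:
        salt = stored.split("$", 1)[0]
        for candidate in wordlist:
            if hash_pw(candidate, salt) == stored:
                recovered[email] = candidate
                break
    return recovered


def report(recovered):
    """Summarise a cracked set the way the Gnosis follow-up e-mail did."""
    ranked = Counter(recovered.values()).most_common()
    weak = [e for e, p in recovered.items() if p in ("password", "qwerty")]
    by_tld = Counter(e.rsplit(".", 1)[1] for e in weak)
    return {"cracked": len(recovered), "ranked": ranked, "weak_by_tld": dict(by_tld)}


# Constructed records from a second, unrelated site (same stand-in hash,
# different salts) to show why a leak at one site is an entry point to others.
OTHER_SITE = {
    "alice@example.com": hash_pw("c0rrect-horse-battery", "zq"),  # unique password
    "bob@nasa.gov": hash_pw("123456", "zr"),                      # reused
    "frank@bank.example": hash_pw("letmein", "zs"),               # reused
}


def reused_credentials(recovered, other_site):
    """Which recovered (email, password) pairs also open an account elsewhere?

    This is what an attacker tries next with a dump, and what a defender
    can run against a published dump to decide whose accounts to reset.
    """
    hits = []
    for email, plaintext in recovered.items():
        stored = other_site.get(email)
        if stored and hash_pw(plaintext, stored.split("$", 1)[0]) == stored:
            hits.append(email)
    return sorted(hits)


if __name__ == "__main__":
    got = crack(DUMP, WORDLIST)
    print(report(got))
    print("reused on other site:", reused_credentials(got, OTHER_SITE))
```

Two things to notice when you run it: "password1234" is recovered as "password" because nothing past the eighth character ever reached the hash, and the reuse check flags the accounts whose owners used the same password elsewhere without needing any access to the second site beyond its own hash store.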

OK, OK, so what to do?

  • First, use a different password on EVERY site. In practice that means a password manager, since nobody remembers hundreds of unique passwords; the payoff is that one site's leak then opens only that site.
  • Use at least an 8-character password, with upper- and lower-case letters as well as numbers and special characters like "!", "@", "#" and "$". Longer is better, but note that on a legacy hash like the DES crypt(3) Gawker used, anything past the eighth character is simply discarded, so length alone cannot save a weak prefix.
  • Don't use passwords built from facts about you, like your birthdate, car model, anniversary, your son's dog's name, etc. Anything found in a dictionary or on a list of previously leaked passwords will be recovered within hours, as this breach showed.

[3] http://www.securityweek.com/study-reveals-75-percent-individuals-use-same-password-social-networking-and-email