A recap of the past week in IT security news features Microsoft patches, a hack of Gawker Media and allegations against the FBI.
It was a busy week in IT security, starting with news that Gawker Media had been compromised.
The hack on Gawker Media's servers exposed
addresses and passwords belonging to users of Gawker Media Websites,
including Lifehacker, Gizmodo, Deadspin, and obviously Gawker.com
itself. The incident highlighted issues of password security, as many
people who used the same password for both their and Twitter
Gawker accounts fell victim to a spam attack on Twitter.
According to an analysis by Duo Security, many of the passwords
being used were simplistic; the most common passwords were "123456" and
"(The) No. 1 best practice is never use a word that can be found in
the dictionary," Richard Stiennon, chief research analyst at
IT-Harvest, told eWEEK. "A simple way to create a hard-to-guess
password is to use the first letter of each word in a phrase. -When IT
Rains it Pours' becomes WIRIP. Add a number to make it eight characters
long - WIRIP421. Change the "I" to "!" and you have a pretty
strong password you can remember: W!R!P421. Do that for sites you
pay for and ones that are important to you."
In response to the incident, Gawker said it would work with outside
security pros to improve security and maintain "a reliable level of
While Gawker dealt with the fallout from the attack, the open source
community dealt with some security controversy of its own. News
broke this week that Gregory Perry, now CEO of GoVirtual
Education, had accused the FBI
an e-mail to OpenBSD founder Theo de Raadt of putting backdoors and
side-channel key leak mechanisms into the OpenBSD Cryptographic
Framework roughly a decade ago. However doubt has been cast on his
allegations, as at least one developer he accused of involvement denied
having any ties to such a plot, and others called the accusations
"I will state clearly that I did not add backdoors to the OpenBSD
operating system or the OpenBSD crypto framework (OCF)," Jason L.
Wright, one of the men Perry accused, wrote in an e-mail to the OpenBSD
mailing list. "The code I touched during that work relates mostly to
device drivers to support the framework. I don't believe I ever touched
isakmpd or photurisd (userland key management programs), and I rarely
touched the ipsec internals (cryptodev and cryptosoft, yes).
However, I welcome an audit of everything I committed to OpenBSD's
In a message to the mailing list, de Raadt wrote that he released
Perry's e-mail so that anyone accused can defend themselves and those
who use the code can audit it for any problems.
On the subject of defense, Microsoft closed out the year
another massive Patch Tuesday release, pushing out 17 security
bulletins to cover 40 vulnerabilities. Only two of the bulletins were
critical - one impacting Internet Explorer and the other addressing
multiple vulnerabilities in Windows' OpenType Font driver. The company
also patched the final zero-day vulnerability associated with the
"The most important bug this month is clearly the IE update
includes a fix for the outstanding zero-day bug discovered in early
November," said Andrew Storms, director of security operations at
nCircle. "With more and more people shopping online this time of year,
it's important for everyone to patch their browsers."
Google added a new layer of protection for Web surfers
a new notification in search engine results to prevent users from
visiting compromised sites. When Google believes a site has been
hacked, a sentence will appear under the search result that reads:
"This site may be compromised." Google provides a similar warning to
steer users away from sites found to be infected with malware.
Those involved in the site compromises tied to Operation Payback may
have another form of detection to worry about. According to an analysis
by researchers from the University of Twete in the Netherlands, the Low
Orbit Ion Cannon (LOIC) tool used in the pro-WikiLeaks attacks against
sites like MasterCard.com fails to protect the Internet Protocol (IP)
addresses of users, meaning people involved in the attacks may be traceable
"The tool ... does not attempt to protect the identity of the user, as
the IP address of the attacker can be seen in all packets sent during
the attacks," the researchers wrote. "Internet Service Providers can
resolve the IP addresses to their client names, and therefore easily
identify the attackers. Moreover, Web servers normally keep logs of all
served requests, so that target hosts also have information about the
While the hackers involved in Operation Payback may have their own
concerns about anonymity, the U.S. government meanwhile is concerned
with privacy of another kind. Dec. 16, the U.S. Department of Commerce
threw its hat into the ring in the debate about online privacy,
suggesting the creation of a new policy framework as well as a Privacy
Policy Office within the department. While applauding the report's
recognition of online privacy problems, some consumer advocates criticized
report for its talk of industry self-regulation and safe harbors
against punitive action by the Federal Trade Commission (FTC).
"They talk about commercial data privacy," said John Simpson,
consumer advocate at Consumer Watchdog. "What we should be talking
about is consumers' data and their right to privacy, not a business
commodity. This is all about easing things for businesses. It's in some
sense I think an early Christmas gift to the data collection industry
from the Obama administration."