Gawker Media's CTO Tom Plunkett outlined new methods for securing Gawker sites, such as moving to single-sign-on mechanisms and implementing disposable accounts, even though experts say these moves aren't perfect solutions.
Gawker's family of Websites will integrate third-party account verification systems into its commenting system to defend against future database attacks, Gawker Media CTO Tom Plunkett wrote in an e-mail memo to the staff.
In the memo, which was also posted on Jim Romenesko's Poynter blog, Plunkett wrote that, "We should not be in the business of collecting and storing personal information." The memo was issued in response to last week's attack on Gawker servers, which compromised more than 1.3 million usernames and passwords. The hack affected Lifehacker, Gizmodo, Gawker, Jezebel, io9, Jalopnik, Kotaku, Deadspin, and Fleshbot.
"It is clear that the Gawker tech team did not adequately secure our platform from an attack of this nature," wrote Plunkett. Gawker's security team was using outdated encryption to secure the servers and hadn't deployed three years' worth of security patches. The team was also using the same passwords on various Gawker systems, including the wiki and Google Apps, which allowed hackers to expand their target beyond the initial database server, according to the memo.
Plunkett outlined two major changes to the commenting system in the memo: integrating OAuth services and enabling disposable accounts. OAuth is a single sign-on authentication protocol that allows users to sign into a Website using credentials from a third-party site. Moving to this kind of authentication service allows users to comment on Gawker sites without the site having to store personal information such as e-mail addresses and passwords.
"We have lost the commenters' trust and don't deserve it back," wrote Plunkett.
There are a number of authentication services, including OpenID implementations used by sites such as Google and Yahoo, Microsoft Passport, and Facebook's "Login with Facebook" service (formerly Facebook Connect). Twitter also launched Twitter OAuth over the summer, allowing users to use their Twitter credentials on apps such as Twitterific, Seesmic, and TweetDeck to send and read tweets.
Disposable accounts will allow users to comment anonymously on the site by generating a unique key code for the user. The account is tied to that key, and once lost or deleted, it is abandoned. Since there is no e-mail address or password information stored with the key, users can "toss out" the account and not worry about it somehow connecting to their identity, Plunkett said.
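The key-only account model described above, as an added illustration that is not Gawker's code: the server stores a hash of the randomly generated key and a handle, never the raw key, an e-mail address or a password, so a dumped table cannot be used to post as a commenter or to tie an account to a person, and a key that is lost simply leaves the account abandoned. The in-memory store and the field names are constructed for the example.

```python
import hashlib
import secrets

# Constructed in-memory "database": key hash -> account record. A record
# deliberately carries no e-mail address or password, only a display
# handle and the comments posted under it.
ACCOUNTS = {}


def _key_hash(key: str) -> str:
    """Hash the key before storing it. The key is a 192-bit random token,
    so a plain SHA-256 is enough: there is nothing guessable to brute-force."""
    return hashlib.sha256(key.encode()).hexdigest()


def create_disposable_account(handle: str) -> str:
    """Mint a fresh random key and return it; only its hash is kept server-side.
    The user must keep the key: it cannot be recovered from what is stored."""
    key = secrets.token_urlsafe(24)
    ACCOUNTS[_key_hash(key)] = {"handle": handle, "comments": []}
    return key


def lookup(key: str):
    """Return the record tied to this key, or None if unknown or abandoned."""
    return ACCOUNTS.get(_key_hash(key))


def post_comment(key: str, text: str) -> bool:
    """Accept a comment only from the holder of a valid key."""
    acct = lookup(key)
    if acct is None:
        return False
    acct["comments"].append(text)
    return True


def abandon(key: str) -> bool:
    """'Toss out' the account: delete the only record that ever existed."""
    return ACCOUNTS.pop(_key_hash(key), None) is not None


def stored_fields():
    """What a database dump would expose: handles and comments, nothing personal."""
    return sorted({f for rec in ACCOUNTS.values() for f in rec})


if __name__ == "__main__":
    k = create_disposable_account("anon42")
    post_comment(k, "first comment")
    print("dump exposes only:", stored_fields(), "| raw key stored:", k in ACCOUNTS)
```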
One of the downsides of using third-party authentication was that users who didn't have an account on that external site or did not want to expose their personal information were left out in the cold. Many sites, such as blogging platform TypePad from SixApart, fix this problem by accepting credentials from multiple sources, including WordPress.com, LiveJournal, Google, MySpace, or any other OpenID-enabled site. Users can choose which identity to use.
Shortly after the Gawker hack, Facebook announced a tool that would make it the identity management broker for all users, not just the ones with Facebook accounts. The social networking giant's Registration Tool allows site developers to hand the work of authenticating users over to Facebook. Sites such as Gawker would display an iFrame form on the site instead of a registration/sign-in form, prepopulated with the user's Facebook credentials.
Once the user accepts the form, the user can access the site using their Facebook account. Non-Facebook users enter and submit their personal information through the form onto Facebook's servers. Despite the user not having an account on the social networking site, Facebook has that user's information and can authenticate that user for the site from that point on.
"Independent Website developers can leverage an existing user database of a large service, like Facebook, and get access to the data the users have stored there," said Andrew Walls, research director at Gartner.
Even so, OAuth is not a fix-all: if the third-party site is down for any reason, users are unable to access any of the other linked sites. These services also remain vulnerable to phishing attacks or keyloggers because one identity is linked to so many sites, according to Roman Yudkin, CTO of Confident Technologies.
Sites should adopt layers of authentication so that one point of failure doesn't compromise the account, Yudkin told eWEEK. The company offers image-based passcodes to supplement traditional passwords. Users are required to remember "meaningful" categories and select pictures that fit those categories when logging in. Since the images are different each time, the resulting passcode becomes unique for each login, said Yudkin.
Gartner analyst John Pescatore wrote on his blog that instead of moving toward a "trusted" central service controlling user authentication, sites should consider processes such as Google's two-factor verification process, which sends a text message challenge/response code to a user's smartphone, or similar methods.
"Can you think of a candidate to be that central site who hasn't had their own security problems?" Pescatore wrote, arguing against the move toward a centralized service.