Gawker to Add Stronger User Authentication to Thwart Future Hacks
Gawker's family of Websites will integrate third-party account verification systems into its commenting system to defend against future database attacks, Gawker Media CTO Tom Plunkett wrote in an e-mail memo to the staff.
In the memo, which was also posted on Jim Romenesko's Poynter blog, Plunkett wrote that, "We should not be in the business of collecting and storing personal information." The memo was issued in response to last week's attack on Gawker servers which compromised more than 1.3 million usernames and passwords. The hack affected Lifehacker, Gizmodo, Gawker, Jezebel, io9, Jalopnik, Kotaku, Deadspin, and Fleshbot.
"It is clear that the Gawker tech team did not adequately secure our platform from an attack of this nature," wrote Plunkett. Gawker's security team was using outdated encryption to secure the servers and hadn't deployed three year's worth of security patches. The team was also using the same passwords on various Gawker systems, including the wiki and Google Apps, which allowed hackers to expand their target beyond the initial database server, according to the memo.
Plunkett outlined two major changes to the commenting system in the memo: integrating OAuth services and enabling disposable accounts. OAuth is a single sign-on authentication protocol that allows users to sign into a Website using credentials from a third-party site. Moving to this kind of an authentication service allows users to comment on Gawker sites without the site having to store personal information such as e-mail addresses and passwords.
"We have lost the commenters' trust and don't deserve it back," wrote Plunkett.
There are a number of authentication services, including OpenID implementations used by sites such as Google, and Yahoo, Microsoft Passport, and Facebook's "Login with Facebook," service (formerly Facebook Connect). Twitter also launched Twitter OAuth over the summer, allowing users to use their Twitter credentials on apps such as Twitterific, Seesmic, and TweetDeck to send and read tweets.
Disposable accounts will allow users to comment anonymously on the site by generating a unique key code for the user. The account is tied to that key, and once lost or deleted, it is abandoned. Since there is no e-mail address or password information stored with the key, users can "toss out" the account and not worry about it somehow connecting to their identity, Plunkett said.
One of the downsides of using third-party authentication was that users who didn't have an account on that external site or did not want to expose their personal information were left out in the cold. Many sites, such as blogging platform TypePad from SixApart, fix this problem by accepting credentials from multiple sources, including WordPress.com, LiveJournal, Google, MySpace, or any other OpenID-enabled site. Users can choose which identity to use.
Shortly after the Gawker hack, Facebook announced a tool that would make it the identity management broker for all users, not just the ones with Facebook accounts. The social networking giant's Registration Tool allows site developers to hand the work of authenticating users over to Facebook. Sites such as Gawker would display an iFrame form on the site instead of a registration/sign-in form, prepopulated with the user's Facebook credentials.
Once the user accepts the form, the user can access the site using their Facebook accounts. Non-Facebook users enter and submit their personal information through the form onto Facebook's servers. Despite not having an account on the social networking site, Facebook has that user's information and can authenticate that user for the site from that point on.
"Independent Website developers can leverage an existing user database of a large service, like Facebook, and get access to the data the users have stored there," said Andrew Walls, research director at Gartner.
Even so, OAuth is not the fix all, since if the third-party site is down for any reason, users are unable to access any of the other linked sites. These services also remain vulnerable to phishing attacks or keyloggers because one identity is linked to so many sites, according to Roman Yudkin, CTO of Confident Technologies.
Sites should adopt layers of authentication so that one point of failure doesn't compromise the account, Yudkin told eWEEK. The company offers image-based passcodes to supplement traditional passwords. Users are required to remember "meaningful" categories and select pictures that fit those categories when logging in. Since the images are different each time, the resulting passcode becomes unique for each login, said Yudkin.
Gartner analyst John Pescatore wrote on his blog that instead of moving toward a "trusted" central service controlling user authentication, sites should consider processes such as Google's two-factor verification process that sends a text message challenge/response code to a user's smartphone, or similar methods.
"Can you think of a candidate to be that central site who hasn't had their own security problems?" Pescatore wrote, arguing against the move toward a centralized service.