It was a busy week in IT security, starting with news that Gawker Media had been compromised.
The hack on Gawker Media’s servers exposed e-mail addresses and passwords belonging to users of Gawker Media Websites, including Lifehacker, Gizmodo, Deadspin, and obviously Gawker.com itself. The incident highlighted issues of password security, as many people who used the same password for both their and Twitter Gawker accounts fell victim to a spam attack on Twitter.
According to an analysis by Duo Security, many of the passwords being used were simplistic; the most common passwords were “123456” and “password.”
“(The) No. 1 best practice is never use a word that can be found in the dictionary,” Richard Stiennon, chief research analyst at IT-Harvest, told eWEEK. “A simple way to create a hard-to-guess password is to use the first letter of each word in a phrase. -When IT Rains it Pours’ becomes WIRIP. Add a number to make it eight characters long – WIRIP421. Change the “I” to “!” and you have a pretty strong password you can remember: W!R!P421. Do that for sites you pay for and ones that are important to you.”
In response to the incident, Gawker said it would work with outside security pros to improve security and maintain “a reliable level of security.”
While Gawker dealt with the fallout from the attack, the open source community dealt with some security controversy of its own. News broke this week that Gregory Perry, now CEO of GoVirtual Education, had accused the FBI in an e-mail to OpenBSD founder Theo de Raadt of putting backdoors and side-channel key leak mechanisms into the OpenBSD Cryptographic Framework roughly a decade ago. However doubt has been cast on his allegations, as at least one developer he accused of involvement denied having any ties to such a plot, and others called the accusations unlikely.
“I will state clearly that I did not add backdoors to the OpenBSD operating system or the OpenBSD crypto framework (OCF),” Jason L. Wright, one of the men Perry accused, wrote in an e-mail to the OpenBSD mailing list. “The code I touched during that work relates mostly to device drivers to support the framework. I don’t believe I ever touched isakmpd or photurisd (userland key management programs), and I rarely touched the ipsec internals (cryptodev and cryptosoft, yes). However, I welcome an audit of everything I committed to OpenBSD’s tree.”
In a message to the mailing list, de Raadt wrote that he released Perry’s e-mail so that anyone accused can defend themselves and those who use the code can audit it for any problems.
On the subject of defense, Microsoft closed out the year with another massive Patch Tuesday release, pushing out 17 security bulletins to cover 40 vulnerabilities. Only two of the bulletins were critical – one impacting Internet Explorer and the other addressing multiple vulnerabilities in Windows’ OpenType Font driver. The company also patched the final zero-day vulnerability associated with the Stuxnet worm.
“The most important bug this month is clearly the IE update that includes a fix for the outstanding zero-day bug discovered in early November,” said Andrew Storms, director of security operations at nCircle. “With more and more people shopping online this time of year, it’s important for everyone to patch their browsers.”
Google added a new layer of protection for Web surfers by putting a new notification in search engine results to prevent users from visiting compromised sites. When Google believes a site has been hacked, a sentence will appear under the search result that reads: “This site may be compromised.” Google provides a similar warning to steer users away from sites found to be infected with malware.
Those involved in the site compromises tied to Operation Payback may have another form of detection to worry about. According to an analysis by researchers from the University of Twete in the Netherlands, the Low Orbit Ion Cannon (LOIC) tool used in the pro-WikiLeaks attacks against sites like MasterCard.com fails to protect the Internet Protocol (IP) addresses of users, meaning people involved in the attacks may be traceable.
“The tool … does not attempt to protect the identity of the user, as the IP address of the attacker can be seen in all packets sent during the attacks,” the researchers wrote. “Internet Service Providers can resolve the IP addresses to their client names, and therefore easily identify the attackers. Moreover, Web servers normally keep logs of all served requests, so that target hosts also have information about the attackers.”
“They talk about commercial data privacy,” said John Simpson, consumer advocate at Consumer Watchdog. “What we should be talking about is consumers’ data and their right to privacy, not a business commodity. This is all about easing things for businesses. It’s in some sense I think an early Christmas gift to the data collection industry from the Obama administration.”