    Gawker to Add Stronger User Authentication to Thwart Future Hacks

    Written by

    Fahmida Y. Rashid
    Published December 20, 2010

      Gawker’s family of Websites will integrate third-party account verification systems into its commenting system to defend against future database attacks, Gawker Media CTO Tom Plunkett wrote in an e-mail memo to the staff.

      In the memo, which was also posted on Jim Romenesko’s Poynter blog, Plunkett wrote that, “We should not be in the business of collecting and storing personal information.” The memo was issued in response to last week’s attack on Gawker servers, which compromised more than 1.3 million usernames and passwords. The hack affected Lifehacker, Gizmodo, Gawker, Jezebel, io9, Jalopnik, Kotaku, Deadspin, and Fleshbot.

      “It is clear that the Gawker tech team did not adequately secure our platform from an attack of this nature,” wrote Plunkett. Gawker’s security team was using outdated encryption to secure the servers and hadn’t deployed three years’ worth of security patches. The team was also using the same passwords on various Gawker systems, including the wiki and Google Apps, which allowed hackers to expand their target beyond the initial database server, according to the memo.

      Plunkett outlined two major changes to the commenting system in the memo: integrating OAuth services and enabling disposable accounts. OAuth is a single sign-on authentication protocol that allows users to sign into a Website using credentials from a third-party site. Moving to this kind of authentication service allows users to comment on Gawker sites without the site having to store personal information such as e-mail addresses and passwords.

      “We have lost the commenters’ trust and don’t deserve it back,” wrote Plunkett.

      There are a number of authentication services, including OpenID implementations used by sites such as Google and Yahoo, Microsoft Passport, and Facebook’s “Login with Facebook” service (formerly Facebook Connect). Twitter also launched Twitter OAuth over the summer, allowing users to use their Twitter credentials on apps such as Twitterific, Seesmic, and TweetDeck to send and read tweets.

      Disposable accounts will allow users to comment anonymously on the site by generating a unique key code for the user. The account is tied to that key, and once lost or deleted, it is abandoned. Since there is no e-mail address or password information stored with the key, users can “toss out” the account and not worry about it somehow connecting to their identity, Plunkett said.
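      The disposable-account mechanism described above, as an added illustration that is not code from Gawker or from this article: a hypothetical in-memory store that issues a random key, keeps only a SHA-256 digest of it, and holds no e-mail address, password or reset path. If the table leaks, an attacker gets digests of 256-bit random keys (not reversible) and no identity data; if the user loses or discards the key, the account is simply abandoned. Class and method names are assumptions for the example.

```python
import hashlib
import secrets
from typing import Dict, List, Optional


def _digest(key: str) -> str:
    """Server-side fingerprint of a key; the plaintext key is never stored."""
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


class DisposableAccountStore:
    """Hypothetical store for key-only commenting accounts.

    Each record holds a display name and a comment count and nothing that
    identifies a person: no e-mail, no password, no recovery question.
    """

    def __init__(self) -> None:
        # digest(key) -> account record
        self._by_digest: Dict[str, dict] = {}

    def create(self, display_name: str = "anonymous") -> str:
        # 32 bytes from the OS CSPRNG, rendered as a 43-character URL-safe
        # string. This key is the only credential and is shown to the user once.
        key = secrets.token_urlsafe(32)
        self._by_digest[_digest(key)] = {"name": display_name, "comments": 0}
        return key

    def authenticate(self, key: str) -> Optional[dict]:
        """Return the account for this key, or None if unknown or discarded."""
        return self._by_digest.get(_digest(key))

    def post_comment(self, key: str, text: str) -> bool:
        """Count a comment against the account; False if the key is not valid."""
        account = self.authenticate(key)
        if account is None:
            return False
        account["comments"] += 1
        return True

    def discard(self, key: str) -> bool:
        """The user 'tosses out' the account: drop the record, nothing else to wipe."""
        return self._by_digest.pop(_digest(key), None) is not None

    def dump(self) -> List[str]:
        """What a database breach would expose: digests only, no keys, no PII."""
        return list(self._by_digest)

    def holds_plaintext(self, key: str) -> bool:
        """True only if a dump of the table would contain the key itself."""
        return key in self.dump()


if __name__ == "__main__":
    store = DisposableAccountStore()
    key = store.create("commenter-42")
    print("key (show once):", key)
    print("comment accepted:", store.post_comment(key, "first!"))
    print("breach would expose:", store.dump())
    print("discarded:", store.discard(key))
    print("still valid:", store.authenticate(key) is not None)
```

      Note that there is deliberately no lookup by name and no reset flow: the design's privacy property comes from there being nothing to recover with, which is exactly why a lost key means an abandoned account.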

      One of the downsides of using third-party authentication is that users who don’t have an account on that external site, or who do not want to expose their personal information, are left out in the cold. Many sites, such as blogging platform TypePad from SixApart, fix this problem by accepting credentials from multiple sources, including WordPress.com, LiveJournal, Google, MySpace, or any other OpenID-enabled site. Users can choose which identity to use.

      Shortly after the Gawker hack, Facebook announced a tool that would make it the identity management broker for all users, not just the ones with Facebook accounts. The social networking giant’s Registration Tool allows site developers to hand the work of authenticating users over to Facebook. Sites such as Gawker would display an iFrame form on the site instead of a registration/sign-in form, prepopulated with the user’s Facebook credentials.

      Once the user accepts the form, the user can access the site using their Facebook account. Non-Facebook users enter and submit their personal information through the form onto Facebook’s servers. Despite not having an account on the social networking site, Facebook has that user’s information and can authenticate that user for the site from that point on.

      “Independent Website developers can leverage an existing user database of a large service, like Facebook, and get access to the data the users have stored there,” said Andrew Walls, research director at Gartner.

      Even so, OAuth is not a fix-all, since if the third-party site is down for any reason, users are unable to access any of the other linked sites. These services also remain vulnerable to phishing attacks or keyloggers because one identity is linked to so many sites, according to Roman Yudkin, CTO of Confident Technologies.

      Sites should adopt layers of authentication so that one point of failure doesn’t compromise the account, Yudkin told eWEEK. The company offers image-based passcodes to supplement traditional passwords. Users are required to remember “meaningful” categories and select pictures that fit those categories when logging in. Since the images are different each time, the resulting passcode becomes unique for each login, said Yudkin.

      Gartner analyst John Pescatore wrote on his blog that instead of moving toward a “trusted” central service controlling user authentication, sites should consider processes such as Google’s two-factor verification process that sends a text message challenge/response code to a user’s smartphone, or similar methods.

      “Can you think of a candidate to be that central site who hasn’t had their own security problems?” Pescatore wrote, arguing against the move toward a centralized service.
