Note:
Here’s resident IT security expert bens and his analysis of the Gawker hack. He also has some tips for how protect yourself when stuff like this happens….
Gawker media got hacked, and in the hack Gawker’s master password file was stolen. What does this mean to you? Well, if you have linked any e-mail address that has any sort of real-world relevence to you to your Gawker account, you should change your password immediately. The same goes for your passwords. There’s a concept called “password entropy.” That is, if you use a login/password for one website and its compromised, you might use a similar login/pass on another site.
Change your passwords, and make sure they’re dissimilar from other passwords you’ve used.
Insofar as the “hack,” it looks like a script kiddie was looking for notoritety. From the released info, it appears that simple measures like having mildly secure passwords were not adhered to. Does it surprise me that between the Gawker Media Network there are machines running potentially inseucre software? No.
What is surprising is that even the site owner is using an eight character-long numeric password. Hey Nick, “24862486” might be a really easy password to remember, but dude, you’re running a media company with a huge online presence. You couldn’t tell me that a password like “N1ck$$d3nt0n$$$$$” isn’t a much better password that would be pretty easy to remember (its your name, with vowels as numbers, a couple non-alphanumeric characters, and its nice and long.)
A lot of brute-force methods won’t try to brute-force non alphanumerics, so signs like “$” and “!” and even more esoteric characters can slow down a brute force attack. However, if the password file is stolen it’s only a matter of time for it to be decrypted and all passwords revealed.
So what should you do? I know most of you are not technical users. The main thing you have to worry about is someone reading that your email address/password linked to Gawker is the same email account/password linked to your bank account.
So, change your bank password. Change your email password. Use multiple e-mail accounts so that if one is hacked, potentially you can compartmentalize the damage. If your bank statements go to your Gmail account, but you use a Hotmail account only for web forum passwords; you’re going to be much less exposed to risk if there’s a security leak.
Use strong passwords. Don’t rely on your password to remain secure. Change it every couple of months. Keep your software updated. If there’s a popup when you start your computer telling you that there’s a “critical software update” … download and install it! No computer system is 100% secure, but there’s a lot you can do to minimize damage.
Oh, and Gawker… who’s running your security policies? I’m not doing anything next week. Send me an email and lets run a pen. test. Were you guys running any IDS? You’re probably on the phone to the FBI right now and getting the run-around. You guys have my email address already!
