Nobody wants to be the guy sending out a mass email to members saying, “If you’ve registered an account on any of our websites, then it’s best to assume that your username and password were included among the leaked data.”
But that’s exactly what Gawker Media had to do after its sites were hacked last weekend. Thomas Plunkett, CTO of Gawker Media, pointed to a source code vulnerability as the window hackers used to access user data including passwords, an editor wiki, and email accounts, among other things. Once much of the user data was posted on sites such as Pirate Bay, Gawker had to warn its users to change their logins for other sites using the same password.
One of the lessons learned from the brouhaha? Use different passwords for different login accounts. (Pretty much a no-brainer at this point, for those of us who regularly take a look at the state of information security.) But for the rest of the world, password complexity and rotation are hassles better left to the pros and the IT departments at work. But what happens when enterprise IT is more concerned with quantity than quality?
Simon Heron at Redscan predicts that 2011’s most damaging attacks will continue to surface via the Internet:
The Internet is the most attractive channel of attack…. The real problem is hackers taking advantage of poor programming on a website, and installing malware that attempts to infect visitors. In many cases, website builders do not include security in their design philosophy, which so often leads to flaws that can be exploited.
Sound familiar? Plunkett, in the midst of embarrassment, admitted to focusing more on growing the business than on ensuring the most secure platform possible. As though the leaked user data weren’t enough, insult was added to injury when an internal memo was leaked, including these statements and an admission of their failure to create solid “standards and practices.”
So where do we go right in 2011 where so many of us went so wrong in 2010? The U.S. government has started by sending its employees to cyber security university, and Gawker has enabled SSL for Google Apps users and is looking to implement OAuth verification, as well as enabling wary visitors (i.e. most of us) to create disposable logins for comments. Perhaps the most disturbing part of this hard-earned lesson isn’t the shoddy security practices of businesses (pretty common knowledge at this point), but the blasé attitude many consumers have toward their end of the security bargain, as V3 reports:
A quarter of UK internet users reuse the same password for important accounts such as email, banking or shopping and social networking sites, according to a survey from network security firm Check Point released today.
The firm also identified that over three-quarters of consumers use risky password construction practices, such as including personal information and words.
It seems, while there are plenty of new things to look forward to in 2011 IT, this age-old lesson will most likely be learned over and over again. The only difference will be the color of the tail between the latest victim’s legs.
Share with us how you plan to stay out of the doghouse in 2011, or how you ended up in it in 2010, either in the comments section or by sending me an email at Melanie@ITKnowledgeExchange.com.