Enterprise IT Watch Blog

Dec 22 2010   10:30AM GMT

Lessons learned in 2010’s network security fails

Melanie Yarbrough Profile: MelanieYarbrough

Nobody wants to be the guy sending out a mass email to members saying, “If you’ve registered an account on any of our websites, then it’s best to assume that your username and password were included among the leaked data.”

But that’s exactly what Gawker Media had to do after its sites were hacked last weekend. Thomas Plunkett, CTO of Gawker Media, identified a source code vulnerability as the opening the attackers used to reach user data, including passwords, an editor wiki, and email accounts, among other things. Once much of the user data was posted on sites such as The Pirate Bay, Gawker had to warn its users to change their logins on any other site where they had used the same password.

One of the lessons learned from the brouhaha? Use different passwords for different login accounts. (Pretty much a no-brainer at this point, for those of us who regularly take a look at the state of information security.) For the rest of the world, though, password complexity and rotation are hassles better left to the pros and the IT departments at work. But what happens when enterprise IT is more concerned with quantity than quality?

Simon Heron at Redscan predicts that 2011’s most damaging attacks will continue to surface via the Internet:

The Internet is the most attractive channel of attack… The real problem is hackers taking advantage of poor programming on a website, and installing malware that attempts to infect visitors. In many cases, website builders do not include security in their design philosophy which so often leads to flaws that can be exploited.

Sound familiar? Plunkett, in the midst of the embarrassment, admitted to focusing more on growing the business than on ensuring the most secure platform possible. As though the leaked user data weren’t enough, insult was added to injury when an internal memo was leaked, including these statements and an admission of the company’s failure to create solid “standards and practices.”

So where do we go right in 2011 where so many of us went so wrong in 2010? The U.S. government has started by sending its employees to cyber security university, and Gawker has enabled SSL for Google Apps users, is looking to implement OAuth verification, and is letting wary visitors (i.e. most of us) create disposable logins for comments. Perhaps the most disturbing part of this hard-earned lesson isn’t the shoddy security practices of businesses (pretty common knowledge at this point), but the blasé attitude many consumers have toward their end of the security bargain, as V3 reports:

A quarter of UK internet users reuse the same password for important accounts such as email, banking or shopping and social networking sites, according to a survey from network security firm Check Point released today.

The firm also identified that over three-quarters of consumers use risky password construction practices, such as including personal information and words.

It seems that, while there are plenty of new things to look forward to in 2011 IT, this age-old lesson will most likely be learned over and over again. The only difference will be the color of the tail between the latest victim’s legs.

Share with us how you plan to stay out of the doghouse in 2011, or how you ended up in it in 2010, either in the comments section or by sending me an email at Melanie@ITKnowledgeExchange.com.

Melanie Yarbrough is the assistant community editor at ITKnowledgeExchange.com. Follow her on Twitter or send her an email at Melanie@ITKnowledgeExchange.com.

3  Comments on this Post

  • valmsmith
    How many times do we tell the newbies we are training to make STRONG passwords and be prepared to change them at least once in a while, and to NOT use the same one repeatedly, particularly on "critical" sites. I am personally concerned about some servers that will not allow us to use "special characters" in our passwords. That is one of the better ways to keep the miscreants out. There are MANY excellent ways to secure our sites, but with a few exceptions they are NOT inexpensive upfront.
  • MelanieYarbrough
    Great point about the monetary commitment that sufficient security requires, Valmsmith. What are your thoughts on the overwhelming predictions that 2011 is going to be a year of increased security spending in the wake of WikiLeaks and the Google/China debacle?
  • jinteik
    It is extremely important to have strong passwords, and even settings so that when a password has been tried 3 times, the ID is disabled and cannot log in for x amount of time, etc. I will add that when newbies get their IDs locked out, they then share IDs with others, or when they are on leave, they pass their IDs around. This is something that should not be done at all either.
