By Cara Garretson

On December 12, Gawker Media’s servers were hacked, resulting in a security breach that affected a number of the online media company’s sites. The hack, which led to the exposure of email addresses and passwords of registered commenters to the affected sites, caught the company unprepared. Following a round of damage control and public apologies to its users, as well as recommendations that anyone who registered with the sites directly (as opposed to those who log in through Twitter or Facebook Connect) change their passwords, the company is starting to take action.
According to a post on The Poynter Institute’s Web site, Gawker’s CTO Thomas Plunkett said the company’s IT department takes responsibility for the breach. In a memo to the Gawker staff dated December 17 and posted on Poynter.org, Plunkett described what happened and how the company will take action to prevent future security breaches.
“On several fronts — technically, as well as customer support and communication — we found ourselves unprepared to handle this eventuality,” wrote Plunkett in his memo to staff. “The tech team should have been better prepared, committed more time to perform thorough audits, and grown our team’s technical expertise to meet our specific business needs. As a result of not having done these things, we have not adhered to standards expected of us, and our response was inadequate.”
In describing the security event in his memo, Plunkett said that the company’s servers and some corporate email accounts were compromised; a group named Gnosis took responsibility for the attack. Web servers were hacked by attackers who found a vulnerability in Gawker’s source code, said Plunkett. Once the attackers had user names and passwords, they were able to get access to the editor wiki, some Gawker Media email accounts, and “other external resources,” he said. “It is clear that the Gawker tech team did not adequately secure our platform from an attack of this nature. We were also not prepared to respond when it was necessary.”
Gawker hadn’t planned for such a security event – largely because the company is focused on new products and hasn’t spent much time looking back at completed work – Plunkett continued, and therefore didn’t have the process or systems required to respond. In addition, Gawker is vulnerable because of the products it owns, which have not been afraid to take controversial stances, he added. Because of both factors – rapid growth that can lead to rushed work and mistakes, and the fact that Gawker is often a high-profile target – the company should have had in place standards and processes to deal with such events.
With the help of a third-party security team that Gawker hired, the company is taking the following steps:
- The IT department has regained control of the compromised systems (including Google Apps, which Plunkett said employees will have to reconfigure);
- Having addressed known vulnerabilities, the IT department is now auditing systems and its code base for unknown security flaws;
- The company is planning to move to a new, hardened Web infrastructure;
- It has dedicated Help Desk staff to dealing with commenter concerns, which will continue as long as is needed;
- The IT department has enabled SSL for all users with Gawker Media accounts on Google Apps and is requiring two-factor authentication for access to sensitive documents – defined as legal, financial, or accounting-related – in Google Docs;
- It is also enforcing a policy that no sensitive information be posted to the company’s editor wiki or discussed over chat.
Long term, Plunkett says the company must move away from collecting and storing personal information, such as email addresses and passwords. The company will look for more integration with external account verification sources, such as Facebook, Twitter, and Google, and will introduce disposable accounts that don’t store email addresses or passwords.
“This has been a very unfortunate event in Gawker Media history, and we have learned much from it. Above all, this has been an enormous inconvenience for everyone affected, and for this I apologize,” wrote Plunkett. “You can expect a much more responsive and proactive technology and product team for 2011.”