
Gawker Hacking Exposes Some Web Users’ Bad Password Habits

December 13, 2010 at 4:46 PM EST
Gawker Media, one of the web's largest publishers, was hacked over the weekend and information for about 1.3 million users was made public. Jeffrey Brown speaks with the NewsHour's Hari Sreenivasan about the cyber attack and what it means for personal security online.

TRANSCRIPT

JEFFREY BROWN: And we turn now to the vulnerability of the Internet, after a week of very visible hacks and attacks.

In the days following the release of classified government documents by WikiLeaks, thousands of the site’s supporters, so-called hacktivists, have launched online attacks aimed at companies and groups they deem hostile to WikiLeaks and to the free flow of information.

Last week, a group calling itself Anonymous targeted the websites of Visa, MasterCard and PayPal, among others, after the companies stopped processing donations to WikiLeaks. Government websites, too, have been vulnerable. The Senate website was slowed last week after Senator Joe Lieberman criticized sites enabling WikiLeaks.

The attacks used software that chains together hundreds of computers that all request information from the same website at the same time, causing a traffic jam that makes the site inaccessible.

RYAN SINGEL, staff writer, Wired.com: This is a little bit more like what happened in the ’60s when protesters took over buildings at, you know, universities, where people couldn’t get in the building, but it’s not really them blowing up the building.

JEFFREY BROWN: While all that goes on, this weekend, there was another example of online hacking, this one affecting the popular site Gawker, an eight-year-old digital media company that hosts blogs on media, technology, and pop culture.

A group calling itself Gnosis raided Gawker, burrowing inside its databases to unlock the user names, passwords, and e-mail addresses of some 1.3 million people who had left comments on the site. Gawker was forced to stop publishing temporarily Sunday and urged its users to change their passwords.

There were signs the hackers had acted in retaliation after a war of words with Gawker. They also appeared to send a message about the vulnerability of usernames and passwords, listing several thousand accounts in which the password for the account is the word “password.”

Our own Hari Sreenivasan covers technology developments for us online and has been following the Gawker situation. He joins me now for an update.

So, Hari, first, for those who don’t know much about Gawker, tell us a little bit more. What is it?

HARI SREENIVASAN: Well, it is one of the largest publishers on the Web. And it’s really an amazing set of sites. Whether you care about cars or you care about gadgets, it’s one of the must-check sites on the Internet.

And it’s almost like a modern-day salon, because people come there for information, but they’re coming just as much for the comment threads and to leave a comment and really to be part of a conversation.

JEFFREY BROWN: All right, we talk about this group called Gnosis. How much do we know about what — who they are? And what did they do to Gawker?

HARI SREENIVASAN: Well, a lot of these sort of hacker groups are very shadowy in nature, in the sense that they — there’s no card-carrying membership that says, I’m part of this club. I’m the one who did this, and here is my address and phone number.

So, really, what they did to Gawker was come in behind the scenes in the past few weeks, past few months, figure out vulnerabilities, and essentially start to take the keys to the kingdom. Everything that Gawker held dear, most important, the user information, they took all of that out and splayed it out across the Internet.

They didn’t hide the information for themselves for some sort of kind of nefarious means. They said, here, take it, because this is really — they’re the crown jewels for a website.

JEFFREY BROWN: And you were telling me earlier today that you went online last night.

HARI SREENIVASAN: Yes.

JEFFREY BROWN: So, give us examples. What could you see there?

HARI SREENIVASAN: Well, something very minimally invasive was that I could see what the future of the Gawker website was supposed to look like, which is something pretty important that you want to try to keep secret.

If I was a real kind of a technologist, I could actually see the content management system. I could see the databases. I could see where they store their passwords. I could see the advertising information, which could be very important.

But the most important, again, the crown jewels, were the usernames, the passwords, and the e-mail addresses connected to them of some 1.3 million users. That’s really the stuff that I, as a complete novice, could see.

JEFFREY BROWN: Now, how are those people affected, in what ways?

HARI SREENIVASAN: Well, so, the thing — it kind of gets back to a little bit of social engineering.

So a lot of times people don’t make separate passwords and separate usernames for different websites. Sometimes, they use the same website or same e-mail address that I have for work on to a site like Gawker, and then maybe that’s the same password that gets me into Facebook, and then it’s also connected to Twitter.

So, as we see all of these different kind of communities that we participate in during the day, people aren’t very good at keeping these walls separate. So, that’s where the real influence is.

JEFFREY BROWN: And I heard today that — so, today, they used that to affect Twitter as well, right?

HARI SREENIVASAN: That’s right. So…

JEFFREY BROWN: And this would be people who use the same password for Gawker and Twitter.

HARI SREENIVASAN: That’s right, the same username or the password. So, basically, somebody between last night and this morning wrote a small computer program that figured out that little exploit.

And, so, while hundreds or maybe thousands of people are asleep, their Twitter accounts were automatically sending out advertisements for the acai berry or acai berry, however you say it, the super berry, right? So, while you were sleeping, you were actually a victim to somebody else’s marketing scam.

JEFFREY BROWN: Now, what if I or what if our viewers don’t go on Gawker? Should they care?

HARI SREENIVASAN: Well, they should care because this actually exploits larger vulnerabilities into their workplaces.

Not only were there Gmail and Yahoo! accounts. There were a lot of government accounts. There were a lot of edu accounts, which means universities or educational institutions.

So if these people don’t change their passwords, don’t get a little stronger about their own protections, those systems could also be compromised. I mean, all of those e-mail addresses are now out there for other hackers to exploit.

JEFFREY BROWN: And what of Gawker? I said they temporarily stopped publishing. They’re certainly back now. But have they taken any steps that we know of to prevent this in the future?

HARI SREENIVASAN: Well, they said that they are. They apologized to their users profusely on their blog. They said, we’re really embarrassed and really we want to try to help you go ahead and change your password.

But, ironically enough, this morning, if I wanted to delete my account on Gawker, I couldn’t do that because the database that would have allowed me to do that was corrupted by the hackers last night.

JEFFREY BROWN: All right, Hari Sreenivasan, thanks a lot.