Gawker Media Hack Is A Password Reminder

Over the weekend, Gawker Media was hacked, handing the attackers an encrypted password list (among other things). A group calling themselves Gnosis has taken credit for the hack and released a package full of server information, notes on the hack, Gawker Media site source code and, worst of all, everyone’s passwords.

Gnosis hack on Gawker Media

Judging by the statement made by the hackers, it looks like someone at Gawker pissed them off. I was actually planning another post about web security before this happened, but that will wait for another day as it has to do with different perils of having online accounts.

Here’s the email Gawker Media sent out today:

This weekend we discovered that Gawker Media’s servers were compromised, resulting in a security breach at Lifehacker, Gizmodo, Gawker, Jezebel, io9, Jalopnik, Kotaku, Deadspin, and Fleshbot. As a result, the user name and password associated with your comment account were released on the internet. If you’re a commenter on any of our sites, you probably have several questions.

We understand how important trust is on the internet, and we’re deeply sorry for and embarrassed about this breach of security. Right now we are working around the clock to improve security moving forward. We’re also committed to communicating openly and frequently with you to make sure you understand what has happened, how it may or may not affect you, and what we’re doing to fix things.

This is what you should do immediately: Try to change your password in the Gawker Media Commenting System. If you used your Gawker Media password on any other web site, you should change the password on those sites as well, particularly if you used the same username or email with that site. To be safe, however, you should change the password on those accounts whether or not you were using the same username.

We’re continually updating an FAQ (http://lifehac.kr/eUBjVf) with more information and will continue to do so in the coming days and weeks.

Gawker Media

How Does This Affect You?

If you’ve never commented on a web property in the Gawker Media network, you may not have anything to worry about. If you have, on the other hand, your password on that site has been compromised, and you should think about where else you used that password and change it on every site where you did. In the quoted text above, Gawker points us to a post on Lifehacker full of answers. Of course, to minimize the effects of future hacks on Gawker or any other site, it’s best to have a strong password (see below) and to use a different password for each site. As an example, you wouldn’t want to use the same password on Gawker that you use for online banking.

Is Your Password Strong Enough?

Surprisingly, too many people have passwords that are easy to crack or even just guessable. Without a doubt, the absolute worst password you can use for any account is the word “password”. Yet of the nearly 1.3 million accounts compromised, 1,959 had “password” as their password. Even if a hacker never guesses it, the simplest brute force attack can crack this password in no time. So how do you know if your password is strong enough?

Is my Password Strong

I built a quick and easy password strength test site to help you test your password. That may be helpful, but you can also get by with a few quick password tips. To understand them, you should know a little about how a brute force attack works. Typically a script runs that tries one password after another until one works. A simple script might first try every word in a dictionary file. This is just a file full of known real words like “gamer”, “puppy”, or maybe “password”. Failing that, it would start going through every character combination, from aaa, aab, aac, for example, through to longer guesses like 9999999. A more thorough attack might add characters like $%! to the mix, but covering them takes far longer, and having to check upper as well as lower case takes a lot longer still. It follows that you make your password stronger by making it longer and including numbers, mixed case, and special characters. By this logic, “Chr1Stm@s!!%” is a far more secure password than “christmas”.
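To make the two phases concrete, here is an added example (not the post’s own password test site) that models the dictionary-then-exhaustive attack described above against the post’s own example passwords, and adds the step modern strength checkers take of undoing common character substitutions before the dictionary lookup. The word list, substitution table and guess rate are constructed placeholders.

```python
import string

# Constructed mini word list standing in for the "dictionary file" the post describes.
DICTIONARY = {"password", "christmas", "gamer", "puppy", "123456", "qwerty"}

# Common character swaps a dictionary attack tries before moving on; assumed set.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                               "5": "s", "7": "t", "@": "a", "$": "s"})

CHAR_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                string.digits, string.punctuation)

def dictionary_hit(password):
    """Phase 1 of the attack in the post: return the dictionary word the password
    is built from (allowing case changes, common swaps and appended digits or
    symbols), or None if it survives the dictionary phase."""
    lowered = password.lower()
    for form in (lowered, lowered.translate(SUBSTITUTIONS)):
        core = form.rstrip(string.digits + string.punctuation)
        if core in DICTIONARY:
            return core
    return None

def charset_size(password):
    """Size of the alphabet an attacker must cover once they know which
    character classes appear (lower, upper, digits, symbols)."""
    return sum(len(cls) for cls in CHAR_CLASSES if any(c in cls for c in password))

def brute_force_guesses(password):
    """Phase 2: exhaustive search tries every string of every length up to
    len(password), so the work is the sum over lengths of charset ** length."""
    n = charset_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))

def years_to_crack(password, guesses_per_second=1e9):
    """Worst-case time for phase 2 at an assumed guess rate (1e9/s is a round
    placeholder, not a measured figure)."""
    return brute_force_guesses(password) / guesses_per_second / 31_557_600

def report(password):
    word = dictionary_hit(password)
    phase1 = f"built from dictionary word {word!r}" if word else "not in the dictionary"
    return (f"{password!r}: {phase1}; exhaustive search over {charset_size(password)} "
            f"characters needs up to {brute_force_guesses(password):.2e} guesses "
            f"(~{years_to_crack(password):.2g} years at 1e9 guesses/s)")

if __name__ == "__main__":
    for pw in ("password", "christmas", "Chr1Stm@s!!%", "xq7Vb!9rTz"):
        print(report(pw))
```

Run as written, it shows “christmas” and “password” falling in the dictionary phase, while “Chr1Stm@s!!%” has an enormous exhaustive keyspace yet is still recognised as a dressed-up dictionary word; length and unpredictability beat substitutions.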

Even if you were not affected directly by this, take this as a reminder to audit your password habits and make changes if needed. A little effort now can save you a lot of future headache.

Using Chi.mp to Manage Your Social Media Presence

A tag cloud with terms related to Web 2.0 (image via Wikipedia)

While skimming through my friends’ tweets on Twitter last week, I noticed a mention of something called chi.mp. The first thing I noticed upon visiting the site is the need for a beta code to sign up. I hate having to wait after requesting a code, but I also know that it means they’re doing something right, and I have less fear of it being overloaded while I’m using it. I submitted my request for a beta code and forgot all about it, as I often do. Today, I got my beta code in the mail and jumped right in.

What is chi.mp?
chi.mp touts itself as “the dashboard for your digital life”. That’s great, but what does that really mean? Any service I sign up for online should do one of three things for me: promote my brand/name/site, make me money, or save me time. This one falls into the “save me time” category, but it also fits into a fourth category. It gives me more control over who sees what.

For example, Rob and Anthony are surfing buddies of mine and I want to share with them my activity on surfersgonewild.com. However, I only want to show them and not, say, my family or my boss. With chi.mp I can label Rob and Anthony with the tag ‘surfers’ and then label my activity from surfersgonewild.com with the same tag. When Rob or Anthony visit my domain they will be able to see all my surfing escapades, but no one else will. I get to share my surfing side with my buddies but keep my professional persona intact for work purposes.

The only downside is that I have to give out the domain, but I’ll talk about portability below.

Let’s talk about the control
Frankly, I don’t care as much about the OpenID end of things. It’s nice that it remembers all my passwords, but I’m more interested in the control of information. I have a tech blog, but I like to talk about marketing, too, and I have two companies and a radio station and friends and family. Many of these contacts fall into multiple groups. I live my life somewhat transparently, so I don’t feel much of a need to “hide” information from my contacts, although I like that I can share my phone number only with people I tag, say, “phone-allowed”. The control chi.mp promises me is the ability to give contacts tags that I can then tie to permission to see certain things. I may only want to show my MySpace updates to people I tag “friend”, and my Twitter to people I tag “twitter”, but I may want to tag a few friends as “friend” and also as “twitter” and “phone-allowed”, so they can see my tweets, my MySpace updates, and call me if they like.

Will I use it and how?
I have spent a lot of time and effort branding the domain JoeTech.com, so to imagine pointing everyone elsewhere to keep up on my online life seems a bit counter-productive to my branding efforts. However, I’m already thinking of ways I can integrate it with JoeTech.com in a way that maintains my brand. But it’s not all just about other people getting the full effect of my web presence all in one place. It also helps me keep it all together.

I really like Chi.mp. The support (so far) has been great, the site just seems to work, and it’s very smooth.
