Holy Shit! My Favorite Site Got Hacked! Part 1

Editor’s Note: This spot is normally reserved for our retro recaps, today’s Firefly recap can be found on Wednesday in this time slot, and the West Wing recap that’s been traded with it will appear later on today.  In the meantime, here’s part one of Jordan’s new (very timely) series on removing the mystery from hackers.  ~Ophelia

Welcome to part 1 of my series of blogs on hacking.

Seeing popular and favorite websites get hacked is a recurring sight on the web: reports of millions of user accounts being compromised, passwords and emails stolen, personal data now in the hands of thieves. Well, despite the alarmist tone of the news, it’s not as dangerous as losing your wallet in the street. In fact, most of the time these events are quickly forgotten by both users and website admins, which isn’t always a good thing.

First, no good website keeps its users’ passwords in plaintext in its database. Usually it only keeps a hash of the user’s password. You might be wondering what a hash is. Well, it’s just gibberish to the common eye. A hash is a fixed-length string of seemingly random characters produced from a string of text by a math function. The function needs to have specific properties: the same string of text will always return the same value, two different strings of text should not return the same result (no collisions), and finally you can’t find the original string of text by knowing the function’s algorithm. A well-known example of a hash function is MD5, although it has now been shown to not be “collision resistant”, which means that two different strings of text could return the same value or hash. By doing this, the database never contains the real password, only the hash, and hackers won’t be able to reverse the hashes to find your password. So you actually can’t get your password stolen, if the web admin and website designers knew what they were doing. It should be web 101… When passwords are ‘cracked’ by hackers, like in this weekend’s shitstorm on Gawker, they’ve been guessed by a program trying a series of possible passwords against each username’s hash.
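The three properties above and the guessing program the post describes, as an added example that is not part of the original post: a fast unsalted MD5 makes candidate-by-candidate guessing cheap, while a random per-user salt and a slow derivation (PBKDF2 here, an assumed choice) make the same leaked table far less useful. The sample password and wordlist are constructed.

```python
import hashlib
import hmac
import os

def md5_hex(text: str) -> str:
    """Unsalted MD5 of a string, the kind of hash the post describes a site storing."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def is_deterministic(text: str) -> bool:
    """Property 1: the same input always yields the same hash."""
    return md5_hex(text) == md5_hex(text)

def guess_from_wordlist(target_hex: str, wordlist) -> "str | None":
    """The 'program trying a series of possible passwords' from the post:
    hash each candidate and compare. A fast, unsalted hash makes this cheap.
    Returns the matching candidate, or None if no guess matched."""
    for candidate in wordlist:
        if hmac.compare_digest(md5_hex(candidate), target_hex):
            return candidate
    return None

def hash_password(password: str, salt: bytes = None, iterations: int = 100_000) -> str:
    """Hardened form: a random per-user salt plus a deliberately slow
    PBKDF2-SHA256 derivation. Stored as 'salt_hex$iterations$dk_hex'."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{salt.hex()}${iterations}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    salt_hex, iters, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

if __name__ == "__main__":
    # Constructed sample: a leaked unsalted MD5 and a tiny wordlist.
    leaked = md5_hex("letmein")
    print("guessed:", guess_from_wordlist(leaked, ["123456", "password", "letmein"]))
    stored = hash_password("letmein")
    # Same password for two users gives two different records because of the salt.
    print("records differ:", stored != hash_password("letmein"))
    print("verify ok:", verify_password("letmein", stored))
```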

Second, usernames are almost useless. I said almost… unless the hacker knows you go to a lot of specific websites, which means that you are already compromised, which means you might want to clean your computer, run a few anti-virus and malware apps ASAP and maybe unplug that internet cable. The only use of a username is for accessing other websites, because the username is half of the security you have when you log in, the other half being the password. With a username the hacker has half the job done to crack a specific credential, but they need to know that you use a specific website first.

Third, the email. That one hurts a bit more. A) Expect spam, lots of it. B) Change your email password fast. Like the username, it’s half the credential, but in this case it’s easy to know where to use it and whom to contact to claim that “you” forgot your password to access the email box. One of my friends got his email box hacked a few years ago; it was a pain to get it back. Also, hacked email boxes don’t obviously look compromised, and they are usually used to get passwords reset on other websites. These days hackers prefer to keep the hacking of an email box secret: there is too much value in reading somebody else’s mail to risk being detected accessing their email box.

Finally, personal data. The security risk depends on the website. A website where you actually spent money, ordered something and that keeps credit card information will be a bigger risk than an obscure forum where you entered random information in all the fields. While websites usually have security measures on par with the information they keep, they aren’t infallible. Also, nowadays websites that accept credit cards don’t keep all the information about the card (expiry dates, security number, etc.), making it harder for a hacker to do anything with the number. Still, getting personal information stolen makes it easier for someone to use your ID in real life for other things. When possible use fake information, and don’t save the information you don’t want to be saved.

Next time I will talk about the types of hacking and give a few tips to protect oneself on the web.

Image Credit of kitty about to hack your network from Flickr

3 replies on “Holy Shit! My Favorite Site Got Hacked! Part 1”

Last night got a lot more interesting when I randomly checked STFUJezzies, saw stuff about Gawker getting hacked, downloaded the Pirate Bay torrent, and found my username and email on there (thankfully they didn’t crack the password). So, because I am anal, I then went and changed passwords to basically every website I use, from banking to ebay to PayPal, and if Gawker allows users to delete accounts, I might very well do that, since I rarely comment there anymore.

To what extent do you think Gawker could have prevented this from happening? Was their encryption weak, or was this inevitable once they pissed off the right crowd of people?

Oh, one last note: I’m really disappointed that my email address was in their database at all, because I had never attached it to my account. I first signed up years ago, and I can’t quite remember, but an email address may have been required then, who knows. It would have been nice to have been able to opt out of that…

I don’t know Gawker’s setup (and I didn’t research it), but most website hacks happen because of exploits (known weaknesses). I would guess Gawker experienced an SQL injection hack (SQL is the language used to query a database). This means the hacker used a specific SQL request through a website exploit, got access to Gawker’s database and succeeded in downloading all the information they wanted. The best protection here is to stay up to date on security fixes for your software and monitor access to the database. Although, when you piss off the wrong crowd, everything is possible. It’s no different than somebody looking through your trash (in real life) to steal personal information. Only time matters to get that small little piece of info that will allow a good hacker to get through the system’s security.

Email addresses are unfortunately often used to validate that a registration is a valid one (that you are not a bot). So it probably required an email since the beginning. I never registered on any Gawker websites, though…
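The SQL injection guess in the reply above, as an added example that is not part of the post or the comments and says nothing about how Gawker was actually built: a lookup that pastes user input into the query beside the parameterised form, plus a crude log-side check. The in-memory user table and the hostile input are constructed.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a site's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "alice@example.com", "hash-a"),
        ("bob", "bob@example.com", "hash-b"),
    ])
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Builds the query by string concatenation, so the user-supplied value
    can change the SQL itself: a 'specific SQL request through a website exploit'."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Parameterised query: the value is bound as data and never parsed as SQL."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def looks_like_injection(username: str) -> bool:
    """Cheap detection hint for request logs: quote or comment characters in a
    field that should only hold a plain username. A monitoring aid, not a fix."""
    return any(token in username for token in ("'", "--", "/*", ";"))

if __name__ == "__main__":
    conn = make_db()
    tautology = "x' OR '1'='1"   # constructed hostile input
    print("vulnerable:", lookup_vulnerable(conn, tautology))  # every row leaks
    print("safe:", lookup_safe(conn, tautology))              # no such user
    print("flagged:", looks_like_injection(tautology))
```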
