Wednesday, December 15, 2010

DO NOT Poke the Bear

ThreatPost was kind enough to allow me to guest post on their blog about some thoughts on the Gawker hack. A snippet is below, click through for the rest.

Lessons Learned From the Gawker Hack
"Everyone sounded the alarms at the
Gawker Media attack, which included a security breach of websites such as Gizmodo, Lifehacker, Kotaku, io9, and others. The numbers were impressive: 1.3 million user accounts exposed, 405 megabytes of source code lost, and perhaps more important to some, the identity of those leaving anonymous comments potentially revealed. For Gawker, there is a loss of trust that will be difficult to regain. Users are already clamoring for the ability to delete their accounts. And, on the technical side, all Gawker’s systems will need to painstakingly audited or rebuilt entirely from scratch to prevent the same thing from happening again. Happy Holidays indeed.So, what is to be learned from this perfect storm of bluster and bravado? Many lessons, most of them demonstrating what not to do.

1. First and foremost, DO NOT poke the bear. By taunting the hacker community, especially the vigilante types, Gawker made itself a target unnecessarily. Never claim to be “unhackable.” The hackers outnumber you by several orders of magnitude, and they have more free time. Respect their capabilities. Not to mention the odds are always stacked against defenders. The attackers only have to find one little crack in wall to bring the castle crumbling down."


No comments: