In less than a few hours, a worm written by the blog trolling alliance GNAA (no, we’re not telling you what that acronym stands for… click the link if you like) managed to compromise almost 10,000 Tumblr blogs, including many run by major news outlets like Reuters, CNN, and others, forcing reblogs on some pretty offensive content.
How did it happen?
Worms are self-sustaining programs that can travel independently alongside a computer network. In other words, unlike a computer virus, a worm doesn’t need to attach itself to a particular program but acts as a program in and of itself. This particular worm, however, embedded itself into individual blog pages, forcing anyone who visited those pages to reblog a hateful message from GNAA.
Why is it important?
This story stands out because “important” tumblr blogs such as Reuters’ official page were compromised. Fortunately, no real damage was caused (ie. nothing as serious as credit card numbers being stolen) and if it weren’t for several big-name brands like Reuters having been affected, this story would have earned about as much traction as a friend’s Facebook page getting hacked — in other words, none at all.
What should I take away from this?
- Remember to set all your Internet properties to the highest level of security. Most blogs would have remained uncompromised if users had simply remembered to log out of Tumblr when they weren’t actively using it. This should also serve as a reminder about the importance of good, strong, difficult-to-guess passwords: 20+ character passwords will likely confound hackers attempting to upload these worms. Can’t remember a password that strong? Programs such as 1Password offer easy, low cost, high security solutions that not only generate complex, unguessable passwords, but are designed to give you quick access to them as you browse the web.
- Have an emergency plan. Users were lucky that the GNAA was simply a group of professional web trolls and not, say, the Russian hackers who compromised LinkedIn. A malicious, data compromising attack is certainly not out of the realm of possibility. Build a plan of what to do if your personal data or company information is hacked. That way, if the worst comes to worst, you are prepared.