Ashley Madison Breach – Eight Takeaways for Security Professionals

Source: Bank Info Security

Warnings about new data breaches being discovered now appear to arrive daily, if not faster. But this week’s mega-dump of hacked Ashley Madison data shows how this hacking incident differs from run-of-the-mill data breaches in numerous ways (see Ashley Madison Hackers Dump Stolen Data).

For starters, the self-described “world’s leading married dating service for discreet encounters” had a user base composed – at least in part – of people who apparently trusted the site’s security features to obscure their affair-seeking intentions. That means that if the site’s security failed, those customers were at risk of seeing not just their personally identifiable information made public, but also their clandestine activities.

When it comes to bigger-picture information security questions, the breach highlights both the counterintuitive psychological assumptions that users around the world often make – ironically trusting the promises of a site dedicated to facilitating adulterous activity, for example – as well as the technological challenge facing any organization that attempts to safeguard information stored in digital form.

To say that the breach offers lessons for anyone who is attempting to stay secure online, and any organization that is charged with protecting sensitive data – especially about its employees and customers – would be an understatement.

Here are eight key information security takeaways:

1. Beware of Hacktivist Vigilantism

Businesses that operate in ethically gray areas should ensure they number hacktivists among their concerns. Indeed, the group known as “Impact Team” has suggested that it hacked Ashley Madison because it profits “off the pain of others,” and has issued a loose warning to others to beware of its hacktivist-type vigilantism. “We are not opportunistic kids with DDoS or SQLi scanners or defacements. We are dedicated, focused, skilled, and we’re never going away,” Hacking Team says in a “readme.txt” file included with the data dump, which was obtained and reviewed by Information Security Media Group: “If you profit off the pain of others, whatever it takes, we will completely own you.”

2. Cataloging Risks Is Not Enough

Ashley Madison appears to have done some proper security preparation. For example, security experts say that the site – unlike too many others – was storing its passwords using the bcrypt password-hashing algorithm, which was a good security move.

The company had also examined potential threats it might face. The leaked Ashley Madison data, which was released as a compressed 10 GB file distributed via BitTorrent, includes a file called “Areas of concern – customer data.docx.” The areas of concern cover data leak and theft issues; disclosure, legal and compliance; and system availability and integrity concerns. Legal issues – listed first – include “a data leak resulting in a class action lawsuit against us,” while data leak issues include “exposing customer data via SQL injection vulnerability in the application code.”

The Impact Team has not revealed how it hacked into Ashley Madison’s systems. But clearly, the security measures put in place by Avid Life Media, the site’s parent company, were inadequate.

3. It’s Time to Use OPSEC

More than 30 million of the site’s users appear to have had the usernames and email addresses that they used to sign up to the site leaked. Other information contained in the data dump in some cases includes credit card billing addresses, as well as GPS coordinates and what the hackers bill as “very embarrassing personal information … including sexual fantasies and more.”

One fact that has caught many security experts by surprise is that, based on samples of the data, many of the site’s users do appear to have used legitimate details, and thus did not practice what’s known as “operations security,” or OPSEC: the practice of keeping sensitive information secure from an adversary, such as by employing compartmentalization techniques. Examples of OPSEC include using bitcoins to mask criminal proceeds, or, in the case of Ashley Madison users, employing an email address used only for that site, as well as prepaid credit cards that could not be easily traced back to them.

“Everyone that had something to hide (i.e. on Ashley Madison) is currently learning they needed OPSEC,” the security expert known as the Grugq tweeted after the Ashley Madison hack became public.

4. The Risks to Employers Are Real

Another breach detail that caught security experts by surprise is the fact that many Ashley Madison users appeared to use their real emails, which tie to various governments, military agencies and financial institutions, among others, says Stephen Coty, who’s reviewed the leaked Ashley Madison data and found that it includes personal details on more than 14,000 government officials from around the world.

From a corporate standpoint, furthermore, using real email addresses could make it easy for scammers to shake down victims. “Companies that have people that used those corporate email addresses to sign up for these accounts really [are] at risk,” Coty says.

Alert Logic’s Stephen Coty details concerns over corporate email addresses appearing in the Ashley Madison data dump.

5. Leaked Data May Be Faked

Still, just because an email address or name appears in the Ashley Madison dump does not mean that either is legitimate, security researcher Per Thorsheim – the founder and main organizer of Passwordscon, a conference about passwords and digital authentication – says in a blog post.

“Ashley Madison didn’t do any kind of email [or] ownership verification for new accounts,” he says. In other words, users needed only the user credentials – username and password – they provided when creating an account to access the site, but did not need to have provided a valid email address.

6. Breach Victims Face More Risks

But many of the accounts do appear to include legitimate information, and attacks against alleged breach victims apparently are already beginning. “It was bound to happen and it will be multi-faceted; blackmail, general abuse and in one case I saw today, a dedicated Twitter account set up to name and shame individuals within a very localized region,” says security expert and “Have I Been Pwned?” developer Troy Hunt in a column. “With the rate this data has spread, we can only expect more of the same in the days and weeks to come.”

That new Twitter account was @KentuckyAMleak, which promised to continue outing Kentuckians whose information appeared in the dump. The account has since been suspended.

7. Preventive Action Is Needed

But corporate and government employees, and senior leaders, may also now be at risk from shakedown artists if their details are contained in the dump. So information security teams need to review the dumped data to attempt to prevent it from having any business impact, says Rick Holland, a Forrester Research analyst. “I’d be looking through the Ashley Madison data – looking for employees that could be extorted/blackmailed,” says Holland via Twitter. “Same thing I’d do for any employee who was dox’d. Increase monitoring. [Probably] would work with HR to help navigate it as well.”

8. Not Just Dating Sites Are at Risk

The Ashley Madison breach is a reminder that if information is being stored in digital format, and someone wants it badly enough, then it’s possible that intruders have already gotten a copy of it. Consider the U.S. Office of Personnel Management breach, which demonstrates how 21.5 million U.S. government employees and contractors’ sensitive background-investigation records can be stolen.

“You can bet China is fusing [Ashley Madison] with their OPM data for even more context,” Forrester’s Holland says.

Furthermore, while the United States may bear the brunt of much of today’s data breach news – thanks in part to U.S. breach notification requirements requiring many breaches to be publicly disclosed – this type of hack, and the accompanying risks, could be perpetrated against customers of any site, anywhere in the world.

 
