Ashley Madison Breach: 6 LessonsCommit to Storing Less Data, Prepping for Breaches
The Ashley Madison online dating site promises: "Trusted Security Award. 100% Discreet Service. SSL Secure Site." But those promises don't appear to have been enough to prevent the site from falling victim to a hack attack (see Pro-Adultery Dating Site Hacked).
Hackers calling themselves Impact Team published a manifesto July 19 to text-sharing website Pastebin that calls on AshleyMadison.com parent company Avid Life Media to close two of its online dating sites or they will "dump" all of the data they've stolen. They also began leaking account information from some of Ashley Madison's members, which reportedly number more than 37 million, primarily in the United States and Canada.
The hack of Ashley Madison is a reminder that no website or personal information can be guaranteed to remain secure against determined attackers. So businesses and consumers must plan accordingly. Here are six takeaways:
1. Treat Customer Data As a Liability
Any site is a potential target for shakedown artists. That's why it pays to identify all sensitive information being stored and take every possible precaution to either safeguard it - or preferably avoid storing it at all.
"Ashley Madison is learning what more legitimate online services figured out a while ago: customer data is a liability, not an asset," says security expert and Johns Hopkins University cryptography professor Matthew Green via Twitter.
The Impact Team's manifesto notes: "Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers' secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails. The other websites may stay online," it adds, referring to Avid Life Media's "Cougar Life," "Swappernet" and "The Big and the Beautiful" sites.
2. Exfiltrated Data Easy to Leak
In response to that manifesto, Toronto-based Avid Life Media says in a statement that it has hired a third-party digital forensic investigation firm, called in Canadian law enforcement agencies to help investigate, and noted that it was hacked "despite investing in the latest privacy and security technologies."
But for users, such moves - or assurances - may be too little, too late. True, the Canadian company so far appears to have been getting leaked data rapidly expunged from text-sharing and file-sharing websites via a U.S. law. "Using the [U.S.] Digital Millennium Copyright Act, our team has now successfully removed the posts related to this incident as well as all personally identifiable information about our users published online," the company says.
But if the attackers do decide to dump all of the information, it will only be a matter of time before some of it becomes public. That's why for any organization that wants to avoid finding itself in Ashley Madison's shoes, "the first step that the organization needs to understand is that it's 'game over' when the data has left the company," says Noa Bar-Yosef, a vice president at data exfiltration prevention firm enSilo. "As long as the data is inside, it's not a 'game over.' So now consider, how do you secure the data so it doesn't leave the enterprise?"
3. Avoid Hyperbole, Seek Transparency
To its credit, Avid Life Media appeared to come clean quickly about the breach, and quickly confirmed to security blogger Brian Krebs - who broke the news of the incident - that the site had been hacked, and that the company suspected the breach was the work of someone with authorized access to its network.
But in its public pronouncements, the company has been less measured, for example by calling the attack an "act of cyber terrorism." Security experts, however, have been quick to slam that characterization. "Ashley, that's not what terrorism means," F-Secure chief research officer Mikko Hypponen says via Twitter.
Hyperbole smacks of desperation. Of course, the breach is inconvenient for Avid Life Media, which had announced plans to seek a $200 million initial public offering on the London Stock Exchange later this year. Furthermore, divorce attorneys are no doubt eager to see whether attackers will follow through on their promise to leak the details of a site created to help married people cheat, says information security consultant Brian Honan, who heads Ireland's computer emergency response team. But that hardly qualifies as terrorism.
@mikko tell that to the cheating spouses waiting for the data dump to happen :)" BrianHonan (@BrianHonan) July 21, 2015
4. Don't Charge Extra for Full Privacy
Impact Team claims in its manifesto that Avid Life Media's management misled customers about its "Full Delete" service, pitched to customers as a way to "remove all traces of your usage for only $19." Such a service begs the question of why a "discreet" site charged extra for customers to fully quit its service.
Furthermore, according to Impact Team's manifesto, "users almost always pay with a credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed." The hackers also published what they claimed was PII for a user who had paid for "paid delete," listing his name, address, and list of "fantasies" from his profile. And they claimed that all Full Delete users could also be so identified.
Avid Life Media, however, disputes that allegation. "Contrary to current media reports, and based on accusations posted online by a cybercriminal, the 'paid-delete' option offered by AshleyMadison.com does, in fact, remove all information related to a member's profile and communications activity," the company says in a July 20 statement. "The process involves a hard-delete of a requesting user's profile, including the removal of posted pictures and all messages sent to other system users' email boxes. This option was developed due to specific member requests for just such a service, and designed based on their feedback."
As a result of the breach, Ashley Madison also says it is now offering its Full Delete service to any of its members for free.
5. Safeguard Identity Information
But "the world's leading married dating service for discreet encounters" was hardly discreet with its customers' identities, warns security expert Troy Hunt, who runs the "Have I Been Pwned?" site - which offers to notify people, for free, if their email address appears in any online data dumps.
Hunt reports in a blog post that there was a flaw in the Ashley Madison website's password reset feature - which now appears to have been corrected - that could be used to reveal which email addresses were registered with the site.
Until July 20, whenever an email address got entered into the reset form, the site returned a screen that read: "Thank you for your forgotten password request. If that email address exists in our database, you will receive an email to that address shortly."
But after brief testing, Hunt had found that if the entered email address was invalid, the resulting screen would include a box, so a user could enter another email address. If the email address was valid, however, it displayed no such box. Accordingly, that feature could be abused to feed in emails and see if they had been registered with the site.
"So here's the lesson for anyone creating accounts on websites: always assume the presence of your account is discoverable," he says. "Judgment about the nature of these sites aside, members are entitled to their privacy. If you want a presence on sites that you don't want anyone else knowing about, use an email alias not traceable back to yourself or an entirely different account altogether."
6. Beware of Public Data Dumps
That advice is especially relevant because the Ashley Madison hack is just one attack and potential data dump among many, many more happening on a regular basis. Indeed, Hunt says usernames, emails and other PII continue to get regularly dumped to text-sharing sites such as Pastebin at a furious rate, after which his site automatically catalogs them and notifies any of the 126,000 people who have registered their email addresses with his service whenever there's a match.
"In the last three months, there have been 3.7 million email addresses retrieved from almost 6,000 pastes at a rate of more than 40,000 a day," Hunt reports. And those are just the addresses that attackers publicly reveal for some reason - it's doubtful that the average cybercrime or spam ring would bother publicly releasing that information, rather than continuing to hoard it for phishing or other attacks.
Can someone hack this site and send an e-mail to everyones spouse? http://www.ashleymadison.com/" Chad Ledford (@ChadLedford) March 10, 2010
Be careful what you wish for... https://t.co/CIYtBA7VAj" Troy Hunt (@troyhunt) July 21, 2015
"Never forget that our digital footprints are bigger than we think," networking security vendor Fortinet's Chris Dawson says in a blog post. "The latest social network is one hack away from delivering your personal information to the highest bidder."