Cybersecurity , Risk Management

Ashley Madison Fallout: 8 Security Takeaways

Are Organizations Prepared for Hacktivism and Extortion Risks?
Ashley Madison Fallout: 8 Security Takeaways

Warnings about new data breaches being discovered now appear to arrive daily, if not faster. But this week's mega-dump of hacked Ashley Madison data shows how this hacking incident differs from run-of-the-mill data breaches in numerous ways (see Ashley Madison Hackers Dump Stolen Data).

See Also: Hide & Sneak: Defeat Threat Actors Lurking within Your SSL Traffic

For starters, the self-described "world's leading married dating service for discrete encounters" had a user base composed - at least in part - of people who apparently trusted the site's security features to obscure their affair-seeking intentions. Meaning that if the site's security failed, those customers were at risk of not just seeing their personally identifiable information get made public, but also their clandestine activities.

When it comes to bigger-picture information security questions, the breach highlights both the counterintuitive psychological assumptions that users around the world often make - ironically trusting the promises of a site dedicated to facilitating adulterous activity, for example - as well as the technological challenge facing any organization that attempts to safeguard information stored in digital form.

To say that the breach offers lessons for anyone who is attempting to stay secure online, and any organization that is charged with protecting sensitive data - especially about its employees and customers - would be an understatement.

Here are eight key information security takeaways:

1. Beware of Hacktivist Vigilantism

Businesses that operate in ethically gray areas should ensure they number hacktivists among their concerns. Indeed, the group known as "Impact Team" has suggested that it hacked Ashley Madison because it profits "off the pain of others," and has issued a loose warning to others to beware of its hacktivist-type vigilantism. "We are not opportunistic kids with DDoS or SQLi scanners or defacements. We are dedicated, focused, skilled, and we're never going away," Impact Team says in a "readme.txt" file included with the data dump, which was obtained and reviewed by Information Security Media Group: "If you profit off the pain of others, whatever it takes, we will completely own you."

2. Cataloging Risks Is Not Enough

Ashley Madison appears to have done some proper security preparation. For example, security experts say that the site - unlike too many others - was storing its passwords using the bcrypt password-hashing algorithm, which was a good security move.

The company had also examined potential threats it might face. Based on a review of the leaked data from Ashley Madison, which was distributed via a compressed 10 GB file distributed via BitTorrent, one of the included files is called "Areas of concern - customer data.docx." The areas of concern cover data leak and theft issues; disclosure, legal and compliance; and system availability and integrity concerns. Legal issues - listed first - include "a data leak resulting in a class action lawsuit against us," while data leak issues include "exposing customer data via SQL injection vulnerability in the application code."

The Impact Team has not revealed how it hacked into Ashley Madison's systems. But clearly, the security measures put in place by Avid Life Media, the site's parent company, were inadequate.

3. It's Time to Use OPSEC

More than 30 million of the site's users appear to have had the usernames and email addresses that they used to sign up to the site leaked. Other information contained in the data dump in some cases includes credit card billing addresses, as well as GPS coordinates and what the hackers bill as "very embarrassing personal information ... including sexual fantasies and more."

One fact that has caught many security experts by surprise is that, based on samples of the data, many of the site's users do appear to have used legitimate details, and thus not practiced what's known as "operations security," or OPSEC, which refers to the practice of how best to keep sensitive information secure from an adversary, such as by employing compartmentalization techniques. Examples of OPSEC include using bitcoins to mask criminal proceeds, plus Ashley Madison users who employed an email address used only for that site, as well as prepaid credit cards that could not be easily traced back to them.

"Everyone that had something to hide (i.e. on Ashley Madison) is currently learning they needed OPSEC," the security expert known as the Grugq tweeted after the Ashley Madison hack became public.

4. The Risks to Employers Are Real

Another breach detail that caught security experts by surprise is the fact that many Ashley Madison users appeared to use their real emails, which tie to various governments, military agencies and financial institutions, among others, says Stephen Coty, who's reviewed the leaked Ashley Madison data and found that it includes personal details on more than 14,000 government officials from around the world.

From a corporate standpoint, furthermore, using real email addresses could make it easy for scammers to shake down victims. "Companies that have people that used those corporate email addresses to sign up for these accounts really [are] at risk," Coty says.

Alert Logic's Stephen Coty details concerns over corporate email addresses appearing in the Ashley Madison data dump.

5. Leaked Data May Be Faked

Still, just because an email address or name appears in the Ashley Madison dump does not mean that either are legitimate, security researcher Per Thorsheim - the founder and main organizer of Passwordscon, a conference about passwords and digital authentication - says in a blog post.

"Ashley Madison didn't do any kind of email [or] ownership verification for new accounts," he says. In other words, users needed only the user credentials - username and password - they provided when creating an account to access the site, but did not need to have provided a valid email address.

6. Breach Victims Face More Risks

But many of the accounts do appear to include legitimate information, and attacks against alleged breach victims apparently are already beginning. "It was bound to happen and it will be multi-faceted; blackmail, general abuse and in one case I saw today, a dedicated Twitter account set up to name and shame individuals within a very localized region," says security expert and "Have I Been Pwned?" developer Troy Hunt in a column. "With the rate this data has spread, we can only expect more of the same in the days and weeks to come."

That new Twitter account was @KentuckyAMleak, which promised to continue outing Kentuckians whose information appeared in the dump. The account has since been suspended.

7. Preventive Action Is Needed

But corporate and government employees, and senior leaders, may also now be at risk from shakedown artists if their details are contained in the dump. So information security teams need to review the dumped data to attempt to prevent it from having any business impact, says Rick Holland, a Forrester Research analyst. "I'd be looking through the Ashley Madison data - looking for employees that could be extorted/blackmailed," says Holland via Twitter. "Same thing I'd do for any employee who was dox'd. Increase monitoring. [Probably] would work with HR to help navigate it as well."

8. Not Just Dating Sites Are at Risk

The Ashley Madison breach is a reminder that if information is being stored in digital format, and someone wants it badly enough, then it's possible that intruders have already gotten a copy of it. Consider the U.S. Office of Personnel Management breach, which demonstrates how 21.5 million U.S. government employees and contractors' sensitive background-investigation records can be stolen.

"You can bet China is fusing [Ashley Madison] with their OPM data for even more context," Forrester's Holland says.

Furthermore, while the United States may bear the brunt of much of today's data breach news - thanks in part to U.S. breach notification requirements requiring many breaches to be publicly disclosed - this type of hack, and the accompanying risks, could be perpetrated against customers of any site, anywhere in the world.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network