Personal Opinion: Ashley Madison Hack

Since 3 years have gone by already, the following is my personal opinion on the infamous Ashley Madison Hack of 2015. Many families were affected by this hack as well. Therefore, I will attempt to be a bit more sensitive with this post.

Background

Ashley Madison is an online dating service that encourages its users to cheat on their significant others. Ashley Madison is owned by Ruby, formerly known as Avid Life Media. Their slogan is “Life’s short, have an affair”. Founded in 2002, Ashley Madison claims to be “the world’s largest online Social Networking Community of its kind”. The service was reported to have more than 37 million users around the world.

The Hack

The Ashley Madison hack occurred in July 2015 and exposed millions of users’ personal information to the general public. Responsibility for the hack was claimed by “The Impact Group”, who had previously warned Ashley Madison to shut down its operations and its business. Impact Group’s grievance with Ashley Madison concerned its policy of holding on to user information: when someone deleted an Ashley Madison account, their information was still retained in the company’s systems, and Ashley Madison charged a fee for the deletion of account information. Many people were also apprehensive because they did not want to be publicly shamed if the information became public. Ashley Madison, however, claimed to have strong security on its website. Impact Group, working under a hacktivist ideology at the time, claimed that the security on the Ashley Madison website was weak and that, as a result, they were able to steal and release personal information such as names, search histories and credit card numbers.

The first release of information occurred on August 8, 2016 and another on August 20th. On August 21st, Impact Team distributed the emails of Avid Life CEO Noel Biderman to the public. About a week later, Biderman stepped down as CEO of the company. This release of information caused a chain reaction in the community. To begin, websites across the internet started publishing the names and creating ways for spouses to check whether their significant other had played any role on the website. In addition, extortion emails ensued, requesting bitcoins to prevent information from being shared with spouses. Moreover, clinical psychologists argued that the public release of this information increased distress among children and spouses. Suicides in relation to the hack began to be reported. Overall, more than 25 gigabytes of data were released to the public, causing many to feel that they had been publicly shamed. All the information was released over BitTorrent.

What is known and what was not known?

There has been no evidence that Impact Group used a software vulnerability to breach Ashley Madison. However, vulnerability tests that were conducted revealed that the passwords on Ashley Madison were hashed with the bcrypt algorithm. It was found that about 4000 passwords were easy to crack, and the most common ones were “123456” or “password”. Due to a coding error involving bcrypt and MD5, 11 million passwords were eventually cracked.

How did they publicly respond?

On July 20th, Ashley Madison published three press statements under the media section of its website addressing the breach. Here is one of the statements:

“At this time, we have been able to secure our sites, and close the unauthorized access points. We are working with law enforcement agencies, which are investigating this criminal act. Any and all parties responsible for this act of cyber-terrorism will be held responsible. Using the Digital Millennium Copyright Act (DMCA), our team has now successfully removed the posts related to this incident as well as all Personally Identifiable Information (PII) about our users published online.” – Avid Life Media, 2015.

In addition to the statement, Ashley Madison agreed to waive its fee for deleting an account. Avid also released a statement claiming that Impact Group was not a hacktivist group but criminals.

Assessing Threats and Vulnerabilities

If I were asked to assess and monitor the vulnerabilities at Ashley Madison, I would take several approaches. First, operational techniques and active testing such as penetration testing, together with ongoing passive vulnerability assessments, would be the top priority on my list. A penetration test would have revealed that Ashley Madison had many XSS/CSRF vulnerabilities that could allow attackers to inject malicious code into the website and gain access to many usernames and passwords.

In terms of passive testing, I would conduct frequent vulnerability scans, since it was made public that Ashley Madison did not monitor its website. This is important because it was reported that Ashley Madison had only a segmented network as its layer of defense. In fact, this was confirmed by Impact Team, who “worked hard to make fully undetectable attack, then got in and found nothing to bypass….Nobody was watching. No security.” As well, these accounts were easily crackable because, as mentioned above, Ashley Madison only started using bcrypt to hash passwords after June 2012. Accounts created before then were hashed with MD5, and these legacy accounts were never migrated to the new scheme, which left a vulnerability.
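As an added example (not Ashley Madison’s code and not the bcrypt library itself), the following Python shows how the legacy-hash problem described here and in the password section above is handled in practice: verify a login against the old unsalted MD5 record and, on success, transparently rehash into the strong scheme, while reporting which accounts still hold a legacy record. The standard library’s PBKDF2-HMAC stands in for bcrypt so the block runs without extra packages; the record format (`scheme$…`) is an assumption of this example.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed example. PBKDF2-HMAC-SHA256 from the standard library stands in
# for bcrypt; the "scheme$fields" record layout is an assumption of this demo.
PBKDF2_ITERATIONS = 200_000


def legacy_md5(password: str) -> str:
    """Unsalted MD5 record of the kind the legacy accounts used (weak, fast to crack)."""
    return "md5$" + hashlib.md5(password.encode()).hexdigest()


def strong_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated record: the scheme every account should end up in."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_and_upgrade(stored: str, password: str) -> Tuple[bool, str]:
    """Check a password against its stored record.

    Returns (ok, record_to_store). For a legacy MD5 record that verifies, the
    returned record is already in the strong scheme, so the caller migrates the
    account at login time instead of leaving it on MD5 indefinitely.
    """
    scheme, *parts = stored.split("$")
    if scheme == "md5":
        ok = hmac.compare_digest(legacy_md5(password), stored)
        return ok, (strong_hash(password) if ok else stored)
    if scheme == "pbkdf2":
        iters, salt_hex, dk_hex = parts
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex), stored
    raise ValueError(f"unknown password scheme: {scheme}")


def legacy_accounts(records: Dict[str, str]) -> List[str]:
    """Users still on MD5 who have not logged in since the change; these
    should be forced through a reset rather than left until they happen to log in."""
    return [user for user, rec in records.items() if rec.startswith("md5$")]
```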

Ashley Madison needs active and passive ongoing assessments of its risks, as well as project-based assessments whenever new software, technology or a third-party service is implemented. Project-based assessments are approached with a specific end point in mind. Now that Ashley Madison has been all over the news for being hacked, with its vulnerabilities public, it should always be watching its back. Ashley Madison can benefit from taking a FRAAP approach to project-based assessments. Not only is the FRAAP approach an accelerator for assessments, it can also facilitate teamwork and communication.

In terms of third-party assessments, it is always important to assess the security of any third party the organization is trusting. For this type of assessment, I would look for a certification held by that third party that shows its commitment to security. An ISO 27001 or SAS 70 Type II certification would be enough to show that they value security enough for us to trust them. Ashley Madison cannot afford to take any more risks.

Personal Thoughts

First, a large number of records were pilfered from the database. Ashley Madison should follow the principle of least privilege, which we learned about in class. This would mean that no user has permission to dump a large amount of information from the database, because no one should ever need to.

Other sources of attack could have been a SQL injection or a disgruntled former employee. In fact, the CEO, Biderman, initially thought it was the latter, stating “We’re on the doorstep of [confirming] who we believe is the culprit,…I’ve got their profile right in front of me, all their work credentials. It was definitely a person here that was not an employee but certainly had touched our technical services.” I see this as a CEO who is not aware of his own company’s flaws in information security. To me, this statement serves to let the general public know that they have it figured out, when instead they have no idea what has occurred.

What is being done now?

In terms of the technical actions being taken, it was reported that Ashley Madison has been auditing its source code for vulnerabilities and backdoors. It was also reported that all aspects of its network and server environment are now being thoroughly reviewed to determine how they may be hardened further, and that the amount and granularity of monitoring is being increased in order to detect and handle any anomaly as soon as possible. These are positive steps to be taking in light of such a devastating breach to its community. Not only does Ashley Madison have to protect its assets, it also has to heal its public image, so that it can substantiate its claim of having a very secure website.
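The two ideas in this post that bear directly on the bulk dump of records, least privilege (Personal Thoughts above) and finer-grained monitoring (this section), can be applied at the data-access layer. The following Python is an added example, not Ashley Madison’s code: a gate in front of the database gives each role only the row budget its job needs within a time window, trims any request beyond it, and records an alert so that a principal reaching for far more data than usual is noticed rather than silently served. Role names and budgets are constructed for the demo.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed example. Each role gets the smallest per-window row budget its
# job needs (least privilege); every read is recorded and an alert is raised
# when a request would exceed that budget (monitoring for bulk access).
ROW_BUDGET = {"support": 50, "billing": 200, "reporting": 5_000}
WINDOW_SECONDS = 300


class QueryGate:
    def __init__(self) -> None:
        # user -> [(timestamp, rows actually returned)]
        self.reads: Dict[str, List[Tuple[int, int]]] = defaultdict(list)
        self.alerts: List[str] = []

    def rows_in_window(self, user: str, now: int) -> int:
        """Rows this user has already received in the current sliding window."""
        return sum(rows for ts, rows in self.reads[user] if now - ts < WINDOW_SECONDS)

    def fetch(self, user: str, role: str, requested_rows: int, now: int) -> int:
        """Return how many rows the caller may actually receive.

        Requests are trimmed to the remaining budget; an unknown role gets
        nothing. Any trimmed request is logged as an alert for the SOC.
        """
        budget = ROW_BUDGET.get(role, 0)
        remaining = budget - self.rows_in_window(user, now)
        allowed = max(0, min(requested_rows, remaining))
        self.reads[user].append((now, allowed))
        if requested_rows > allowed:
            self.alerts.append(
                f"t={now} {user} ({role}) requested {requested_rows} rows, "
                f"allowed {allowed}; budget {budget}/{WINDOW_SECONDS}s"
            )
        return allowed
```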