Ashley Madison Data Breach: Follow Up
DISCLAIMER: The purpose of this blog post is NOT to discuss the morality of Ashley Madison (AM)/Established Gentleman (EM)/Avid Life Media (ALM), the morality of extramarital affairs/cheating, the morality of “cheating” websites, or the morality of hacking/cyber-attacks. This is a post about the attack(s) and the subsequent dumps of several gigabytes (GB) of data.
As you have certainly seen if you’ve watched the news, been on the internet, interacted on social media, or read our blog, Ashley Madison was hacked one or more times between July and August 2015, using vulnerabilities dating back as far as 2012. The information of 37,000,000 users was released on the Dark Net and the CEO stepped down. There is speculation as to whether it was an inside job, an external attack, or a combination of the two with some hacktivism mixed in.
Lawsuit…err, the first of many more
Three “John Doe” anonymous Ashley Madison users are suing GoDaddy and Amazon in Arizona per Business Insider. “The lawsuit calls for $3 million in damages and losses. In addition to GoDaddy and Amazon (both of which are internet service providers or ISPs), the John Does are suing the actual operators of websites that allowed the public to search for Ashley Madison users’ personal information” (Business Insider, 2015).
While it seems far-fetched that someone could reasonably do this, it really is not, especially with the Digital Millennium Copyright Act of 1998 (DMCA) in play. This is the same legislation that Ashley Madison and Avid Life Media have used to keep the user database off the public internet.
Apparently, Impact Team wasn’t lying about the lack of security. According to The Register, “Gabor Szathmari, writes that the Ashley Madison source code ‘contains AWS tokens, database credentials, certificate private keys and other secret credentials.’” This is a major blunder in secure coding and in IT/cyber security in general. It is almost surreal that a company like Avid Life Media, running a site like Ashley Madison, which has to have known it is a target for moral hacktivists, would make such “rookie” mistakes in coding.
Szathmari goes on to say that he found passwords of 5 to 8 characters in length. Furthermore, they used only 2 of the 4 print types (character classes): UPPER case, lower case, Numb3r5, $ymbols. This is also a rookie error. I find it hard to believe that no one ever read and/or applied any best practices to the enterprise at Ashley Madison. A complex password for use in the US Federal Government must meet the criteria below:
- 15 characters
- Has 3 of the 4 print types
- Cannot be reused twice in a cycle of 24 passwords
- Expires every 60 days
- Cannot be changed more than once in a 24-hour period
- Cannot have more than 3 sequential characters
- Cannot contain anything to do with the user name or user’s name
- Has a lockout threshold of 3
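As an added example (not part of the original post), here is a Python validator that implements the policy list above: length, print types, reuse against the last 24 passwords, sequential-character runs, user-name content, the 60-day expiry, the 24-hour change interval and the lockout threshold of 3. Two points are this example's own interpretation rather than anything the policy text states: "sequential characters" is taken to mean a run of code points stepping by one (abcd, 4321), and the history check compares plaintext values where a real system would compare hashes.

```python
"""Password policy validator for the criteria listed above.
Added example: implements the list as stated, with the interpretations
noted in the comments where the wording leaves room."""
import re
from datetime import datetime, timedelta

MIN_LENGTH = 15
MIN_CLASSES = 3           # 3 of the 4 print types
HISTORY_DEPTH = 24        # no reuse within the last 24 passwords
MAX_AGE = timedelta(days=60)
MIN_CHANGE_INTERVAL = timedelta(hours=24)
MAX_SEQUENTIAL = 3        # no run of more than 3 sequential characters
LOCKOUT_THRESHOLD = 3     # failed attempts before lockout

CLASS_PATTERNS = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def character_classes(pw):
    """Set of the four print types present in pw."""
    return {name for name, pat in CLASS_PATTERNS.items() if pat.search(pw)}


def longest_sequential_run(pw):
    """Longest run whose code points step by +1 or -1 ('abcd', '4321').
    Assumption: this is what 'sequential characters' means in the policy."""
    best = 1
    for step in (1, -1):
        run = 1
        for prev, cur in zip(pw, pw[1:]):
            run = run + 1 if ord(cur) - ord(prev) == step else 1
            best = max(best, run)
    return best


def contains_identity(pw, username, real_name):
    """True if the user name or any part of the user's real name (3+ chars)
    appears in the password, case-insensitively."""
    low = pw.lower()
    tokens = [username] + real_name.split()
    return any(len(t) >= 3 and t.lower() in low for t in tokens)


def check_password(candidate, username, real_name, history):
    """Return a list of violated rules; an empty list means compliant.
    `history` holds the user's previous passwords, newest first. A real
    system would compare hashes here; plaintext keeps the example short."""
    violations = []
    if len(candidate) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if len(character_classes(candidate)) < MIN_CLASSES:
        violations.append(f"fewer than {MIN_CLASSES} of 4 print types")
    if candidate in history[:HISTORY_DEPTH]:
        violations.append(f"reused within last {HISTORY_DEPTH} passwords")
    if longest_sequential_run(candidate) > MAX_SEQUENTIAL:
        violations.append(f"more than {MAX_SEQUENTIAL} sequential characters")
    if contains_identity(candidate, username, real_name):
        violations.append("contains user name or user's name")
    return violations


def _dt(value):
    """Accept a datetime or an ISO-8601 string such as '2015-08-01'."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def password_expired(set_at, now):
    """60-day expiry."""
    return _dt(now) - _dt(set_at) >= MAX_AGE


def change_allowed(last_changed, now):
    """At most one change per 24-hour period."""
    return _dt(now) - _dt(last_changed) >= MIN_CHANGE_INTERVAL


class LockoutCounter:
    """Consecutive-failure counter with a lockout threshold of 3."""

    def __init__(self):
        self.failures = 0
        self.locked = False

    def record_failure(self):
        self.failures += 1
        self.locked = self.locked or self.failures >= LOCKOUT_THRESHOLD
        return self.locked

    def record_success(self):
        if not self.locked:          # a locked account needs an admin reset
            self.failures = 0
        return self.locked


if __name__ == "__main__":
    for pw in ("Summer2015!", "Abcdefgh1234567!", "Correct-Horse-Battery-9"):
        print(pw, "->", check_password(pw, "jdoe", "John Doe", []) or "OK")
```

The 5 to 8 character passwords with two print types that Szathmari describes fail the first two checks immediately; the stateful rules (history, expiry, change interval, lockout) are the ones a policy document lists but an application has to be engineered to enforce.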
Additionally, it was discovered that Twitter OAuth tokens, Amazon cloud API keys, and SSL certificate private keys were hard-coded into the source code. At this point, it almost seems like the programming team at Ashley Madison did everything contrary to security, OR they wanted something like this to happen, which seems counterproductive in my opinion. I also fault the PCI QSA that did the PCI audit for Ashley Madison. They should have found this and pointed it out during the outbrief. This is another point of negligence.
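To show what a code reviewer or auditor can do about the hard-coded credentials described above, here is an added Python example (not Szathmari's tooling and not anything from the leaked code base) that scans source text for the secret types the post names: AWS access key IDs, PEM private-key blocks and credential assignments. The sample files are constructed; the access key ID in them is the placeholder value from AWS's own documentation, and the assignment regex is a heuristic rather than a complete rule set.

```python
"""Scan source text for hard-coded credentials of the kinds named above.
Added example: a minimal detector, not the tooling Szathmari used and not
anything from the leaked code base."""
import re
from typing import NamedTuple


class Finding(NamedTuple):
    path: str
    line_no: int
    kind: str
    excerpt: str        # redacted, so the report itself does not leak the secret


# Secret types the post names. The AWS access key ID format (AKIA followed by
# 16 upper-case alphanumerics) is publicly documented; the PEM header is the
# standard private-key envelope; the assignment pattern is a heuristic for
# config-style lines such as $password = '...'.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("pem_private_key", re.compile(r"-----BEGIN (?:RSA |EC |DSA )?PRIVATE KEY-----")),
    ("credential_assignment",
     re.compile(r"(?i)(password|passwd|secret|token|api_key)\s*[:=]\s*['\"][^'\"]{4,}['\"]")),
]


def redact(excerpt):
    """Keep the first 4 characters of each quoted value, replace the rest."""
    return re.sub(r"(['\"])([^'\"]{4})[^'\"]*\1", r"\1\2...\1", excerpt)


def scan_text(path, text):
    """Return one Finding per (line, pattern) hit in a single file's text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            if pattern.search(line):
                findings.append(Finding(path, line_no, kind, redact(line.strip())))
    return findings


def scan_files(files):
    """files: mapping of path -> contents, e.g. read from a checked-out repo."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


# Constructed sample inputs (not real Ashley Madison code). The access key ID
# is the placeholder value used in AWS's own documentation.
SAMPLE_FILES = {
    "config/aws.php": '$awsKey = "AKIAIOSFODNN7EXAMPLE";\n$region = "us-east-1";\n',
    "config/db.php": "$dbPassword = 'hunter2hunter2';\n",
    "certs/site.key": "-----BEGIN RSA PRIVATE KEY-----\nMIIE(constructed)\n-----END RSA PRIVATE KEY-----\n",
    "lib/clean.php": "function ok() { return true; }\n",
}


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no} [{f.kind}] {f.excerpt}")
```

Run it as a pre-commit hook or in the build and the findings are exactly the items a QSA's outbrief should have listed; the redaction step matters because a scan report that reproduces the full key would itself be a new copy of the secret.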
Revelations about Users
The users were not “Security Experts” either </sarcasm>. According to TechCrunch, “after about two weeks running password cracking utility, hashcat, on the first million passwords from the Ashley Madison database of ~36 million bcrypt-hashed passwords, security firm Avast has been able to crack 25,393 unique hashes — out of which it says there were 1,064 unique passwords.” Here are the top 5:
Scams are Targeting Users
SC Magazine posted that “Cloudmark has been investigating a series of emails demanding 1.05 Bitcoin, or around $250 as of Friday, in exchange for not releasing Ashley Madison data to family and friends. The emails each include a unique Bitcoin address for payment.” We should have seen this coming. Criminals are criminals because they do not follow the law. There is nothing stopping them from using the Dark Net to find the users and attempt to blackmail or extort them. This is one basic reason why the US Department of Defense discourages users from using their official email addresses to register for non-work related sites and lists.
Another scam targeting Ashley Madison users involves a website – ashleymadison-repair[dot]com – that offers a data removal service. Do NOT attempt to use the aforementioned site. It IS A SCAM! Users can supposedly pay anywhere from $199 to $4,999 for a variety of specific services, but MailChannels – the outbound anti-spam and email delivery technology company that wrote about the scam – recommended not coughing up any money, according to SC Magazine.
I seriously hope that Gmail, Yahoo, Hotmail, and other mail vendors are stepping up to the plate and ensuring that Ashley Madison-related phishing signatures are added to their spam filters. Even people who never signed up for an Ashley Madison account could see turmoil in their lives if their spouses receive a phishing email claiming that they were on Ashley Madison. Perhaps this will become the next wave of cyber havoc.
Thanks for stopping by and reading our blog. We would appreciate it if you could subscribe (assuming you like what you read; we think you will). This is meant to be informative and to provide value to anyone who reads it, regardless of their knowledge and/or understanding of IT/cybersecurity. To learn more about us, check out our “About Us” page.