Our Initial Presentation about the Ashley Madison Data Breach
DISCLAIMER: The purpose of this blog post is NOT to discuss the morality of Ashley Madison (AM)/Established Gentleman (EM)/Avid Life Media (ALM), the morality of extramarital affairs/cheating, the morality of “cheating” websites, or the morality of hacking/cyber-attacks. This is a post about the attack(s) and subsequent dumps of several Gigabytes (GB) of data.
Sequence of Events of Ashley Madison data breach
Per the welivesecurity blog (2015), the following sequence of events occurred:
The “Founding chief technology officer, Raja Bhatia, warned his colleagues that Ashley Madison (AM) and its parent company Avid Life Media (ALM) were at risk of being attacked (clearly not taking onboard best practice).”
Bhatia and CEO Biderman discussed hacking into another site, “Nerve,” an online magazine about casual dating, etc., per emails leaked by Impact Team. The purpose seems to have been reconnaissance to leverage a “partnership” between Nerve and Ashley Madison.
25 May 2015
Director of Security Mark Steele acknowledges that the site has numerous vulnerabilities, including XSS (Cross-Site Scripting), CSRF (Cross-Site Request Forgery) and SQL (Structured Query Language; database programming) Injection. Both XSS and CSRF attacks stem from coding practices that do not “sanitize” inputs or perform validation checks. They typically require something to help them along, such as phishing and/or social engineering. SQL Injection requires no assistance and is a common vector of attack in many data breaches.
12 July 2015
Employees are greeted with AC/DC’s Thunderstruck on their workstations; Impact Team makes it known that Avid Life Media (the parent company of Ashley Madison and Established Gentleman) has been breached. The threat of leak or doxxing is conveyed.
19 July 2015
The same message from 12 July is posted to pastebin by Impact Team. Impact Team then informs investigative Cybersecurity researcher Brian Krebs, who then posts the news publicly. Mr Biderman informed Mr Krebs that the company was “working diligently and feverishly” to take down ALM’s intellectual property.
20 July 2015
Avid Life Media publicly acknowledges they have been subject to an attack. They state that they have been able to restore security and are cooperating with law enforcement officials.
22 July 2015
The breach becomes more evident to the mainstream media. Impact Team releases the personal information of 2 men that were on the site.
18 August 2015
Impact Team releases the first round of data, which is approximately 10GB in size. Ashley Madison makes a public statement.
20 August 2015
Impact Team releases the second round of data, which is approximately 20GB in size. 30GB has been leaked thus far. This round of leaks also included some emails of ALM CEO Mr. Biderman.
21 August 2015
Impact Team says they were trying to be stealthy, but there were no security measures to defeat. It is revealed that 300GB of information was stolen in the breach. Impact Team says they will target other corrupt entities, such as companies making money off lies and politicians – officially identifying as “Hacktivists.”
24 August 2015
ALM offers a $500,000 (Canadian dollars; approximately $377,000 USD) bounty for catching the perpetrator(s).
28 August 2015
Per Wired, ALM CEO Biderman steps down.
Scope of Attack(s)
Based on the information that is publicly available on the internet, it appears that the entire user database (and all fields such as name, address, likes, dislikes, credit card information, etc.) as well as some sensitive internal documents were compromised.
Technical Details Known Thus Far
Based upon public disclosures from Impact Team, it appears that this was an attack conducted from the web, with few security measures in place to mitigate or prevent cyber attacks. This is somewhat corroborated by the discussion with the CTO and CEO in 2012, as they saw vulnerabilities introducing XSS, CSRF, and SQL Injection capabilities. Depending on the programming lifecycle at ALM, these could be the same vulnerabilities exploited in 2015.
What Others are Saying
In summary, McAfee believes it to be an “inside job” perpetrated by a woman. His rationale: “Very simply. I have spent my entire career in the analysis of cybersecurity breaches, and can recognise an inside job 100% of the time if given sufficient data – and 40GB is more than sufficient. I have also practiced social engineering since the word was first invented and I can very quickly identify gender if given enough emotionally charged words from an individual. The perpetrator’s two manifestos provided that. In short, here is how I went about it.
How did I discover that it was an inside job? From the data that was released, it was clear that the perpetrator had intimate knowledge of the technology stack of the company (all the programs being used). For example, the data contains actual MySQL database dumps. This is not just someone copying a table and making into a .csv file. Hackers rarely have full knowledge of the technology stack of a target.” (John McAfee’s statement in the International Business Times)
Here are his 5 points of discussion:
1. An office layout for the entire Ashley Madison offices. This would normally exist only in the office of personnel management, the maintenance department, and possibly a few other places. It would certainly not be in the centralised database. Neither would it be of much value to the average hacker.
2. Up to the minute organisation charts for every Avid Life division. This might be of value to certain hackers, but considering the hacker had already made off with everyone’s credit card info, billions of dollars worth of blackmail information, every private email of the CEO (fascinating, by the way), and everything else of value, it would seem odd to dig up the organisation charts as well.
3. A stock option agreement list, with signed contracts included. The hacker would have had to gain access to the private files of the CEO or the VP of Finance to obtain this material – a job requiring as much time to implement as a hack of the centralised database. Again, of what value would this be considering the hacker had already made off with potentially billions.
4. IP addresses and current status of every server owned by Avid Life – of which there were many hundreds scattered around the world. Why any hacker would trouble themselves with such a task, considering what was already taken, is mind boggling.
5. The raw source code for every program Ashley Madison ever wrote. This acquisition would be a monumental task for any hacker and, unless the hacker planned on competing with Ashley Madison, has no value whatsoever.
Our Analysis of the Ashley Madison data breach
This could easily be an insider attack. Our analysis leans more towards this being an “insider attack with some outside help.” This is not like the insider attacks and spillage from Bradley Manning and Edward Snowden. They released a lot of very harmful information, but that information was in the form of documents, not an entire database with 37 million (37,000,000) records! Someone, somewhere had to have observed the data egressing their enterprise, unless security was non-existent as Impact Team stated. Another plausible explanation with regards to this is that the Director of Security, while a real person, may have been significantly limited in oversight abilities. He may have not had the budget, manpower, or organizational authority to implement the proper security measures.
I think that this leans closest to the “disgruntled employee” scenario. Someone on the inside is angry or hurt about something and seeks help from the outside to get revenge. The insider may have had all the necessary access to plant malware to siphon the data over an encrypted channel out of ALM’s enterprise. The database breach itself can likely be attributed to a SQL Injection attack. Whether the injection came from inside or outside is moot at this point, since the data ended up in the same place.
Ultimately, I think this will lead other dating, hookup, and maybe even pornography sites to increase their security and make it a priority. Once they see how the public and the users are handling and responding to the breach, they will react as they see fit. While it shouldn’t have taken something like this to create the awareness, this is a positive step for the cybersecurity industry, as more companies are being breached and those that haven’t been do not want to be added to the list.
How the Ashley Madison data breach could have been prevented
A sound security program is almost as vital as the core business – it protects the core business, whatever it is. Defense in Depth should certainly be used because even the most advanced technical security solution has limitations and could fail at some point. People are the #1 way attackers get in. They spear phish, whale, social engineer, etc. the users based on weaknesses in human nature. People inherently want to help others. They want to answer questions from people that seem to need help. Some people are naive enough to click on anything; I certainly know a few. All it takes is an email promising them something they want and they’ll click and introduce whatever malware you wrap it with.
Assuming ALM and Ashley Madison had a security program, contrary to what Impact Team says, it seems as if someone – the insider John McAfee speaks of – had too much access. Organizations must implement segregation of duties and the principle of least privilege to effectively implement defense in depth. Giving everyone 100% administrative control over his or her workstation is the wrong answer. The organization will lose their secure software baseline (if they have one), no two machines will be the same, and there is no one to properly assess and vet the software installed.
Having a secure code review process would have minimized the XSS, CSRF, and SQL Injection vulnerabilities. Having a second set of eyes look at the code to ensure there aren’t any opportunities for exploitation based on what is trending today can go a long way. Sanitizing the inputs of anything is the first step. From here, an Intrusion Detection System (IDS) or Intrusion Detection and Prevention System (IDPS) in conjunction with a firewall, next generation firewall, and/or web application firewall could have detected and prevented the egress of the data. At a minimum, someone could have been notified.
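The “someone could have been notified” point, as an added example that is not part of the original post: a minimal egress-volume check that flags a host sending far more data to external destinations than its own baseline. The host names, thresholds and flow records are constructed for illustration.

```python
from collections import defaultdict
from statistics import median

MB, GB = 10**6, 10**9

# Constructed flow records: (day, internal source host, destination is external?, bytes sent)
FLOWS = [
    ("d1", "db01", True, 200 * MB), ("d1", "web01", True, 5 * GB),
    ("d2", "db01", True, 220 * MB), ("d2", "web01", True, 5 * GB),
    ("d3", "db01", True, 180 * MB), ("d3", "web01", True, 5 * GB),
    ("d4", "db01", True, 210 * MB), ("d4", "web01", True, 5 * GB),
    ("d4", "db01", False, 60 * GB),   # internal replication, not egress
    ("d5", "db01", True, 25 * GB), ("d5", "web01", True, 5 * GB),
    ("d5", "db01", True, 15 * GB),    # second large outbound transfer, same day
]

def daily_egress(flows):
    """Sum bytes sent to external destinations per (host, day)."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, src, external, nbytes in flows:
        if external:
            totals[src][day] += nbytes
    return totals

def egress_alerts(flows, factor=10, floor=1 * GB):
    """Flag host-days whose egress is at least `floor` and more than
    `factor` times the host's median egress on its other days."""
    alerts = []
    for src, days in daily_egress(flows).items():
        for day, total in sorted(days.items()):
            others = [v for d, v in days.items() if d != day]
            baseline = median(others) if others else 0
            if total >= floor and total > factor * baseline:
                alerts.append((src, day, total, baseline))
    return alerts

if __name__ == "__main__":
    for src, day, total, baseline in egress_alerts(FLOWS):
        print(f"ALERT {src} {day}: {total / GB:.1f} GB out, baseline {baseline / MB:.0f} MB")
```

The busy web server is not flagged because its volume matches its own history; the database host is flagged only on the day its outbound volume jumps well past its usual level.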
While it doesn’t seem as if vulnerability management was an explicit issue here, it is never a bad time to implement a good program for it. Users will never manually install updates and shouldn’t necessarily be trusted to do so. Someone with administrative privileges should review and install updates on all systems. They can use a cron job on Linux or WSUS/SCCM on Windows if they want an automated solution. Either way, the systems must be patched or failure will become imminent.
Finally, organizations need policies. These are in place to direct how things work. They can direct data retention requirements, who can have access to what, what is defined as “Acceptable Use,” what is grounds for dismissal (firing), how users get accounts, what to do in the event of a loss of power, what to do in a natural disaster, or what to do if there is a cyber attack. Policies are heavily relied upon for regulatory compliance like HIPAA, PCI, FISMA, FERPA, SOX, etc. They typically are the bridge between what someone (the regulatory compliance, client, vendor, etc.) says an organization must do and how it is done. An audit compares policy to reality.
Advanced Persistent Security can assist organizations with security implementations, training, and security policies. Contact Us for more information as to how we can help.
If you think your data may have been compromised in this breach or any other, please check out HaveIBeenPwned and enter your email address.