Ashley Madison Breach Should Spark Security Conversation - InformationWeek

Government // Cybersecurity | Commentary | 8/22/2015 12:05 AM | Larry Loeb

Ashley Madison Breach Should Spark Security Conversation

As people sift through the Ashley Madison data dump, this massive breach should spark a conversation among IT and security professionals, especially ones who work in the government and cyber-security fields.

There's plenty to talk about when it comes to the Ashley Madison breach. There are debates to be had about the ethics of the folks registering on the site, and about whether the hack should be viewed as activism or criminality. But, like most of you working in IT, we prefer to be practical when faced with this kind of dilemma. There's no way to undo what's been done, so let's talk about how best to deal with the problem from an IT point of view.

The long-term effects of the Ashley Madison website breach will be especially difficult for government IT professionals. The site, owned by Avid Life Media and known for promoting extramarital affairs, was hacked in July, and this week troves of information were released containing details about most of the site's 37 million registered users worldwide. Some 15,000 email addresses ending in .mil or .gov were among those used to register for the site. The site does not verify email addresses, so it's unclear how many of those are legitimate.

Still, like the Office of Personnel Management (OPM) breach earlier this year, the release of information about government workers in this case is extremely worrisome. In the Ashley Madison case, there's the concern that government workers may be exposed to blackmail attempts, along with all of the other dangers associated with having their email addresses and other personal information released in the wild.

Some security experts have noted that the breach could be a lot worse, at least in terms of compromising credit card information. According to Robert Graham's security blog:

Compared to other large breaches, it appears Ashley-Madison did a better job at cybersecurity. They tokenized credit card transactions and didn't store full credit card numbers. They hashed passwords correctly with bcrypt. They stored email addresses and passwords in separate tables, to make grabbing them (slightly) harder. Thus, this hasn't become a massive breach of passwords and credit card numbers that other large breaches have [led] to. They deserve praise for this.

However, the account names, street addresses, email addresses, and phone numbers used to register for the site were not encrypted. Account passwords appear to have been stored as bcrypt hashes rather than in the clear, but offline cracking of hashed passwords always remains possible.
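As an added example, not code from the article or from Avid Life Media, here is the storage pattern the quoted post credits, modelled in Python: card numbers replaced by tokens, passwords kept only as salted slow hashes, and email addresses held in a separate table. PBKDF2-HMAC-SHA256 stands in for bcrypt (which is not in the standard library), and the table names and sample values are constructed.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory stand-ins for the tables the quoted post describes.
ACCOUNTS = {}    # account_id -> salted password hash, card token, last 4 digits
EMAILS = {}      # account_id -> email address, kept in a separate table
CARD_VAULT = {}  # token -> full card number; in practice held by the payment processor

ROUNDS = 200_000  # work factor; PBKDF2-HMAC-SHA256 stands in for bcrypt here


def hash_password(password, salt=None):
    """Salted slow hash: a leaked digest cannot be reversed, only guessed at."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return salt, digest


def tokenize_card(pan):
    """Replace the card number with a random token that only the vault can map back."""
    token = secrets.token_hex(16)
    CARD_VAULT[token] = pan
    return token, pan[-4:]


def register(account_id, email, password, pan):
    """Write one account: no plaintext password, no card number, no email in ACCOUNTS."""
    salt, digest = hash_password(password)
    token, last4 = tokenize_card(pan)
    ACCOUNTS[account_id] = {"pw_salt": salt, "pw_hash": digest,
                            "card_token": token, "card_last4": last4}
    EMAILS[account_id] = email


def verify_password(account_id, password):
    """Login check recomputes the hash with the stored salt and compares in constant time."""
    row = ACCOUNTS[account_id]
    _, digest = hash_password(password, row["pw_salt"])
    return hmac.compare_digest(digest, row["pw_hash"])


def account_dump_exposes(account_id, email, password, pan):
    """What a leaked copy of the ACCOUNTS table alone reveals about one user."""
    leaked = repr(ACCOUNTS[account_id])
    return {"pan": pan in leaked, "password": password in leaked, "email": email in leaked}
```

Calling `register` and then `account_dump_exposes` with the same values returns all three flags as False, which is the point Graham makes: a dump of this table yields tokens and hashes, not card numbers or passwords.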

(Image: Rawpixel Ltd./iStockphoto)

The TrustedSec blog put the incident into a wider perspective:

Regardless of ethics, this is a massive data breach where attackers had full and maintained access to a large percentage of Ashley Madison's organization undetected for a long period of time. Ashley Madison has not commented on the original source of the breach, how it occurred, or how they were compromised.

Some 10 GB of email addresses, purported to be those of Ashley Madison users, were placed on a Tor-only (dark web) site on Aug. 19. The company's CEO confirmed on Aug. 20 that some of that data was authentic.

Programmer Hilare Belloc (known for creating the Adobe password checker when that site was breached in 2013) has come up with a website where you can check an email address against the Ashley Madison database. According to Belloc's site, approximately 36 million accounts were dumped, 24 million of which had verified email addresses.

We'll wait for a moment while you check if you were compromised.

Back already? Good.

Those responsible for the breach call themselves the Impact Team, and have published a manifesto of sorts. Impact Team seems apolitical in outlook, but others will no doubt use the information revealed in less savory ways. In fact, Hydraze blog reported on Aug. 20, "[T]he unknown-group-that-is-not-Impact-Team has just released a second archive containing data from Ashley Madison on the same page as the first one."

This is the kind of information that can be used to exert leverage by simple acknowledgment of its existence.

Until the breach vectors are admitted by Avid Life Media, it's difficult to know what security steps your IT organization can take. The scope of the breach is breathtaking, and how it happened at all is a question that cannot go unanswered.

Meanwhile, the best you can do is work with your HR, governance, cyber-security, and legal teams to assess the potential damage to your organization. Given the sensitive nature of the information, dealing with affected individuals on a one-on-one basis is recommended. Of course, it's a good time to remind all your employees about the rules regarding the use of their work email accounts.

Beyond that, we want to know what else you're doing in your IT organization to respond, and what advice you have for others who may be facing major fallout from the situation. Let's try to keep the moralizing out of the conversation, and stick to the practicalities: What's an IT professional to do when workers do dumb things using their corporate email? Join the conversation in the comments section below.

Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek. He has written a book on the Secure Electronic Transaction Internet ...
Comments
PedroGonzales, User Rank: Ninja, 8/22/2015 | 11:32:16 AM
Re: Pending Review
I can't believe someone will use their work website for using such sites. When I first joined my current employer they made it very clear that you should only use work email for "work related activities". I think companies should create policies to encrypt or make other personal information of their users be protected. As this case indicated, everything else was protected but users' personal information, which is as important as their username and password.
larryloeb, User Rank: Author, 8/22/2015 | 12:56:06 PM
Re: Pending Review
Well, it seems your workplace has policies in place that would stop this sort of thing.

But, are those policies enforced? By whom?
jastroff, User Rank: Ninja, 8/22/2015 | 1:41:09 PM
Re: Pending Review
Financial services companies have for some time had outbound restrictions -- sites people coming from that domain cannot access due to security, malware, or other conflicts, some of which are purely social. Policy is created by Compliance with the help of the Security Officer, and enforced by IT in terms of limiting access to specific domains. Nothing new here. It takes some doing to keep up on the sites, but it can and is done.

It was, at least as far as I knew, also true for the government IDs which could not connect to certain sites for a variety of similar reasons. Maybe not anymore.
larryloeb, User Rank: Author, 8/22/2015 | 3:11:46 PM
Re: Pending Review
Well, a company can control the "do not go there" list with better granularity than the US government, I think.

I don't know if there is a master list for .gov and .mil addresses. The domains are just so big.
larryloeb, User Rank: Author, 8/25/2015 | 9:01:29 AM
Re: Pending Review
FWIW, Brian Krebs outlines one of the extortion attempts made against AM users.

The URL is: http://krebsonsecurity.com/2015/08/extortionists-target-ashley-madison-users/
jastroff, User Rank: Ninja, 8/27/2015 | 9:41:25 AM
Re: Pending Review
netnanny.com has been around forever as an example of a web site blocker. Give it a try.
larryloeb, User Rank: Author, 8/27/2015 | 12:20:28 PM
Re: Pending Review
It seems far more a parental controls enforcer than an adblocker.

In fact, I don't see it blocking any ads at all, just sites.
kstaron, User Rank: Ninja, 8/27/2015 | 12:20:04 PM
Re: Pending Review
My first thought when I saw how many .mil and .gov were listed in the AM breach was wow, we sure do have a whole lot of dumb people working for the government. Who uses an easily traceable email for activities that could get you fired (not to mention found out rather quickly)? The sheer number of them is startling. And if they are dumb enough to use their government email, what are they letting slip between the sheets? How easy would they be to compromise without even knowing it?
larryloeb, User Rank: Author, 8/27/2015 | 12:21:35 PM
Re: Pending Review
Well, if they are that dumb in the first place, why would they even think that far ahead?
impactnow, User Rank: Author, 8/28/2015 | 2:51:27 PM
Re: where is the surprise?
I guess what surprised me most about the Ashley Madison breach is not that it happened, it's that people were surprised that it did happen. We all live in a world where data breaches are commonplace; I think I get three letters a month and several emails regarding breaches that companies I do business with or have done business with have suffered. If someone chooses to engage in activity on the Internet that they don't want everyone to know about, they're being very naive. Our Internet lives are public and will always be. Unfortunately we can all expect to be hacked at some point, and if you don't want your friends, family and employers seeing what you're doing online, I suggest you do not engage in this activity online.
larryloeb, User Rank: Author, 8/28/2015 | 3:53:51 PM
Re: where is the surprise?
I'll just assume the Impact Team is not to be found in a corner of your office...

Yes, that is a joke.
Joe Stanganelli, User Rank: Author, 8/28/2015 | 10:54:38 PM
Re: where is the surprise?
@impactnow: Of course, that's the problem with trust and security. There are activities that we don't mind our friends and family knowing about but that still involve information we don't want people knowing, such as our credit card numbers.

It's also worth pointing out that at least one industry pundit, John McAfee, has theorized that the AM "hack" was completely a one-person insider job.
PedroGonzales, User Rank: Ninja, 8/29/2015 | 11:43:57 AM
Re: where is the surprise?
@Impactnow. That is a good point. One shouldn't be surprised if these things happen. Breaches will happen; it will be a matter of time. The worst part is that people in our government and in security positions are jeopardizing our national security by using their work email for such activities.
Joe Stanganelli, User Rank: Author, 8/28/2015 | 10:50:32 PM
Re: Pending Review
@kstaron: That's a good point, especially because there are so many government and military positions from which a person can get fired simply for indiscretions and other activity that could serve to embarrass, for fear of being susceptible to extortion. (Case in point: General Petraeus and the Broadwell affair.)
jastroff, User Rank: Ninja, 8/22/2015 | 11:53:50 AM
Major Digital Fallout
@larry -- the release of Ashley Madison data seems to be the perfect storm:

the names, addresses, and email IDs of people who want affairs are revealed

the people who paid to have their data wiped didn't get it, and those were revealed as well

government users registered on the site (as far as we know)

The hack appears to be a personal vendetta by former employees? Something went amiss in the AM world, did it? Shocking.

This is like the greatest story of the digital world so far. It's like someone for hire getting caught with a congressman in the fountain in front of a Washington hotel. It's right up there with that.

Digital stuff, digital smut.

Should we be surprised that a site such as this has had major fallout -- that's the only kind of fallout it can have. It won't go gently. It's dynamite to start out with.

Its purpose makes the "naked ladies" in Times Square look tame. Whether one agrees with the practice or not, the idea of signing up for a site which pairs you with other people of like minds is sort of asking for trouble, no?

Also, don't government internal firewalls and checking mechanisms stop people with .gov, .mil and others from access to certain sites? Are those restrictions gone?
larryloeb, User Rank: Author, 8/22/2015 | 12:58:13 PM
Re: Major Digital Fallout
I'm not sure that those domains have outbound restrictions.

Perhaps someone knows?