There's plenty to talk about when it comes to the Ashley Madison breach. There are debates to be had about the ethics of the folks registering on the site, and about whether the hack should be viewed as activism or criminality. But, like most of you working in IT, we prefer to be practical when faced with this kind of dilemma. There's no way to undo what's been done, so let's talk about how best to deal with the problem from an IT point of view.
The long-term effects of the Ashley Madison website breach will be especially difficult for government IT professionals. The site, owned by Avid Life Media and known for promoting extramarital affairs, was hacked in July, and this week troves of information were released containing details about most of the site's 37 million registered users worldwide. Some 15,000 email addresses ending in .mil or .gov were among those used to register for the site. The site does not verify email addresses, so it's unclear how many of those are legitimate.
Still, like the Office of Personnel Management (OPM) breach earlier this year, the release of information about government workers in this case is extremely worrisome. In the Ashley Madison case, there's the concern that government workers may be exposed to blackmail attempts, along with all of the other dangers associated with having their email addresses and other personal information released in the wild.
Some security experts have noted that the breach could be a lot worse, at least in terms of compromising credit card information. According to Robert Graham's security blog:
Compared to other large breaches, it appears Ashley-Madison did a better job at cybersecurity. They tokenized credit card transactions and didn't store full credit card numbers. They hashed passwords correctly with bcrypt. They stored email addresses and passwords in separate tables, to make grabbing them (slightly) harder. Thus, this hasn't become a massive breach of passwords and credit card numbers that other large breaches have [led] to. They deserve praise for this.
However, the account names, street addresses, email addresses, and phone numbers used to register for the site were not encrypted. Account passwords for the site appear to have been stored as bcrypt hashes rather than in plaintext, but offline cracking of weak passwords is always possible.
The TrustedSec blog put the incident into a wider perspective:
Regardless of ethics, this is a massive data breach where attackers had full and maintained access to a large percentage of Ashley Madison's organization undetected for a long period of time. Ashley Madison has not commented on the original source of the breach, how it occurred, or how they were compromised.
Some 10 GB of email addresses, purported to be those of Ashley Madison users, were placed on a Tor-only Deep Web site on Aug. 19. The company's CEO confirmed on Aug. 20 that some of that data was authentic.
Programmer Hilare Belloc (known for creating the Adobe password checker when that site was breached in 2013) has come up with a website where you can check an email address against the Ashley Madison database. According to Belloc's site, approximately 36 million accounts were dumped, 24 million of which had verified email addresses.
We'll wait for a moment while you check if you were compromised.
Back already? Good.
Those responsible for the breach call themselves the Impact Team, and have published a manifesto of sorts. Impact Team seems apolitical in outlook, but others will no doubt use the information revealed in less savory ways. In fact, Hydraze blog reported on Aug. 20, "[T]he unknown-group-that-is-not-Impact-Team has just released a second archive containing data from Ashley Madison on the same page as the first one."
This is the kind of information that can be used to exert leverage by simple acknowledgment of its existence.
Until the breach vectors are admitted by Avid Life Media, it's difficult to know what security steps your IT organization can take. The scope of the breach is breathtaking, and how it happened at all is a question that cannot go unanswered.
Meanwhile, the best you can do is work with your HR, governance, cyber-security, and legal teams to assess the potential damage to your organization. Given the sensitive nature of the information, dealing with affected individuals on a one-on-one basis is recommended. Of course, it's a good time to remind all your employees about the rules regarding the use of their work email accounts.
Beyond that, we want to know what else you're doing in your IT organization to respond, and what advice you have for others who may be facing major fallout from the situation. Let's try to keep the moralizing out of the conversation, and stick to the practicalities: What's an IT professional to do when workers do dumb things using their corporate email? Join the conversation in the comments section below.