Ashley Madison Breach Should Spark Security Conversation - InformationWeek


Commentary
Larry Loeb
8/22/2015 12:05 AM

Ashley Madison Breach Should Spark Security Conversation

As people sift through the Ashley Madison data dump, this massive breach should spark a conversation among IT and security professionals, especially ones who work in the government and cyber-security fields.


There's plenty to talk about when it comes to the Ashley Madison breach. There are debates to be had about the ethics of the folks registering on the site, and about whether the hack should be viewed as activism or criminality. But, like most of you working in IT, we prefer to be practical when faced with this kind of dilemma. There's no way to undo what's been done, so let's talk about how best to deal with the problem from an IT point of view.

The long-term effects of the Ashley Madison website breach will be especially difficult for government IT professionals. The site, owned by Avid Life Media and known for promoting extramarital affairs, was breached in July, and this week the attackers released troves of information containing details about most of the site's 37 million registered users worldwide. Some 15,000 email addresses ending in .mil or .gov were among those used to register for the site. The site does not verify email addresses, so it's unclear how many of those actually belong to the government employees they name.

Still, like the Office of Personnel Management (OPM) breach earlier this year, the release of information about government workers in this case is extremely worrisome. In the Ashley Madison case, there's the concern that government workers may be exposed to blackmail attempts, along with all of the other dangers associated with having their email addresses and other personal information released in the wild.


Some security experts have noted that the breach could be a lot worse, at least in terms of compromising credit card information. According to Robert Graham's security blog:

Compared to other large breaches, it appears Ashley-Madison did a better job at cybersecurity. They tokenized credit card transactions and didn't store full credit card numbers. They hashed passwords correctly with bcrypt. They stored email addresses and passwords in separate tables, to make grabbing them (slightly) harder. Thus, this hasn't become a massive breach of passwords and credit card numbers that other large breaches have [led] to. They deserve praise for this.

However, the account names, street addresses, email addresses, and phone numbers used to register for the site were stored in plaintext. Account passwords were hashed with bcrypt rather than encrypted, and a slow, salted hash raises the cost of cracking without ruling it out: an attacker holding the dump can still test guesses offline, one at a time, and the weak passwords will fall.
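The practical meaning of that last point, as an added example that is not part of the original article: a salted, deliberately slow password hash defeats precomputed tables and makes every guess expensive, yet a dictionary attack still recovers any password that appears in a wordlist. bcrypt is not in Python's standard library, so PBKDF2-HMAC-SHA256 from hashlib stands in for it here (an assumption of the example, not a claim about what Ashley Madison ran); the accounts, passwords and wordlist are constructed.

```python
"""Why "hashed with bcrypt" still leaves weak passwords exposed.

Added example, not code from the article or from Avid Life Media. bcrypt is not
in Python's standard library, so PBKDF2-HMAC-SHA256 (hashlib.pbkdf2_hmac) stands
in for it: like bcrypt it is a salted, deliberately slow password hash, which is
the property this example exercises. The user records, passwords and wordlist
are constructed for the demonstration.
"""
import hashlib
import hmac
import os
import time

ITERATIONS = 10_000  # work factor; kept low so the demo runs in seconds


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Return a self-describing record: scheme$iterations$salt_hex$digest_hex."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, record):
    """Recompute the hash with the stored salt and compare in constant time."""
    _, iterations, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Constructed account table. The third password is long and random-looking.
USERS = {
    "alice@example.mil": "password1",
    "bob@example.gov": "letmein",
    "carol@example.com": "gX7!vQ2#pL9&wR4@zN6^",
}

# Constructed top-of-list guesses of the kind every cracker tries first.
WORDLIST = ["123456", "password", "qwerty", "welcome", "letmein",
            "admin", "iloveyou", "password1", "monkey", "dragon"]


def build_store():
    """What a leaked password table looks like: user -> salted slow hash."""
    return {user: hash_password(pw) for user, pw in USERS.items()}


def crack(store, wordlist):
    """Offline dictionary attack against a leaked store.

    Every record carries its own salt, so each guess must be hashed once per
    user and no precomputed table helps. The work factor makes each of those
    hashes slow, but it does nothing for a password that sits in the wordlist.
    """
    recovered = {}
    for user, record in store.items():
        for guess in wordlist:
            if verify_password(guess, record):
                recovered[user] = guess
                break
    return recovered


def guesses_per_second(iterations=ITERATIONS, samples=20):
    """Measure how many guesses one CPU core manages per second at this cost."""
    record = hash_password("benchmark", iterations)
    start = time.perf_counter()
    for i in range(samples):
        verify_password("guess%d" % i, record)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    store = build_store()
    found = crack(store, WORDLIST)
    for user in USERS:
        print("%-20s %s" % (user, found.get(user, "not recovered from wordlist")))
    rate = guesses_per_second()
    print("about %.0f guesses/s per core at %d iterations" % (rate, ITERATIONS))
    # Exhausting every 8-character lowercase password at that rate, one core:
    years = 26 ** 8 / rate / (3600 * 24 * 365)
    print("8 lowercase chars brute-forced on one core: %.0f years" % years)
```

Run it and the two wordlist passwords fall within seconds while the random one does not. The measured rate is the point of the work factor: each doubling of the cost halves the attacker's throughput across the whole table, but no cost setting rescues "password1", which is why the dump is a password-reset event for anyone who reused a weak password elsewhere.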

(Image: Rawpixel Ltd./iStockphoto)


The TrustedSec blog put the incident into a wider perspective:

Regardless of ethics, this is a massive data breach where attackers had full and maintained access to a large percentage of Ashley Madison's organization undetected for a long period of time. Ashley Madison has not commented on the original source of the breach, how it occurred, or how they were compromised.

Some 10 GB of data, including email addresses purported to be those of Ashley Madison users, were posted on Aug. 19 to a site reachable only through the Tor network. The company's CEO confirmed on Aug. 20 that some of that data was authentic.

Programmer Hilare Belloc (known for creating the Adobe password checker when that site was breached in 2013) has come up with a website where you can check an email address against the Ashley Madison database. According to Belloc's site, approximately 36 million accounts were dumped, 24 million of which had verified email addresses.

We'll wait for a moment while you check if you were compromised.

Back already? Good.

Those responsible for the breach call themselves the Impact Team and have published a manifesto of sorts. Impact Team seems apolitical in outlook, but others will no doubt use the information revealed in less savory ways. In fact, the Hydraze blog reported on Aug. 20, "[T]he unknown-group-that-is-not-Impact-Team has just released a second archive containing data from Ashley Madison on the same page as the first one."

This is the kind of information that can be used to exert leverage by simple acknowledgment of its existence.

Until the breach vectors are admitted by Avid Life Media, it's difficult to know what security steps your IT organization can take. The scope of the breach is breathtaking, and how it happened at all is a question that cannot go unanswered.

Meanwhile, the best you can do is work with your HR, governance, cyber-security, and legal teams to assess the potential damage to your organization. Given the sensitive nature of the information, dealing with affected individuals on a one-on-one basis is recommended. Of course, it's a good time to remind all your employees about the rules regarding the use of their work email accounts.
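One concrete first step in that assessment, as an added example rather than anything the article or the parties it names published: sift a copy of the dump for addresses on domains the organization owns, so HR, legal and security have a list of leads to work from. The dump excerpt and the OWN_DOMAINS set are constructed assumptions; because the site did not verify addresses, every match is a lead to be handled one-on-one, not proof that the named person registered.

```python
"""Sift a breach dump for addresses on domains your organization owns.

Added example, not code from the article or from any of the parties it names.
The dump excerpt below is constructed to resemble a CSV export of account
records; it does not reproduce the real dump's layout. OWN_DOMAINS is an
assumed set of domains the organization is responsible for.
"""
import csv
import io
import re
from collections import Counter

OWN_DOMAINS = {"example.gov", "example.mil"}  # assumed

# Loose syntax check: one '@', then a dotted domain ending in an alphabetic TLD.
EMAIL_RE = re.compile(r"^[^@\s]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")

# Constructed sample of dump rows: mixed case, a subdomain, a duplicate,
# a malformed entry and a look-alike domain that must not match.
DUMP = """id,email,created
1,Alice.Smith@Example.GOV,2014-02-01
2,bob@mail.example.mil,2013-11-09
3,carol@example.com,2015-01-20
4,not-an-email,2015-01-21
5,alice.smith@example.gov,2014-06-30
6,dave@example.gov.evil.net,2015-03-03
"""


def normalise(raw):
    """Strip and lower-case an address, or return None if it is not one.

    Lower-casing the local part is acceptable for de-duplication even though
    the standard allows case-sensitive local parts.
    """
    addr = raw.strip()
    if not EMAIL_RE.match(addr):
        return None
    return addr.lower()


def in_scope(domain, own=OWN_DOMAINS):
    """True for an owned domain or any of its subdomains.

    Match on label boundaries: 'example.gov.evil.net' must not count, and a
    plain endswith('example.gov') would also accept 'notexample.gov'.
    """
    return any(domain == d or domain.endswith("." + d) for d in own)


def triage(dump_text, own=OWN_DOMAINS):
    """Return (sorted unique in-scope addresses, count per domain, rows skipped)."""
    hits, skipped = set(), 0
    for row in csv.DictReader(io.StringIO(dump_text)):
        addr = normalise(row.get("email", ""))
        if addr is None:
            skipped += 1
            continue
        if in_scope(addr.rsplit("@", 1)[1], own):
            hits.add(addr)
    per_domain = Counter(a.rsplit("@", 1)[1] for a in hits)
    return sorted(hits), dict(per_domain), skipped


if __name__ == "__main__":
    addresses, per_domain, skipped = triage(DUMP)
    print("in-scope addresses (leads, not confirmations):")
    for a in addresses:
        print("  ", a)
    print("per domain:", per_domain, "| rows skipped as malformed:", skipped)
```

The label-boundary check in in_scope is the part worth keeping: a naive suffix match on ".gov" or on the organization's domain string turns up look-alike domains and inflates the count that ends up in front of management.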

Beyond that, we want to know what else you're doing in your IT organization to respond, and what advice you have for others who may be facing major fallout from the situation. Let's try to keep the moralizing out of the conversation and stick to the practicalities: What is an IT professional to do when workers do dumb things using their corporate email? Join the conversation in the comments section below.

Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek. He has written a book on the Secure Electronic Transaction Internet ... View Full Bio
Comments
Joe Stanganelli (User Rank: Author), 8/28/2015 | 10:54:38 PM
Re: where is the surprise?
@impactnow: Of course, that's the problem with trust and security. There are activities that we don't mind our friends and family knowing about but that still involve information we don't want people knowing, such as our credit card numbers.

It's also worth pointing out that at least one industry pundit, John McAfee, has theorized that the AM "hack" was completely a one-person insider job.
Joe Stanganelli (User Rank: Author), 8/28/2015 | 10:50:32 PM
Re: Pending Review
@kstaron: That's a good point, especially because there are so many government and military positions from which a person can get fired simply for indiscretions and other activity that could serve to embarrass, for fear of being susceptible to extortion. (Case in point: General Petraeus and the Broadwell affair.)
larryloeb (User Rank: Author), 8/28/2015 | 3:53:51 PM
Re: where is the surprise?
I'll just assume the Impact Team is not to be found in a corner of your office......

Yes, that is a joke.
impactnow (User Rank: Author), 8/28/2015 | 2:51:27 PM
Re: where is the surprise?
I guess what surprised me most about the Ashley Madison breach is not that it happened, it's that people were surprised that it did happen. We all live in a world where data breaches are commonplace; I think I get three letters a month and several emails regarding breaches that companies I do business with or have done business with have suffered. If someone chooses to engage in activity on the Internet that they don't want everyone to know about, they're being very naive. Our Internet lives are public and will always be. Unfortunately we can all expect to be hacked at some point, and if you don't want your friends, family and employers seeing what you're doing online, I suggest you do not engage in this activity online.
larryloeb (User Rank: Author), 8/27/2015 | 12:21:35 PM
Re: Pending Review
Well, if they are that dumb in the first place, why would they even think that far ahead?
larryloeb (User Rank: Author), 8/27/2015 | 12:20:28 PM
Re: Pending Review
It seems far more a parental controls enforcer than an adblocker.

In fact, I don't see it blocking any ads at all, just sites.
larryloeb (User Rank: Author), 8/25/2015 | 9:01:29 AM
Re: Pending Review
FWIW, Brian Krebs outlines one of the extortion attempts made against AM users.

The url is : http://krebsonsecurity.com/2015/08/extortionists-target-ashley-madison-users/
larryloeb (User Rank: Author), 8/22/2015 | 3:11:46 PM
Re: Pending Review
Well, a company can control the "do not go there" list with better granularity than the US government, I think.

I don't know if there is a master list for .gov and .mil addresses. The domains are just so big.
larryloeb (User Rank: Author), 8/22/2015 | 12:58:13 PM
Re: Major Digital Fallout
I'm not sure that those domains have outbound restrictions.

Perhaps someone knows?
larryloeb (User Rank: Author), 8/22/2015 | 12:56:06 PM
Re: Pending Review
Well, it seems your workplace has policies in place that would stop this sort of thing.

But, are those policies enforced? By whom?