Ashley Madison Breach Should Spark Security Conversation - InformationWeek

Government // Cybersecurity | Commentary
8/22/2015 12:05 AM
Larry Loeb

As people sift through the Ashley Madison data dump, this massive breach should spark a conversation among IT and security professionals, especially ones who work in the government and cyber-security fields.


There's plenty to talk about when it comes to the Ashley Madison breach. There are debates to be had about the ethics of the folks registering on the site, and about whether the hack should be viewed as activism or criminality. But, like most of you working in IT, we prefer to be practical when faced with this kind of dilemma. There's no way to undo what's been done, so let's talk about how best to deal with the problem from an IT point of view.

The long-term effects of the Ashley Madison website breach will be especially difficult for government IT professionals. The site, owned by Avid Life Media and known for promoting extramarital affairs, was hacked in July, and this week troves of information were released containing details about most of the site's 37 million registered users worldwide. Some 15,000 email addresses ending in .mil or .gov were among those used to register for the site. The site does not verify email addresses, so it's unclear how many of those are legitimate.

Still, like the Office of Personnel Management (OPM) breach earlier this year, the release of information about government workers in this case is extremely worrisome. In the Ashley Madison case, there's the concern that government workers may be exposed to blackmail attempts, along with all of the other dangers associated with having their email addresses and other personal information released in the wild.


Some security experts have noted that the breach could be a lot worse, at least in terms of compromising credit card information. According to Robert Graham's security blog:

Compared to other large breaches, it appears Ashley-Madison did a better job at cybersecurity. They tokenized credit card transactions and didn't store full credit card numbers. They hashed passwords correctly with bcrypt. They stored email addresses and passwords in separate tables, to make grabbing them (slightly) harder. Thus, this hasn't become a massive breach of passwords and credit card numbers that other large breaches have [led] to. They deserve praise for this.

However, the account names, street addresses, email addresses, and phone numbers used to register for the site were not encrypted. Account passwords for the site seem to have been stored as bcrypt hashes rather than in the clear, but cracking them is always possible.
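The property Graham credits above, a per-user salt plus a deliberately slow hash, is what makes "cracking is always possible" expensive rather than trivial. The following is an added example written for this article, not code from Ashley Madison, Avid Life Media or Graham. It uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for bcrypt so it runs offline; the iteration count, the record format, the account names and the passwords are all constructed for the example and are not values from the breach.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Work factor for the stretched hash. This is an assumed tuning value for the
# example, not a number reported for Ashley Madison.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Store a password as a salted, stretched hash.

    PBKDF2-HMAC-SHA256 stands in for bcrypt here so the example needs no
    third-party package; the defensive property is the same: a random
    per-user salt and a tunable work factor. The returned record is
    self-describing: 'pbkdf2$<iterations>$<salt hex>$<digest hex>'.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record, never a match
    if scheme != "pbkdf2":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def unsalted_fast_hash(password: str) -> str:
    """The weak alternative: a fast, unsalted digest. Two users with the same
    password get the same value, and every guess costs one MD5 call."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def guess_cost_ratio(sample_password: str = "correct horse battery",
                     stretched_trials: int = 5) -> float:
    """Seconds per guess against the stretched record divided by seconds per
    guess against the unsalted fast hash, measured on this machine. The order
    of magnitude is the point, not the exact figure."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(stretched_trials):
        hashlib.pbkdf2_hmac("sha256", sample_password.encode("utf-8"), salt, ITERATIONS)
    stretched = (time.perf_counter() - start) / stretched_trials

    fast_trials = stretched_trials * 10_000
    start = time.perf_counter()
    for _ in range(fast_trials):
        hashlib.md5(sample_password.encode("utf-8")).hexdigest()
    fast = (time.perf_counter() - start) / fast_trials
    return stretched / fast


if __name__ == "__main__":
    # Constructed sample: two accounts that happen to share a password.
    alice = hash_password("hunter2")
    bob = hash_password("hunter2")
    print("distinct records for identical passwords:", alice != bob)
    print("identical MD5 for identical passwords:",
          unsalted_fast_hash("hunter2") == unsalted_fast_hash("hunter2"))
    print("login with correct password:", verify_password("hunter2", alice))
    print("login with wrong password:", verify_password("hunter3", alice))
    print(f"one stretched guess costs roughly {guess_cost_ratio():,.0f}x one fast-hash guess")
```

The salt is what stops a single precomputed table from cracking every account at once, and the work factor is what turns a breached hash table from a weekend job into a budget question; neither helps the fields Graham notes were stored in the clear, which is why the rest of the dump is the real exposure.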

(Image: Rawpixel Ltd./iStockphoto)

The TrustedSec blog put the incident into a wider perspective:

Regardless of ethics, this is a massive data breach where attackers had full and maintained access to a large percentage of Ashley Madison's organization undetected for a long period of time. Ashley Madison has not commented on the original source of the breach, how it occurred, or how they were compromised.

Some 10 GB of email addresses, purported to be those of Ashley Madison users, were placed on a Tor-only Deep Web site on Aug. 19. The company's CEO confirmed on Aug. 20 that some of that data was authentic.

Programmer Hilare Belloc (known for creating the Adobe password checker when that site was breached in 2013) has come up with a website where you can check an email address against the Ashley Madison database. According to Belloc's site, approximately 36 million accounts were dumped, 24 million of which had verified email addresses.

We'll wait for a moment while you check if you were compromised.

Back already? Good.

Those responsible for the breach call themselves the Impact Team, and have published a manifesto of sorts. Impact Team seems apolitical in outlook, but others will no doubt use the information revealed in less savory ways. In fact, Hydraze blog reported on Aug. 20, "[T]he unknown-group-that-is-not-Impact-Team has just released a second archive containing data from Ashley Madison on the same page as the first one."

This is the kind of information that can be used to exert leverage by simple acknowledgment of its existence.

Until the breach vectors are admitted by Avid Life Media, it's difficult to know what security steps your IT organization can take. The scope of the breach is breathtaking, and how it happened at all is a question that cannot go unanswered.

Meanwhile, the best you can do is work with your HR, governance, cyber-security, and legal teams to assess the potential damage to your organization. Given the sensitive nature of the information, dealing with affected individuals on a one-on-one basis is recommended. Of course, it's a good time to remind all your employees about the rules regarding the use of their work email accounts.

Beyond that, we want to know what else you're doing in your IT organization to respond, and what advice you have for others who may be facing major fallout from the situation. Let's try to keep the moralizing out of the conversation, and stick to the practicalities: What's an IT professional to do when workers do dumb things using their corporate email? Join the conversation in the comments section below.

Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek. He has written a book on the Secure Electronic Transaction Internet ...

Comments
PedroGonzales, User Rank: Ninja, 8/29/2015 | 11:43:57 AM
Re: where is the surprise?
@Impactnow. That is a good point. One shouldn't be surprised if these things happen. Breaches will happen; it's a matter of time. The worst part is that people in our government and in security positions are jeopardizing our national security by using their work email for such activities.
Joe Stanganelli, User Rank: Author, 8/28/2015 | 10:54:38 PM
Re: where is the surprise?
@impactnow: Of course, that's the problem with trust and security. There are activities that we don't mind our friends and family knowing about but that still involve information we don't want people knowing, such as our credit card numbers.

It's also worth pointing out that at least one industry pundit, John McAfee, has theorized that the AM "hack" was completely a one-person insider job.
Joe Stanganelli, User Rank: Author, 8/28/2015 | 10:50:32 PM
Re: Pending Review
@kstaron: That's a good point, especially because there are so many government and military positions from which a person can get fired simply for indiscretions and other activity that could serve to embarrass, for fear of being susceptible to extortion. (Case in point: General Petraeus and the Broadwell affair.)
larryloeb, User Rank: Author, 8/28/2015 | 3:53:51 PM
Re: where is the surprise?
I'll just assume the Impact Team is not to be found in a corner of your office......

Yes, that is a joke.
impactnow, User Rank: Author, 8/28/2015 | 2:51:27 PM
Re: where is the surprise?
I guess what surprised me most about the Ashley Madison breach is not that it happened; it's that people were surprised that it did happen. We all live in a world where data breaches are commonplace. I think I get three letters a month and several emails regarding breaches that companies I do business with, or have done business with, have suffered. If someone chooses to engage in activity on the Internet that they don't want everyone to know about, they're being very naive. Our Internet lives are public and will always be. Unfortunately we can all expect to be hacked at some point, and if you don't want your friends, family and employers seeing what you're doing online, I suggest you do not engage in this activity online.
larryloeb, User Rank: Author, 8/27/2015 | 12:21:35 PM
Re: Pending Review
Well, if they are that dumb in the first place, why would they even think that far ahead?
larryloeb, User Rank: Author, 8/27/2015 | 12:20:28 PM
Re: Pending Review
It seems far more a parental controls enforcer than an adblocker.

In fact, I don't see it blocking any ads at all, just sites.
kstaron, User Rank: Ninja, 8/27/2015 | 12:20:04 PM
Re: Pending Review
My first thought when I saw how many .mil and .gov addresses were listed in the AM breach was: wow, we sure do have a whole lot of dumb people working for the government. Who uses an easily traceable email for activities that could get you fired (not to mention found out rather quickly)? The sheer number of them is startling. And if they are dumb enough to use their government email, what are they letting slip between the sheets? How easy would they be to compromise without even knowing it?
jastroff, User Rank: Ninja, 8/27/2015 | 9:41:25 AM
Re: Pending Review
netnanny.com has been around forever as an example of a web site blocker. Give it a try.
larryloeb, User Rank: Author, 8/25/2015 | 9:01:29 AM
Re: Pending Review
FWIW, Brian Krebs outlines one of the extortion attempts made against AM users.

The URL is: http://krebsonsecurity.com/2015/08/extortionists-target-ashley-madison-users/