It’s been two years since one of the most notorious cyber-attacks in history; however, the controversy surrounding Ashley Madison, the online dating service for extramarital affairs, is far from forgotten. Just to refresh your memory, Ashley Madison suffered a massive security breach in 2015 that exposed over 300 GB of user data, including users’ real names, banking data, credit card transactions and secret sexual fantasies. A user’s worst nightmare: imagine having your most private information available over the Internet. However, the consequences of the attack were much worse than anyone thought. Ashley Madison went from being a sleazy site of questionable taste to becoming the perfect example of security management malpractice.
Hacktivism as an excuse
Following the Ashley Madison attack, the hacking group ‘The Impact Team’ sent a message to the site’s owners threatening them and criticizing the company’s bad faith. However, the site didn’t give in to the hackers’ demands, and the group responded by releasing the personal details of thousands of users. They justified their actions on the grounds that Ashley Madison lied to users and didn’t protect their data properly. For example, Ashley Madison claimed that users could have their personal accounts completely deleted for $19. However, according to The Impact Team, this was not the case. Another promise Ashley Madison never kept, according to the hackers, was that of deleting sensitive credit card information. Purchase details were not removed, and included users’ real names and addresses.
These were some of the reasons why the hacking group decided to ‘punish’ the company, a punishment that has cost Ashley Madison nearly $30 million in fines, improved security measures and damages.
Ongoing and costly consequences
Despite the time that has passed since the attack and the security measures Ashley Madison has since implemented, many users complain that they continue to be extorted and threatened to this day. Groups unrelated to The Impact Team have continued to run blackmail campaigns demanding payments of $500 to $2,000 in exchange for not sending the information stolen from Ashley Madison to family members. The company’s investigation and security strengthening efforts also continue to this day. Not only have they cost Ashley Madison tens of millions of dollars, they also resulted in an investigation by the U.S. Federal Trade Commission, an institution that enforces strict and costly security measures to keep user data private.
What can be done in your company?
Even though there are many unknowns about the hack, analysts were able to draw some important conclusions that should be taken into account by any company that stores sensitive information.
· Strong passwords are extremely important
As was revealed after the attack, although most of the Ashley Madison passwords were protected with the bcrypt hashing algorithm, a subset of at least 15 million passwords were hashed with the MD5 algorithm, which is very vulnerable to brute-force attacks because it is fast and, as used there, unsalted. This is probably a remnant of the way the Ashley Madison network evolved over time. This teaches us an important lesson: no matter how hard it is, organizations must use all means necessary to make sure they don’t make such blatant security mistakes. The analysts’ investigation also revealed that several million Ashley Madison passwords were very weak, which reminds us of the need to educate users regarding good security practices.
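The mixed-hash situation described above is exactly what a credentials audit should catch. The following is an added example (not code from the original post or from Ashley Madison): it classifies each stored hash, flags legacy MD5 rows, and upgrades a legacy hash to a salted slow hash the moment a user logs in with the correct password. Because bcrypt is not in the Python standard library, hashlib.scrypt stands in for it; the user table and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, Optional, Tuple

# An unsalted MD5 hash is 32 hex characters; our slow-hash rows carry a "$scrypt$" prefix.
MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def classify(stored: str) -> str:
    """Name the scheme behind a stored credential: "md5", "scrypt" or "unknown"."""
    if MD5_RE.match(stored):
        return "md5"
    if stored.startswith("$scrypt$"):
        return "scrypt"
    return "unknown"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, deliberately slow hash (scrypt stands in for bcrypt here)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return "$scrypt$" + salt.hex() + "$" + digest.hex()


def verify(password: str, stored: str) -> bool:
    """Check a password against whichever scheme the stored value uses."""
    scheme = classify(stored)
    if scheme == "md5":  # legacy, fast and unsalted: the weak case to retire
        return hmac.compare_digest(hashlib.md5(password.encode()).hexdigest(), stored)
    if scheme == "scrypt":
        _, _, salt_hex, _ = stored.split("$")
        return hmac.compare_digest(hash_password(password, bytes.fromhex(salt_hex)), stored)
    return False


def verify_and_upgrade(password: str, stored: str) -> Tuple[bool, str]:
    """Login-time migration: a correct password against an MD5 row yields a new scrypt row."""
    ok = verify(password, stored)
    if ok and classify(stored) == "md5":
        return True, hash_password(password)
    return ok, stored


def audit(table: Dict[str, str]) -> Dict[str, int]:
    """Count rows per scheme so legacy hashes cannot hide in a large table."""
    counts = {"md5": 0, "scrypt": 0, "unknown": 0}
    for stored in table.values():
        counts[classify(stored)] += 1
    return counts


# Constructed sample rows: one legacy MD5 user next to one properly hashed user.
USERS = {
    "alice": hashlib.md5(b"hunter2").hexdigest(),
    "bob": hash_password("correct horse battery staple"),
}
```

Run audit() against an export before a migration and again afterwards; the "md5" count should reach zero, and any row that never upgrades belongs to an account that should be forced through a password reset.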
· To delete means to delete
Probably one of the most controversial aspects of the whole Ashley Madison affair is that of the deletion of information. Hackers exposed a huge amount of data which had supposedly been deleted. Although Ruby Life Inc, the company behind Ashley Madison, claimed that the hacking group had been stealing information for a long period of time, the truth is that much of the information leaked did not match the dates described. Every company must take into account one of the most important factors in personal information management: the permanent and irretrievable deletion of data.
· Ensuring proper security is an ongoing obligation
Regarding user credentials, the need for organizations to maintain impeccable security protocols and practices is evident. Ashley Madison’s use of the MD5 hash algorithm to protect users’ passwords was clearly an error; however, this is not the only mistake they made. As revealed by the subsequent audit, the entire platform suffered from serious security problems that had not been resolved because they were the result of work done by a previous development team. Another aspect to consider is that of insider threats. Internal users can cause irreparable harm, and the only way to prevent that is to implement strict protocols to log, monitor and audit employee actions.
Ensuring the security of an organization is an ongoing effort, and no company should ever lose sight of the importance of keeping its entire system secure, because losing sight of it can have unexpected and very, very expensive consequences.
The post A dating site and corporate cyber-security lessons to be learned appeared first on Panda Security Mediacenter.