The Ashley Madison hack is the perfect example of why Network Security should not be overlooked!
Last month, the affair matchmaking website Ashley Madison was hacked by a group calling itself the Impact Team. On ZDNet, Violet Blue correctly points out, the website is “a honeypot for people who had something to hide” — between the company’s claims that it is “the last truly secure space on the Internet,” the cringeworthy advertisements it runs, and the salacious nature of the business, this hack was probably inevitable.
As the data from the hack has been disseminated over the last week, there has been an immense amount of social commentary made about Avid Life Media (the owner of Ashley Madison), and the subscribers who have had their email addresses made public. Bearing that in mind, the focus of this article is the enterprise security lessons that can be learned from this event.
Lesson #1: Don’t skimp on IT security from the start
If you’ve ever read any other article on this website, you probably already understand the importance of data security. The problem is that most bean counters do not, and spending on security does not grow sales or pageviews. So, it falls by the wayside because IT is ultimately beholden to the demands of management, and there is not sufficient time / staffing / money available for hardening information security.
This might be the case that changes that. Ultimately, paying for security upfront is likely better for the bottom line and corporate reputation than cleaning up the issue after the fact and paying out any judgements in court.
Presently, Avid Life Media is facing a $578 million class-action suit in Canada, with other individual suits being filed in the US. One point of contention is the $19 “full delete” service that users paid with the expectation that their information would be removed from the Ashley Madison databases — users who now have their personal information leaked alongside millions of other users.
According to Aldo M. Leiva, a partner at Lubell Rosen, users may be able to “pursue breach of contract claims,” and that Avid Life Media may face “an FTC investigation and enforcement action… most likely for unfair or deceptive trade practices.”
Providing context to the Ashley Madison data
It has been reported that not all of the Ashley Madison registrations are genuine — any valid-looking email address can be used. As such, registrants with obviously fake email addresses such as email@example.com, firstname.lastname@example.org, and the email address for the opinion line of The Wichita Eagle are among the addresses listed. According to Dadaviz, about one third of the addresses are fake.
Also of importance is the difference between paid and free accounts, as well as the fact that not everyone is using the website for the advertised purpose. Under the expectation that registration email addresses would never be publicly visible, private investigators and human resources workers sign up for free accounts in the course of their investigations. According to Rob Holmes, the CEO of IPCybercrime, “With a free account used for investigations, you’re not contacting people, so it’s more convenient to not use a burner account.”
Lesson #2: Don’t mix business with pleasure
With the release of 36 million email addresses with subscriber information, this information has been used by curious onlookers and extortionists to see who has registered for Ashley Madison.
Generally speaking, it is advisable to not use your corporate email for personal affairs. Information about registrants from tech companies using their work email address has been widely disseminated following the release by the Impact Team.
Ultimately, any information you would prefer to keep private from your coworkers — like being in a B-52’s fan club, or having a Second Life account — is ultimately private, and thus should be handled using a private email address. On an individual level, if a hack out of your control results in your work email address being disseminated worldwide, it has the potential to be damaging to your career. At a corporate level, having the dubious honor of having the most number of registrants on a website intended to facilitate extramarital affairs is not particularly good for PR. As such, putting a policy in place to not use corporate-assigned email addresses for private affairs is highly advisable.
Lesson #3: Don’t linger in stages one and two of Kübler-Ross
The initial reaction from Avid Life Media thus far has been one of denial — the first step in the Kübler-Ross model of grief. A former CTO at Ashley Madison, Raja Bhatia— who is now working as a contractor for Avid Life Media after the announcement by the Impact Team last month — told Brian Krebs that “The overwhelming amount of data released in the last three weeks is fake data,” in reference to other groups using the publicity from Impact Team for their own (likely criminal) purposes, as if that negates the fact that Ashley Madison was hacked.
As a reaction to this, the second leak had a one-sentence note attached to it – “Hey Noel [Biderman, CEO of Avid Life Media], you can admit it’s real now.” Additionally, in an interview with Motherboard, the Impact Team claimed that “We worked hard to make fully undetectable attack, then got in and found nothing to bypass” and that gaining access was so easy that “You could use Pass1234 from the internet to VPN to root on all servers.”
Another journalist at Motherboard has received a DMCA takedown demand for posting a screenshot of the header cells of an Excel document from the leaks, which contained no personal information. Unfortunately, the reaction here is very similar to the Sony Pictures Entertainment hack late last year, in which that company also issued DMCA takedown demands in an attempt to prevent information from being disseminated.
Too often, companies spend far too much time in the Denial or Anger stage of the Kübler-Ross model. Being forthright with users and the media in the event of a data breach will assist the affected customers on how to protect their safety.
In the case of Ashley Madison, the claims that credit card information was not exfiltrated turned out to be wrong, as the Impact Team recovered the login credentials for the payment processor, and disclosed that information in the first data dump. With finances, every minute counts when securing information, and spreading misinformation and interfering with reporting of events is a disservice to everyone.
What’s your view?
Does your organization have a policy against using corporate email for private purposes? Have you faced resistance about spending more money or time on security? Share your thoughts in the comments.