Tried, Tested and Proven

The controversy surrounding the Ashley Madison website rolls on. For those who have just emerged from a catatonic state: last week, hacktivists called The Impact Group gained access to the client list of a dating website aimed specifically at people who want to cheat on their partners. The site carries the unique strapline: Life is Short. Have an Affair. The hackers subsequently published, via the web host GitHub, several samples of the 37 million customer details they claim to have stolen. So far, Avid Life Media Inc., who own Ashley Madison, have had these lists taken down using the powers of the Digital Millennium Copyright Act. Presumably not before others have copied them.


The motivation of The Impact Group appears to be moral, rather than financial. The personal details of the Ashley Madison website users are being leveraged to blackmail Avid Life into pulling the website, thus far their only demand. They have not requested any ransom money or a public apology, simply the complete removal of the Ashley Madison site. Security profilers suggest these hackers may be motivated by far-right Christian views. While other hacks have been motivated by moral crusades in the past, the personal impact for the families of those concerned has never been higher. If this crime sets a precedent that a business being deemed immoral by some is seen as legitimate justification for hacking it, then what next?

Secondly, Avid Life have not made a comment on their site or in the media since July 19th, the day after news of the hack was broken by KrebsOnSecurity. Subsequently, cyber lawyers are having a field day debating whether or not the personal details of the Ashley Madison users are covered by copyright under the DMCA. If this goes to court, we will watch with interest to see what the judge decides.

Thirdly, this week it has been discovered that an attempt to log in to the website using the correct email of someone on the Ashley Madison user database with the wrong password will return a different on-screen response from an attempt made using an email which is not on the client list. This means that anyone wanting to check their spouse’s fidelity can use their known email addresses to try to log in. The response alone will be enough to tell them whether an account is registered to said email address. The Register claims that the spike in traffic since this ruse was published has almost brought the site down twice, coming close to achieving the hackers’ demand.

Avid Life claim that they have brought in one of the world’s top IT security teams to take every possible step towards mitigating the attack. Clearly they should have called us, as whoever they did bring in has yet to rectify the vulnerability represented by the different responses generated for attempted logins using valid and invalid email credentials. This means that ten days after the attacks, people can still identify whether a known email address is present on the Ashley Madison user database. So much for the world’s leading married dating service for discreet encounters.
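The login flaw described above, shown beside its fix, as an added example that is not code from Ashley Madison or Portcullis. The account store, the response strings and the function names are constructed for illustration.

```python
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def _make_record(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt)}


# Constructed sample account store (hypothetical data).
USERS = {"alice@example.com": _make_record("correct horse")}
# Throwaway record: unknown emails still cost one full hash computation,
# so response time does not reveal what the response text now hides.
_DUMMY = _make_record(os.urandom(16).hex())

GENERIC_FAILURE = "Invalid email or password."


def login_leaky(email: str, password: str) -> str:
    """Flawed pattern: the failure message depends on whether the email exists."""
    user = USERS.get(email)
    if user is None:
        return "No account found for that email."
    if not hmac.compare_digest(_hash(password, user["salt"]), user["hash"]):
        return "Incorrect password."
    return "OK"


def login_uniform(email: str, password: str) -> str:
    """Hardened pattern: one failure message, same work on every path."""
    user = USERS.get(email)
    record = user or _DUMMY
    ok = hmac.compare_digest(_hash(password, record["salt"]), record["hash"])
    return "OK" if (user is not None and ok) else GENERIC_FAILURE


def responses_differ(login, registered: str, unregistered: str) -> bool:
    """Regression check: does a wrong-password attempt reveal membership?"""
    return login(registered, "wrong") != login(unregistered, "wrong")
```

`responses_differ` is the kind of check that belongs in a site's own test suite so the uniform response cannot regress unnoticed.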

If Portcullis had been brought in, our primary goal would be to prevent any further data loss or exfiltration from the site. Our incident response team could help with battening down the hatches post-event, such as suggesting that the company bring down the website temporarily until any issues resulting from its illegal intrusion have been addressed. This may be seen as acquiescing to the hackers’ demands, but what is the point of keeping the site up and open to further attack when so few clients, if any, will be using it for the time being? The methods used by the hackers must also be identified. So far, IT security media is suggesting that the hackers posed as external IT technicians in order to gain access to the Ashley Madison offices and facilitate the hack physically. At Portcullis our Social Engineering Physical Intrusion Assessment (SEPIA) service is aimed at helping clients to make sure such physical intrusions do not happen in the first place. Engaging our SEPIA team would be a crucial step towards ensuring that the hackers cannot do this again. Download our SEPIA brochure here.

Clearly Avid Life should have engaged Portcullis.

Clive Room