Ashley Madison Breach: 6 Essential LessonsExperts Offer Advice on Safeguarding Passwords, Expunging Data, Responding to Attacks
The hack attack against infidelity online dating site Ashley Madison, which led to massive data leaks, is grabbing more than its share of headlines. But experts say security professionals worldwide, across all sectors, can use the high-profile case to learn some important lessons about safeguarding sensitive data as well as reacting to a data breach.
See Also: The Global State of Online Digital Trust
The attacker or attackers, using the name "Impact Team," have recently released three batches of stolen data containing personally identifiable information for many of the site's current and former users. Since the Impact Team first began issuing threats against Ashley Madison's parent company, Toronto-based Avid Life Media, in July, the company has released multiple statements decrying the attack as a case of "cyber terrorism." But it apparently has yet to issue any breach notifications to any of its claimed 39 million customers.
On Aug. 28, Noel Biderman resigned as CEO of Avid Life Media (see Ashley Madison CEO Loses His Job). Leaked emails suggest that the company for the past three years has been unsuccessfully attempting to either go public or find a buyer.
Setting aside the morally charged question of the goals and aims of the site, which bills itself as "the world's leading married dating service for discrete encounters," security experts say that the breach - as well as how Ashley Madison has responded to it - offer several useful lessons. Here are six:
1. Identify, Safeguard Sensitive Data
It might seem obvious, yet experts say it bears repeating: One takeaway from the breach is the sheer importance of knowing which information is mission-critical and sensitive, and then devoting the lion's share of resources to ensuring that it remains secure.
In the case of Ashley Madison, the failure to keep customer data secure was the company's biggest error, says Raj Samani, the chief technology officer for Europe, the Middle East and Africa at Intel Security. "Simply put, for a business such as Ashley Madison, customer data is really the most valuable asset they had," he says. Now that the data has been released, of course, the reputational damage and economic impact on Ashley Madison - which had been attempting to launch an initial public offering on the London Stock Exchange later this year - could be devastating. Ditto the leak of what appears to be now-former CEO Biderman's Gmail spool, containing a reported 200,000 individual messages.
In the wake of the Ashley Madison breach, Samani urges all organizations to review their security polices and procedures and do everything they can to identify and then prioritize securing their most important information. "Importance can be categorized into multiple areas, for example certain data types will be regulated and therefore may need to be handled differently - for example, cardholder data. Otherwise you could look at sensitivity, so via a risk assessment, you could determine which data has a higher priority," he says. "This to me is the absolute foundation of any risk management process: identify your assets, classify your assets and then implement the appropriate level of control."
2. Secure Passwords
Australian data security expert Troy Hunt says one fact that deserves more attention is that Ashley Madison - unlike so many other breached businesses in recent years - did get its password security right. Hunt, who runs "Have I Been Pwned?" - a free service that alerts people when their email addresses show up in public data dumps - says Ashley Madison succeeded at password security by not just selecting the bcrypt password hash algorithm, which is a good tool for the job, but also by using it correctly (see Ashley Madison: Hackers Dump Stolen Dating Site Data).
The results speak for themselves: according to a test conducted by password-cracking expert Jeremi Gosney on 4,000 of the leaked Ashley Madison password hashes, only 0.0668 percent could be easily cracked, he tells Ars Technica. Furthermore, attempting to crack the entire set of more than 36 million leaked password hashes - which would require substantial resources and spending, including massive amounts of processing power - would likely take anywhere from several years to hundreds of millennia, Gosney says.
"I almost feel a little bit upset that we're not celebrating the use of good password storage," Hunt says.
3. Store Less Data
But Ashley Madison executives also made what appear to have been a number poor technology and business decisions. For example, Hunt says the leaked data includes many members' credit-card billing addresses and related first and last names, IP addresses, email addresses, as well as their latitude and longitude, logged down to five decimal places, which means they're accurate to a range of about 1 meter (3.3 feet).
So even though the company got its password security right, and the leaked credit card data appears to have been scrambled, except for the last four digits of each card, the other information gathered by the company has now been leaked, reportedly enabling many people to be identified, including by their spouses and members of the public.
The security and privacy takeaway is that businesses should only retain data that they absolutely require, and attempt to expunge everything they do not. Hunt notes in a recent column that while this can take a bit more work, the result would have been a better balance between functionality as well as the anonymity the site promised. For example, he says, Ashley Madison had no need to store ultra-precise longitude and latitude data, or all of the billing-related data that it was retaining. "Now yes, you need some geographic data in order to match people with those in close proximity, but that doesn't need to pinpoint people to precise locations," Hunt says. " The problem is that storage is cheap and humans are expensive; it would have been easier for them not to purge payment records and pay for the extra storage then to implement the features to kill all traces of the data."
4. Honor Promises
Ashley Madison offered a $19 "full delete" service to remove all traces that a person had ever used the website, and after the breach, announced in July, began offering that service for free. But multiple full-delete users have reported that their personal details, including the aforementioned payment-related information, were in fact in the leaked data, according to news media reports.
Samani says the full-delete service highlights the importance for organizations to simply "do what you promise." A number of related lawsuits could now put Ashley Madison officials on the spot, when it comes to asking how they attempted to fulfill those promises (see No Surprise: Ashley Madison Breach Triggers Lawsuits).
"One of the biggest challenges for Ashley Madison will not be to simply demonstrate that they undertook appropriate due diligence to protect data - as per data protection regulation requirements - but to explain why exactly they did not delete customer records even when paid for by customers," Samani says. "This appears to be the basis of legal challenges that will prove hard to argue."
5. Secure the Supply Chain
Every business partner that's granted access to an organization's network and applications is a potential security risk. Indeed, as numerous breaches have highlighted - including attacks against Target, which was hacked via a connection it provided to one of its contractors, and the U.S. Office of Personnel Management, which was reportedly breached using legitimate credentials stolen from a private contractor is uses - hackers can use anyone's valid access credentials to gain access to their target.
Investigators have not identified, at least publicly, who was responsible for the Ashley Madison hack. But in July, former Avid Life Media CEO Biderman suggested that the breach was the work of an insider, saying that "it was definitely a person here that was not an employee but certainly had touched our technical services" (see Ashley Madison: $500K Reward for Hacker).
Likewise, Tom Byrnes, CEO of botnet-blocking service ThreatStop, notes that the leaked Ashley Madison data set is "nicely organized [and] in its original tables with the proper table names." While that is no smoking gun, it suggests that rather than using a SQL-injection attack, allowing attackers to grab unformatted data, the Ashley Madison hackers "likely had legitimate network credentials and were able to dump the data intact, complete with indices and foreign keys," he says. Either way, the evidence so far seems to suggest that the attacker was an insider, or else someone who compromised an insider's credentials.
"We often hear the phrase 'security is only as strong as its weakest link,' and in many cases the supply chain represents that weakest link," Samani says. "Above all else, the need to audit, and manage such third parties is of critical importance."
6. Talk to Customers
Security experts say another promise that Ashley Madison has not been keeping is its home page's still-present claim that the site has "over 39,645,000 anonymous members." The vast majority of those members, of course, are no longer anonymous.
"They keep pushing the anonymity and the privacy, when clearly they could never deliver, and even though they haven't been able to deliver on it, they keep pushing it," Hunt says.
Hunt, as well as multiple legal experts, say the company has apparently failed to issue data breach notifications to victims or offer free credit monitoring services, as many breached businesses will do. But California-based technology attorney Girard Kelly says it's not clear that the Canadian company is under any legal obligation to do so. Furthermore, the pro-adultery dating site might potentially do even more damage to customers' personal lives if it issued breach notifications.