8/19/2015
05:50 PM

ID Thieves, Blackmailers Have Lots To Gain In Ashley Madison Breach

Breach highlights need for greater anonymity controls in identity and payment mechanisms.

Unlike the perpetrators of the Sony and Hacking Team doxing attacks, who uploaded stolen data to Pastebin, the attackers who compromised online hook-up site Ashley Madison dumped data on the dark web -- which is only accessible via the Tor anonymization network. The dark web is someplace the average Internet user never goes, but a great deal of criminal activity takes place there, including child exploitation and assassins for hire.

Could this mean that the Ashley Madison attackers were deliberately trying to put the stolen data in the hands of people who would use it for blackmail? Robert Hansen, VP of WhiteHat Labs at WhiteHat Security, doesn't think so.

"The hackers don't seem to be interested in blackmailing individuals," says Hansen. "It's more likely they just wanted to do everything over Tor."

Regardless of the attackers' intentions, Trustify, an online private eye service, has indexed the email database and created a site where people can plug in an email address and check whether or not it was among those leaked.

According to Hansen, the data dump includes 28 million unique email addresses. The lion's share use webmail providers -- topping the list are Gmail (8.77 million emails listed), Yahoo (6.62 million), and Hotmail (6.24 million). However, Hansen also found 13,000 .mil and .gov addresses, as well as a variety of corporate domains, including sizeable clusters from Microsoft, Apple, Cisco, Bank of America, and BP.

"I have found a bunch of fake entries in here, so all of this data should be taken with a grain of salt," says Hansen. "It doesn't appear that they normalized or even checked to make sure the emails were valid before storing them in this database. So, Barack Obama is in here under a dozen different emails as an example, as are a lot of others that are clearly incorrect.

"Even the allegations could ruin people's lives and careers," he says. "This is just a great example of how personal data becomes a liability for companies unless they can guarantee safeguards."

"This does open the door for blackmail," says Stephen Coty, chief evangelist at Alert Logic. "The fact that some companies have made [the stolen data] searchable to drive traffic to their websites just means that it will take the wind out of blackmail. If your spouse or significant other can easily search for this data on one of the many sites, then the effect of blackmail really isn’t an issue because they already know you were a member.

"Now there is the issue," says Coty, "of all the profile data and credit card transactions which would reveal the actual content and desires from their profile and the charges that were made to a credit card that maybe the significant other was not aware of might still be used. Just because you had an email address on the site does not mean that you participated, but the profile and credit card transactions might show otherwise."

"Undoubtedly, many of the emails and domains now published to the Dark Web are fake, but site users can't run from the credit card information," says Jason Polancich, founder and chief architect of SurfWatch Labs. "The Ashley Madison site required it and, like everyone else, ties it directly to the individual user. This is a good reminder: the web is not anonymous. Credit card payments are not anonymous and this is a big flaw that banks are dealing with now. Attacks such as these will likely be a boost for Bitcoin and others like it. Times are changing and credit card privacy issues need to be solved. And I guarantee that won't be accomplished with just Chip-and-PIN."

The attackers stuck Avid Life Media (ALM), Ashley Madison's parent company, between a rock and a hard place: it could either shut the site down voluntarily or continue business as usual, wait for the attackers to leak the database, and see whether that killed the business.

"The Ashley Madison breach paints a clear picture of how a single breach can be the death of a company," says Carl Herberger, VP of security solutions at Radware. "If this isn’t a very loud wakeup call for any company with a business model that relies on user data and e-commerce, then I would struggle to figure out what is. Online businesses cannot successfully exist without the highest security precautions and protocols and keen prowess at operational secure discretion. A hack of this magnitude can happen to any organization, and it's time for the enterprise to assume that it will, and make the necessary plans to navigate through that eventuality and come to terms of all of the key steps required to avoid it."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
ODA155
User Rank: Ninja
8/21/2015 | 3:58:30 PM
Re: Hard to imagine
What I find hard to believe is that anyone can be blackmailed with information that is already in the public domain.
lynnbr2
User Rank: Strategist
8/20/2015 | 5:54:12 PM
Re: Hard to imagine
Avid Life Media's website home page has a tagline "Learn more about Noel Biderman." According to an Ars Technica article today, we may indeed learn more about the parent company's CEO - as some 19GB of his emails have now been dumped as well.

It looks like the Sony breach opened some eyes as to what is possible nowadays, and it looks like it will become more common to lie low and collect all that you can for a while, instead of just hack-n-grab like what was common before.

In the era of Big Data, perhaps storing credit card numbers, all manner of personal details repurposed as security questions, and emails in perpetuity isn't all it's cooked up to be - anymore.

Would be interesting to cross this db with the OPM db?

The only way AM comes back from this - is as a voyeur site <grin>.
RyanSepe
User Rank: Ninja
8/20/2015 | 2:41:30 PM
Re: Hard to imagine
I agree, but one thing I was not aware of on this site is that not all the users on Ashley Madison are the unfaithful type. Some are just singles looking to find other singles with similar fetishes. However, not being a user of the site, the data I am going off of is referenced here:

dadaviz.com/s/ashley-madison-revealed

This fact alone may save them.
mcarter641
User Rank: Apprentice
8/20/2015 | 10:42:48 AM
Cybersecurity and the Intelligence Community
Grace and Peace;

My name is Michael, I am a researcher of IT. I hold a Bachelor's of Science with a Specialization in Visual Communications...Please, do not be alarmed at my presenting my credentials; it's that I have really no other life outside of maybe, you too, trying to solve pressing issues that affect America. You do write quite well and have the appearance of some knowledge that could change the tide for the crooks.

I am with you. I am currently writing a report on Cybersecurity, the Intelligence community, and You: report two. As well I would like you to know from me that no matter what you do or run across - do not give up. We are in this together. I really needed to read your article...Your article! Thank you! And keep the pace rigorous as we have been taught!

There is no time like the present,

M. Carter BS IT/Visual Communications
Whoopty
User Rank: Ninja
8/20/2015 | 7:28:40 AM
Hard to imagine
I find it hard to believe that many people will use Ashley Madison after this. While the site may continue to operate afterwards, who is going to use a service that demands secrecy, that cannot protect user data? It's good that passwords were encrypted, but the fact that so much data is in the open and the fact that ALM didn't delete data after people paid for that to happen... I don't see it bouncing back.