
9/8/2015 05:00 PM

Ashley Madison Guilty Of Hard-Coded Creds, Weak Bot Detection

Researchers find Amazon Web Services credentials in the source code and honeypot email addresses in the leaked user database.

Bad coding may have contributed to the doxing attack at Avid Life Media -- parent company of Ashley Madison, a dating site for people seeking extramarital affairs -- and insufficient bot detection may mean that people who've never even heard of Ashley Madison will find themselves on the leaked database. 

Researchers have found that ALM hard-coded a variety of credentials into its source code, which may have helped enable the attack. Also, ALM uses neither CAPTCHAs nor email verification to weed out bots during the account creation process, so individuals' email addresses -- and dozens of addresses owned by Trend Micro honeypots -- may have been used to create Ashley Madison profiles without their knowledge.

That's bad news for those whose emails are on the list, because they're being targeted by a variety of penny-ante extortion schemes looking to squeeze victims for a Bitcoin here, a Bitcoin there.

Trend Micro last week reported that it had seen criminals hitting up victims for Bitcoin using a variety of tactics. The business model is similar to that used by ransomware operators: small ransoms, lots of targets.

Some messages threatened standard extortion -- the attacker stating that they'd not only gotten the target's Ashley Madison profile, but hacked their Facebook account as well, and if the target did not pay up, they'd expose the victim's Ashley Madison profile info to their family and friends list. This message requested "exactly 1.05 BTC" (about $257 US) in payment. As of Sep. 1, Cloudmark researchers estimated that this message had already netted approximately $6,400.

Another message purported to be from Impact Team -- the group that has taken credit for the attack. It stated that yet another data dump was forthcoming, which would include profile photos, messages between members, and more. In a neighborly tone, stating, "We apologize as the members of the site were not our intended targets it was company itself," it offered recipients the chance to have their profile completely redacted before the next leak, for the price of 1.15 BTC (about $281 US).

A third message claimed to be raising money for a class action lawsuit against Ashley Madison and sent users to a website to sign up and donate.

In a blog post today, Trend Micro said it received some of these messages in the inboxes of dozens of addresses used by their honeypots, despite the fact that Trend Micro had never knowingly used those addresses to create Ashley Madison accounts.

Threat research manager Ryan Flores gathered 130 accounts that share the same signupip as the honeypot emails and believes they may have been generated by forum/comment spammers and third-party "profile creators" hired by Ashley Madison to help them build markets in new countries. He doesn't think Ashley Madison itself directly created these false accounts because only about 10 percent of the profiles claimed to be female.

He deduced that while some may have been generated by spambots, humans must have created others, including account clusters in Brazil and Korea -- a cluster being a group of accounts, all created from one IP address, within minutes of one another -- because the birthdates and usernames of the profiles were not as random as a bot would generally create.
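The cluster analysis described above, reduced to code: an added example (not Trend Micro's tooling) that groups accounts by signup IP, splits each IP's signups into runs created within minutes of one another, and applies the same heuristic the researcher used, shared birthdates and unpronounceable usernames, to decide whether a cluster looks scripted. The field layout and the sample rows are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows modelled on the fields the article mentions
# (signup IP, birthdate, username); none of these are real leaked records.
SAMPLE_ACCOUNTS = [
    # email, signupip, created (UTC), birthdate, username
    ("alice@example.org",  "198.51.100.4", "2015-03-02 10:01:05", "1979-04-12", "alice_b"),
    ("hp01@honeypot.test", "203.0.113.7",  "2015-03-02 11:00:01", "1981-01-01", "qx7zt9kd"),
    ("hp02@honeypot.test", "203.0.113.7",  "2015-03-02 11:01:40", "1981-01-01", "m2vr8wpl"),
    ("hp03@honeypot.test", "203.0.113.7",  "2015-03-02 11:03:12", "1981-01-01", "k9dj4hzs"),
    ("hp04@honeypot.test", "203.0.113.7",  "2015-03-02 11:04:55", "1981-01-01", "r5tq2nvb"),
    ("bob@example.org",    "203.0.113.7",  "2015-03-03 09:30:00", "1975-08-21", "bobby75"),
    ("c1@example.com",     "192.0.2.9",    "2015-03-02 12:00:00", "1984-02-14", "carlos84"),
    ("c2@example.com",     "192.0.2.9",    "2015-03-02 12:02:30", "1990-11-03", "ju_lia"),
    ("c3@example.com",     "192.0.2.9",    "2015-03-02 12:04:10", "1988-06-30", "marco_rs"),
]

def find_signup_clusters(rows, window_minutes=5, min_size=3):
    """Group accounts by signup IP, then split each IP's signups into runs in
    which every signup falls within window_minutes of the previous one.
    Returns the runs (lists of rows) that have at least min_size members."""
    by_ip = defaultdict(list)
    for row in rows:
        by_ip[row[1]].append((datetime.strptime(row[2], "%Y-%m-%d %H:%M:%S"), row))
    window = timedelta(minutes=window_minutes)
    clusters = []
    for signups in by_ip.values():
        signups.sort()
        run = [signups[0][1]]
        for (prev_t, _), (t, row) in zip(signups, signups[1:]):
            if t - prev_t <= window:
                run.append(row)
            else:
                if len(run) >= min_size:
                    clusters.append(run)
                run = [row]
        if len(run) >= min_size:
            clusters.append(run)
    return clusters

VOWELS = set("aeiou")

def looks_scripted(cluster):
    """The article's heuristic: a bot tends to reuse a single birthdate and
    emit usernames with no pronounceable structure (here: no vowels at all)."""
    birthdates = {row[3] for row in cluster}
    vowel_free = sum(1 for row in cluster if not VOWELS & set(row[4].lower()))
    return len(birthdates) == 1 and vowel_free == len(cluster)

def triage(rows):
    """Summarise each cluster as (signup IP, size, scripted?) for review."""
    return [(c[0][1], len(c), looks_scripted(c)) for c in find_signup_clusters(rows)]
```

Run on the sample, the honeypot IP yields a four-account cluster flagged as scripted, while the three Brazilian-style accounts form a cluster with distinct birthdates and readable usernames, which is the human-created pattern the researcher described.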

This would be less problematic if the breach had never occurred in the first place. Yet, according to security consultant Gabor Szathmari, Ashley Madison may have made things easy for their attackers by writing a variety of credentials directly into their source code -- including database credentials, SSL private keys, Twitter OAuth tokens, and Amazon Web Services credentials. In addition, the database passwords Szathmari found "were between 5 and 8 characters, and many of them contained 2 character classes only."
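A pre-commit check for the two problems Szathmari describes, credentials written into source and database passwords of 5 to 8 characters with only two character classes, as an added example (not Szathmari's tooling or ALM's code). The source snippet is constructed, the AWS pair is Amazon's documented example key rather than a live credential, and the length and class thresholds are assumptions chosen so that the passwords the article describes are flagged.

```python
import re

# Constructed stand-in for a config file; every value here is a fake
# (the AWS pair is Amazon's own documented example key, not a live one).
SAMPLE_SOURCE = """\
DB_HOST = "db.internal"
DB_PASSWORD = "s3cret12"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
TWITTER_OAUTH_TOKEN = os.environ["TWITTER_OAUTH_TOKEN"]
"""

# AWS access key ids start with AKIA followed by 16 upper-case alphanumerics.
AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# An identifier that smells like a secret, assigned a string literal.
SECRET_ASSIGN = re.compile(
    r"""(?i)\b(\w*(?:passw|secret|token|private_key|api_key)\w*)\s*=\s*["']([^"']+)["']""")

def char_classes(value):
    """Count the character classes present: lower, upper, digit, other."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(check(c) for c in value) for check in checks)

def is_weak(value, min_len=12, min_classes=3):
    """Assumed policy: at least 12 characters drawn from 3 character classes."""
    return len(value) < min_len or char_classes(value) < min_classes

def scan_source(text):
    """Return (line_no, identifier, finding) for each hard-coded secret.
    A value pulled from os.environ is not a literal and is not reported."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if AWS_KEY_ID.search(line):
            findings.append((n, "AWS access key id", "hard-coded aws key"))
        m = SECRET_ASSIGN.search(line)
        if m:
            name, value = m.group(1), m.group(2)
            label = "hard-coded secret"
            if "passw" in name.lower() and is_weak(value):
                label += f", weak ({len(value)} chars, {char_classes(value)} classes)"
            findings.append((n, name, label))
    return findings
```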

"Database credentials, AWS tokens probably made the lateral movement easier for the Impact Team, leading to the full breach of Ashley," Szathmari wrote.

One thing Ashley Madison's security team did do right was to hash users' passwords with bcrypt. Even so, researchers at Avast! have begun cracking some of the weakest passwords in the database by guessing candidates and running them through bcrypt. After two weeks of runtime, Avast says the CPU crack is about 4.8% complete and the GPU crack only about 0.0008% complete. So far, at least some of Ashley Madison's users have proved just as reckless creating passwords for highly sensitive sites as they are for others. The top five passwords (among those cracked so far) are, from most to least common, "123456," "password," "12345," "12345678," and "qwerty."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
GonzSTL, User Rank: Ninja | 9/10/2015 | 11:09:14 AM
Re: Security
Embarrassing and unprofessional. Seriously, hard coding credentials, tokens and SSL certs?
Whoopty, User Rank: Ninja | 9/9/2015 | 7:32:15 AM
Security
The security, or lack thereof, at AVL and Ashley Madison is really embarrassing. It shows that when crafting a service you need people who are well versed in web security there from the get-go. You cannot build a system and hire a security pro later.