Ashley Madison breach shows hackers may be getting personal
30 September, 2015 15:43
When AshleyMadison.com posted its slogan “Life is short. Have an affair,” it probably wasn’t bargaining for the one that it got last month. Someone got as intimate with the site’s members as you could get, exposing the online identities and sexual preferences of millions of adulterous wanna-bes.
The affair quickly turned into one of the largest personal information dumps ever, and the online hook-up site joined the ranks of the most notorious IT security breaches of all time.
It still remains to be determined who was behind the breach, and even whether it was the result of an outside attack or an insider job. But the nature of the site itself has since drawn plenty of attention.
Prior to the attack many individuals might have asked “Ashley Who?” Now the site appears to be a household name.
Which begs the question: was the Ashley Madison site targeted because of the nature of its business? And if so, does that attack mean other online dating sites might now be a preferred hacker target?
The cybersecurity experts CIO.com spoke with all said probably not, although they couldn’t discount the possibility. All agreed that the number 1 motivation for hackers today is the monetization of any information stolen from a site. Greed rules all.
Still, that is one level of vulnerability. Some sites may have layered levels of vulnerability based on social issues, political issues, religious issues and so on. As one security consultant noted, almost anyone can become a hacker today, and they could have any number of agendas.
Things are getting a bit personal
“My thought is that it was something personal,” says Alex Holden, founder and CTO at Hold Security, a Wisconsin-based company that provides IT security services and data breach analysis. “Hacker messaging to the former CEO of Ashley Madison had a lot of personal comments. The hackers usually don’t quote individuals.”
“From everything that I know, Ashley Madison was conducting business legally. Was it questionable? Yes. But in my book there would be 50 other companies ahead in line on doing less appropriate activities. To be honest, there is obviously a social impact, but the people within the company probably didn’t do anything bad,” Holden says.
Holden’s firm recently discovered that, indeed, several online dating sites have been compromised. They tend to not be the largest and best-known, however.
“We keep our eyes out for information that belongs to our customers and we wandered onto a website that is run by hackers,” Holden explains. “We found that in addition to information that was of interest to us there was additional clearly-marked stolen information from a number of different websites.”
In total, there were nearly 100 websites represented in the lot, and the site yielded significant clues about how the sites were compromised.
“When we examined the data we actually found out that the hackers kept logs of the sites that they attacked, how they attacked them and what they got from the site,” Holden noted. “The vast majority of sites on that one list – and there were also separate files that contain data also stolen from some of these sites – indicate that they went through a number of different sites and tried to steal specific types of data from these sites.”
Hold Security actually encounters such situations on a regular basis. The company has come to specialize in “thinking like a hacker” and that means going where hackers hang out. That has, in turn, revealed a lot about the types of sites that attract them.
“We audit not only from the compliance perspective but also from the real-world perspective where we would look through the eyes of hackers. What this shows me is that the dating sites are vulnerable by-and-large. There are no major sites that are at risk, such as eHarmony, Match.com, etc. The vast majority of these sites are small but they have databases where people have put very intimate portions of their lives.”
These cheaters will never prosper
And there’s the rub. While large-scale breaches such as Ashley Madison are not new, the type of information being compromised is different from the typical personally identifiable information (PII) that’s at risk in most hacks. People are no doubt alarmed enough if standard PII is compromised … and rightfully so. But truly personal information, such as the potentially embarrassing kind stored on a dating site or an “adult”-oriented website, could be a whole new set of worries.
“There is the classically defined personally identifiable information – first name, last name, social security number, bank account, credit card, all of that – but this is more of a private personal nature,” confirms Candy Alexander, a CRC security consultant and former CISO.
When she first learned of the Ashley Madison breach, “My reaction was that I wasn’t surprised,” Alexander says. “When we look at hacking it has always been about motivation. Back when this first started, like 20-something years ago, it wasn’t necessarily for monetary value; it was about bragging rights – what they perceived as superior intelligence by circumventing the rules and being the rebels. Then hacking morphed into those who had the desire to get monetary gain. Then it morphed into fraud through personal health information. Now, where we are today, it’s to the point where anybody can hack if they really want to.”
Alexander believes that there certainly could be a social conscience factor to the Ashley Madison breach.
“We’re seeing a lot of hacktivism coming from the political and the geopolitical perspective as well as the social justice perspective. We’re living in a really dangerous world on the virtual or electronic front,” Alexander stresses.
This match is no heaven
While the major “traditional” dating sites may not yet have been compromised in terms of member information, Match.com U.K. was successfully hacked by cybercriminals who were serving malware through ads on the site, according to Stephen Boyer, a cybersecurity expert and founder and CTO at BitSight Technologies.
“With Match.com they’re installing something called CryptoWall. It’s a ransomware – once it gets installed you’ve got to pay a ransom. That can have potentially a very serious impact. Even though Match.com didn’t appear to have its servers compromised, the ads that were serving from their site were compromising its user base. Their users could then have their information compromised or be exploited in a ransomware scheme.”
Asked if the Ashley Madison breach represents a change in behavior for hacking, Boyer says “You would think that, but it actually has been going on for quite some time.”
Boyer pointed to “a great website called haveIbeenpwned [pwned is computer geek-speak for compromised].” He’s charting roughly 60 breaches and a lot of those are ones that have been “‘dumped’ – you’ve got YouPorn accounts, SnapChat accounts, AdultFriendFinder.com – [even] Domino’s and Sony.”
“Why are those potentially interesting targets? Because they have information that can be used. Right now there is a strong underground economy for this type of information. You can buy and sell and trade that. These compromised credentials have currency in the underground markets,” Boyer says.