T. Kearny Vertner, III
Ashley Madison Breach: Another Study in Security and Mitigation
Cheating never pays... and neither do bad security practices.
So you've probably heard a little bit about Ashley Madison and the massive data breach, but may have been wondering a few things. Namely, who is Ashley, why do I care that her data is all over the internet, and why does this matter to me? If this is you, you should absolutely care, because it's yet another important lesson in safeguarding your personal information and why we all need to assume that our private data becoming public is a matter of when, not if.

Who is Ashley?

Ashley Madison is the name of a web site dedicated to linking up married adults interested in having extra-marital affairs. That's right, a whole community of folks interested in (supposedly) discreetly violating their marriages. Putting aside any judgments, it had been successful. More than 38 million paying users and $115 million in revenue successful. So successful that parent company Avid Life Media, Inc. announced in April that it was seeking a $200 million initial public offering. They disclosed that their profit margin was between 20-25% and valued the company at over $1 billion. All of this changed on July 20 this year.

The Breach and Release

While details are thin on who did it and how they did it, what is known is that on July 20, a hacktivist group calling itself Impact Team released a taste of the data they had secured, with a promise that if Ashley Madison and one of its sister sites, Established Men, did not shut down completely, they would release the full data dump to the public. This data dump was said to include complete names, passwords, user profiles, addresses, credit cards, phone numbers, and more. Approximately one month later, on August 18, they made good on their promise, and it was more massive than anyone could have guessed. The Ashley Madison data dump is over 10 GB compressed. To put that in perspective, the latest compressed dump of the English Wikipedia was over 12 GB compressed.
That's right folks, they released almost as much data on Ashley Madison and its users as the entire text of Wikipedia. The full scope of the release is still being investigated by security researchers, law enforcement, and privacy enthusiasts, but it's increasingly appearing both genuine and broad in scope. How broad? The dump appears to include Avid Life Media employee PayPal accounts, their Windows domain credentials, and a tremendous amount of proprietary internal documentation such as memos, organizational charts, server infrastructure, contracts, and sales techniques. This isn't just a breach of the users; this is a full-scale compromise of the company.

What Can We Learn?

We can actually learn a lot from this breach. Believe it or not, while their system may have had some (clearly) exploitable loopholes, Avid Life Media did at least go to the trouble of hashing all of the passwords with bcrypt, a password hashing algorithm derived from the Blowfish cipher. While it's slow and resource-intensive by design, it's considered one of the more secure ways to store passwords, meaning that password crackers are going to need a lot of extra time to recover them as plaintext. That said, there are two big lessons:

1. Never Assume Your Data is Secure. No matter how much you trust a web site, payment system, or database, there is always the possibility of a breach. Mitigate your risks by understanding what data about you is available publicly and privately and by judiciously limiting your use of data-hungry services. In the age of free web-based e-mail services, there's no reason not to consider using throwaway e-mail accounts and false information, though understand that a determined attacker may still be able to identify you when you invariably cross-pollinate elements of that persona with your true identity.

2. Never Re-use Passwords. This is the big one. I've written about this before, but it's a mantra that always bears repeating.
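The two lessons turn on one mechanical fact: a slow, salted hash like bcrypt makes every password guess expensive, but it does nothing for a user whose password is already known from some other breach. The Python below is added here as an illustration; it is not code from the original post or from Avid Life Media. It uses PBKDF2-HMAC-SHA256 from the standard library as a stand-in for bcrypt (same tunable work factor and per-user salt, chosen so the example runs with no third-party packages), shows how a fast unsalted hash gives identical digests for identical passwords while the salted verifiers differ, measures the guess-rate gap between the two on the local machine, and audits a set of accounts against a list of passwords already exposed elsewhere so those users can be forced to reset. Every account name, salt and password in it is constructed sample data.

```python
import hashlib
import hmac
import os
import time

# Work factor for the slow hash. PBKDF2-HMAC-SHA256 stands in for bcrypt here:
# the property the article relies on is the same, namely that every guess
# costs a tunable amount of CPU and a per-user salt stops one cracked
# password from exposing everyone who chose it.
ITERATIONS = 50_000


def fast_hash(password: str) -> str:
    """Unsalted SHA-256, the kind of storage a site should not use: one guess
    costs one hash call, and identical passwords give identical digests."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_verifier(password: str, salt: bytes = b"", iterations: int = ITERATIONS) -> dict:
    """Build a salted, slow verifier record suitable for storage."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def check_password(password: str, verifier: dict) -> bool:
    """Recompute the slow hash for a candidate and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    verifier["salt"], verifier["iterations"])
    return hmac.compare_digest(candidate, verifier["digest"])


def audit_exposed_passwords(accounts: dict, exposed: list) -> list:
    """Return usernames whose current password appears in a list of passwords
    already exposed by another breach, so those accounts can be reset.
    Because of the per-user salt, each (account, candidate) pair costs a full
    slow hash; that cost is exactly what bcrypt-style storage buys."""
    return [user for user, verifier in accounts.items()
            if any(check_password(p, verifier) for p in exposed)]


def guesses_per_second(hash_one, seconds: float = 0.25) -> float:
    """Rough throughput of a hashing function on this machine. `hash_one`
    takes one candidate string; used only to show the work-factor gap."""
    count, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        hash_one("candidate%d" % count)
        count += 1
    return count / (time.perf_counter() - start)


# Constructed sample data (not from any real breach): three accounts, two of
# which chose a password that also appears in the exposed list.
EXPOSED_PASSWORDS = ["123456", "password", "qwerty", "letmein"]
ACCOUNTS = {
    "alice": make_verifier("correct horse battery staple", salt=b"A" * 16),
    "bob": make_verifier("letmein", salt=b"B" * 16),
    "carol": make_verifier("letmein", salt=b"C" * 16),
}


if __name__ == "__main__":
    # bob and carol share a password: under a fast unsalted hash their stored
    # digests would be identical, so cracking one exposes both.
    print("fast digests equal:", fast_hash("letmein") == fast_hash("letmein"))
    # Under the salted slow hash their verifiers differ and must be attacked separately.
    print("slow digests equal:", ACCOUNTS["bob"]["digest"] == ACCOUNTS["carol"]["digest"])
    fast = guesses_per_second(fast_hash)
    slow = guesses_per_second(lambda p: check_password(p, ACCOUNTS["alice"]))
    print("fast hash guesses/s: %.0f, slow verifier guesses/s: %.0f, ratio %.0fx"
          % (fast, slow, fast / max(slow, 1e-9)))
    print("accounts to reset:", audit_exposed_passwords(ACCOUNTS, EXPOSED_PASSWORDS))
```

Running the script prints the measured ratio between the two guess rates, which is the margin the author credits bcrypt with, and lists bob and carol as the accounts to reset: the slow hash did not protect them, because their password was already on a list an attacker would try first. Raising ITERATIONS widens the ratio; it never shrinks that list.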
Despite Avid Life Media's smart use of bcrypt, many passwords will be cracked. When paired with the plaintext e-mail addresses and the other exposed private information, e-mail and bank accounts will be violated by malicious opportunists. Why? Because we're all lazy creatures of habit and re-use passwords. It's very likely that a number of the same users with easily-cracked passwords use the same password on their e-mail account. Once an attacker has your e-mail account, it's trivial to lock you out and start changing the passwords on all of your other services before milking them for any profit they can.

So while it's tempting to poke fun and engage in a bit of schadenfreude about the apparent inability to trust a service for untrustworthy people, it's important to remember that there are real lives affected. There are many reasons people might choose to try such a service, and it's always possible that the user information is not legitimate; wouldn't you hate to be served divorce papers because a friend used your name and address with a fake e-mail account? Additionally, regardless of your opinion of people using this service, adultery is usually a private and painful matter. This breach will bring a lot of people's personal pain into the public sphere. If we can't defend the privacy of the questionable, we will lose everybody's privacy. As the old adage goes, "If you don't have anything to hide, you haven't lived a very interesting life."