By Malcolm Rowlings
The sordid scandal created by the release of customer data from the Ashley Madison servers is teaching Internet security professionals some very hard lessons about keeping confidential data secure. The incident emanated from a brazen attack by a shadowy hacking outfit known as the Impact Team, and it has brought about sweeping implications for the IT security industry.
Understanding the Ashley Madison Hack
To understand the implications of the hack on AshleyMadison.com, one must first consider the motives and the mechanics behind the attack. The Impact Team is a self-described “hacktivist” group, which means that their modus operandi may include black-hat tactics that they consider justified by their cause. For an enterprise such as Ashley Madison, groups such as the Impact Team are more dangerous than cyber criminals. Hacktivist groups tend to be larger in number and better organized than hackers who wish to steal assets for potential financial profit.
Ashley Madison is an infamous social network that aims to profit from what can be considered an unethical practice: marital infidelity. Ashley Madison essentially promises those who sign up that they will be able to access a social network of philanderers and cheaters. The Impact Team took issue with this premise, but what they considered to be even more egregious was the company’s data retention policy; if a member wanted his or her personal information deleted from the Ashley Madison servers, he or she would have to shell out $19. The Impact Team reportedly found out that the company was not delivering on this promise even after members paid the data deletion fee.
Unlike hacking outfits that demand hefty ransoms in exchange for not continuing their attack, the Impact Team warned Ashley Madison that they had successfully penetrated the site and copied 9.7 gigabytes of personal data and credit card transactions. The Impact Team issued an ultimatum: either take down the site or suffer the consequences of a data dump. In the end, Ashley Madison did not relent, and the Impact Team posted the decrypted data on an onion site on the Tor network, which is accessible through Tor-enabled browsers that allow navigation of the deep web.
The data dump, which revealed personal information of millions of users who were shamed for their inclination towards marital infidelity, has apparently motivated a number of suicides in Canada and in the United States. The CEO of the parent company that owns and operates Ashley Madison resigned in shame.
How the Ashley Madison Hack Worked
Essentially, the Impact Team first breached the Ashley Madison servers before they moved on to explore the data structure, find the folders that stored customer data, copy the files, and issue warnings to key personnel. It is unclear whether Ashley Madison used cloud servers, but those who are familiar with IT virtualization basics know that virtual servers need as much security against intrusions as their hardware counterparts.
The next major step in the Ashley Madison attack was the decryption of the more than 35 million sets of member data, which were actually protected by means of the bcrypt hashing function. Security analysts who have investigated the aftermath of the attack found that the Impact Team had enough time, from the issuance of the first threat until the data dump, to conduct hash cracking runs, which involve a combination of a brute-force process and an algorithm function. However, security analysts also looked at the source code of the site, which revealed that not all passwords had been properly protected.
A careless code change in 2012 allowed security analysts to see passwords that had not been salted, which allowed them to create a hash cracking procedure that enabled decryption based on values that were not kept secret.
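The following is an added example, not code from Ashley Madison or from the original article. It shows a defender-side audit that spots an unsalted password derivative in a credential table: with a unique salt per user, two users with the same password never share a stored value, so any shared value marks a column that undoes the protection of the slow hash. PBKDF2 from the Python standard library stands in for bcrypt, and the column names, the SHA-256 token and the sample accounts are assumptions constructed for illustration.

```python
import hashlib
import os
from collections import defaultdict

ITERATIONS = 100_000  # work factor for the slow hash (assumed value)

def slow_salted_hash(password: str) -> str:
    """Per-user random salt plus a slow KDF. PBKDF2 stands in for bcrypt."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${dk.hex()}"

def fast_unsalted_token(password: str) -> str:
    """Hypothetical shortcut field: no salt, a single fast hash."""
    return hashlib.sha256(password.encode()).hexdigest()

def build_table(accounts):
    """Constructed sample rows that store both derivatives of each password."""
    return [
        {"user": user,
         "pw_hash": slow_salted_hash(pw),
         "login_token": fast_unsalted_token(pw)}
        for user, pw in accounts
    ]

def audit_columns(rows, columns):
    """Return {column: [[users sharing a value], ...]} for suspect columns.

    A collision between different users means the column is a deterministic,
    unsalted function of the secret, so one guess tests every account at once.
    """
    findings = {}
    for col in columns:
        groups = defaultdict(list)
        for row in rows:
            groups[row[col]].append(row["user"])
        shared = sorted(sorted(users) for users in groups.values() if len(users) > 1)
        if shared:
            findings[col] = shared
    return findings

# Constructed accounts; two pairs of users reuse the same password.
SAMPLE = [("alice", "hunter2"), ("bob", "correct horse"), ("carol", "hunter2"),
          ("dave", "correct horse"), ("erin", "x9!Lm#42")]

if __name__ == "__main__":
    table = build_table(SAMPLE)
    for col, shared in audit_columns(table, ["pw_hash", "login_token"]).items():
        print(f"{col}: looks unsalted, value shared by {shared}")
```

A column flagged by this audit should be dropped or regenerated from a random per-session value rather than derived from the password.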
In the end, a site that was not secure enough to withstand intrusions plus a coding error sealed Ashley Madison’s fate.
Malcolm Rowlings spends his time elevating businesses through independent consultant work, with core focuses around bigger ideas, bottom lines and better business. When Malcolm isn’t writing or meeting with a board, he’s gearing up for the eventual ultra marathon he’s been planning for years. Follow him on Twitter @MalcolmRowlings.