Thursday, August 27, 2015

Lessons from the Ashley Madison Hack

Ashley Madison (AM), a worldwide dating site for nearly 40 million married people looking for things on the side, was hit by a massive hack in which gigabytes of user data were leaked to the public.  36 million email addresses and activity histories are in the wild, and Avid Life Media (ALM), the owner of the site, insisted that the data may not be genuine.  So naturally, the hacker dumped another (larger) set of data -- 13GB worth -- containing even more sensitive information (internal emails, source code for the website and mobile apps, etc.), taunting ALM's CEO into admitting that the hack was real.

Here are some of the things we've learned:

1.  Most "hacks" are not really hacks

I hate to bring up CSI:Cyber all the time, but the kinds of "brute force attack"-type hacks (like you see on TV) are terribly slow and heavy on computing resources, and they are rarely successful.  Moreover, the typical hacking methods of SQL injection and buffer overflow attacks are well-documented, and good IT specialists know how to prevent them.  "Hacked" companies are more likely to be victims of one of the following:
  • social engineering: along the lines of me calling Microsoft's support hotline, telling them I'm Bill Gates and I've lost my password;
  • a rogue employee (or ex-employee, contractor, vendor) stealing and dumping data they have/had privileged access to (this even has a technical term, 'doxing').

Sadly, victimized companies probably won't admit they screwed up their customer service or internal HR policies; they'd rather say some criminals spent tons of money to break into their system.  So the general public will continue to think they are more vulnerable than they really are.

2. People are super-lazy with their passwords

I can explain this: perhaps these people think they just want to try the website once, so they use stupid passwords like "123456" or "password".  I do the same on sites to which I wouldn't give real personal information, like news sites or software companies' download pages.
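As an added example (not from the original post), here is the kind of signup-time check a site operator would run against exactly this habit: a normalized lookup of the chosen password against a blocklist of the most common breached passwords, plus a tally over a sample credential list showing how much of a corpus such a short list catches. Both the blocklist and the sample corpus below are constructed stand-ins; a real deployment would load a list derived from published breach corpora such as the 2009 RockYou dump.

```python
"""Weak-password screening and corpus tally (added example, not the post's code).

The check runs on the plaintext at signup, before the password is hashed,
so no stored secret is ever compared in the clear.
"""
import re
from collections import Counter

# Constructed stand-in for a breach-derived blocklist of common passwords.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "abc123",
    "111111", "letmein", "iloveyou", "123123", "ashley",
}

# Constructed sample corpus standing in for a leaked credential list.
SAMPLE_CORPUS = (
    ["123456"] * 5
    + ["password"] * 3
    + ["Password1"] * 2
    + ["qwerty!", "letmein123", "correct horse battery staple",
       "Tr0ub4dor&3", "xK9#mQ2v!Lp7", "hunter2"]
)


def normalize(pw: str) -> str:
    """Lower-case and strip a trailing run of digits/punctuation.

    'Password1' and 'qwerty!' collapse onto their blocklisted base word.
    If stripping would empty the string (e.g. '123456'), keep the original
    so purely numeric entries still hit the blocklist.
    """
    base = pw.lower()
    stripped = re.sub(r"[\d!@#$%^&*._-]+$", "", base)
    return stripped if stripped else base


def is_weak(pw: str, blocklist=COMMON_PASSWORDS, min_length: int = 8) -> bool:
    """Reject passwords that are too short or that normalize onto a blocklist entry."""
    return len(pw) < min_length or normalize(pw) in blocklist


def audit(passwords, blocklist=COMMON_PASSWORDS, top: int = 3) -> dict:
    """Tally a credential corpus: how many entries the check would have rejected,
    and which values occur most often."""
    counts = Counter(passwords)
    weak = sum(c for pw, c in counts.items() if is_weak(pw, blocklist))
    return {
        "total": len(passwords),
        "weak": weak,
        "top": counts.most_common(top),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_CORPUS))
```

The normalization step matters more than the list length: most "creative" variants in breach dumps are a common word with a digit or symbol appended, so stripping that suffix before the lookup catches them without a longer list.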

3.  Dating sites like AM are sleazy and probably stuff their databases with fake (female) profiles

They do it in order to attract new members, even going to lengths to hire an army of "angels" to manually write fake profiles in multiple languages and post image sets stolen from Facebook.  These fake profiles are then "reanimated" by software, programmed to talk dirty to men and induce them to pay up.

Is it ethical? Nope (although accusing an extramarital hookup site of acting unethically is a bit redundant).  But illegal? Unlikely (i.e. somewhere in the legalese it will say the site is purely for "entertainment purposes").  Is it acceptable because all other sites do it? Maybe.  The fact that these kinds of sites are full of fake women and real scammers seeking to steal from unsuspecting men? Not surprising at all.

John C Dvorak of PC Magazine:
"What our researcher discovered in 2003 [from various dating sites] was that you sign up for these operations and then get inundated with messages from women who are just itching to meet you. But you must pay for more information. And surprise: once you join, you never hear from anyone ever again."

4.  It seems fair to say most men are probably not cheaters

We men are probably just curious, want to see what's out there.  If something happens, well great.  But (more likely) if not, well, it's only a few bucks, we can just move on and call women bitches.   If anything, us men, we are just retarded.

5.  People are less concerned about "financial information" than they are about "personal data"

Who cares about my credit card info? Needless to say, people who actually have secrets are panicking.

6.  The vultures have come out and they stand to benefit the most from the debacle

I'm talking about divorce lawyers, ambulance chasers, litigation lawyers, and extortion artists.

7.  Hell hath no fury like a woman scorned

John McAfee -- billionaire cybersecurity expert, real-life Tony Stark and world-renowned connoisseur of cocaine, guns and prostitutes -- combed through the massive data dump and concluded that the AM leak was done by one single female insider, probably a disgruntled former employee, and that the so-called "Impact Team" hacker group does not exist.  You may agree or disagree, but read McAfee's article and tell me it doesn't seem plausible.  If you want to have fun, read it out loud as Oscar Winner™ Patricia Arquette explaining to Ally McBeal's befuddled boss.  As if things weren't crazy enough, the key to identifying the real perpetrator may be the legendary hard rock band AC/DC.

Head of FBI Cybercrime Division: "Ooh, is that the new angry birds?"

8.  This leak will be a game-changer

We only get real-life data dumps of this magnitude once every few years.  The silver lining is that this "hack" will provide a massive corpus for analysis by data scientists (in addition to showing the naked truth about these kinds of sites, of course).  It would, hopefully, change how companies view security and the importance of safeguarding customer information.  Let's just hope the impact is as definitive as the 2009 "RockYou" hack and how it changed cyber security forever.
