One of the most prominent marketing themes of the recently hacked “Ashley Madison” was that. Despite the padlock logos and the other commercial messages on the website trying to reflect the high level of security it employed, it is important to remember that it is an Internet-based service, and therefore has vulnerabilities in its ability to keep its “secrets” safe.
With the most recent security breaches (Sony, Anthem, Target, Adobe, and others) we are seeing how vulnerable our data and secrets are on the Internet. In the Ashley Madison case, the effects were personal, not merely corporate or business-based as in previous cases, although even this case has involved the publication of several gigabytes of information, e-mails, attachments and documents pertaining to the company’s CEO. After the publication of several gigabytes of personal data (so far data from some 32 million users has been published) from this extramarital dating website whose slogan was “life is short, have an affair”, we can only imagine the millions of broken families and careers destroyed by scandal that could ensue if the effects of an information leak began to expand.
As well as the e-mails and password hashes, the information made public included details specific to dating web sites, such as height, weight, etc. It also included addresses and GPS coordinates. It is probable that many users created false accounts with false identities, but the GPS coordinates that their applications transmitted are real. From what we have seen in recent days, the data has been confirmed as legitimate, both in terms of e-mail addresses and the last digits of credit cards. It should be remembered that the web site did not verify e-mail addresses during the registration process, which means a large number of these addresses may be false.
Attacks such as this make us more aware of the vulnerability of our data on the Internet. Without realising it, we use dozens of applications on our mobile phones and computers which upload and store large amounts of personal details on the Internet, and we do not worry about how secure these details are. Although businesses in the corporate sphere are aware of the need to protect data in general terms, we are only slowly beginning to realise the importance of security and privacy in the personal sphere.
On the other hand, this attack seems to have different motivations to other recent incidents. Until now, the reasons were often economic, based on stealing financial information, patient details, blackmail and even political motivations. The motives behind this attack are said to be moral objections to the site, but who is to say it was not done for pure entertainment?
The consequences in either case are very different: public shame for those affected, potential breakdown of relationships, but also blackmail to extract payment in return for not revealing information (now public in any case) to those the user would rather keep it secret from, such as their family or workplace. It has also been claimed that a large number of the e-mail addresses correspond to government domains and military institutions. Might there be the possibility for a different kind of blackmail in these cases? Another possibility now being discussed is that the millions of e-mail addresses made public can now be targeted with malware delivered by phishing, exposing these addresses to new attacks.
According to Ashley Madison, they were victims of a directed attack despite using advanced technological tools. In comparison to other security breaches, Ashley Madison seems to be taking things more seriously than others have done in the past, hashing passwords with bcrypt, tokenising card transactions and storing only the final digits of cards, separating the e-mail address tables from the passwords, and so on.
Although the technique or techniques used (phishing? SQL injection?) are not known, the protection measures used to date have not been sufficient. We should not, however, get things out of perspective. It is clear that Ashley Madison’s most valuable information was in its databases. Would the attack have been possible if the site had used transparent encryption on the database or encryption on more points? The simple act of using bcrypt would have made it virtually impossible to access the published user passwords if the users had employed a long password.
For any company working with sensitive information which it needs to protect, it is important they ask themselvesby trying to implement different measures to protect our “crown jewels”.
Methods such as TDE (Transparent Database Encryption) can be useful for protecting databases by encrypting their contents. If the threat is to documentation, then IRM (Information Rights Management) tools such as SealPath can ensure our documentation is encrypted and only accessible by those we give access to. We can use document or folder protection in document managers or file servers if that is where the most valuable information is located, or a CASB (Cloud Access Security Broker) if we need to increase the security of our cloud applications.
It is important to stress the need to protect different points; although we may have the perimeter protected with a firewall and the devices protected with antivirus or an IDS against intrusions, is our database secure? What about the documents we store on our PCs and servers? When we apply access control to these elements we are elevating the security level of our systems and making them less vulnerable. We are therefore making good use of our technical and financial resources, as we have raised the level of protection for our most valuable assets.