Posted by Tara Taubman-Bassirian on August 21, 2015.
This week in the UK, the first news came from the Mumsnet site being taken down by DadSecurity: ‘Mumsnet’s co-founder suffers ‘swatting attack’’, as BBC News titled it.
After the OPM, Sony and Anthem hacks, and after celebrities’ nude pictures were posted online, here comes the Ashley Madison hack, exposing private data of users dumped online. Wired reported the leak late Tuesday, after the hack was announced in July by a group calling themselves Impact Team.
These attacks represent a huge potential for damaging people’s reputations.
Huge amounts of personal information are collected digitally. Frequently these data have been hacked and dumped online. Revenge porn, trolling and swatting happen on a daily basis. As the attorney Carrie Goldberg rightly points out, “The Internet has created a marketplace where there is a value to other people’s humiliation.” She continues, “This mob revelry – and even sexual gratification – for “humiliporn” drives millions to dedicated revenge porn sites, motivates people to retweet sexual assaults, and is why so many couldn’t resist clicking on those pictures of Jennifer Lawrence … As long as we condone privacy invasions based on the personal values of those entertained by it, we are promoting a real lawlessness.”
As I write, I read the news that Toronto lawyers have filed a class-action notice in the Supreme Court.
These big hacking cases of online revenge should be a lesson for every company, and I am thinking especially of lawyers, notaries, or courts, to use all possible security measures when handling clients’ data. I am frequently astonished by the number of law firms exchanging sensitive client data via plain email without any encryption.
So, let’s have a more in-depth look at this case, from what has been published so far online.
What is the scale?
Millions of users’ data stored by the extra-marital dating site, part of Avid Life Media (ALM), the company behind the adult playgrounds Ashley Madison, Cougar Life, Established Men, and others.
Huge potential impact. The data dump, initially estimated at 9.7 gigabytes of compressed data, doubled in size after Impact Team released another archive of data, bringing it to 18.5GB, reports Steve Ragan.
Which kind of information has been published?
Apart from the inbox of the company’s CEO, it includes ‘account details for approximately 32 million users, seven years of credit card data, contact details, email addresses and, in some cases, detailed sexual preferences and desires’, reports Jedidiah Bracy (see also Dan Goodin of Ars Technica).
What was the reason for the attack?
The hacker group said it’s because the company “profits on the pain of others,” reports Steve Ragan.
“Avid Life Media has failed to take down Ashley Madison and Established Men. We have explained the fraud, deceit, and stupidity of ALM and their members. Now everyone gets to see their data.
Find someone you know in here? Keep in mind the site is a scam with thousands of fake female profiles. See ashley madison fake profile lawsuit; 90-95% of actual users are male. Chances are your man signed up on the world’s biggest affair site, but never had one. He just tried to. If that distinction matters.
Find yourself in here? It was ALM that failed you and lied to you. Prosecute them and claim damages. Then move on with your life. Learn your lesson and make amends. Embarrassing now, but you’ll get over it.”
What was the site’s activity?
Explicitly promoting extra-marital dating.
Who is concerned?
Many, many private or public individuals. Apparently many from the US, Canada and Israel: lawyers, teachers, politicians, and more.
15,019 accounts using either a .mil or .gov email address are included in the data dump, as Steve Ragan points out.
Steve Ragan adds: “Twitter,[email protected] provided Salted Hash with a breakdown of these addresses. A brief example is below; the image contains a larger list of domains. A full list is available here.
• us.army.mil – 6788
• navy.mil – 1665
• usmc.mil – 809
• mail.mil – 206
• gimail.af.mil – 127
Kashmir Hill mentions that many journalists have already contacted some of the users.
“We talked to 24 victims of the Ashley Madison hack about their exposed secrets”
According to Jedidiah, ErrataSecurity’s Robert Graham has been parsing through the information, which he says “appears legit.” He says users mostly appeared to be men—28 million versus 5 million women—but noted, “glancing through the credit-card transactions, I find only male names.” He confirms the data includes full account information and approximately 250,000 deleted accounts and partial credit card data with “full names and addresses … This is data that can ‘out’ serious users of the site.”
Some luckier users had paid with gift cards.
Kashmir Hill writes: “Because some people were insane enough to use their work email addresses on the site, reporters have found hundreds of bankers among the Ashley Madison users, dozens of lawyers, and thousands of government officials. According to Advisor Hub, the personal fallout is already happening”.
Where to access the data?
According to Kashmir Hill, “A handful of websites have popped up to make searching through that data easier. On https://ashley.cynic.al for example, you can plug in an email address and it will tell you if the person affiliated with that address was found in the leaked records. The site tells us that in the last 24 hours, it has gotten over 300,000 visitors who have performed more than a million searches.”
BBC reports that “Several people have created tools to let users search for email addresses in the data, but it’s not always clear how these tools are working, how accurate they are, or whether they are recording such search attempts. Microsoft-accredited security expert Troy Hunt has published a tool to allow people to be notified if their email address is part of the dump, but does not allow people to search through it at will. He has also written a Q&A explaining why he believes doing so would be unfair.”
Now wait, why would we want to look at stolen data?
If I left my hand bag unattended would you go and look what is in it?
Kashmir Hill raises an ethical question. She asks: even if you can check to see who was using Ashley Madison, should you?
“Many celebrate this hack, gleeful that cheaters are getting their comeuppance reports and suggest we stay out of other people’s bedrooms, even when the lurid details of those bedrooms are on a platter for us on the Internet. Those reveling in the hack, calling it a karmic triumph, should self-examine. Not just their own relationship and trust issues, but do they really condone the idea that the right to privacy should be on a continuum based on a person’s moral turpitude?” writes lawyer Carrie Goldberg (via Kashmir Hill and Jedidiah Bracy, https://iapp.org/news/a/the-ashleymadison-leak-and-why-we-shouldnt-buy-into-it/).
I personally think we should treat this information with great caution, as it can have damaging consequences if one relies too heavily on its accuracy.
What are the possible consequences?
Many will look for their partners’ known email addresses, or those of their family; employers will look for their employees’ addresses and may take that as an excuse to sack an unwanted employee. Some military officers will suffer the severe consequences of adultery. In some countries adultery is a crime, in others a cause of divorce. In the UK, there is a risk of ‘unreasonable behaviour’ being cited if it is not corroborated with proof of adultery. Kashmir Hill reports that the Pentagon is looking into Ashley Madison users with military email addresses, “as adultery can be a criminal offense”.
The BBC reports on one particularly widely reported incident that concerns two Australian DJs who, while interviewing a concerned listener live on air, revealed to her that details identifying her husband were present in the database. The woman responded in shock, saying: “Are you freaking kidding me?” Shortly afterwards, she hung up.
As Steve Ragan points out, “If the data in the leaked files is valid, then Impact Team has created a blackmail archive that could land scores of people in hot water.”
How much can you trust the information?
BBC points out that “People were able to sign up to Ashley Madison using false names and email address – no email account verification was required. And of course there is the possibility that you’ll find the information of someone you know in the hack who is not actually a user, say if someone else used their email address to sign up, as happened to an Intercept reporter.”
Jedidiah Bracy warns that “it’s not clear at all how valid or “real” this data is. For example, AM does not require users to validate their email addresses. One Twitter user going by @zerohedge pointed out that former UK Prime Minister Tony Blair’s email address is on there. Now, let’s be honest, there’s no way someone of his stature would have signed up for such a site using that email address. Much of the data, we must conclude, is not accurate.”
Steve Ragan also writes, warning about fake accounts: “If the data in the leaked files is valid, then Impact Team has created a blackmail archive that could land scores of people in hot water. However, ALM never required that data be valid unless the user registered for a paid account, and even then the verification process wasn’t that hard to bypass as long as the bills were paid.”
He emphasises that “Clearly there are plenty of false records, including those from the White House, or yahoo.gov. However, the records with full account details, including profiles matched to personal and financial records, are going to be harder to dispute.”
The archive was published along with a signed note (using the PGP Key published earlier to verify the files released by the group) telling the ALM CEO, Noel Biderman, that it was okay to admit the leaked files were real.
The files are real, however, the identity of the users is unverified.
Kashmir Hill quotes the security reporter Brian Krebs, who tweeted:
“I’m sure there are millions of AshleyMadison users who wish it weren’t so, but there is every indication this dump is the real deal.” (5:13 AM – 19 Aug 2015)
As Jedidiah Bracy mentions, “Initially, there was some question as to the data’s validity. Brian Krebs discussed the latest leak with the founding chief technology officer of AM, Raja Bhatia. Bhatia said, “The overwhelming amount of data released in the last three weeks is fake data.” However, in an update to his blog, Krebs spoke with “three vouched sources who all have reported finding their information and last four digits of their credit card number in the leaked database.””
Bracy also notes that, beyond Graham’s findings quoted above, the account holders’ passwords are hashed with bcrypt, something Graham calls “a refreshing change.” He continues, “Most of the time when we see big sites hacked, the passwords are protected either poorly (with MD5) or not at all (in ‘clear text,’ so that they can be immediately used to hack people).”
Bracy concludes: “Clearly, this is valuable PII that has found its way into the public domain.” He then repeats the caveat quoted earlier: it is not clear at all how valid or “real” this data is, since AM does not require users to validate their email addresses, and much of the data must therefore be considered inaccurate.
Plus, as Kashmir Hill points out, journalists and others curious to see what went on in the site may have signed up as well.
Avid Life Media, the company that owns AM and other similar sites like Established Men, issued a statement:
“The criminal, or criminals, involved in this act have appointed themselves as the moral judge, juror, and executioner, seeing fit to impose a personal notion of virtue on all of society. We will not sit idly by and allow these thieves to force their personal ideology on citizens around the world. We are continuing to fully cooperate with law enforcement to seek to hold the guilty parties accountable to the strictest measures of the law.”
According to Jedidiah, “it appears AM did employ decent hashing of passwords by using bcrypt. But that security measure, though a good one, doesn’t mean a whole lot to those who’ve had their sensitive data hacked. There’s no silver-bullet solution to strong security and privacy. It’s a multi-pronged effort combining good encryption, adroit data retention and deletion processes, two-factor authentication and plenty of other tactics.”
Robert Graham, CEO of Erratasec, says that despite this being one of the most secure ways to store passwords, “hackers are still likely to be able to ‘crack’ many of these hashes in order to discover the account holder’s original password. If the accounts are still online, this means hackers will be able to grab any private correspondence associated with the account.” Often sites do not bother protecting passwords at all. “We’re so used to seeing cleartext and MD5 hashes,” Graham says. “It’s refreshing to see bcrypt actually being used.”
Data protection issues:
As Jedidiah points out, “AM has exercised terrible data retention practices by keeping credit card transactions going back almost eight years. The data also includes 250,000 “deleted” accounts. Clearly, those weren’t deleted”, but they should have been, for the sake of data minimization. Data should not be kept longer than necessary.
According to the BBC, “multiple reports have now alleged that data which users paid £15 ($23) to be removed actually remained in the database that has now been made public online.”
BBC report: “A breach of privacy may have occurred if personal information has been discovered and published, according to Mark Watts, head of data protection at London law firm Bristows. In such cases the victim may decide to sue the perpetrator.
However, searching the data on an individual basis and purely out of curiosity is not likely to be considered illegal. “Simply looking at it itself as an individual shouldn’t be a problem,” he told the BBC.”
Mark Watts considers that “the company would have to have some physical presence, such as an office or server, in the UK.”
“If we assume they are somehow subject to [the act], then people have a right to have their data deleted for free. You can’t charge for it,” he said. “That would potentially be an issue.”
This is not so certain, especially since the recent Google cases and the lawsuit between Max Schrems and social networking giant Facebook. French data protection authorities tend to follow the criterion of the targeted public.