Henry Dalziel | Concise Courses | July 28, 2016
Thank you for your interest in our Ashley Madison Hack Course!
What is this?
The Ashley Madison Hack of 2015 was a big deal. We felt that the story of what happened would make an excellent course, which is why we made this and are now sharing it with our awesome community.
Let’s start this course off by outlining the timeline of this infamous hack.
In the summer of 2015, Brian Krebs, a well-known cyber blogger, breaks a story revealing that a group of hackers known as ‘The Impact Team’ has published approximately 40 MB of sensitive internal data stolen from Avid Life Media, the organization that owns Ashley Madison and a number of other dating and hookup services. The data dump includes customers’ credit card details and internal company documents. ‘The Impact Team’ threatens to release sensitive details of all 37 million users of Ashley Madison unless the website is permanently closed.
August 18, 2015: The Impact Team releases a data dump containing the account details of all 37 million users of Ashley Madison. Altogether, the files contain 9.7 GB of data which are accessible via the ‘deep web’ and include names, passwords, addresses, phone numbers and credit card transactions of the site’s users.
August 19, 2015: The Ashley Madison data dump is posted on the open web, making its information readily searchable on several public websites. However, only one full download exists, because the original seeder in the torrent pool holding the only complete copy went offline before other leechers could finish downloading it. Thousands of people nevertheless downloaded 97% of that particular data set.
August 20, 2015: The hackers release a second data dump of sensitive materials. This time the data includes 13 GB of information stolen from the private email account of Biderman, the CEO. Researchers attempt to open the file, labeled ‘noel.biderman.mail.7z’, but find that it cannot be unpacked because it has been corrupted.
August 21, 2015: Two Canadian law firms, Charney Lawyers and Sutts & Strosberg, both of Ontario, file a 578 million dollar class-action lawsuit against Avid Dating Life and Avid Life Media on behalf of Canadian citizens who had subscribed to Ashley Madison’s services. According to a statement issued by the firms, the lawsuit examines to what extent the website protected its users’ privacy under Canadian law. At issue is a feature of Ashley Madison called ‘paid-delete’, a process whereby users could have their data erased from the website’s servers for a fee of USD 19.
August 22, 2015: The ‘Impact Team’ releases a third dump, which includes a zip file containing messages leaked from Biderman’s personal email account, i.e. not his corporate email which was previously uploaded. The emails reveal that Biderman cheated on his wife and attempted to engage in adultery with at least three other separate women.
August 24, 2015: Toronto Police in Canada begin investigating two suicide reports with possible ties to the Ashley Madison hacking scandal. Meanwhile, the adultery website announces a 380,000 dollar reward for any information that could lead to the arrest of those responsible for hacking its servers.
August 25, 2015: It’s announced that scammers and extortionists have begun to target Ashley Madison’s users.
Who Committed the Hack?
Theory 1: Using Open Source Intelligence, Brian Krebs (who broke this story) explains his belief that an individual who goes by the name of ‘Thadeus Zu’ might be connected to the Ashley Madison hack. Krebs explains that the adultery site was first alerted to the breach when its employees saw a threatening message from ‘The Impact Team’ posted to their computers, accompanied by the AC/DC song ‘Thunderstruck’. Krebs then looked back at Zu’s Twitter history and noticed that the hacker was listening to ‘Thunderstruck’ shortly before ‘The Impact Team’ first contacted Krebs back in July about their successful hack of Ashley Madison. The cyber journalist goes on to explore what Zu might look like and where he might live, leading him to the conclusion that if Zu was not involved in the hack, he certainly knows who was responsible for it. His theory, however, has many doubters…
Theory 2: ‘The Impact Team’ without ‘Thadeus Zu’
Another theory is that the people or the individual behind the attack belonged to a group calling themselves ‘The Impact Team’. Very little is known about this group aside from the fact that they might be operating like other hacktivist groups, such as Anonymous. Such groups typically attack companies and governments they see as doing wrong by the citizens of the world, so the attack on Ashley Madison for lying about its ‘Full Delete’ service seems a good fit. However, what does not fit is the publication of millions of people’s private information in a bid to get back at a corporation. Add to this the fact that no hacktivist group has claimed credit for the attack (which they traditionally do), and this suggestion seems unlikely.
Theory 3: ‘Female Insider’
John McAfee – namesake of the anti-virus software – thinks the ‘wording’ of the leaker’s manifestos shows ‘intimate knowledge of the technology stack of the company’ and that ‘reliable sources within the Dark Web – which have yet to fail me – suggest that the hacker in question was a female insider’.
Theory 4: ‘The Female or Male Insider’
As security professionals we all fear the ‘bad leaver’ or the ‘insider threat’. Well, that might have been the case in this hack. The perpetrator had intimate knowledge of the technology stack of the company: they knew, for example, that the ‘paid delete service’ was a sham, and they also leaked data that contained actual MySQL database dumps, which is very rare in such a data breach. Furthermore, the hacker had knowledge of ALM (the parent company) and the Ashley Madison website. Police reports suggest that this is the assumption ALM and the FBI are working on, i.e. that this was ‘an insider job’.
The original hacker manifesto contains a reference to ‘Trevor’, the actual first name of ALM’s CTO, and a quote of something he once said about protection of personal information. The hackers added the line: “Well Trevor, welcome to your worst fucking nightmare.” To some, this personal attack on a single member of the ALM team suggests some deeper resentment. Or was the naming of ‘Trevor’ just basic social engineering enumeration? The specific intention of naming someone employed at ALM is certainly of interest, and unusual…
Was there an IPO Sabotage?
Ashley Madison, pre-hack, had been planning to launch an Initial Public Offering (IPO) in London. Was the hack intended to scuttle that plan?
Passwords on the live site were hashed using the bcrypt algorithm. A security analyst using the Hashcat password cracking/recovery tool with a dictionary based on the RockYou passwords found that among the 4,000 passwords that were the easiest to crack, “123456” and “password” were the most commonly used passwords on the live website. Because of a coding error in which passwords were hashed with both bcrypt and MD5, 11 million passwords were eventually cracked.
So far, the hackers have been very smart, and their operational security has been excellent. They took many measures to ensure their identity remained hidden; for example, they must have posted links on the dark web through anonymity browsers like Tor and used an onion web server that serves only HTML and TXT content. The hackers also used the MailTOR dark web email service to hide their identity. If they set these up properly, they will probably never be discovered.
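The coding error above is worth seeing in code. The following is an added example, not code from this course or from Ashley Madison’s systems: a credential record that stores a fast, unsalted MD5 copy of the password beside its slow hash, the corrected record that does not, and an audit check showing why the copy undoes the slow hash. PBKDF2-HMAC-SHA256 stands in for bcrypt, and the wordlist and records are constructed.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed sample wordlist; stands in for a RockYou-style dictionary.
WORDLIST = ["letmein", "qwerty", "123456", "password", "iloveyou"]

def fast_copy(password):
    """The defect: an unsalted MD5 of the password stored as a second value."""
    return hashlib.md5(password.encode()).hexdigest()

def slow_hash(password, salt, iterations=200_000):
    """PBKDF2-HMAC-SHA256 stands in for bcrypt here (assumption, to stay stdlib-only)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()

def store_vulnerable(username, password):
    """Stores a slow hash AND a fast MD5 copy; the copy cancels the slow hash's protection."""
    salt = os.urandom(16)
    return {"user": username, "salt": salt,
            "slow": slow_hash(password, salt), "loginkey": fast_copy(password)}

def store_fixed(username, password):
    """Only the slow hash depends on the password; the login key is a random token."""
    salt = os.urandom(16)
    return {"user": username, "salt": salt,
            "slow": slow_hash(password, salt), "loginkey": secrets.token_hex(16)}

def verify_password(record, candidate):
    """Normal login check against the slow hash, using a constant-time comparison."""
    return hmac.compare_digest(record["slow"], slow_hash(candidate, record["salt"]))

def recover_via_fast_copy(record, wordlist):
    """Audit check: can a small dictionary recover the password from the fast copy alone?
    Returns the matching word, or None if no stored value is a fast hash of a word."""
    for word in wordlist:
        if hmac.compare_digest(record["loginkey"], fast_copy(word)):
            return word
    return None

def speedup_factor(trials=1000):
    """How many fast-copy guesses fit in the time of one slow-hash guess."""
    t0 = time.perf_counter()
    for _ in range(trials):
        fast_copy("123456")
    t_fast = (time.perf_counter() - t0) / trials
    t0 = time.perf_counter()
    slow_hash("123456", b"\x00" * 16)
    return (time.perf_counter() - t0) / t_fast
```

The audit recovers “password” from the vulnerable record with five guesses, finds nothing in the fixed record, and `speedup_factor()` shows the fast copy costs orders of magnitude less per guess than the slow hash.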
How Did The Hack Happen?
No one seems to know if it was an inside or external hack. If it was an ‘inside job’, the problem largely ends there; if it was an external hack, then either the database was directly reachable across the Internet or the website was vulnerable to, possibly, a cross-site scripting attack. Social engineering (phishing) is also a likely point of entry, but given the fact that the hacker had full access to the entire technology stack, it was likely an ‘insider’ job. The overall consensus, it seems, is that this was ‘an insider job’. Someone within the organization likely knows a lot more but isn’t talking…
In summary, the purpose of this course is twofold: to give a concise overview of the Ashley Madison breach, and to reduce your organization’s exposure to a similar cyber attack.
Here are ten ways to reduce your risk in ten critical areas:
Step 1: Establish an Information Risk Management Regime by, for example, establishing a governance framework and enabling and supporting risk management across the organization.
Step 2: Secure Configuration. Develop corporate policies to update and patch systems, and establish and maintain policies that set out the priority and timescales for applying updates and patches. In addition, create and maintain hardware and software inventories, using automated tools to track every device and application used by the organization. It’s also a very good idea to run automated vulnerability scanning tools against all networked devices at least weekly and remedy any vulnerability within an agreed time frame.
Step 3: Network Security. You need to police the network perimeter by establishing multi-layered boundary defenses, with firewalls and proxies deployed between the untrusted external network and the trusted internal network. It is also vital that you conduct regular penetration tests and undertake simulated cyber attack exercises, i.e. ‘Red Teaming’.
Step 4: Managing User Privileges. To do this we’d advise that you establish effective account management processes and manage and review user accounts from creation and modification to eventual deletion. It’s also a great idea to limit the number and use of privileged accounts and always try to minimize privileges for all users. Try to monitor user activity, particularly access to sensitive information and the use of privileged accounts.
Step 5: User Education and Awareness is also key. To that end we’d advise that you produce a user security policy, including, for example, policies covering the acceptable and secure use of the organization’s systems.
Step 6: Incident Management is also important, and for obvious reasons. You must obtain senior management approval and backing to formulate clear and concise incident management plans. Establish an incident response and disaster recovery capability and develop and maintain incident management plans with clear roles and responsibilities. Remember to test your plans regularly.
Step 7: Malware Prevention can be achieved by establishing anti-malware defenses across the organization and agreeing on a corporate approach to managing the risks from malware for each business area.
Step 8: Establish a monitoring strategy and supporting policies by implementing an organizational monitoring strategy and policy based on an assessment of the risks. Network traffic should be continuously monitored to identify unusual activity or trends that could indicate an attack.
Step 9: Removable Media Controls. Limit the media types that can be used, the users and systems that can access them, and the information types that can be stored on removable media.
Step 10: Home and Mobile Working, should your organization offer it, also needs to be protected. You can do that by assessing the risks and creating a mobile working policy. The policy should cover aspects such as information types, user credentials, devices, encryption and incident reporting.