As researchers continue to review the data dumps from the Ashley Madison breach, there are lessons to be learned from what has been found.
While Ashley Madison claimed to have good security, the evidence does not support that. For example, the VPN password from the Internet to their servers was Pass1234, according to one article.
Ashley Madison’s former CTO is now threatening to sue a noted blogger for revealing that the CTO said in emails that he had hacked into a competitor’s site. If everything is as reported, this does not look like a lawsuit the ex-CTO would win. Being quiet and hoping it all will blow over in time is probably a better idea.
In terms of things that A-M did wrong from a security standpoint, the list is long:
- Database credentials (userids and passwords) were hard coded into the software, so once the hackers got inside the network, they now had access to all of the databases
- SSL private keys were also hard coded, meaning that anyone who wanted to create a web site that looked and acted like the real site could.
- Twitter credentials were hard coded
- And, finally, Amazon Web Services credentials were also in the source code
At least some of the passwords were only 5-8 characters long, way too short for something that acts as the key to your kingdom.
Even though A-M hashed their passwords with bcrypt, which is reputed to be pretty strong, after a couple of weeks of brute-force cracking, some of the passwords have been revealed. The most common ones? 123456, password, 12345, 12345678 and qwerty. Apparently, A-M users were no better at security than A-M itself was.
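As an added example (not from the post, and not Ashley Madison's code): a registration-time check that rejects the short and common passwords the post names before they are ever hashed, then hashes whatever survives with a per-user random salt and a slow key-derivation function. It uses PBKDF2-HMAC from the Python standard library as a stand-in for bcrypt, which needs a third-party package; the minimum length, the small common-password list and the iteration count are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets

# Constructed list: the passwords named in the post plus a few other frequent
# choices. A real deployment would load a full breached-password list.
COMMON_PASSWORDS = {
    "123456", "password", "12345", "12345678", "qwerty",
    "pass1234", "letmein", "111111",
}
MIN_LENGTH = 12        # assumption: policy value chosen for this example
ITERATIONS = 200_000   # assumption: PBKDF2 work factor chosen for this example


def check_password(candidate: str):
    """Return (ok, reason). Reject common passwords first, then short ones."""
    if candidate.lower() in COMMON_PASSWORDS:
        return False, "appears in common-password list"
    if len(candidate) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    return True, "ok"


def hash_password(candidate: str, salt: bytes = None) -> str:
    """Salted PBKDF2-HMAC-SHA256 (stand-in for bcrypt); returns a self-describing string."""
    if salt is None:
        salt = secrets.token_bytes(16)   # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(candidate: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and rounds; constant-time compare."""
    _algo, rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def register(candidate: str) -> str:
    """Policy gate followed by hashing; raises on a rejected password."""
    ok, reason = check_password(candidate)
    if not ok:
        raise ValueError(f"password rejected: {reason}")
    return hash_password(candidate)


if __name__ == "__main__":
    for pw in ["123456", "Pass1234", "Tr0ub4dor&", "correct horse battery staple"]:
        print(pw, "->", check_password(pw))
    record = register("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
```

The point of checking the common-password list before the length rule is that "Pass1234" fails for the right reason even if the policy minimum were lowered; the stored string carries its own salt and round count, so the work factor can be raised later without breaking verification of existing records.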
The lesson here for developers and IT operations is that hard coding passwords into the source code is not a great idea. That makes them hard to protect, visible to any employee who has access to the source code, and hard to change. While many companies don’t do this, many do.
A search of the Github public source code repository recently found many database passwords, private keys, email passwords and other security information. That was a double whammy – not only was that information in the source code, but the source code was publicly available.
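As an added example (my own code, not from the post or from any of the companies it mentions): a small scanner for the kinds of hard-coded secrets listed above (database credentials, AWS keys, API secrets and private keys) run over a constructed source file, alongside the pattern it should be replaced with, reading the secret from the environment at runtime. The sample source lines are fabricated; the AWS key values are the placeholder ones used in AWS's own documentation, and the regex rules are assumptions tuned for this example rather than a complete secret-detection ruleset.

```python
import os
import re

# Constructed sample source: the kinds of lines the post describes. Every value
# here is fabricated or an AWS documentation placeholder, not a real secret.
SAMPLE_SOURCE = """\
DB_URL = "postgres://app:Pass1234@db.internal:5432/prod"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
TWITTER_API_SECRET = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJK"
PRIVATE_KEY = '''-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA...
-----END RSA PRIVATE KEY-----'''
DB_PASSWORD = os.environ["DB_PASSWORD"]
"""

# Detection rules (assumed for this example). Each is a name plus a regex.
SECRET_RULES = [
    # scheme://user:password@host - a connection string carrying a password
    ("url_with_password", re.compile(r"[a-z][a-z0-9+.\-]*://[^:/\s\"']+:[^@\s\"']+@")),
    # AWS access key IDs start with AKIA followed by 16 upper-case alphanumerics
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    # PEM private-key header pasted into source
    ("private_key_block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    # NAME_with_password/secret/token = "literal of 6+ chars"
    ("credential_literal", re.compile(
        r"(?i)(password|passwd|secret|token|api_key)\w*\s*[:=]\s*[\"']{1,3}[^\"'\n]{6,}")),
]


def scan_source(text: str):
    """Return [(line_number, rule_name)] for every line that trips a rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in SECRET_RULES:
            if pattern.search(line):
                findings.append((lineno, rule))
    return findings


def load_secret(name: str, env=None) -> str:
    """Hardened pattern: the secret is injected at runtime, never stored in source."""
    env = os.environ if env is None else env
    try:
        return env[name]
    except KeyError:
        raise RuntimeError(f"secret {name!r} is not configured") from None


if __name__ == "__main__":
    for lineno, rule in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {rule}")
    # The last sample line is the correct form and produces no finding.
    print(load_secret("DB_PASSWORD", {"DB_PASSWORD": "<set by deployment, not by code>"}))
```

Run as a pre-commit or CI step, a check like this catches the literal on the line where it is introduced, which is far cheaper than rotating a database password, an SSL private key and a set of cloud credentials after a repository leaks. The last sample line shows the shape that passes: the variable name still says "password", but there is no literal for an attacker or a public GitHub search to find.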
If developers use this to learn a lesson, then maybe something good could come out of the mess that is Ashley Madison.
Information for this post came from Dark Reading.