Tag Archives: Ashley Madison

Password Reuse A Problem – 11 Million Ashley Madison Passwords Cracked Already

After the Ashley Madison breach, everyone breathed a sigh of relief because the passwords were hashed with bcrypt.  Bcrypt, as used by Ashley Madison, hashed the password 4,096 times.  That calculation meant that even with fast computers it would take centuries to crack all of them.

Until a group of hobbyists – yes hobbyists, not professional hackers – discovered 15.26 million of those passwords were also stored with an MD5 hash.  These hobbyists decided to try and crack the MD5 hash instead of the bcrypt hash.

To add insult to injury, since the source code was released, the hobbyists were able to examine it and find two “bugs” in how Ashley Madison’s programmers did the MD5 hash.

The combination of all this makes it one million times easier to crack the Ashley Madison passwords.

The hobbyists have already cracked 11 million of them and expect to crack another 4 million in the next two weeks.
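The lesson for anyone running a user database is that an account is only as hard to crack as the weakest value stored for it. The following audit is an added example, not code from Ashley Madison or from the researchers: it reads the cost out of each bcrypt hash and flags any bare fast-hash digest stored in the same row. The column names and sample rows are constructed for illustration.

```python
import hashlib
import re

# bcrypt modular-crypt layout: $2<variant>$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r"^\$2[abxy]?\$(\d{2})\$[./A-Za-z0-9]{53}$")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
FAST_HEX = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}  # bare hex digest lengths


def bcrypt_rounds(value):
    """Return the iteration count (2**cost) of a bcrypt hash, or None."""
    m = BCRYPT_RE.match(value)
    return 2 ** int(m.group(1)) if m else None


def fast_digest_kind(value):
    """Name the fast hash a bare hex string is sized like, or None."""
    return FAST_HEX.get(len(value)) if HEX_RE.match(value) else None


def audit_row(row, min_rounds=4096):
    """List the columns that make this account cheaper to attack than its
    bcrypt hash suggests. Values are inspected; column names are not trusted."""
    findings = []
    for column, value in row.items():
        if not isinstance(value, str):
            continue
        rounds = bcrypt_rounds(value)
        if rounds is not None and rounds < min_rounds:
            findings.append((column, f"bcrypt cost gives only {rounds} rounds"))
        kind = fast_digest_kind(value)
        if kind:
            findings.append(
                (column, f"{kind}-length hex digest: confirm it is not "
                         "derived from the password"))
    return findings


# Constructed sample rows: the bcrypt strings are format-valid placeholders,
# not real hashes, and "legacy_token" is a hypothetical column name.
_FAKE_BCRYPT = "$2a$12$" + "A" * 22 + "B" * 31
SAMPLE_ROWS = [
    {"id": 1, "username": "user_one", "password": _FAKE_BCRYPT},
    {"id": 2, "username": "user_two", "password": _FAKE_BCRYPT,
     "legacy_token": hashlib.md5(b"constructed sample").hexdigest()},
    {"id": 3, "username": "user_three",
     "password": "$2a$04$" + "A" * 22 + "B" * 31},
]

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(row["id"], audit_row(row))
```

A cost of 12 in the hash string is the 4,096 rounds mentioned above; row 2 shows how a second, fast digest in the same row needs review no matter what that cost is.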

So, what is the moral of this story?  There are several.

  • For users, password reuse, even though it is convenient, is a really bad habit because if one site gets hacked, the hackers can get into other sites where the user used the same password.  We have seen this numerous times before.
  • If you were/are an Ashley Madison customer, change your password now and DO NOT reuse that password anywhere else.
  • Triage the web sites that you visit.  For the important ones (such as banking or credit cards), if you are reusing those passwords, change them now.
  • Finally, for programmers, an independent third party review of the security of your web site is a good plan.  This means an in-depth review, including the source code.  Without an in-depth review, reviewers would not have caught Ashley Madison’s use of MD5 or the programming shortcuts that they took that made cracking the MD5 hashes even easier than it would have been.
  • While I never suggest that security by obscurity is sufficient to protect your company’s crown jewels, not protecting your source code will make it easier for hackers to find flaws to use against you.  Ask the folks at Ashley Madison.

And given that nearly 100 gigabytes of data has been released so far (the hackers say that they have between 300 and 400 gigabytes and will release more), researchers and hobbyists are not done poring over that dump yet – not to mention future dumps, if they happen.  Don’t be surprised if there are more revelations.

We can use what we learn from this to make us safer.  OR NOT.

Food for thought.


Information from this post came from Ars Technica.

Ashley Madison Hack Provides IT Pros More Hints On What Not To Do

As researchers continue to review the data dumps from the Ashley Madison breach, there are lessons to be learned from what has been found.

While Ashley Madison claimed to have good security, the evidence does not support that.  For example, the VPN password from the Internet to their servers was Pass1234, according to one article.

Ashley Madison’s former CTO is now threatening to sue a noted blogger for revealing that the CTO said in emails that he had hacked into a competitor’s site.  If everything is as reported, this does not look like a lawsuit the ex-CTO would win.  Being quiet and hoping it all will blow over in time is probably a better idea.

In terms of things that A-M did wrong from a security standpoint, the list is long:

  • Database credentials (userids and passwords) were hard coded into the software, so once the hackers got inside the network, they now had access to all of the databases
  • SSL private keys were also hard coded, meaning that anyone who wanted to create a web site that looked and acted like the real site could.
  • Twitter credentials were hard coded
  • And, finally, Amazon web services credentials were also in the source code

At least some of the passwords were only 5-8 characters long, way too short for something that acts as the key to your kingdom.

Even though A-M hashed their passwords with bcrypt, which is reputed to be pretty strong, after a couple of weeks of brute force cracking, some of the passwords have been revealed.  The most common ones?  123456, password, 12345, 12345678 and qwerty.  Apparently, A-M users were no better at security than A-M itself was.

The lesson here for developers and IT operations is that hard coding passwords into the source code is not a great idea.  That makes them hard to protect, visible to any employee who has access to the source code and hard to change.  While many companies don’t do this, many do.

A search of the GitHub public source code repository recently found many database passwords, private keys, email passwords and other security information.  That was a double whammy – not only was that information in the source code, but the source code was publicly available.
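One way to catch this before it ships is to scan the source tree for the kinds of secrets listed above. The scanner below is an added example, not a tool from the article or from Ashley Madison: the rule set is a small heuristic, the sample lines are constructed, and the AWS value is the example key ID from AWS's own documentation.

```python
import re

# One rule per kind of secret the post lists. The PEM header and the AWS
# access key ID prefix are public formats; the assignment rule is a heuristic.
RULES = [
    ("private key", re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
    ("AWS access key ID", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("hard-coded credential", re.compile(
        r"\b[\w.]*(?:passw(?:or)?d|pwd|secret|token|api_?key)\w*"
        r"\s*(?:=>|=|:)\s*[\"']([^\"'\s]{4,})[\"']", re.I)),
]
# Values that are filled in at deploy time rather than embedded in the code.
PLACEHOLDER = re.compile(r"^(?:\$\{\w+\}|<[^>]+>|%\(\w+\)s)$")


def scan(text):
    """Return (line number, rule label) for every suspected embedded secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern in RULES:
            m = pattern.search(line)
            if not m:
                continue
            # Only the assignment rule captures a value; skip templated ones.
            if m.groups() and PLACEHOLDER.match(m.group(1)):
                continue
            findings.append((lineno, label))
    return findings


# Constructed sample configuration; none of these values are real secrets.
SAMPLE = "\n".join([
    'db_user = "app"',
    'db_password = "Sup3rS3cret!"',
    'db_password = os.environ["DB_PASSWORD"]',
    'aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"',
    'tls_key = "-----BEGIN PRIVATE KEY-----"',
    'twitter_token = "${TWITTER_TOKEN}"',
    'twitter_secret = "constructed-value-1234"',
])

if __name__ == "__main__":
    for lineno, label in scan(SAMPLE):
        print(f"line {lineno}: {label}")
```

Lines 3 and 6 of the sample pass because the secret is read from the environment or a template at run time, which also makes it easier to rotate.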

If developers use this to learn a lesson then maybe something good could come out of the mess that is Ashley Madison.


Information for this post came from Dark Reading.

Ashley Madison Fallout – It Could Be Your Company

As the Ashley Madison data is more widely circulated and people have a chance to digest it, consequences are beginning to add up which will have a negative impact on the parent company Avid Life Media, likely for years to come.

Granted this is a somewhat unusual situation, so some of the consequences may not apply to any given company, but maybe other, different, consequences may apply.  Some of the fallout is:

  • ALM planned a $100 million initial public offering this fall.  That IPO is now on “hold”.  It is unlikely that anyone would be interested in investing in this company for years to come, given the lawsuits that are on the horizon.
  • The Toronto police are investigating two suicides that they say are likely related to the release of the data.  If the company is held liable for that, it could have significant financial consequences.
  • The U.S. military is investigating specific service members.  There were about 15,000 .mil and .gov email addresses in the data dump.  Extramarital affairs are a violation of the Uniform Code Of Military Justice.
  • Local investigative reporters in every big city are reviewing the data for names of public figures in their cities.
  • A few named people have been “outed”.  Josh Duggar, ex-reality TV star and now ex-spokesperson for family values based PAC Family Research Council admitted that he had two Ashley Madison accounts.  In addition a stripper/porn star has come out on the cover of one of the supermarket tabloids saying that he paid her for sex.  While this likely doesn’t have any negative consequences for Avid Life Media, it doesn’t bode well for the Duggar family brand.  Their TV series has been cancelled and talks about spinoff series are “on hold”.
  • ALM has been served with at least 5 lawsuits seeking class action status in California, Texas, Missouri and Canada.  The lawsuits are filed as John Doe and Jane Doe lawsuits.  What is unclear is whether the courts will say that the plaintiffs being embarrassed is sufficient reason to allow the suits to go forward anonymously.
  • ALM has offered a CAN $500,000 (about $375,000 US) reward for information leading to the arrest of the hackers. For a company that is reported to make $60 million a year in revenue and $20 million a year in profit, offering a $375,000 US reward seems a little light.
  • Police are investigating multiple extortion attempts against Ashley Madison customers.

To say that information security at Ashley Madison was lacking would be polite.  In one of the leaked emails, the CTO of the company said “With what we inherited with Ashley [Madison], security was an obvious afterthought and I didn’t focus on it either”.  After the Sony breach, someone suggested encrypting customer messages (the hackers claim to have gigabytes of messages and pictures and if they choose to release those, it could start this mess all over again), but CEO Biderman said that he needed to understand what the ‘business opportunity’ of doing that was.  He apparently viewed it as an expense, not anything critical to the business.

I have no inside information, but I have to assume that the company’s revenue numbers for this month have dropped precipitously and likely won’t recover for a while and maybe ever.

So while, as I said, this is a pretty unusual case, it certainly serves as a poster child for the potential consequences of a data breach.

Other companies with sensitive information – such as doctors or mental health professionals – are in a similar situation.  If patients feel their privacy is not safe, then they will sue and find other providers.

For businesses where their intellectual property is what they sell (pharmaceutical companies come to mind), losing control of that IP can cost them a lot of money.

For critical infrastructure providers, losing control of information regarding details of that infrastructure would allow terrorists to more easily attack that infrastructure, causing outages and other consequences.

While for a lot of us, a breach is an inconvenience and a small business liability, as attackers move on from mode 1 (credit card hacks) to modes 2 and 3 (information collection and business damage), WHO is a potential target changes.

This might be a good time for businesses to review their situations.


Hackers Drop 10 Gigabytes Of Ashley Madison Data

UPDATE August 19, 2015 – As I predicted, there are now web sites which allow you to search the Ashley Madison data.  Check this Wired article for links:

http://www.wired.com/2015/08/check-loved-one-exposed-ashley-madison-hack/

The hackers who broke into the Ashley Madison web site last month threatened to make the data that they stole public if Ashley Madison’s parent company did not shut the site down.  Well, they didn’t and the hackers did.

Today about 10 gigabytes of data, representing over 30 million customers, was dumped on the dark web for anyone who cares to look.   Researchers and gawkers are downloading the data furiously.  A directory listing of some of the files was posted on Ars Technica and reproduced below.


Ashley Madison’s parent company has not confirmed that the data is theirs, but they also haven’t denied it.   Here is how the hackers explained what they were doing:

time is up

The data includes emails, profiles, credit card information and other data.  While the passwords were included, the hashing algorithm that they used (bcrypt) makes it computationally intensive to brute force crack millions of passwords.  This doesn’t mean that people won’t try, but it does mean that it will be hard.

Still, there is other identifying information – credit card information and email addresses.  I am sure some people used burner cards and email addresses, but there have already been 15,000 .mil and .gov addresses found.  Really.  You use your government email address at a site like Ashley Madison?  Interesting, but not too smart.

Ashley Madison attempted to use all sorts of laws to take down the data when the hack first happened, but the way the hackers dumped this data (via TOR) means that there are likely hundreds if not thousands of copies floating around the internet already.  Not to mention that many people have likely downloaded it to their own computers.

Ashley Madison is putting on a brave face by saying that they will continue to put forth “substantial effort” to remove any information posted.  That likely might work with some traditional news sites – who probably would not post the data anyway – but it will be totally ineffective on the dark web.

Just like Ashley Madison is not based in the U.S. making it outside the reach of many U.S. laws, many of the dark web sites are based in countries you would say are not too friendly towards the west.  What do you think Putin would say if Ashley Madison sent a Russian web site a take down notice?  After he got up from the floor where he fell down laughing, he might use it to light one of his cigars.

Sorry boys, the cat is out of the bag.

Probably, a lot of the data is made up – supposedly most of the women on the site are fictitious;  most of the people looking for extramarital affairs are apparently guys.  There was no verification of the data customers provided – I assume on purpose – so if I wanted to call myself Sam Spade, I could as long as that name wasn’t already taken.  To prove that point, Tony Blair’s name was in the dump and I suspect the former prime minister was not a customer.

The part of the data that can be validated could be used by divorce attorneys and blackmailers.

Now let’s forget, for the moment, that this is Ashley Madison and people might say that the business is sleazy and people who use it got what they deserved.

Let’s say that this was your company and your customer data, credit card transactions, customer profiles, names and addresses were leaked.  What would the impact be on your business?  Do you have a plan for dealing with that situation?

No company has zero enemies.  Not even Mickey Mouse and Donald Duck.  That means that someone might be out to get you.  Could be a customer, employee, supplier, contractor  or someone completely unrelated to the company.

Avid Life Media is privately held and not U.S. based, so it is highly unlikely that we will find out what the financial impact is on the company, but I can’t imagine that anyone is signing up for their service.

By way of example, two years after the Target breach, it appears that Target and Visa kissed and made up in exchange for a $67 million check and the agreement that individual banks can still sue Target.  Right now, the cost of the breach is above $200 million, after insurance and it is far from over.  They will still be dealing with it for years to come and when I mention Target to average people, the general response is that they avoid shopping there.


Information for this post came from Ars Technica and Wired.

Why NOT Reading Those License Agreements Can Be Hazardous

After the Ashley Madison breach, CNN read through the Ashley Madison license agreement.  Here are a few tidbits from their reading of the agreement.

1.  They can sell your personally identifiable information in connection with the sale of the business or sale of the assets.  If this was Facebook, we might not care.  If we are cheating on our spouse, we might.

2. You have to provide accurate information like name, age and financial information.  Of course, I am not sure that they have any way to know unless you mess up.

3. They cannot ensure the security or privacy of your information.  Nice.  How’s that for an out?  You have to give them all this truthful information but they don’t guarantee that they will protect it.

4. While they repeatedly say they won’t share your data with marketers, they don’t guarantee that they won’t disclose the information they collect “to third parties”.

5.  They say that they will not be liable to you for any damages – even if they disclose your private data.

You may have noticed that there have not been any lawsuits filed.   For one thing, they are not a U.S. company.  For another, given this agreement that their customers willingly signed, they did not breach any promises or tell any lies.

The Federal Trade Commission likely does not have jurisdiction.  Unless they can be shown to have broken any U.S. or Canadian laws, they will likely get off scot-free.

Which is why reading those crappy license agreements might be more important than you think.

Information for this post came from CNN.

The Ultimate Hack – Shut Down Or We Will Expose Your Customer Data

The Ashley Madison web site, where people go to cheat on their spouses, was hacked last week.  This is an interesting situation for a number of reasons.

First, a little background.  The Ashley Madison web site is owned by Avid Life Media (ALM), which also runs several other web sites – Cougar Life and Established Men.

The attackers, who the company says it thinks were insiders or ex-insiders, claim to have taken the entire customer database – names, addresses, credit card information, sexual preferences, financial information, company emails, etc.

They seem to be particularly peeved at the fact that the company charged $19 for a service which supposedly deleted your transgressions on the site, but in fact did not do that.  Here is a little piece of the hackers’ manifesto:


So why is this hack interesting?

First, the hackers say that if the company does not shut down the site completely and forever, they are going to dump the data on 37 million customers.  Are you going to shut down a multi-million dollar business just because hackers ask you to?  Probably not.

You have to assume that some of the people who are cheating on their spouses are high profile  people – maybe government, maybe business.  What do they do now?  Unfortunately for them, there is not much that they can do.  Hopefully they used prepaid credit cards and fake names. I suspect most did not.

At this point, the hackers have only released a very small piece of the data they claim to have.  Ashley Madison, for their part, has been using the DMCA to ask sites to take down their stuff and that has been moderately effective.

Ashley Madison says they are closing in on the hackers.  Whether this is true or smoke we don’t know.  We also don’t know if catching them will stop – or trigger – a release of the full dataset.  For example, if the hackers had help, they could say to their buddies that they will send them an email every day and if they don’t get it, release the data as widely as possible.  If they were to release the data using offshore web sites, the DMCA take down notices have no meaning or effect since that is a U.S. law.

So what are the lessons here?

1. No site is bullet proof.  Bullet resistant maybe, but not bullet proof.  The only bullet proof one is the one that is turned off.

2.  If you are a user of a web site and the site promises you anonymity,  consider that promise carefully.  What is the consequence to you (and in the case of Ashley Madison, to your family) if they don’t keep that promise?  What can you do to mitigate that breached promise?  What is the consequence to the site if they break their promise to you?  You can use this thinking on any web site – from Amazon to Ashley Madison.  Maybe you don’t really care if it is breached.  So what if someone knows that I bought jeans in a size XXL?  It is useful, however,  to have the conversation with yourself before you sign up.

3. Lastly, as a web site owner, what is your business plan if this happens?  My guess is that no one is signing up for Ashley Madison right now – or probably for the (at least) near future.  What does that do to your cash flow?  On top of it, people are likely cancelling their memberships so your recurring revenue numbers just went in the toilet.  How do you stop the rats from abandoning the sinking ship?  I have a suspicion that their financial plan for this year just got thrown in the trash.

Most companies’ business models are not as controversial as Ashley Madison’s is, but no company has zero enemies.  Planning for the worst and working for the best is not always a bad idea.