AshleyMadison.com was hacked last week by a group called Impact Team who have threatened to release very private and personal data on its 37 million members if the company doesn’t close its doors and shut down. This is a bad situation for any company, but as this is a company that is built around helping people cheat on their spouses, this is a really bad situation for both the company and its users.
The group responsible claimed that they attacked the website because it sold a “Full Delete” option to completely delete your account for a mere $19. I have to agree, that’s pretty shady, especially for a website that seems like the ultimate source of blackmail material. The hackers claimed that the full delete fee netted the parent company nearly $2 million last year!
Let’s talk about the lessons learned from this attack from my comfortable armchair.
Know When to Go Extreme
When securing a website, ask yourself how much damage your users would suffer if their information were released. A website for train enthusiasts that stores names and emails probably would not cause much damage to its users if it leaked, so you do not have to take your security to extremes. If instead you are a bank, a reseller of adult toys or a website that helps adults cheat on each other, there is no level of security too extreme.
AshleyMadison should have had, at the very minimum, a compartmentalized system in which only a few employees have access to all user data. The reason is that many of these breaches start with social engineering, where an unsuspecting employee hands over the keys to the kingdom. By creating small groups of employees who only have access to specific pieces of the users’ data, you limit the amount of data any one employee could give away.
For example I would structure the employees into groups such as:
- Customer Service – Ability to manage general user data and subscription options, but unable to see the user’s sexual preferences, photos or hookups.
- Account Compliance – These employees can view and update the users’ sexual preferences and internal messages, but cannot see what account they are tied to.
- Photo Compliance – These would be employees who can browse photos that have been reported by users without knowing which accounts they are tied to. They have the ability to delete the photo or ban the user, but again it would all be abstracted so that they don’t see the connection between user and photo.
- System Administrators – These would be the few users who can access all customer data, with training to detect and avoid social engineering attacks. Access to customer data should require two-factor authentication and their sessions should expire after 10 to 15 minutes. All access to customer accounts should be logged and available to management in an easy to access format.
The entire company should have been structured around securing customer data.
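One way to implement the compartmentalization above, as an added Python example that is not the post’s own code: each role receives only its own columns, the two compliance roles get a keyed surrogate reference instead of the account ID (so they can act on a record without knowing whose it is), sysadmin access is refused without a second factor, and every access, including the refused ones, lands in an audit log. The role names, sample records and function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

# Constructed sample records for this example; not real user data.
ACCOUNTS = {
    1001: {"username": "trainspotter42", "email": "ts42@example.invalid",
           "subscription": "monthly", "preferences": "evenings only",
           "photos": ["p-77.jpg"], "messages": ["coffee thursday?"]},
    1002: {"username": "nightowl", "email": "owl@example.invalid",
           "subscription": "full", "preferences": "none listed",
           "photos": ["p-91.jpg"], "messages": []},
}
BANNED = set()
AUDIT_LOG = []

# Column visibility per role. Only the identity columns let a leak be tied to a
# person, and the two compliance roles never receive them.
IDENTITY = {"id", "username", "email"}
ROLE_FIELDS = {
    "customer_service": IDENTITY | {"subscription"},
    "account_compliance": {"preferences", "messages"},
    "photo_compliance": {"photos"},
    "sysadmin": IDENTITY | {"subscription", "preferences", "photos", "messages"},
}

# Pseudonymisation key kept in the application tier (assumed to come from a
# secrets manager in production). It is never written to the database, so a raw
# dump of surrogate references cannot be joined back to account numbers.
PSEUDONYM_KEY = secrets.token_bytes(32)


def surrogate_id(account_id):
    """Keyed, stable pseudonym for an account: stable so a reviewer can act on
    the same record twice, keyed so it cannot be reversed without the key."""
    mac = hmac.new(PSEUDONYM_KEY, str(account_id).encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def _resolve_surrogate(ref):
    """Server-side only: the reviewer never sees this mapping."""
    for account_id in ACCOUNTS:
        if hmac.compare_digest(surrogate_id(account_id), ref):
            return account_id
    raise KeyError("unknown reference")


def _audit(**entry):
    entry["when"] = datetime.now(timezone.utc).isoformat()
    AUDIT_LOG.append(entry)


def fetch_for_role(role, account_id, actor, mfa_verified=False):
    """Return only the slice of an account that `role` is allowed to see."""
    if role not in ROLE_FIELDS:
        raise PermissionError("unknown role %r" % role)
    if role == "sysadmin" and not mfa_verified:
        _audit(actor=actor, role=role, account=account_id, action="denied: no 2FA")
        raise PermissionError("full-record access requires a second factor")
    allowed = ROLE_FIELDS[role]
    record = ACCOUNTS[account_id]
    view = {k: v for k, v in record.items() if k in allowed}
    if "id" in allowed:
        view["id"] = account_id
    else:
        view["ref"] = surrogate_id(account_id)   # the only handle they get
    _audit(actor=actor, role=role, account=account_id, action="read",
           fields=sorted(view))
    return view


def ban_by_ref(ref, actor):
    """Compliance staff can ban a user by surrogate reference alone, without
    ever learning which account it was."""
    account_id = _resolve_surrogate(ref)
    BANNED.add(account_id)
    _audit(actor=actor, role="compliance", account=account_id, action="ban")
    return True
```

The point of the surrogate is that a photo reviewer who is phished, or who goes rogue, can hand over a batch of photos and references but not the names behind them; only the component holding PSEUDONYM_KEY can join the two, and in a real deployment that key lives in a secrets manager rather than in source.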
Man the Walls
What good is a castle if nobody mans the ramparts? Your firewall is the first line of defense, but it only blocks what it was told to block; traffic that looks like ordinary web requests sails straight through. Without an Intrusion Detection System (IDS) watching that traffic, you will never know an attack is taking place until the damage shows up somewhere else.
Snort is one of the oldest and, in my opinion, still the best IDS you can find. It is not simple to configure, but it is extremely powerful: rules can match on almost any combination of protocol fields and payload content, so the range of alerts you can build is practically unlimited. Snort itself only raises the alert; paired with an alerting pipeline (a SIEM, a pager integration, or even a script watching the alert log) you can be notified by email, phone and SMS at once while the attack is in progress, so you can act while it is happening, not a day or a week later.
Your web server should expose at most three ports: HTTP, HTTPS and SSH. Moving SSH to a non-standard port cuts the noise from automated scanners, but it is not a control on its own, since a port scan finds it in seconds; the real protection is key-only authentication and, better still, no public-facing SSH at all, with access only from your local network, a VPN or a bastion host. Your IDS should watch for mundane probes such as port scans, but its true value is in spotting brute-force password attacks and XSS/SQL injection attempts. One caveat: an IDS on the wire sees only ciphertext inside HTTPS, so to inspect web payloads the sensor has to sit behind TLS termination, or you rely on a WAF or application logging that sees the decrypted request.
With Snort I have an alert set up to notify me in the case that a SQL injection attack is successful. The unsuccessful attempts don’t interest me in the least. If I’m able to be notified instantly, I can fix the security hole before it can be exploited further.
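The distinction drawn above, alerting on an injection that worked rather than on every probe, as an added Python example (not code from the original post, and not a Snort rule): it runs simple detection logic over a few constructed web-server access-log lines, scores an injection attempt by what the server sent back (a server error is noise, a page whose size changed means the injected condition took effect, a response ten times the normal size means bulk data went out) and flags a login brute force that ends in a success. The log lines, IP addresses, thresholds and function names are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote_plus

# Constructed sample log in the common combined format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Jul/2015:10:00:01 +0000] "GET /profile?id=1001 HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Jul/2015:10:00:02 +0000] "GET /profile?id=1002 HTTP/1.1" 200 4188 "-" "Mozilla/5.0"
198.51.100.9 - - [20/Jul/2015:10:00:05 +0000] "GET /profile?id=1001%27 HTTP/1.1" 500 612 "-" "sqlmap/1.0"
198.51.100.9 - - [20/Jul/2015:10:00:06 +0000] "GET /profile?id=1001+AND+1%3D2 HTTP/1.1" 200 310 "-" "sqlmap/1.0"
198.51.100.9 - - [20/Jul/2015:10:00:07 +0000] "GET /profile?id=1001+UNION+SELECT+username,password_hash+FROM+users HTTP/1.1" 200 248900 "-" "sqlmap/1.0"
192.0.2.44 - - [20/Jul/2015:10:01:00 +0000] "POST /login HTTP/1.1" 401 88 "-" "curl/7.43"
192.0.2.44 - - [20/Jul/2015:10:01:01 +0000] "POST /login HTTP/1.1" 401 88 "-" "curl/7.43"
192.0.2.44 - - [20/Jul/2015:10:01:02 +0000] "POST /login HTTP/1.1" 401 88 "-" "curl/7.43"
192.0.2.44 - - [20/Jul/2015:10:01:03 +0000] "POST /login HTTP/1.1" 401 88 "-" "curl/7.43"
192.0.2.44 - - [20/Jul/2015:10:01:04 +0000] "POST /login HTTP/1.1" 401 88 "-" "curl/7.43"
192.0.2.44 - - [20/Jul/2015:10:01:05 +0000] "POST /login HTTP/1.1" 401 88 "-" "curl/7.43"
192.0.2.44 - - [20/Jul/2015:10:01:06 +0000] "POST /login HTTP/1.1" 200 512 "-" "curl/7.43"
"""

LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
                  r'(?P<status>\d{3}) (?P<size>\d+|-)')

# Crude injection signature on the decoded query string; tuned for recall,
# the response-side scoring below does the prioritising.
SQLI = re.compile(r"(?i)('|union\s+select|\b(?:or|and)\s+\d+\s*=\s*\d+|sleep\s*\(|--|/\*)")


def parse(log_text):
    rows = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["status"] = int(d["status"])
        d["size"] = 0 if d["size"] == "-" else int(d["size"])
        d["when"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
        d["path"], _, query = d["target"].partition("?")
        d["query"] = unquote_plus(query)
        rows.append(d)
    return rows


def analyse(log_text, window_s=60, max_failures=5):
    rows = parse(log_text)
    alerts = []

    # Baseline response size per path from requests carrying no injection
    # signature, so a changed page size can be recognised later.
    clean = defaultdict(list)
    for r in rows:
        if r["status"] == 200 and not SQLI.search(r["query"]):
            clean[r["path"]].append(r["size"])
    baseline = {p: sum(v) / len(v) for p, v in clean.items()}

    for r in rows:
        if not SQLI.search(r["query"]):
            continue
        base = baseline.get(r["path"])
        if r["status"] >= 500:
            sev, why = "low", "injection probe returned a server error"
        elif r["status"] == 200 and base and r["size"] >= 10 * base:
            sev, why = "critical", "injection returned %d bytes against a %d-byte baseline: bulk data" % (r["size"], base)
        elif r["status"] == 200 and base and abs(r["size"] - base) / base > 0.5:
            sev, why = "high", "injected condition changed the page: injection is live"
        else:
            sev, why = "medium", "injection signature with no measurable effect"
        alerts.append({"severity": sev, "ip": r["ip"], "path": r["path"], "reason": why})

    # Brute force on the login form: N failures inside the window is bad,
    # a success right after them is worse.
    failures = defaultdict(list)
    flagged = set()
    for r in rows:
        if r["method"] != "POST" or r["path"] != "/login":
            continue
        recent = [t for t in failures[r["ip"]] if (r["when"] - t).total_seconds() <= window_s]
        if r["status"] == 401:
            recent.append(r["when"])
            failures[r["ip"]] = recent
            if len(recent) >= max_failures and r["ip"] not in flagged:
                flagged.add(r["ip"])
                alerts.append({"severity": "high", "ip": r["ip"], "path": r["path"],
                               "reason": "%d failed logins within %ds" % (len(recent), window_s)})
        elif r["status"] == 200 and len(recent) >= max_failures:
            alerts.append({"severity": "critical", "ip": r["ip"], "path": r["path"],
                           "reason": "login succeeded after %d recent failures" % len(recent)})
    return alerts
```

The same idea transfers to Snort: a rule on the request alone fires on every scanner on the internet, while a rule that looks at the server’s response (flow from the server, size or content that should never appear on that page) fires when something actually went wrong.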
Again, from my armchair and not knowing how their database is constructed, I would make it as difficult as possible for a hacker to find any value in the stolen data.
The only information that is human readable in the database should be the user’s numerical ID, username and password hash (a slow, salted hash such as bcrypt, never a reversibly “encrypted” password, since whoever steals the key then recovers every password). I would then break the remaining information into encrypted sections, keyed from outside the database, that are decrypted on the fly and only for the specific field a request needs. Then if a hacker gains raw access to the database, through a SQL injection or a stolen backup, what leaks is a table of opaque blobs of little value. The caveat is where the keys live: if the same compromised server holds both the data and the decryption keys, the encryption buys you nothing, which is why decryption should happen in a separate, tightly controlled component.
A company as big as AshleyMadison could afford dedicated reverse proxies (or a separate internal service) that do only that: hold the keys, decrypt the one field the request needs, and hand it back, so neither the web servers nor the database ever holds the keys.
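The data-at-rest layout described in the last two paragraphs, as an added Python example that is not the post’s own code: the row keeps only the ID, username and a salted password hash in the clear, every other column is encrypted under a per-column key derived from a master key that the database never holds, and the authentication tag makes a tampered or mis-keyed blob fail closed. Function names and the sample user are assumptions; the HMAC counter-mode cipher is a standard-library stand-in for AES-GCM, used only so the example runs without third-party packages, and PBKDF2 stands in for bcrypt for the same reason.

```python
import hashlib
import hmac
import secrets

# Master key held only by the decrypting component (the dedicated proxy or
# service argued for above), never by the database. Assumed to come from an
# HSM or secrets manager in production; generated here so the example runs.
MASTER_KEY = secrets.token_bytes(32)


def column_key(column, purpose):
    """Derive a separate key per column and purpose with HMAC, so the key for
    one column says nothing about another."""
    label = ("%s:%s" % (column, purpose)).encode()
    return hmac.new(MASTER_KEY, label, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode as a keystream. Stand-in for AES-GCM so the
    example needs only the standard library; use AES-GCM from a vetted
    library in real code."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_field(column, plaintext):
    """Encrypt-then-MAC one cell: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    data = plaintext.encode()
    stream = _keystream(column_key(column, "enc"), nonce, len(data))
    ct = bytes(a ^ b for a, b in zip(data, stream))
    tag = hmac.new(column_key(column, "mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_field(column, blob):
    """Reject before decrypting if the tag fails: wrong column key or tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(column_key(column, "mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed for column %r" % column)
    stream = _keystream(column_key(column, "enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream)).decode()


def hash_password(password, rounds=200_000):
    """Slow, salted, one-way. bcrypt or scrypt would be the usual choice;
    PBKDF2 is used here because it ships with the standard library."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return "pbkdf2_sha256$%d$%s$%s" % (rounds, salt.hex(), digest.hex())


def verify_password(password, stored):
    _, rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)


def store_user(user_id, username, password, email, preferences):
    """What the row looks like in the database: only id and username readable."""
    return {"id": user_id, "username": username,
            "password_hash": hash_password(password),
            "email": encrypt_field("email", email),
            "preferences": encrypt_field("preferences", preferences)}


def raw_dump(row):
    """The attacker's view of a stolen row: opaque hex where the data was."""
    return {k: v.hex() if isinstance(v, bytes) else v for k, v in row.items()}
```

If a SQL injection dumps this table, the attacker gets the usernames and a pile of opaque blobs; the residual risk sits entirely with whatever holds MASTER_KEY, which is the argument for isolating that component and logging every decryption it performs.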
What the AshleyMadison and AdultFriendFinder attacks teach us is that your security policies should match the value of your customers’ data. Another criminal might never have said anything, and instead run a massive blackmail campaign offering users the chance to keep their data private for a payoff.
Protect your customers’ data because once you lose the trust of your users, it’s very possible your business won’t survive.