Lessons Learned: Ashley Madison Hack

AshleyMadison.com was hacked last week by a group calling itself Impact Team, who have threatened to release very private and personal data on its 37 million members if the company doesn’t shut down.  This is a bad situation for any company, but for a company whose whole business is helping people cheat on their spouses, it is a really bad situation for both the company and its users.


The group responsible claimed that they attacked the website because it sold a “Full Delete” option to completely delete your account for a mere $19.  I have to agree, that’s pretty shady, especially for a website that seems like the ultimate source of blackmail material.  The hackers claimed that the full delete fee netted the parent company nearly $2 million last year!

Let’s talk about the lessons learned from this attack from my comfortable armchair.

Know When to Go Extreme

When securing a website, ask yourself how much damage your users would suffer if their information were released.  A website for train enthusiasts that stores only names and email addresses would cause relatively little damage to its users if breached (some spam and phishing), so you don’t have to take your security to the extremes.  If you’re a bank, a reseller of adult toys or a website that helps adults cheat on their spouses, there is no level of security too extreme.

AshleyMadison should have had, at the very minimum, a compartmentalized system where only a few employees have access to all user data.  Many of these hacks start with social engineering, where an unsuspecting employee hands over the keys to the kingdom.  By creating small groups of employees who only have access to specific pieces of the users’ data, you limit the amount of data any one employee (or any one phished credential) could give out.

For example I would structure the employees into groups such as:

  • Customer Service – Ability to manage general user data and subscription options, but unable to see the user’s sexual preferences, photos or hookups.
  • Account Compliance – These employees can view and update the users’ sexual preferences and internal messages, but cannot see what account they are tied to.
  • Photo Compliance – These would be employees who can browse photos that have been reported by users without knowing which accounts they are tied to.  They have the ability to delete the photo or ban the user, but again it would all be abstracted so that they don’t see the connection between user and photo.
  • System Administrators – The few users who can access all customer data, trained to detect and avoid social engineering attacks.  Access to customer data should require two-factor authentication and their sessions should expire after 10 to 15 minutes.  All access to customer accounts should be logged and available to management in an easy-to-read format.

The entire company should have been structured around securing customer data.
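As an added example (not the author’s code and not anything from Ashley Madison), here is how a data layer could enforce the split described above: each role gets only its columns, the two compliance roles work on an opaque case token instead of the account, system administrators need a second factor and a fresh session, and every access is logged for management. The role names, column names, sample record and the case-token secret are all assumptions made for the example.

```python
import hashlib
import hmac

# Constructed sample record. Column names are assumptions for illustration, not
# Ashley Madison's real schema.
USERS = {
    1001: {
        "id": 1001, "username": "jdoe", "email": "jdoe@example.com",
        "subscription": "monthly", "orientation": "redacted-for-example",
        "messages": ["hello"], "photos": ["photo-1.jpg"], "banned": False,
    },
}

# Columns each role may see. Anything not listed is stripped before the record
# leaves the data layer, so a phished customer-service login cannot hand over
# preferences, messages or photos.
ROLE_FIELDS = {
    "customer_service": {"id", "username", "email", "subscription", "banned"},
    "account_compliance": {"orientation", "messages"},
    "photo_compliance": {"photos"},
    "sysadmin": set(USERS[1001]),  # everything
}
# Roles that work on content by case token, never by account.
PSEUDONYMOUS_ROLES = {"account_compliance", "photo_compliance"}
# Hypothetical secret known only to the data layer; staff never see it.
CASE_TOKEN_KEY = b"case-token-secret-held-by-data-layer"
SYSADMIN_SESSION_TTL_SECONDS = 10 * 60

ACCESS_LOG = []  # every read/write of customer data, for management review


def case_token(user_id):
    """Opaque handle compliance staff use in place of the user id."""
    return hmac.new(CASE_TOKEN_KEY, str(user_id).encode(), hashlib.sha256).hexdigest()[:16]


def _resolve(token):
    """Map a case token back to a user id. Only the data layer can do this."""
    for uid in USERS:
        if hmac.compare_digest(case_token(uid), token):
            return uid
    raise KeyError("unknown case token")


def view_user(role, actor, user_ref, mfa_passed=False, session_age_seconds=0):
    """Return the slice of a record that `role` may see.

    `user_ref` is a user id for customer_service and sysadmin, and a case token
    for the pseudonymous roles. Sysadmins additionally need a second factor and
    a session younger than the TTL.
    """
    if role not in ROLE_FIELDS:
        raise PermissionError(f"unknown role {role!r}")
    if role == "sysadmin":
        if not mfa_passed:
            raise PermissionError("sysadmin access requires a second factor")
        if session_age_seconds > SYSADMIN_SESSION_TTL_SECONDS:
            raise PermissionError("sysadmin session expired; re-authenticate")
    uid = _resolve(user_ref) if role in PSEUDONYMOUS_ROLES else user_ref
    record = USERS[uid]
    ACCESS_LOG.append({"actor": actor, "role": role, "user": uid, "action": "view"})
    view = {k: v for k, v in record.items() if k in ROLE_FIELDS[role]}
    if role in PSEUDONYMOUS_ROLES:
        view["case"] = user_ref  # the handle they act on, not the account
    return view


def ban_by_token(role, actor, token):
    """Let photo compliance ban the account behind a reported photo without
    ever learning which account that is."""
    if role != "photo_compliance":
        raise PermissionError("only photo compliance bans via case token")
    uid = _resolve(token)
    USERS[uid]["banned"] = True
    ACCESS_LOG.append({"actor": actor, "role": role, "user": uid, "action": "ban"})
    return True
```

The point of the case token is that the mapping from token to account lives only in the data layer: a compliance employee can delete a photo or ban the account behind it, but nothing on their screen, and nothing they could be talked into reading out over the phone, connects that content to a name.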

Man the Walls

What good is a castle if you don’t have soldiers manning the ramparts?  Your firewall is the first line of defense, but it only stops traffic to the ports you have closed; it says nothing about what arrives on the ports you left open.  If you don’t have an Intrusion Detection System (IDS) running, you will never know when an attack is taking place.

Snort is one of the oldest and, in my opinion, still the best IDS you can find.  It’s not simple to configure, but it is extremely powerful: its rule language lets you alert on almost any combination of protocol, header and payload content.  Snort itself only writes alerts to its log or output plugins; feed those into an alerting tool and you can be notified by email, phone and SMS at once while an attack is taking place, so that you can act during the attack, not the day or week after.

Your web server should have at most three ports open: HTTP, HTTPS and SSH.  Moving SSH to a non-standard port cuts down on automated scanner noise, but that is obscurity rather than a security control; key-only authentication is the control.  Better still, don’t expose SSH publicly at all and only allow connections from your internal network.  Your IDS should then be configured to watch for mundane probes such as port scans, but its true value is in monitoring for brute-force password attacks and XSS/SQL injection attempts.

With Snort I have an alert set up to notify me in the case that a SQL injection attack is successful.  The unsuccessful attempts don’t interest me in the least.  If I’m able to be notified instantly, I can fix the security hole before it can be exploited further.
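The author’s alert lives in Snort rules; as an added example that is not from the page, here is the same idea applied to web-server access logs in Python. Requests are flagged as injection attempts from the decoded query string, and an attempt is reported as probably successful only when it came back as HTTP 200 with a response body far larger than the normal response for that path (a UNION-based dump returns many rows where a profile page returns one). The log lines are constructed in combined log format, and the size-ratio threshold is an assumption to tune per site.

```python
import re
import statistics
from urllib.parse import unquote_plus, urlsplit

# Constructed sample log lines (combined log format); not from any real server.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Jul/2015:10:00:01 +0000] "GET /profile?id=42 HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
203.0.113.6 - - [20/Jul/2015:10:00:02 +0000] "GET /profile?id=43 HTTP/1.1" 200 2290 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Jul/2015:10:00:03 +0000] "GET /profile?id=44 HTTP/1.1" 200 2350 "-" "Mozilla/5.0"
198.51.100.9 - - [20/Jul/2015:10:00:04 +0000] "GET /profile?id=42%27 HTTP/1.1" 500 512 "-" "sqlmap/1.0"
198.51.100.9 - - [20/Jul/2015:10:00:05 +0000] "GET /profile?id=42%27+AND+1%3D2-- HTTP/1.1" 200 410 "-" "sqlmap/1.0"
198.51.100.9 - - [20/Jul/2015:10:00:06 +0000] "GET /profile?id=42+UNION+SELECT+username,password_hash+FROM+users-- HTTP/1.1" 200 187420 "-" "sqlmap/1.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Crude injection indicators, checked against the URL-decoded query string.
SQLI_RE = re.compile(
    r"('|\bunion\b.*\bselect\b|\bor\b\s+\d+\s*=\s*\d+|--|/\*|\bsleep\s*\(|\bbenchmark\s*\()",
    re.I,
)


def parse(line):
    """Turn one combined-log line into a dict, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    d["bytes"] = 0 if d["bytes"] == "-" else int(d["bytes"])
    parts = urlsplit(d["target"])
    d["path"] = parts.path
    d["query"] = unquote_plus(parts.query)
    d["sqli"] = bool(SQLI_RE.search(d["query"]))
    return d


def find_successful_sqli(log_text, size_ratio=5.0):
    """Return injection attempts that looked like they worked.

    Baseline = median body size of clean HTTP 200 responses per path. An attempt
    counts as a hit when it got HTTP 200 and a body more than size_ratio times
    that baseline. Errors (5xx) and tiny bodies are the failed probes the author
    does not want to hear about.
    """
    reqs = [r for r in (parse(line) for line in log_text.splitlines()) if r]
    baseline = {}
    for r in reqs:
        if not r["sqli"] and r["status"] == 200:
            baseline.setdefault(r["path"], []).append(r["bytes"])
    hits = []
    for r in reqs:
        if not r["sqli"] or r["status"] != 200:
            continue
        sizes = baseline.get(r["path"])
        if not sizes:
            continue  # no clean traffic to compare against; cannot judge
        normal = statistics.median(sizes)
        if r["bytes"] > size_ratio * normal:
            hits.append({"ip": r["ip"], "ts": r["ts"], "path": r["path"],
                         "query": r["query"], "bytes": r["bytes"], "baseline": normal})
    return hits


if __name__ == "__main__":
    for hit in find_successful_sqli(SAMPLE_LOG):
        print(f"likely successful SQLi from {hit['ip']} at {hit['ts']}: "
              f"{hit['query']} ({hit['bytes']} bytes vs ~{hit['baseline']} normal)")
```

The size heuristic catches data being pulled out in bulk, which is what matters most for a site like this; it will not see a blind or time-based extraction that returns normal-sized pages, so in practice you would pair it with database error strings in the response and per-IP request rates, and alert on those the same way.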

Encrypt Everything

Again, from my armchair and without knowing how their database is constructed, I would make it as difficult as possible for a hacker to find any value in the stolen data.

The only information that is human-readable in the database should be the users’ numerical ID, username and password hash (bcrypt, scrypt or similar; passwords should never be stored encrypted, since a key that decrypts them will eventually be stolen along with them).  Everything else I would break down into encrypted sections that are decrypted on the fly, only when necessary, and with the key held somewhere other than the database host.  Thus if a hacker were to gain raw access to the database, the information leaked would be minimal and of low value.

A company as big as AshleyMadison could afford a dedicated tier (reverse proxies or a small key service) that does only that decryption, so the keys never sit beside the data they protect.
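Here is that layout as an added example in Python, not code from the page or from Ashley Madison: a row holds only the id, username and an scrypt password hash in the clear, every other column is an authenticated ciphertext bound to its user id and column name, and the key lives in a separate KeyService object standing in for the dedicated decryption tier. It uses AES-GCM from the `cryptography` package when that is installed and otherwise a stdlib-only encrypt-then-MAC stand-in so it runs anywhere; the column names, sample profile and the fixed keys in the usage are assumptions for the example.

```python
import hashlib
import hmac
import json
import os

try:
    # The AEAD a practitioner would use in production (pip package "cryptography").
    from cryptography.hazmat.primitives.ciphers.aead import AESGCM
except ImportError:
    AESGCM = None  # fall back to the stdlib encrypt-then-MAC stand-in below


class KeyService:
    """Holds the data key and does nothing else.

    Runs on its own host (the "reverse proxy that does only that"), so someone
    who dumps the database server gets ciphertext and no key.
    """

    def __init__(self, key=None):
        self._key = key or os.urandom(32)  # 256-bit key, fresh unless supplied

    def seal(self, plaintext, aad):
        nonce = os.urandom(12)
        if AESGCM is not None:
            return nonce + AESGCM(self._key).encrypt(nonce, plaintext, aad)
        return nonce + self._etm_encrypt(nonce, plaintext, aad)

    def open(self, blob, aad):
        nonce, body = blob[:12], blob[12:]
        if AESGCM is not None:
            return AESGCM(self._key).decrypt(nonce, body, aad)  # InvalidTag on tamper
        return self._etm_decrypt(nonce, body, aad)

    # Stdlib-only stand-in: HMAC-SHA256 as a PRF in counter mode for the keystream,
    # then an HMAC tag over length-prefixed aad, nonce and ciphertext (encrypt-then-MAC).
    def _keystream(self, nonce, length):
        out = b""
        for i in range((length + 31) // 32):
            out += hmac.new(self._key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        return out[:length]

    def _tag(self, nonce, ct, aad):
        msg = b"mac" + len(aad).to_bytes(4, "big") + aad + nonce + ct
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def _etm_encrypt(self, nonce, pt, aad):
        ct = bytes(a ^ b for a, b in zip(pt, self._keystream(nonce, len(pt))))
        return ct + self._tag(nonce, ct, aad)

    def _etm_decrypt(self, nonce, body, aad):
        ct, tag = body[:-32], body[-32:]
        if not hmac.compare_digest(tag, self._tag(nonce, ct, aad)):
            raise ValueError("ciphertext tampered with, or wrong key/aad")
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct))))


def hash_password(password, salt=None):
    """Passwords are hashed, never encrypted: there is no key to steal."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return "scrypt$" + salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    _, salt_hex, _ = stored.split("$")
    return hmac.compare_digest(hash_password(password, bytes.fromhex(salt_hex)), stored)


# Columns that are never readable in the database (assumed names).
SENSITIVE = ("email", "orientation", "messages", "photos")


def store_profile(keys, profile, password):
    """Shape the row as it sits in the database: only id, username and the
    password hash are readable; every sensitive column is a sealed blob."""
    row = {"id": profile["id"], "username": profile["username"],
           "password": hash_password(password)}
    for col in SENSITIVE:
        aad = f"{profile['id']}:{col}".encode()  # binds the blob to this user and column
        row[col] = keys.seal(json.dumps(profile[col]).encode(), aad)
    return row


def read_field(keys, row, col):
    """Decrypt one column on demand. Fails if the blob was moved to another
    user's row or column, so raw DB access cannot reshuffle data between users."""
    aad = f"{row['id']}:{col}".encode()
    return json.loads(keys.open(row[col], aad))
```

Binding each blob to its user id and column through the AEAD’s associated data is the detail that makes "decrypt only when necessary" hold up: an attacker who can write to the database still cannot swap one member’s messages into another member’s row and have the application hand them over.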


What the AshleyMadison and AdultFriendFinder attacks teach us is that your security policies should match the value of your customers’ data.  A different criminal might never have said anything and instead run a massive blackmail campaign, offering each user the chance to keep their data private in exchange for a payoff.

Protect your customers’ data because once you lose the trust of your users, it’s very possible your business won’t survive.


Top 3 Chrome Security Extensions Everyone Should Have

The Internet can be a dangerous place, but there are simple ways to protect yourself from someone stealing your information or getting into your computer.  These are three extensions for Chrome (each is also available for Firefox) that everyone should have installed.

HTTPS Everywhere

Download: https://www.eff.org/https-everywhere


Created by the Electronic Frontier Foundation, whose mission is to protect our online rights, this is the quintessential tool that everyone should have installed to secure their browsing.  Many websites have a TLS certificate installed, but more often than not their homepage is still served unencrypted and their links still point at plain HTTP.

HTTPS Everywhere fixes this with a curated list of rules for sites known to support HTTPS: when you request a plain HTTP address covered by a rule, it rewrites the request to the HTTPS version before it leaves your browser.  This stops snoops on your network from reading or tampering with your traffic to those sites (they can still see which hosts you talk to), and it only helps on sites that have a rule.
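To make the mechanism concrete, here is the rewriting step as an added example in Python (not EFF’s code), working over a ruleset written in the same shape as HTTPS Everywhere’s XML rules: target hosts, exclusion patterns, and from/to regexes. The ruleset for example.com is constructed for the illustration.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed ruleset in the HTTPS Everywhere rule shape (targets, exclusions, rules).
RULESET_XML = r"""<ruleset name="Example (constructed)">
  <target host="example.com"/>
  <target host="www.example.com"/>
  <exclusion pattern="^http://example\.com/legacy/"/>
  <rule from="^http://(?:www\.)?example\.com/" to="https://www.example.com/"/>
</ruleset>"""


def load_ruleset(xml_text):
    """Parse one ruleset into matchable pieces."""
    root = ET.fromstring(xml_text)
    return {
        "name": root.get("name"),
        "targets": {t.get("host") for t in root.findall("target")},
        "exclusions": [re.compile(e.get("pattern")) for e in root.findall("exclusion")],
        "rules": [(re.compile(r.get("from")), r.get("to")) for r in root.findall("rule")],
    }


def upgrade(url, ruleset):
    """Return the HTTPS form of url if a rule covers it, otherwise url unchanged.

    Nothing is probed over the network: the decision comes entirely from the
    list, which is why a site without a rule is left alone.
    """
    parts = urlsplit(url)
    if parts.scheme != "http" or parts.hostname not in ruleset["targets"]:
        return url
    if any(p.search(url) for p in ruleset["exclusions"]):
        return url  # known to break over HTTPS; leave it
    for pattern, replacement in ruleset["rules"]:
        if pattern.search(url):
            return pattern.sub(replacement, url, count=1)
    return url


if __name__ == "__main__":
    rs = load_ruleset(RULESET_XML)
    for u in ("http://example.com/profile?id=42", "http://example.com/legacy/page",
              "http://other.example.org/", "https://example.com/"):
        print(u, "->", upgrade(u, rs))
```

The exclusion list is the part people forget: the extension is only as good as its rules, and a site that serves half its pages broken over HTTPS needs an exclusion rather than a blanket rewrite.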

Adblock Plus

Download: https://chrome.google.com/webstore/detail/adblock-plus/cfhdojbkjhnklbpkdaibdccddilifddb


One of the reasons Apple and Facebook are cheering for the death of Flash is that it has traditionally been a prime avenue for attacking computers.  Couple that with advertising networks gladly accepting Flash banner ads, and someone with a nasty disposition can launch an attack using someone else’s delivery system (so-called malvertising).

Adblock Plus will remove almost all ads from every website you visit, and with them the malicious ones.  Imagine being able to read an article without a popup, popunder, content-locking ad or some other annoyance.  Be careful, you will get spoiled.  One caveat: Adblock Plus lets “acceptable ads” through by default, so untick that option in its settings if you want it to block everything.

Web of Trust

Download: https://chrome.google.com/webstore/detail/wot/bhmmomiinigofkjcapegjjndpbikblnp?hl=en-US


I highly recommend it to anyone who isn’t sure they can tell a real site from a fake attack website.  This extension displays an icon in your toolbar that alerts you if the website you’re viewing is fake or dangerous.  It also asks your opinion on how much you trust the website and uses that information to help all of its users.  Note that to rate a site it has to send the addresses you visit to WOT’s servers, so you are trading some browsing privacy for the warnings.

Even if you’re technically inclined and able to identify a fake website just by the clues presented on the page or in your browser, this is a good addition to your browser just in case you’re not paying close enough attention.

Finally, a Tip from a Pro

Keep the number of extensions installed in your browser to the bare minimum.  The more extensions you have installed, the slower your browser will perform and the more your entire experience on the Internet will degrade.  Each extension is also code running with broad access to the pages you visit, so fewer extensions means less that can go wrong.

I have a dozen or so extensions installed, but the vast majority are deactivated because they’re useful but very infrequently needed.  Just like putting your toys away as a kid, I open the “Manage Extensions” page in Chrome and activate the extension that I need.  Once I’m done with it, I deactivate it again until the next time it’s needed.