What’s at Stake for Ashley Madison? Rumours say there is 300GB of data to come.
When asked about the cheating website's security, the hackers, who call themselves the Impact Team, said, "Nobody was watching. No security," describing how they broke into Ashley Madison's servers repeatedly over the past few years. One hacker said, "[We] got in and found nothing to bypass."
FOR A SITE that touted itself as the premier cheating site for married people seeking partners for infidelity, Ashley Madison was relatively unknown until hackers broke into its servers and released more than 30 gigabytes of customer and company data this week, propelling it into the spotlight.
The site, owned by Canadian firm Avid Life Media, has been online since 2001 and claims to have about 40 million users, though that figure is almost certainly inflated, considering a former employee’s claim that the company paid her to create false female accounts to attract male customers.
After hackers who call themselves the Impact Team released their first big data dump from Ashley Madison and its parent company on Tuesday, journalists and others have been poring over it, exposing reality TV star Josh Duggar as a confirmed customer, as well as several unidentified government workers who accessed their Ashley Madison accounts from government IP addresses.
But the latest dump, released Thursday and today, could prove to be more embarrassing and harmful to Ashley Madison’s business than to its customers. It appears to contain an email spool for Avid Life Media CEO Noel Biderman. A version of the email file the hackers distributed Thursday turned out to be corrupted and couldn’t be opened, but they reposted a new version today, which is still being downloaded by journalists. Other files released yesterday include some 73 git repositories exposing what appears to be source code for the Ashley Madison web site and mobile property. Though the content of these will be of little interest to most journalists, they pose a threat to what’s left of ALM’s business, since other attackers can now study the code for vulnerabilities they could use to exploit and further subvert the site, making it difficult for ALM to assure continuing customers that their data is secure. The release of source code is also problematic for another reason—it exposes the company’s intellectual property to anyone who wants to design a similar business. For a company that had hoped to raise $200 million for an IPO on the London Stock Exchange this fall, that’s a potentially big blow.
“With this second data dump, I believe Impact Team wants to destroy Ashley Madison and Avid Life Media,” says Per Thorsheim, a security researcher in Norway who has been analyzing the data.
And it’s only bound to get worse. In an interview with Motherboard, the hackers said they have 300 GB of employee emails in their possession, plus tens of thousands of Ashley Madison user pictures as well as user messages.
“1/3 of pictures are dick pictures and we won’t dump,” they told Motherboard. “Not dumping most employee emails either. Maybe other executives.”
None of this bodes well for other companies who may engage in practices that hackers don’t like. The Impact Team, asked if they planned to target other web sites, told Motherboard they would target “any companies that make 100s of millions profiting off pain of others, secrets, and lies. Maybe corrupt politicians [too].”
But before we get ahead of the headlines, let’s examine some of the most important lingering questions about Ashley Madison and the hack.
Ashley Madison reportedly made $115 million last year, a 45 percent jump from 2013. Although anyone could register on the site for free, users who wanted to seek partners for hook-ups and read and send messages had to pay a fee, starting at $49. For that minimum price, you got 100 credits, which were redeemed each time you read a message, at five credits per message, or for other activities. For 30 credits, you got a 30-minute chat session with potential sex partners. Premium customers who paid $250 also reportedly got a money-back “affair guarantee”: If you didn’t have an affair within three months, you were promised your money back.
The most common way web sites get hacked is through what’s called a SQL-injection attack. This kind of attack targets a vulnerability in a software application running on the site in order to cause the site’s backend SQL databases to spill their data. AshleyMadison.com, however, was not hacked in this way, according to Joel Eriksson, CTO of Cycura, which is helping investigate the breach.
Eriksson wouldn’t say how the hackers got in, due to the ongoing investigation, but he noted “there is no indication of any software vulnerability being exploited during this incident.”
The hackers from Impact Team told Motherboard, “We worked hard to make fully undetectable attack, then got in and found nothing to bypass….Nobody was watching. No security. Only thing was segmented network. You could use Pass1234 from the internet to VPN to root on all servers.”
In an initial interview after the breach was first reported in July, Avid Life Media CEO Noel Biderman suggested the perpetrator may have been a former contractor or someone else who had legitimate access to the company’s networks at one time.
“We’re on the doorstep of [confirming] who we believe is the culprit,…” Biderman told KrebsonSecurity last month. “I’ve got their profile right in front of me, all their work credentials. It was definitely a person here that was not an employee but certainly had touched our technical services.”
Eriksson wouldn’t go into detail, but told WIRED that even though there is no evidence that the attackers used a software vulnerability to get in, “all ALM source code is being audited for vulnerabilities and backdoors.” He added that “all aspects of their network and server environment are now being thoroughly reviewed in order to determine how they may be hardened further, and the amount and granularity of monitoring is being increased in order to detect and handle any anomaly as soon as possible.”
With the site’s source code and network blueprints already released by the hackers, however, the company is now in a race to find and close vulnerabilities before other attackers can find and exploit them.
In the initial manifesto the attackers published last month, and in the interview with Motherboard, they said they had been in Avid Life Media’s servers for years.
“We have hacked them completely, taking over their entire office and production domains and thousands of systems, and over the past few years have taken all customer information databases, complete source code repositories, financial records, documentation, and emails, as we prove here,” they wrote. “And it was easy. For a company whose main promise is secrecy, it’s like you didn’t even try, like you thought you had never pissed anyone off.”
Eriksson wouldn’t tell WIRED exactly when the hackers struck, but timestamps around the released files suggest a lot of the data theft occurred recently, rather than over a number of years—if the timestamps are reliable.
News of the Ashley Madison breach broke July 19, and dates in the files leaked Tuesday suggest they were stolen during the three weeks prior. The attackers, for example, appear to have run some of the commands that extracted data from ALM servers on July 1. And records indicating the last login dates for Ashley Madison customers show July 11 as the final day they signed in, suggesting the hackers grabbed no customer data after this.
The recent dates don’t mean the hackers weren’t in the company’s network for longer than this, however—the amount and variety of data grabbed and the number of servers from which they took it indicate they did extensive reconnaissance to map the network and figure out where valuable data was located.
It’s also interesting to note that the compressed files released Tuesday had already been prepared for distribution a month ago, when the Impact Team made their initial threat to release data if ALM didn’t take down AshleyMadison.com and another site it owns, ExceptionalMen.com. The ReadMe file that accompanied the data dump this week, for example, has a July 19 timestamp.
“It looks to me that they got everything together on July 19 but didn’t release it until a month later, if we are to believe the timestamps,” says Erik Cabetas of Include Security, who wrote an analysis about the metadata in the files. The hackers released the data, after ALM failed to meet their demands, exactly 30 days later on August 18.
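The kind of metadata reading Cabetas describes, as an added example that is not part of the article or of his analysis: an archive's member headers carry modification times that can be compared against the release date. The archive, file names and timestamps below are constructed for the example; only the August 18 release date comes from the article.

```python
import io
import tarfile
from datetime import datetime, timezone

# Constructed archive contents: names and mtimes are made up for this example
# and stand in for the header metadata investigators read off a real dump.
SAMPLE_FILES = {
    "README.txt": "2015-07-19T10:00:00Z",
    "member_details.dump": "2015-07-01T03:12:00Z",
    "member_login_times.dump": "2015-07-11T23:58:00Z",
}
RELEASE = datetime(2015, 8, 18, 10, 0, tzinfo=timezone.utc)  # public release date from the article

def _parse(stamp):
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))

def build_archive(files):
    """Pack the constructed files into a tar in memory so the example runs offline."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, stamp in files.items():
            data = b"placeholder\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = int(_parse(stamp).timestamp())  # what a packer records per member
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def file_timeline(archive):
    """Read each member's modification time from the tar headers, not from its payload."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        return {m.name: datetime.fromtimestamp(m.mtime, tz=timezone.utc) for m in tar.getmembers()}

def days_before_release(timeline, release=RELEASE):
    """Gap between each file's last write and the public release."""
    return {name: (release - ts).days for name, ts in timeline.items()}

def preparation_window(timeline):
    """Earliest and latest write: a rough bound on when the dump was assembled.
    Caveat: mtimes are written by whoever built the archive and can be forged,
    which is why the article hedges with 'if the timestamps are reliable'."""
    stamps = sorted(timeline.values())
    return stamps[0], stamps[-1]
```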
Other than the initial statement from CEO Biderman that investigators were on to the perpetrator, there have been no other clues about who might be behind the hack.
The hackers have been good so far about operational security around their release of the data, according to Cabetas. They released .txt files in the first batch of data, which contain little metadata compared to other types of files. And they published the data via a Tor server, which gives them anonymity as long as they made no mistakes. “If the attacker took proper OPSEC precautions while setting up the server, law enforcement and AM may never find them,” Cabetas observed in his blog post.
But the data files aren’t the only public evidence investigators will be examining.
“If [the hackers are] going to get popped by law enforcement, it’s going to be analysis of their multiple manifestos,” Cabetas suspects. “If they did not scrub the dialect of those releases, identifying speech patterns and dialect patterns could help law enforcement narrow down the dialect,” he told WIRED. “And they might be able to match semantic patterns with other writing patterns found online.” He notes in particular that among the documents the hackers released were a couple of ‘zines, including one written in Polish, for which the hackers also supplied a rough translation that was likely run through Google Translate.
“The more information you put out, the more patterns can be detected,” Cabetas says.
The hackers may already have left one clue about who they are. In an initial message to ALM they wrote: “For a company whose main promise is secrecy, it’s like you didn’t even try, like you thought you had never pissed anyone off.” The comment suggests, perhaps, that someone with a personal beef with the company might be behind the attack.
The Impact Team implied that they hacked ALM because they were morally outraged at the behavior its web sites condoned. But they focused their attention on only two of ALM’s many sites—AshleyMadison.com and ExceptionalMen.com. The latter purports to connect beautiful young women with sugar daddies, which the hackers saw as prostitution and human trafficking. They didn’t take issue, however, with CougarLife, which is designed to connect older women with younger men.
But their writings also suggest they were equally outraged at the company’s privacy and security claims. In their initial manifesto, they wrote: “Trevor [Stokes], ALM’s CTO once said ‘Protection of personal information’ was his biggest ‘critical success factors’ and ‘I would hate to see our systems hacked and/or the leak of personal information.’”
In truth, they implied, ALM’s security and privacy protections were laughable, and the company “made it easy for anyone to hack them.”
Hackers often taunt victims about their security after an attack, whatever the initial motive, so anger over the company’s security practices might not have been a motive. But oddly, the Impact Team gave a nod to the company’s CSO. “Our one apology is to Mark Steele (Director of Security). You did everything you could, but nothing you could have done could have stopped this,” they wrote. This suggests they may have observed efforts by Steele to better secure the network that ultimately were fruitless or were thwarted by others at the company.
They also took issue with how Ashley Madison promised to delete customer data for a fee, then failed to delete it all. For a $19 fee, Ashley Madison said it would erase all “traces” of a customer’s activity on the site. The company made more than $1.7 million through this service in 2014 alone, but, according to the hackers, never fully deleted customer data. Instead they deleted it from the public-facing parts of the site, but retained it on backend servers.
ALM denied this charge to a degree, saying in a statement to Vocativ on Thursday that the “paid delete” process did what it claimed and involved “a hard-delete of a requesting user’s profile, including the removal of posted pictures and all messages sent to other system users’ email boxes.” The statement, however, didn’t address whether all traces of the customer’s activity were erased from backend databases and logs, including the transaction records for requesting the deletion. If a record remained on servers showing a credit card charge for the deletion request, that would still be a trace of the user’s activity on the site and confirmation that they had once maintained an account on the cheating site.
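The gap the article points at, a profile-level delete versus one that also covers logs and billing, as an added example that is not ALM's code or schema: a constructed back end with a "paid delete" that only touches the public-facing tables, a fuller delete, and an audit that scans every identity column for leftovers. The schema, rows and the hypothetical `remaining_traces` check are assumptions for the example.

```python
import sqlite3

def build_db():
    """Constructed schema and rows standing in for a site's back end (not ALM's)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE profiles(id INTEGER PRIMARY KEY, email TEXT, nickname TEXT);
        CREATE TABLE photos(id INTEGER PRIMARY KEY, profile_id INTEGER, path TEXT);
        CREATE TABLE messages(id INTEGER PRIMARY KEY, sender_id INTEGER, recipient_id INTEGER, body TEXT);
        CREATE TABLE transactions(id INTEGER PRIMARY KEY, profile_id INTEGER, email TEXT, amount_usd REAL, memo TEXT);
        CREATE TABLE access_log(id INTEGER PRIMARY KEY, profile_id INTEGER, ip TEXT);
    """)
    db.execute("INSERT INTO profiles VALUES (1, 'alice@example.com', 'alice'), (2, 'bob@example.com', 'bob')")
    db.execute("INSERT INTO photos VALUES (1, 1, '/img/1.jpg')")
    db.execute("INSERT INTO messages VALUES (1, 1, 2, 'hello')")
    db.execute("INSERT INTO transactions VALUES (1, 1, 'alice@example.com', 19.0, 'paid delete')")
    db.execute("INSERT INTO access_log VALUES (1, 1, '203.0.113.7')")
    return db

def profile_only_delete(db, profile_id):
    """Removes what the public site shows, but back-end rows survive."""
    db.execute("DELETE FROM profiles WHERE id = ?", (profile_id,))
    db.execute("DELETE FROM photos WHERE profile_id = ?", (profile_id,))
    db.execute("DELETE FROM messages WHERE sender_id = ?", (profile_id,))

def full_delete(db, profile_id):
    """Also scrubs logs and strips identity from the billing record."""
    profile_only_delete(db, profile_id)
    db.execute("DELETE FROM access_log WHERE profile_id = ?", (profile_id,))
    # Billing rows often must be kept for accounting: keep the amount,
    # drop everything that ties the row to a person.
    db.execute("UPDATE transactions SET profile_id = NULL, email = NULL, memo = 'redacted' "
               "WHERE profile_id = ?", (profile_id,))

def remaining_traces(db, profile_id, email):
    """Audit step: scan every identity column in every table for the user.
    A deletion that deserves the name returns an empty list."""
    hits = []
    for (table,) in db.execute("SELECT name FROM sqlite_master WHERE type = 'table'").fetchall():
        for row in db.execute(f"PRAGMA table_info({table})").fetchall():  # names come from sqlite itself
            col = row[1]
            identity = col == "email" or col.endswith("_id") or (table == "profiles" and col == "id")
            if not identity:
                continue
            n = db.execute(f"SELECT COUNT(*) FROM {table} WHERE {col} IN (?, ?)",
                           (profile_id, email)).fetchone()[0]
            if n:
                hits.append(f"{table}.{col}")
    return hits
```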
Whether any of these issues were motive for the hack remains to be seen. Robert Graham, CEO of Errata Security, thinks the moral outrage expressed by the hackers is posturing. “[I]n all probability, their motivation is that #1 it’s fun and #2 because they can,” he wrote in a blog post.
But Thorsheim thinks the Impact Team was motivated by an urge to destroy ALM with as much aggression as they could muster. “It’s not just for the fun and ‘because we can,’ nor is it just what I would call ‘moralistic fundamentalism,’” he says. Given that the company had been moving toward an IPO right before the hack went public, the timing of the data leaks was likely no coincidence.
The hackers implied that the site’s security was poor. But Ashley Madison actually did a few things right. This includes not storing full credit card numbers in its database. Although the leak exposed credit card transaction data—such as the name and billing address on cards—Ashley Madison had only the last four digits of card numbers in its database. The company also hashed customer passwords, unlike a lot of other companies caught in breaches in recent years that stored their customer passwords in plaintext. The bcrypt algorithm it used to hash the passwords is one of the strongest ways to do so, Graham, of Errata Security, told WIRED. Graham also noted that the company stored customer email addresses and passwords in separate tables, which meant a little more work for any hackers who would want to grab them.
Little of this matters, however, to the people who had their names, addresses, email accounts, and details about their sexual preferences exposed in the files that got released.
Aside from the fact that the company didn’t adequately protect the credit card transactions of customers and other personally identifiable information, the company also recorded the IP address of paid accountholders and stored these addresses for at least five years. This made it fairly easy for the Associated Press to uncover accounts opened by government employees and, using the stored IP addresses, determine who had used their work networks to log into the cheating service on government and taxpayer time. AP was able to determine, for example, that hundreds of US government employees, some of them holding sensitive jobs in the White House, Congress and law enforcement agencies, used government web connections to access their Ashley Madison accounts, including two assistant US attorneys, a trial attorney in the Justice Department, and a government hacker working for the Department of Homeland Security.
Although these workers would have been exposed by their credit card transactions in the Ashley Madison database, many of them had taken care to use personal email addresses instead of work ones, which would have made it harder for someone to connect them to their jobs. The fact that the site retained their IP addresses made it much easier to do so. That’s a major privacy fail for a web site that insisted its customers’ privacy was a top priority.
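The data-minimisation alternative to keeping full IP addresses for five years, as an added example that is not ALM's code or policy: login records keep the exact address only briefly, then only the network prefix, then nothing. The retention windows, the tier names and the login records are all constructed for the example.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Assumed retention tiers for the example (the article says ALM kept full IPs for
# at least five years; these windows are illustrative, not any real site's policy).
FULL_IP_WINDOW = timedelta(days=30)     # fraud and abuse handling needs the exact address briefly
COARSE_IP_WINDOW = timedelta(days=90)   # after that, only the network part is kept
NOW = datetime(2015, 8, 18, tzinfo=timezone.utc)

# Constructed login records, not real data.
LOGINS = [
    {"user": 1, "ip": "203.0.113.45", "when": "2015-07-11T09:30:00Z"},
    {"user": 2, "ip": "2001:db8:1234::1", "when": "2014-01-05T22:10:00Z"},
    {"user": 3, "ip": "198.51.100.9", "when": "2015-08-10T18:00:00Z"},
]

def _parse(stamp):
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))

def coarsen(ip):
    """Keep only the network prefix: /24 for IPv4, /48 for IPv6.
    Enough for coarse geography or abuse trends, not enough to single out
    one office connection years later."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

def apply_retention(records, now=NOW):
    """Return the records as they should look in storage at time `now`."""
    out = []
    for rec in records:
        age = now - _parse(rec["when"])
        if age <= FULL_IP_WINDOW:
            ip = rec["ip"]
        elif age <= COARSE_IP_WINDOW:
            ip = coarsen(rec["ip"])
        else:
            ip = None  # the login itself is still a fact; the address is gone
        out.append({**rec, "ip": ip})
    return out
```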