37 million users have had their most sensitive details harvested in the latest Ashley Madison hack. A team calling itself the “Impact Team” claimed responsibility for the attack; however, it is not yet clear how the attack was performed. The hackers immediately published some of the data online, but ALM (the Toronto-based company which owns the website, amongst other websites of a similar nature) were able to take down the links/websites pointing to the stolen data.
A few interesting points in this attack:
- The hackers seem to have attacked for ideological reasons rather than for personal gain. They asked the owners to shut down the site and other sites the company owns, threatening to publish all the data they obtained otherwise.
- The stolen data affects not only the users’ bank accounts or privacy; it can also affect their families at the most personal level possible. Naked pictures and information about affairs are at risk of being exposed.
- Ashley Madison seems to have misled their customers when they offered a paid service which should ensure that customer data is not retained on their servers. I guess the imminent lawsuit will settle this piece.
According to ALM’s statement, they have always used top security solutions from around the world to protect their users’ data. If this statement is true, it would be very interesting, and crucial for other organizations, to find out how the hackers were able to infiltrate the layers of security. Was there a zero-day vulnerability exploit? Was it an insider job, or perhaps a piece of insecure source code that made it through to the live environment and exposed the whole system?
All too often, organizations invest a lot in securing their network layer with firewalls and intrusion detection systems. However, if the application code is not validated for vulnerabilities and the application goes live with vulnerable code, a hack with potentially devastating impact is inevitable.
ALM have released the following announcement:
“We were recently made aware of an attempt by an unauthorized party to gain access to our systems. We immediately launched a thorough investigation utilizing leading forensics experts and other security professionals to determine the origin, nature, and scope of this incident.”
“We apologize for this unprovoked and criminal intrusion into our customers’ information. The current business world has proven to be one in which no company’s online assets are safe from cyber-vandalism, with Avid Life Media being only the latest among many companies to have been attacked, despite investing in the latest privacy and security technologies.”
“We have always had the confidentiality of our customers’ information foremost in our minds, and have had stringent security measures in place, including working with leading IT vendors from around the world. As other companies have experienced, these security measures have unfortunately not prevented this attack to our system.”
“At this time, we have been able to secure our sites, and close the unauthorized access points. We are working with law enforcement agencies, which are investigating this criminal act. Any and all parties responsible for this act of cyber-terrorism will be held responsible.”
“Avid Life Media has the utmost confidence in its business, and with the support of leading experts in IT security, including Joel Eriksson, CTO, Cycura, we will continue to be a leader in the services we provide. ‘I have worked with leading companies around the world to secure their businesses. I have no doubt, based on the work I and my company are doing, Avid Life Media will continue to be a strong, secure business,’ Eriksson said.”