
What you need to know – Ashley Madison’s affair with cyber security

Jul 21, 2015 By Amit Ashbel

37 million users have had their most sensitive details harvested in the latest Ashley Madison hack. A team calling itself the “Impact team” claimed responsibility for the attack; however, it is not yet known how the attack was performed. Some of the data was immediately published online by the hackers, but ALM (the Toronto-based company that owns the website, among other websites of a similar nature) was able to take down the links and websites pointing to the stolen data.

 

A few interesting points in this attack:

 

  1. The hackers seem to have attacked for ideological reasons rather than for personal gain. They asked the owners to shut down the site and other sites the company owns, or else they would publish all the data they obtained.
  2. The stolen data affects not only the users’ bank accounts or privacy; it can also affect their families at the most personal level possible. Naked pictures and information about affairs are at risk of being exposed.
  3. Ashley Madison seems to have misled its customers when it offered a paid service that was supposed to ensure that customer data is not retained on its servers. I guess the imminent lawsuit will settle this piece.

 

According to ALM’s statement, they have always used top security solutions from around the world to protect their users’ data. If this statement is true, it would be very interesting, and crucial for other organizations, to find out how the hackers were able to infiltrate the layers of security. Was a zero-day vulnerability exploited? Was it an insider job, or perhaps a piece of insecure source code that made it through to the live environment and exposed the whole system?

 

All too often, organizations invest a lot in securing their network layer with firewalls and intrusion detection systems; however, if the application code is not checked for vulnerabilities and the application goes live with vulnerable code, a hack with potentially devastating impact is inevitable.

 


 

ALM have released the following announcement:

 

“We were recently made aware of an attempt by an unauthorized party to gain access to our systems. We immediately launched a thorough investigation utilizing leading forensics experts and other security professionals to determine the origin, nature, and scope of this incident.”

 

“We apologize for this unprovoked and criminal intrusion into our customers’ information. The current business world has proven to be one in which no company’s online assets are safe from cyber-vandalism, with Avid Life Media being only the latest among many companies to have been attacked, despite investing in the latest privacy and security technologies.”

 

“We have always had the confidentiality of our customers’ information foremost in our minds, and have had stringent security measures in place, including working with leading IT vendors from around the world. As other companies have experienced, these security measures have unfortunately not prevented this attack to our system.”

 

“At this time, we have been able to secure our sites, and close the unauthorized access points. We are working with law enforcement agencies, which are investigating this criminal act. Any and all parties responsible for this act of cyber-terrorism will be held responsible.”

 

“Avid Life Media has the utmost confidence in its business, and with the support of leading experts in IT security, including Joel Eriksson, CTO, Cycura, we will continue to be a leader in the services we provide. “I have worked with leading companies around the world to secure their businesses. I have no doubt, based on the work I and my company are doing, Avid Life Media will continue to be a strong, secure business,” Eriksson said.”


Amit Ashbel

Cyber Security Evangelist at Checkmarx
Amit Ashbel has been with the security community for more than a decade where he has taken on multiple tasks and responsibilities, including technical and Senior Product lead positions. Amit adds valuable product knowledge including experience with a wide range of security platforms and familiarity with emerging threats. Amit also speaks at high profile events and conferences such as Blackhat, Defcon, OWASP, and others.
