Extortion R Us - Ashley Madison, OPM and the Changing Face of Data Breaches
On July 19th, security blogger Brian Krebs broke a story on a security breach at adultery hookup site AshleyMadison.com. Actually, AM is just the largest of three “adult” web properties owned by Avid Life Media (ALM), all having to do with hooking people up for sexual encounters.
Credit was claimed by the “Impact Team” who have threatened to publish data on millions of users unless the Ashley Madison site is shut down. To date neither has happened, except for the identification of two hapless users, one in the US and one near Toronto (where ALM is based). While ALM’s websites remain online, their planned London IPO is said to be in trouble.
Because of the nature of ALM’s business, there has been a fair amount of sniggering about the data breach, as well as a lot of Schadenfreude in the comments sections of the blogs that cover it. Interestingly enough, the Impact Team seemed less upset by the hookup business than they were about ALM’s service that allowed users to pay a fee to have their profiles completely erased, which the Impact Team claimed were still accessible. (That service is now free.) The Ashley Madison breach has not resulted in a huge dump of credit card data on the usual “carder” sites, so these intruders are playing a longer game. Releasing the cards would identify the victims, drawing attention to them at their banks and, more importantly, with the people with whom they share a mailbox and a telephone — precisely whom they may have been cheating on. For the present there are two extortionate threats on the table, one to Ashley Madison’s customers and the other to the company’s very existence.
It’s easy to write this off as affecting a bunch of cheaters who deserve what they get, but The Verge’s Russell Brandom reminds us that the data security and privacy lessons are important to a lot of other (and less sensational) web businesses:
Collecting and retaining user data is the norm in modern web businesses, and while it’s usually invisible, the result for Ashley Madison has been catastrophic. In hindsight, we can point to data that should have been anonymized or connections that should have been less accessible, but the biggest problem is deeper and more universal. If services want to offer genuine privacy, they have to break away from those practices, interrogating every element of their service as a potential security problem. Ashley Madison didn’t do that. The service was engineered and arranged like dozens of other modern web sites — and by following those rules, the company made a breach like this inevitable.
The entire article is worth reading. The data breach had a lot of enablers and the industry has a lot of takeaways.
The ALM breach came right on the heels of (our knowledge of) two breaches at the government’s Office of Personnel Management (OPM). The first (discovered in April and announced in June) was an “ordinary” breach of some 4.2 million personnel records, with personal information such as names and addresses, social security numbers, and such. In the course of investigating that breach, OPM discovered a much worse breach of the system used for background investigations for security clearances.
Security background investigations can involve information about people’s private lives, and the Daily Beast went straight for that point in their coverage:
A senior U.S. official has confirmed that foreign hackers compromised the intimate personal details of an untold number of government workers. Likely included in the hackers’ haul: information about workers’ sexual partners, drug and alcohol abuse, debts, gambling compulsions, marital troubles, and any criminal activity. Those details, which are now presumed to be in the hands of Chinese spies, are found in the so-called “adjudication information” that U.S. investigators compile on government employees and contractors who are applying for security clearances. The exposure suggests that the massive computer breach at the Office of Personnel Management is more significant and potentially damaging to national security than officials have previously said.
The government has claimed that no intelligence agents remained in the OPM database, but that is of small comfort. In particle physics, what’s missing from a set of tracks can tell you as much as what’s there; it’s a way of detecting particles that don’t trigger your detectors. Similarly, holes in mined data could tell the (presumed Chinese) attackers a lot, as the NY Times pointed out:
The C.I.A. and other agencies with undercover officers would be cautious about immediately withdrawing spies from China because that would raise suspicions among Chinese counterintelligence operatives. A C.I.A. spokesman declined to comment.
The C.I.A. and other agencies typically post their spies in American embassies, where the officers pose as diplomats working on political affairs, agricultural policy or other issues. The American Embassy in Beijing has long housed one of the largest C.I.A. stations in the world, with intelligence officers gathering information on China’s political maneuvering, economic development and military modernization.
In addition, there may be a lot of information that people revealed as part of the security check process that they would rather not have generally known. The breach could make some of those people vulnerable to extortion, just as the Ashley Madison customers are.
While the potential for online embarrassment has been with us for a long time, judging by the constant stream of selfies and sex tapes that get released, these two breaches indicate that some cyber threats may be evolving. The threat actors may be moving away from quick gain on the credit card market to a long game exploiting people’s darkest secrets. Hacking by nation states has been around for quite a while, but this goes to a whole new level. For both spies and blackmailers, secrets about sex have long been a staple of their craft, but with breaches like these they can now get them wholesale. This will make the net a scarier place.
Please note, though, that this trend does not spell the end of quick-buck ransomware, as evidenced by a fake Windows 10 upgrade email now in play. So you can’t let your guard down there, either.
About Andy Sherman
Andy Sherman, Eden Technologies’ security practice lead, has a PhD in physics from Rensselaer Polytechnic Institute and started his career in the academic world. He then went to AT&T Bell Laboratories, where he discovered the power – and hazards – of large distributed computer networks. It was also at Bell Labs, during the early days of the Internet, that Andy became interested in the security problems associated with public networks. From Bell Labs Andy moved to the financial services industry. There he worked on a large range of infrastructure design, deployment, and management projects, but is best known for his 15+ years in information and technology security.