7Safe security expert says unencrypted storage of confidential data is “common problem”
Is your personal data being protected online, or has the rapid growth of internet companies led to a lack of understanding by senior management of data protection and the cyber threat?
The publication online of an estimated 37 million user records ‘exfiltrated’ (the polite word for ‘hacked’) from the Ashley Madison extramarital affair dating site has raised fresh concerns about how confidential data is processed and stored by web companies as the fallout from the hack in July continues to make the global headlines. Today, 14 gigabytes worth of data, allegedly from the chief executive's email account, has been dumped on the part of the internet known as the ‘dark web’ – suggesting that the hackers enjoyed a high level of access to Avid Life Media’s data servers, possibly over a long period of time, without being detected.
Confidential data should be protected
7Safe’s lead penetration tester, Aleksander Gorkowienko, has expressed his concern that a commercial organisation professing to provide anonymity to those having affairs should have stored the personal information about 37 million of its clients on an unencrypted server file - as reported by Mashable:
“It beggars belief”, said Aleksander. “This monumental compromise comes less than two months after intruders stole and leaked online user data on millions of accounts from hookup site AdultFriendFinder. In an industry that was already under attack from determined hackers, to carry on as though nothing had happened and fail to encrypt the contact information – and if reports are true – the sexual preferences of its clients, has to amount to economic suicide. When assessing the security implications of this breach, we should take a step back from the moral issues of what Ashley Madison was encouraging its customers to do and think firstly about the business implications of the theft: would any of us in industry trust a supplier that stored its sensitive data unencrypted on servers connected to the internet? And yet it appears from the uploaded data dumps that the dating website did just that, and also that people working for government, the police and large companies registered using their work email addresses. If this is true, it highlights a woeful level of ignorance about cyber security among senior management who allowed this to happen in so many organisations across the globe.”
AM users registered with .gov.uk and .police.uk emails
To quote The Register: “Unbelievably, it appears about 100 people used .gov.uk and .police.uk email accounts to sign up for Ashley Madison accounts. Thousands more used .gov and .mil addresses in the US, and it appears hundreds used work accounts at tech giants.”
The data theft was allegedly the result of an attack by an ‘insider’ – or at least someone who had access to Avid Life Media’s Ashley Madison data server: “We’re on the doorstep of [confirming] who we believe is the culprit, and unfortunately that may have triggered this mass publication,” [Noel] Biderman [CEO of Avid Life Media] said. “I’ve got their profile right in front of me, all their work credentials. It was definitely a person here that was not an employee but certainly had touched our technical services.” [Source: KrebsOnSecurity].
[Source: Now Ashley Madison hackers reveal 'CEO's emails and source code', The Register]
Aleksander is sceptical about the attribution of the attack to a third-party contractor based on what we know about the attack. I would have to see the forensic evidence of course, but I have personally encountered enterprises in this market that failed to keep even basic logs of network traffic from which it would be possible to detect the person responsible for a breach. These organisations also failed to encrypt personally-identifiable data and the problem is, I think, systemic. Despite all the media coverage of breaches like JP Morgan Chase, Target and The Home Depot, senior executives go on believing that they have the problem under control. This seems especially true, ironically, in the case of high-growth internet services companies, who really should know better. The pressure to grow fast and be profitable means that cyber security is often not given a high priority. It may not be so here, but we shall no doubt find out.
Lack of cyber security procedures
Unfortunately, most organisations do not have elementary cyber security procedures and controls in place – like the ones set out in the UK’s Cyber Essentials Scheme – that would enable them to manage the data that they hold on their servers in a secure, responsible way. Their staff have only a basic understanding of ‘security in depth’ and rely on technology solutions when simple and cost-effective measures like hardening their operating systems and removing unnecessary services that could assist a hacker would give them greater protection.
As a penetration tester, my team and I regularly find evidence of vulnerabilities that match this description. And the code on many software-as-a-service sites has only rarely – if ever – been reviewed and tested by security specialists. You get what you pay for and most internet firms are too busy making money to consider the risk of a serious security failure costing millions – perhaps one that takes them out. I estimate that by spending 10% of development costs on external security testing, online service providers could eliminate 95% of their risk. However, that sum rarely seems attractive to business owners achieving growth targets in the range of hundreds to thousands of percentage points. Until they get seriously hacked, that is!
Ashley Madison has recently claimed that it does not store credit card numbers; however, it appears that the transaction history for some users going back as far as 2009 was present. Needless to say, for some fun seekers, it will be evident that their interest in extramarital affairs was not just a moment of indulgence but a regular feature of their online spending patterns.
Q&A with Aleks
Is the failure of Avid Life Media to encrypt the personal data of 37 million users acceptable? And how often as a pen tester do you find this?
In my view, it is unacceptable not to encrypt data files containing highly-confidential information of this type – if that is the nature of your business. Although bcrypt passwords are generally secure enough, given the time it would take to reverse engineer them, we don’t know how far the hackers got this time. Have they gained access to the password file and decrypted the whole password database for example – because if they have, and given that most users will use the same password on several systems, customers could be vulnerable wherever they use that password. Their bank account for example? The best advice is change your passwords asap.
Some payment card information going back to 2009 was stored on the database even if it did not include full credit card information like the expiry date and three-digit security code. Is this practice common?
Yes. However, it’s only a problem if, once again, the data is stored unencrypted, which the PCI DSS (Payment Card Industry Data Security Standard) does not allow. It’s unlikely that thieves will steal from your card if they get hold of the PAN [Primary Account Number] on its own, but it will certainly tell the customer’s partner that Don Juan 2009 or whatever alias they chose is using their payment card to have affairs. There will be quite a few guys shredding and burning their statements this month.
One good piece of news for Ashley Madison users affected by the breach is that passwords remain encrypted via a modern encryption standard called bcrypt. However, it is possible to "reverse engineer" those passwords – although it would take a long while. Also, knowing a user's email address might allow hackers to try to get access to other accounts by testing lists of common passwords. What should Ashley Madison customers do to combat this?
Change your password. And don’t use the same password on two or more sites. This is something that most people find difficult to do, but there are ways to create several passwords that are strong enough and that you can remember more easily. First off though, change the one on your Ashley Madison account as a precaution.
The stolen data cannot easily be accessed by the public as it has been released onto the dark web, reachable only via encrypted browsers. However, some of the content is now being distributed more widely. Some individuals have already asked security researchers who have access to the data if their information is present. How easy will it be for criminals to find information that can be used for blackmail or to take over a user’s identity this way?
The dark web isn’t as inaccessible as it sounds. And what starts there ends up accessible using ordinary browsers as it is copied to other servers. It will be embarrassing for some people.
What is your experience as a pen tester of the safeguards that web services put in place and what can be done to strengthen their systems against attack?
Okay, I would say this… Regular penetration testing will help you to identify and prevent or mitigate the risks arising from software and hardware vulnerabilities that can lead to a costly hacking incident. Regular code reviews will help too if you are building your own software and don’t have an in-house team to match the team skills and technical capabilities of security services companies like 7Safe. Finally, they should take a strategic view of security from the get go. Instead of the fatalistic approach, they should face the fact that every organisation connected to the internet is at risk of having confidential data stolen and put controls – and preferably a management system – in place that reduces, mitigates and/or transfers the risks that they identify. Rather than relying on one really clever guy to whom you pay large sums of money, do what I recommend, and you will have a much better chance of avoiding your own cyber-geddon! – And of course, find an independent cyber security supplier like 7Safe with a reputation that is based on thousands of penetration tests and forensics investigations for state and private sector organisations. You’ll be a whole lot safer!
Read Aleks’ in-depth blog article on the Ashley Madison hack – to be published 24/08.
Advice on dealing with identity theft and online fraud/blackmail can be found on the UK National Crime Agency’s (NCA) website:
NCA: Online safety guidance for the public