Malware

SPOTLIGHT ON SECURITY

An Insider Betrayed Ashley Madison – Go Figure

When the giant data breach at infidelity website Ashley Madison made headlines last month, the CEO of the site's owner was quick to claim the caper was an inside job. He had the attacker's profile and work credentials, Avid Life Media's CEO Noel Biderman told ace cybersecurity blogger Brian Krebs. Though not an employee, the individual had accessed the company's technical services.

When the giant data breach at infidelity website Ashley Madison made headlines last month, the CEO of the site’s owner was quick to claim the caper was an inside job.

He had the attacker’s profile and work credentials, Avid Life Media’s CEO Noel Biderman told ace cybersecurity blogger Brian Krebs. Though not an employee, the individual had accessed the company’s technical services.

Biderman is no longer at ALM — he resigned last week after emails stolen from Ashley Madison exposed his infidelities — but his inside-job assertion lives on.

More life was breathed into the idea by none other than John McAfee, the eccentric founder of a security firm that bears his name, although Intel now owns it and McAfee is no longer involved.

The data contains MySQL dumps, not copies of the data turned into a .csv file as is typical of an external data breach, McAfee pointed out.

In addition, the data includes lots of information that suggests inside access, such as employee stock options, the layout of the Ashley Madison offices, and the source code of every program ever written by the company’s employees.

Absence of Footprints

The insider angle has a number of adherents.

“The data tracks with an inside job,” said Tom Byrnes, CEO of ThreatSTOP.

“The data appears to have been dumped by someone who had console-level access to the database server,” he told TechNewsWorld..

With that kind of access, the database could be dumped with its internal structure intact, which is how it appeared on the Internet, Byrnes noted. “You can reconstruct the entire database properly from the dump.”

What’s more, the Impact Team, which claimed responsibility for the breach, left little trace of its raid.

“Exploit tools leave footprints in a data dump,” Byrnes explained. “There was no indication of that.”

The sheer volume of data also points to an inside job, he added.

“The way that much data gets out of a building without being noticed is not being FTP’d out some network pipe where it would cause congestion,” said Byrnes, “but by walking out of the building with it on a hard drive, just like Bradley Manning and Edward Snowden did.”

Spammers’ Delight

Although the operators of a site that’s all about lying and cheating can hardly be said to have public credibility, they may be straight shooters on the inside-job issue.

“The irony is that for the first time in their careers, the Ashley Madison executives are telling the truth, the whole truth and nothing but the truth,” Byrne said.

If the Ashley Madison breach was an inside job, that is a bit of good news for system defenders elsewhere.

“It doesn’t look like anything new has been done here,” Byrne said. “There isn’t any new zero day that we should be worried about here.”

However, that doesn’t mean there aren’t plenty of concerns for Internet travelers.

Spammers immediately began exploiting the new pool of email addresses available to them from the Ashley Madison data dump, noted Troy Gill, a senior security analyst with AppRiver.

The first spam campaigns were aimed at luring Web surfers to dubious background-check sites, he told TechNewsWorld. The second wave has been more malicious.

Curiosity Infects the Cat

Cybercriminals have started using the wealth of details about Ashley Madison users in the data dumped on the Net to craft extortion emails. The emails threaten to expose users’ participation in Ashley Madison by sending letters to their homes, unless two bitcoins (about US$450) are paid to the blackmailers.

“The odds are very slim they’ll send the letter, but I don’t think people being blackmailed will think about this rationally,” AppRiver’s Gill said.

“There isn’t any benefit to sending the letter,” he pointed out.”They won’t be getting any money, and they’ll be creating a paper trail that could lead back to them.”

Web bandits also have exploited curiosity about what’s in the Ashley Madison data by setting up “watering holes” designed to lure dirty laundry seekers to malicious websites.

“Anyone trying to get a copy of the data dump needs to be careful, because those sites will infect visitors with malware,” Gill said.

Malvertising Cure

As if online advertisers needed another headache, Cyphort Labs gave them one: security.

Malicious advertising has increased 325 percent over the past year, according to a report Cyphort released last week. Cybercriminals use it to push malware to Net trippers who have the misfortune of clicking on an infected ad — or in some cases, merely visiting a website that hosts one.

One way consumers can protect themselves from the scourge of malvertising sends shivers down the spine of advertisers: ad blockers.

“When you load a Web page, a bunch of JavaScript is sent to the browser to be executed. That’s the framework that’s doing the tracking for the advertisers and being exploited by the hackers,” said David Thompson, senior director of product management for LightCyber.

“The ad blocker basically tells the browser not to download and execute that JavaScript,” he told TechNewsWorld.

As with most solutions, though, ad blockers aren’t perfect, said Rahul Kashyap, chief security architect at Bromium.

“Ad blockers can reduce the attack surface, but they’re not 100 percent foolproof,” he told TechNewsWorld, “although they will definitely help.”

Breach Diary

  • Aug. 24. U.S. Appeals Court in Phildelphia rules in case involving Wyndham Worldwide, a hotel and time-share operator, that the SEC has authority to punish companies that fail to protect their customers’ data.
  • Aug. 25. Online infidelity site Ashley Madison has been targeted by at least four lawsuits linked to data breach that led to theft of personal information of millions of the webstop’s users, Wired reports.
  • Aug. 25. SEC announces it will not impose penalties on Target for 2013 data breach that resulted in theft of personal and payment card information of more than 100 million customers.
  • Aug. 25. California State Auditor releases report on cybersecurity at state agencies that finds they inadequately protect “an extensive range of confidential and sensitive data,” leaving critical information systems vulnerable to cyberattack. Seventy-three of 77 state entities admitted they could not comply with security standards.
  • Aug. 26. U.S. Defense Department publishes in Federal Register proposed rules governing data breach reporting by defense contractors. Deadline for comment is Oct. 26.
  • Aug. 27. FBI reports that from October 2013 to August 2015 email scams resulted in U.S. businesses losing nearly $750 million.
  • Aug. 28. Noel Biderman, CEO of Avid Life Media, which owns the hacked assignation website Ashley Madison, resigns.
  • Aug. 28. South Dakota School of Mines and Technology reveals that an email containing an attachment with personal information of 350 students was accidentally sent to the school’s graduate students. Students who received the email were told to delete it.

Upcoming Security Events

  • Sept. 9-10. Intelligence and National Security Summit. Walter E. Washington Convention Center, 801 Mt. Vernon Pl. NW, Washington, D.C. Registration: academic, $195; military and government, $50; AFCEA/INSA members, $595; nonmembers, $695.
  • Sept. 9-11. 2015 Cybersecurity Innovation Forum. Walter E. Washington Convention Center, 801 Mt. Vernon Pl. NW, Washington, D.C. Registration: $270; students, $95.
  • Sept. 10. The Sky Is Not Falling: Understanding the Privacy Panic Cycle. 9:00 a.m. Information Technology and Innovation Foundation, 1101 K Street NW, Suite 610A, Washington, D.C. Free with registration.
  • Sept. 12. B-Sides Augusta. GRU Harrison Education Commons Building, 1301 R.A. Dent Blvd., Augusta, Georgia. Free.
  • Sept. 12-21. SANS Network Security 2015. Caesars Palace, Las Vegas, Nevada. Long Courses: $3,145 – $6,295. Short Courses: $1,150 – $2,100.
  • Sept. 16. ISMG Data Breach Prevention and Response Summit. The Westin San Francisco Airport, 1 Old Bayshore Highway, Millbrae, California. Registration: $695.
  • Sept. 16-17. SecureWorld Detroit. Ford Motor Conference & Event Center, Detroit. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Sept. 17. 6th Annual Billington Cybersecurity Summit. Ronald Reagan Building and International Trade Center, 1300 Pennsylvania Avenue Northwest, Washington, D.C. Registration: corporate rate, $595; academic, $145; military and government, free.
  • Sept. 18. B-Sides Cape Breton. The Verschuren Centre, Cape Breton University, Sydney, Nova Scotia, Canada. Free.
  • Sept. 22-23. SecureWorld St. Louis. America’s Center Convention Complex, St. Louis. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Sept. 28-Oct. 1. ASIS 2015. Anaheim Convention Center, Anaheim, California. Through May 31 — member, $895; nonmember, $1,150; government, $945; student, $300. From June 1 through Aug. 31 — member, $995; nonmember, $1,250; government, $1,045; student, $350. From Sept. 1 through Oct. 1 — member, $1,095; nonmember, $1,350; government, $1,145; student, $400.
  • Sept. 30-Oct. 1. Privacy. Security. Risk. 2015. Conference sponsored by IAPP Privacy Academy and CSA Congress. Bellagio hotel, Las Vegas. Registration: Before Aug. 29 — member, $1,195; nonmember, $1,395; government, $1,045; academic, $495. After Aug. 28 — member, $1,395; nonmember, $1,595; government, $1,145; academic, $495.
  • Oct. 2-3. B-Sides Ottawa. RA Centre, 2451 Riverside Dr., Ottawa, Canada. Free with registration.
  • Oct. 6. SecureWorld Cincinnati. Sharonville Convention Center, 11355 Chester Rd., Sharonville, Ohio. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Oct. 6. UK Cyber View Summit 2015. 6 a.m. ET. Warwick Business School, 17th Floor, The Shard, 32 London Bridge, London, UK. Registration: 550 euros plus VAT.
  • Oct. 9-11. B-Sides Warsaw. Pastwomiasto, Anders 29, Warsaw, Poland. Free with registration.
  • Oct. 12-14. FireEye Cyber Defense Summit. Washington Hilton, 1919 Connecticut Ave. NW, Washington, D.C. Registration: before Sept. 19, $1,125; after Sept. 18, $1,500.
  • Oct. 15. SecureWorld Denver. The Cable Center, 2000 Buchtel Blvd., Denver, Colorado. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Oct. 19-21. CSX Cybersecurity Nexus Conference. Marriott Wardman Park, 2660 Woodley Rd. NW, Washington, D.C. Registration: before Aug. 26 — member, $1,395; nonmenber, $1,595. Before Oct. 14 — member, $1,595; nonmenber, $1,795. After Oct. 14 — member, $1,795; nonmember, $1,995.
  • Oct. 28-29. SecureWorld Dallas. Plano Centre, 2000 East Spring Creek Parkway, Plano, Texas. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Oct. 28-29. Securing New Ground. Conference sponsored by Security Industry Association. Millennium Broadway Hotel, New York City. Registration: Before Sept. 8 — member, $895; nonmember, $1,395; CISO, CSO, CIO, $300. After Sept. 7 — member, $1,095; nonmember, $1,495; CISO, CSO, CIO, $300.
  • Nov. 4. Bay Area SecureWorld. San Jose Marriott, 301 South Market St., San Jose, California. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Nov. 10. FedCyber 2015 Annual Summit. Tyson’s Corner Marriott, 8028 Leesburg Pike, Tyson’s Corner, Virginia. Registration: $395; academic, $145; government and military, free.
  • Nov. 11-12. Seattle SecureWorld. Meydenbauer Center, 11100 NE 6th St., Bellevue, Washington. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.

1 Comment

  • An insider breached the "secure" site. It really doesn’t matter who hacks, the point is that everything is hackable with little if any exceptions.

    Get used to it!

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by John P. Mello Jr.
More in Malware

Technewsworld Channels