Tuesday, July 21, 2015

Ashley Madison - What the news rampage is missing. The lies! It's all about the lies!

After watching a report on CTV and one on CNN, I realized reporters are missing a really important fact with this story.

Normal (non-tech) people are being lied to all the time. Some call it marketing, some call it a business practice. It is actually a pretty shady business practice, and experts would call it fraud.

The website shows you security-related images, logos that make you feel good about the site and its security.

The security certifications are made up, two of them don't really exist.  They are there to make you feel good about the site and not read the small print.

This claim probably tries to sell the idea that security is important, and that the website has been tested. The cold hard fact is that you cannot click on this logo and be taken to a "real" security testing company that will vouch for the quality of the site and the tests performed.

A real attestation would show dates the analysis was performed, and what kind of testing was done.  

This is the most insulting type of made-up rubber stamp. Discretion is subjective, it seems. Users of the site get a weekly email with links they can click to see their matches. If you click on any of these links, you're taken directly into the user's account. No username is requested, no password is asked. Emails are like postcards as they travel across the Internet: anyone who can sniff (observe) the network can grab your emails. That is why security standards dictate you do not send sensitive information by email. This includes: credit card numbers, the location where you buried the dead body, information that discloses you like rubber hoses (access to Ashley Madison, anyone).
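As an added illustration (not code from the post or from the site), the two designs side by side in Python: the weak "the link is the password" pattern described above, and a mitigated one where the emailed link carries a signed, expiring, single-use token and still only works inside an already logged-in session. The host name, signing secret and user ids are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

SECRET = b"constructed-demo-signing-key"  # assumption: a server-side secret
_used_tokens = set()  # replay protection; a real service would persist this


def weak_link(user_id):
    # Weak pattern from the post: the emailed link is a permanent credential.
    return f"https://example.invalid/matches?uid={user_id}"


def weak_open(url, users):
    # No password, no expiry, no binding: whoever reads the email is "logged in".
    return users.get(url.rsplit("uid=", 1)[1])


def issue_link(user_id, ttl=3600, now=None):
    # Mitigated pattern: user + expiry + nonce, HMAC-signed so it cannot be forged.
    now = int(time.time()) if now is None else now
    payload = f"{user_id}|{now + ttl}|{secrets.token_urlsafe(8)}"
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"https://example.invalid/matches?t={payload}|{sig}"


def open_link(url, session_user, now=None):
    """Return (ok, reason). The link deep-links into a session; it never creates one."""
    now = int(time.time()) if now is None else now
    token = url.rsplit("?t=", 1)[1]
    user_id, exp, nonce, sig = token.split("|")
    payload = f"{user_id}|{exp}|{nonce}"
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"          # tampered or forged link
    if now > int(exp):
        return False, "expired"                # a sniffed email goes stale quickly
    if session_user != user_id:
        return False, "login required"         # the email is not a credential
    if token in _used_tokens:
        return False, "already used"           # replay of an observed link
    _used_tokens.add(token)
    return True, "ok"
```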

This is the oldest type of bullshit rubber stamp. What this means is that the website uses encryption to secure the data in transit (while the data is transferred to your screen). Ask a regular person what SSL is, and chances are you will hear their brain stop working.

As far as the rest of the website's security is concerned, it is meaningless.

It says nothing as to the:
  • Quality of management
  • Quality of the hiring and subcontracting process
  • Security of stored data
  • Security of backed up data
  • Security of the software development lifecycle
  • Quality of the testing and maturity of security and its integration
  • .... I could go on, and on....
Also, I love that their maturity is so high that they are claiming to have searched through the entire Internet and removed all their data.

So here is a valid question. Who did handle their security?
And who is this "world class IT-Security Company" that is handling this breach, as they reported?

From experience, when the names are hidden...... it's all smoke and mirrors.

My original blog posts really get into the details, including screen shots of my.... test... account.

The sad truth is that these marketing tricks are often used; security professionals know they are meaningless, and mostly lies. The general public, however, gets a feeling that the site is SECURE, DISCREET and OK to share your most perverted stories with.

Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique University in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies
