Big news this morning, if you have an account at www.ashleymadison.com
Whether the breach turns out to be true or not, one thing is certain: we can all learn a lot from it. You can also tell a lot about a company and its values by how it manages a breach.
Also, did you know that your profile on this website can be accessed without a username and password..... read on.....
One thing is certain, we, as a people, are entirely too trusting and easily fooled by flashing lights and cool looking websites.
1- FAILURE TO TELL THEIR CLIENTS
24 hours after the news hit, still no notice to their clients. The front page still looks the same; nothing tells me that a breach has taken place, that I should change my password, or that I should prepare my wife for some shocking news.
2- FALSELY CLAIMING TO BE SECURE
The web site still displays three important and inspiring security elements to ensure that users "feel" secure. Websites need to stop doing this. It is FALSE ADVERTISING.
3- FAILURE TO TAKE RESPONSIBILITY
Their senior executives have come forward telling us that it is NOT an employee but a trusted contractor (or something of the sort). Why would I, the client, CARE! Why would you tell anyone this!
Telling the world that you KNOW who it is doesn't make things better. Telling the world that it isn't one of your employees but a contractor tells us entirely too much about your poor security practices. Are you telling me that your application developers have access to production data? No.... then who is this contractor and why did he have access to MY data?
As a client, I expect you to take responsibility, but above all I expect you to take action.
This story will die down in the media, and people will forget. It is the first thing your crisis management team will tell you. What is surprising is that this "news" should kill a company that did not take the steps to secure such sensitive data, yet chances are, it will simply be a blip on the radar and business as usual soon thereafter.
In this case, at BEST, they are pointing the finger at someone, shifting the blame (poor us, a disgruntled or crazy contractor did this), or at WORST, completely damaging an ongoing investigation by divulging that they suspect a contractor.
In short, the information handed out to the media so far damages the investigation. This incident is not being handled correctly.
4- FAILURE TO PROVIDE A SECURE SERVICE (THE REALLY BIG NEWS HERE)
Did you know that you DO NOT NEED your username and password to access YOUR profile? If you are a client, you should be very VERY upset about this.
So get this.....every week users of the site get a friendly email showing them their weekly "matches". This email shows you new profiles that you might want to click on to see more information. When you click, you are redirected to the website and you see the profile you wanted to see. You are also logged into your account: no username, no password required. I wish banking systems worked like that. So this means that anyone listening on the internet who can intercept emails (emails are like postcards, by the way) can collect these LINKS and connect to the user's account.
STEP BY STEP:
1- Intercept an email (the network techs at large telcos must be having a blast)
2- Click on the sexy lady (or guy) that is being offered.... and BOOM, you're in.
From here, one can view your profile, your correspondence with friendly girls and boys, the ratings that you have attributed to "mates", etc... etc... you get the picture....
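How a "your weekly matches" link should be built so that an intercepted copy is worth nothing. This is an added example, not the site's code: the link carries an unguessable token that is stored only as a hash, expires after a day, works once, and grants a read-only view of the matches rather than a full account session. The host example.invalid and the one-day lifetime are assumptions.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlparse

class MatchLinkService:
    """Issues 'weekly matches' links as short-lived, single-use, read-only grants
    instead of links that silently log the recipient into the whole account."""
    TTL_SECONDS = 24 * 60 * 60          # assumption: a link is useful for one day, not forever

    def __init__(self, now=time.time):
        self.now = now                   # injectable clock so expiry can be exercised in tests
        self._grants = {}                # sha256(token) -> grant record; raw tokens are never stored

    def issue_link(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)                      # 256 bits of randomness
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._grants[digest] = {"user": user_id, "scope": {"view_matches"},
                                "expires": self.now() + self.TTL_SECONDS, "used": False}
        return f"https://example.invalid/matches?t={token}"    # placeholder host

    def redeem(self, url: str):
        """Return a limited grant, or None if the link is unknown, expired or already used."""
        token = parse_qs(urlparse(url).query).get("t", [""])[0]
        rec = self._grants.get(hashlib.sha256(token.encode()).hexdigest())
        if rec is None or rec["used"] or self.now() > rec["expires"]:
            return None
        rec["used"] = True                                     # single use: a replayed copy is dead
        return {"user": rec["user"], "scope": set(rec["scope"])}

def authorize(grant, action: str) -> bool:
    """A grant is not a session: anything outside its scope requires a real login."""
    return grant is not None and action in grant["scope"]
```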
5- FAILURE TO ACT AS CONTRACTED - TO BE CONFIRMED
It seems, and this one remains to be proven, that they charged $20 to have your account deleted. Some articles talk about 1.7 million in revenue from these charges.
Some other articles are claiming that they DID NOT ACTUALLY DELETE ALL your data after taking your money. This breach, if the data is retrieved and analyzed, might expose this fact.
Offering a paid deletion service is a dangerous thing. It is almost impossible to do unless the data is individually encrypted (client by client, using a unique key for each client) and the keys are extremely well secured, not duplicated or backed up beyond what the resilient architecture itself requires. This means that the encryption key is deleted when a client PAYS to have his data deleted. This results in the client's data becoming impossible to access.
Why do it this way? Simple, data gets backed up. Deleting data from a production system is easy; deleting it from all known backups is a much more complex task. If you delete the key, the encrypted data on the backups is unretrievable.
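The per-client key scheme described above, as an added example that is not the site's code: each client's data is encrypted under its own key, backups only ever hold ciphertext, and a paid delete destroys the key, so the copies sitting in every backup become unreadable. The cipher is a stand-in built from HMAC-SHA256 so the example runs with the standard library; a real system would use an AEAD such as AES-GCM, and the key handling, not the primitive, is the point.

```python
import hashlib
import hmac
import secrets

def _xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher for the demo: HMAC-SHA256 run in counter mode as a keystream.
    Same call encrypts and decrypts. Not authenticated; use a real AEAD in production."""
    stream = b"".join(
        hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))

class ClientVault:
    """Per-client encryption where 'delete' means destroying that client's key."""
    def __init__(self):
        self._keys = {}       # client_id -> 32-byte key: the ONLY copy, never backed up
        self.records = {}     # client_id -> (nonce, ciphertext): safe to replicate and back up
        self.backups = []     # constructed stand-in for nightly backup snapshots

    def store(self, client_id: str, plaintext: bytes) -> None:
        key = self._keys.setdefault(client_id, secrets.token_bytes(32))
        nonce = secrets.token_bytes(12)
        self.records[client_id] = (nonce, _xor_keystream(key, nonce, plaintext))

    def snapshot(self) -> None:
        self.backups.append(dict(self.records))    # ciphertext only; keys stay out of backups

    def read(self, client_id: str, backup_index=None) -> bytes:
        source = self.records if backup_index is None else self.backups[backup_index]
        if client_id not in self._keys:
            raise KeyError(f"{client_id}: key destroyed, record is unrecoverable")
        nonce, ciphertext = source[client_id]
        return _xor_keystream(self._keys[client_id], nonce, ciphertext)

    def paid_delete(self, client_id: str) -> None:
        """Remove the live record AND the key. Backups still hold ciphertext nobody can open."""
        self.records.pop(client_id, None)
        self._keys.pop(client_id, None)
```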
The pay-to-delete service was more than likely "sold" to management as a great new feature and money grab, since I doubt that the actual architecture provides compelling evidence that the data actually is DESTROYED. This breach might shed light on all this.
Having a nice policy statement like the one below is not enough. If you are going to state that INDUSTRY STANDARD PRACTICES have been respected, shouldn't you do it?
Security
We treat data as an asset that must be protected against loss and unauthorized access. To safeguard the confidentiality and security of your PII, we use industry standard practices and technologies including but not limited to "firewalls", encrypted transmission via SSL (Secure Socket Layer) and strong data encryption of sensitive personal and/or financial information when it is stored to disk.
The take away here....
- Have their architecture reviewed by REAL professionals
- Have an independent third party perform security testing and have the results summary accessible for all to see (The good old put your money where your mouth is)
- Get a new incident handling team lead that will tell them what to do, and what to say next time the shit hits the fan.
- And for the love of whichever God they pray to, take responsibility and tell your clients the truth and actually do something about it.
If you think your significant other would find a brief walk through your profile mildly amusing, remember that the site also tracks details that perhaps... are harder to navigate when you get home after this breached data gets published:
Eric Parent is a senior security expert, specialized in coaching senior executives. He teaches CyberSecurity at l'Ecole Polytechnique University in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.
Follow up posts of interest:
UPDATE: Ashley Madison is now telling the INTERNET that they have successfully used DMCA requests to take down ALL, read that again.... ALL.. of its leaked customer data from the Internet. Wow.... what a bold statement....
BLOGPOST: Who is coaching these idiots!