Thursday, August 20, 2015

Ashley Madison, the list is finally out, and it is awesome

Someone could make a living writing about Ashley Madison, as it appears to be an endless source of mind-blowing news.

Years from now, university professors will still be using this case, as the case to use when teaching aspiring security professionals AND senior managers how NOT to handle a security incident.

The list of screw ups is long as are the life lessons.

Here is the top stupid thing they have said or done in the last month.

They told the world not to worry: they had hired the BEST security firm and had the BEST working on the problem.

Reality: The statements and their current security enhancements and posture indicate they have only mastered bold stupid statements.

They have removed their false or "made up" security certification claim and changed their main landing page. Oooohhh, Aaaaah, impressive.

If I recall, this same bunch of BEST experts helped you make another bold claim. A claim that made even the elderly burst into laughter. The claim that you had located ALL your leaked information and taken it off the Internet.

First off, sending out DMCA notices only works on people who give a crap, and the underground hacking community doesn't really respond well to legal demands. Perhaps the fine folks at Ashley Madison have not read a paper since the Apollo moon landings.

So yesterday, big news.  The list was leaked, as promised by the initial attackers.

One download Torrent alone has had north of 170,000 downloads.

Here it is on Pirate Bay as a Torrent Download.  (Link provided for research purposes):

Strange, the security experts at Ashley Madison had removed all their data from the Internet.....

Perhaps Ashley Madison has the same problem that 4 year olds have. They have an imaginary security friend!

The phase will pass (I guess...) and they will eventually have a REAL security professional.

For the time being, they have suspended sending weekly email updates, since it was brought to their attention that anyone intercepting all these juicy emails could get into everyone's account.... (thank you for reading my blog, Ashley).

What they failed to do, is expire the links on all the old emails.  (I feel cheated here, like I'm giving you free consulting....).

So anyone with access to any of the old emails can still click on any of the links within and get right into those accounts without ever being asked for a username and password.

Bravo!! Nice fix.
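The fix the post is asking for is that a login link carried in an email must stop working on its own: it needs an expiry, it should be single-use, and the site needs a server-side way to void every link it has already sent. The block below is an added illustration of that pattern, not Ashley Madison's code or anything from the breach. The class name `MagicLinks`, the "generation counter" revocation scheme, and the `legacy_issue`/`legacy_redeem` pair (which shows the forever-valid, signature-only link the post complains about) are all assumptions made here for the example; the signing key is a constructed placeholder.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed placeholder key for the example; a real deployment loads it from a secret store.
SIGNING_KEY = b"example-signing-key-do-not-use-32b"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(key: bytes, payload: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


# --- The problem: a signed link with no expiry and no revocation hook (hypothetical legacy scheme) ---
def legacy_issue(user_id: str, key: bytes = SIGNING_KEY) -> str:
    payload = user_id.encode()
    return _b64(payload) + "." + _b64(_sign(key, payload))


def legacy_redeem(token: str, now: float, key: bytes = SIGNING_KEY):
    """Valid forever: nothing in the token or on the server can ever invalidate it."""
    payload_b64, mac_b64 = token.split(".")
    payload = _unb64(payload_b64)
    if not hmac.compare_digest(_unb64(mac_b64), _sign(key, payload)):
        return None
    return payload.decode()


# --- The fix: expiring, single-use links that the server can void wholesale ---
class MagicLinks:
    def __init__(self, key: bytes = SIGNING_KEY, ttl_seconds: int = 900):
        self.key = key
        self.ttl = ttl_seconds
        # Per-user generation counter; bumping it voids every link issued under the old value.
        self.generation: dict[str, int] = {}
        # Nonces already redeemed, so a link can only be used once.
        self.used_nonces: set[str] = set()

    def issue(self, user_id: str, now: float) -> str:
        claims = {
            "u": user_id,
            "g": self.generation.get(user_id, 0),
            "exp": int(now) + self.ttl,
            "n": secrets.token_hex(8),
        }
        payload = json.dumps(claims, separators=(",", ":")).encode()
        return _b64(payload) + "." + _b64(_sign(self.key, payload))

    def redeem(self, token: str, now: float):
        """Return the user id on success, None on any failure (tampered, expired, reused, revoked)."""
        try:
            payload_b64, mac_b64 = token.split(".")
            payload, mac = _unb64(payload_b64), _unb64(mac_b64)
        except ValueError:
            return None
        # Check the MAC before trusting anything inside the payload.
        if not hmac.compare_digest(mac, _sign(self.key, payload)):
            return None
        try:
            claims = json.loads(payload)
        except ValueError:
            return None
        if now > claims["exp"]:
            return None  # expired on its own, no server action needed
        if claims["g"] != self.generation.get(claims["u"], 0):
            return None  # issued before the user's links were revoked
        if claims["n"] in self.used_nonces:
            return None  # already clicked once
        self.used_nonces.add(claims["n"])
        return claims["u"]

    def revoke_all(self, user_id: str) -> None:
        """Void every outstanding link for this user, e.g. after a breach or a password change."""
        self.generation[user_id] = self.generation.get(user_id, 0) + 1


if __name__ == "__main__":
    links = MagicLinks(ttl_seconds=600)
    t = links.issue("alice", now=1000)
    print("first click:", links.redeem(t, now=1100))   # alice
    print("second click:", links.redeem(t, now=1100))  # None, single use
    old = links.issue("alice", now=1000)
    links.revoke_all("alice")
    print("after revoke:", links.redeem(old, now=1100))  # None
```

The point of the generation counter is that revocation needs no list of every link ever mailed: one integer per account, bumped once, retires all of them, which is exactly the step the post says was skipped.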

Feels like Microsoft in the early 90's.

Now looking through the Ashley Madison data, should reveal even more interesting things......  If someone had "access" to the actual Ashley Madison data dump.....

Oh wait, that would be illegal, and also, Ashley might show up in the middle of the night to hand me a DMCA takedown notice.

Am I dreaming....


Let the public shaming begin.  People are going to be looking up not their friends, but their mortal enemies.

A fine example:  

Family Values Activist Josh Duggar Had a Paid Ashley Madison Account

So to all the fine clients of Ashley Madison who have no mortal enemies, sleep tight.

For the rest..... there is a billion dollar pharmaceutical industry waiting to calm your nerves.


Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique University in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies
