Monday, July 20, 2015

AshleyMadison - 5 things that should haunt their clients and many of our senior executives

UPDATE:   Ashley Madison is now telling lies!  Seems they have taken down ALL the

Big news this morning, if you have an account at www.ashleymadison.com

Whether the breach turns out to be true or not, one thing is certain: we can all learn a lot from it.  You can also tell a lot about a company and its values by how it manages a breach.

Also, did you know that your profile on this website can be accessed without a username and password?..... read on.....

One thing is certain, we, as a people, are entirely too trusting and easily fooled by flashing lights and cool looking websites.


1- FAILURE TO TELL THEIR CLIENTS
Twenty-four hours after the news hit, still no notice to their clients.  The front page still looks the same; nothing tells me that a breach has taken place, that I should change my password, or that I should prepare my wife for some shocking news.

This breach is all over the Internet, yet nothing on their website speaks to the client. Management is making public statements to downplay the breach as the act of a trusted insider or saboteur, yet no message has been made visible to users; all 37 million of them must rely on CNN and FOX News to understand what is happening to their personal data.


2-FALSELY CLAIMING TO BE SECURE

The web site still displays three important-looking and reassuring security badges so that users "feel" secure.  Websites need to stop doing this.  It is FALSE ADVERTISING.



First off, TRUSTED SECURITY AWARD is meaningless.  You cannot click on the icon and "see" who is putting their reputation on the line to say that the RIGHT level of security testing has been performed.  When will a journalist skin this cat alive!

Secondly, 100% DISCREET SERVICE is a self-made claim.  How discreet is the service if I do not need a username and password to access my profile?   Yes, you read that correctly (more on that further down).

SSL SECURE SITE is yet another "out of context" claim.  Sure, the connection between the browser and the site is encrypted, but SSL only protects data in transit; it says nothing about who is allowed in.  Someone who reads my emails can access my profile without my username and password, and they access it securely via SSL.

Security testing means the result is auditable, verifiable and, heck, true.  OWASP's testing guidance (the OWASP Testing Guide and Top 10) is the gold standard for web applications.

Overall, this web site, along with the entire infrastructure behind it, is not operating as a secure ecosystem, and displaying these logos if you're not doing it, or not doing it ADEQUATELY, is FALSE ADVERTISING.

So CEOs, check your websites for little logos, and if you cannot click on them and be taken to the third party who did the testing and get some details on what the heck was tested...... you're guilty of "security advertising"!


3-FAILURE TO TAKE RESPONSIBILITY  
Their senior executives have come forward telling us that it is NOT an employee but a trusted contractor (or something of the sort).  Why would I, the client, CARE!  Why would you tell anyone this!

Telling the world that you KNOW who it is doesn't make things better.  Telling the world that it isn't one of your employees but a contractor tells us entirely too much about your poor security practices.  Are you telling me that your application developers have access to production data?  No.... then who is this contractor and why did he have access to MY data?

As a client, I expect you to take responsibility, but above all I expect you to take action. 

This story will die down in the media, and people will forget.  It is the first thing your crisis management team will tell you.  What is surprising is that this "news" should kill a company that did not take the steps to secure such sensitive data, yet chances are it will simply be a blip on the radar and business as usual soon thereafter.

In this case, at BEST, they are pointing the finger at someone and shifting the blame (poor us, a disgruntled or crazy contractor did this), or at WORST, damaging an ongoing investigation by divulging that they suspect a contractor.

In short, the information handed out to the media so far damages the investigation.  This incident is not being handled correctly.

4-FAILURE TO PROVIDE A SECURE SERVICE (THE REALLY BIG NEWS HERE)
Did you know that you DO NOT NEED your username and password to access YOUR profile?  If you are a client, you should be very, VERY upset about this.

So get this.....every week users of the site get a friendly email showing them their weekly "matches".  This email shows you new profiles that you might want to click on to see more information.  When you click, you are taken to the website and you see the profile you wanted to see. You are also logged into your account: no username, no password required.  I wish banking systems worked like that.  The link in that email is a bearer credential; whoever holds it is you.  So anyone listening on the Internet who can intercept or read email (emails are like postcards, by the way) can collect these LINKS and connect to the user's account.

STEP BY STEP:

1- Intercept an email (the network techs at large telcos must be having a blast)

2- Click on the sexy lady (or guy) that is being offered.... and BOOM, you're in.

From here, one can view your profile, your correspondence with friendly girls and boys, the ratings that you have attributed to "mates", etc... etc... you get the picture....
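The weak pattern and a hardened one side by side, as an added example that is not part of the original post and is not Ashley Madison's code. The domain `example.invalid`, the signing key, and the user and profile IDs are assumptions. The hardened form binds the link to one profile, signs it, expires it, and accepts it once; even then it grants a read-only view of that profile rather than a login, so an intercepted link is worth very little to whoever reads the email.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Callable, Dict, Optional, Set
from urllib.parse import parse_qs, urlsplit

# Assumption: hypothetical site; nothing here is the real service's code.
SITE = "https://example.invalid"


class WeakMailer:
    """The pattern described above: the email link carries a bearer token that
    logs the recipient into the full account, never expires and is never revoked."""

    def __init__(self) -> None:
        self._tokens: Dict[str, str] = {}

    def make_link(self, user_id: str, profile_id: str) -> str:
        tok = secrets.token_urlsafe(16)
        self._tokens[tok] = user_id          # bound to nothing but the account
        return f"{SITE}/profile/{profile_id}?auth={tok}"

    def login_from_link(self, link: str) -> Optional[str]:
        tok = parse_qs(urlsplit(link).query)["auth"][0]
        return self._tokens.get(tok)         # whoever holds the link owns the session


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class ScopedLinkIssuer:
    """Hardened form: the link is an HMAC-signed, short-lived, single-use grant
    that only permits viewing the one profile it names. It never becomes a login."""

    TTL_SECONDS = 3600

    def __init__(self, key: bytes, now: Callable[[], float] = time.time) -> None:
        self._key = key          # server-side secret, never sent to the client
        self._now = now          # injectable clock so expiry can be tested
        self._used: Set[str] = set()

    def _sign(self, body: str) -> str:
        return hmac.new(self._key, body.encode("ascii"), hashlib.sha256).hexdigest()

    def make_link(self, user_id: str, profile_id: str) -> str:
        claims = {
            "u": user_id,                                   # recipient
            "p": profile_id,                                # the only profile this link opens
            "exp": int(self._now()) + self.TTL_SECONDS,     # short lifetime
            "n": secrets.token_urlsafe(12),                 # nonce: link is single use
        }
        body = _b64e(json.dumps(claims, sort_keys=True).encode("utf-8"))
        return f"{SITE}/profile/{profile_id}?t={body}.{self._sign(body)}"

    def redeem(self, link: str) -> Optional[Dict[str, object]]:
        token = parse_qs(urlsplit(link).query)["t"][0]
        body, _, sig = token.rpartition(".")
        if not hmac.compare_digest(sig, self._sign(body)):
            return None                                  # forged or tampered
        claims = json.loads(_b64d(body))
        if claims["exp"] < self._now():
            return None                                  # a stale intercepted link is useless
        if claims["n"] in self._used:
            return None                                  # replay of an already-used link
        self._used.add(claims["n"])
        # The grant is scoped: one profile, read-only, and no authenticated session.
        # Anything beyond this preview still requires a real login.
        return {"user": claims["u"], "may_view": claims["p"], "full_session": False}
```

Single use means a user who clicks the same link twice gets bounced to the login page, which is the right trade: the link is a convenience, not a credential. The `_used` set is per process here; a real deployment would keep it in shared storage with the same TTL as the token so nonces expire along with the links.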

5-FAILURE TO ACT AS CONTRACTED - TO BE CONFIRMED
It seems, and this one remains to be proven, that they charged $20 to have your account deleted.  Some articles talk about $1.7 million in revenue from these charges.

Other articles are claiming that they DID NOT ACTUALLY DELETE ALL your data after taking your money.  This breach, if the data is retrieved and analyzed, might expose that.

Offering a paid deletion service is a dangerous thing.  It is almost impossible to do properly unless the data is individually encrypted (client by client, with a unique key for each client) and the keys are extremely well secured, never duplicated, and never backed up beyond what the resilient architecture requires.  Deletion then means destroying the client's encryption key when the client PAYS to have his data deleted, which makes that client's data impossible to access anywhere it is stored.

Why do it this way?  Simple: data gets backed up.  Deleting data from a production system is easy; deleting it from every known backup is a much more complex task.  If you delete the key, the encrypted data on the backups is unrecoverable.  (This is the technique commonly called crypto-shredding.)

The pay-to-delete service was more than likely "sold" to management as a great new feature and money grab, since I doubt that the actual architecture provides compelling evidence that the data is actually DESTROYED.  This breach might shed light on all this.
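As an added example (not from this post and not Ashley Madison's code), here is the per-client key scheme described above: a keystore held apart from the data store, backups that copy only ciphertext, and a paid delete that destroys the key so every backup copy becomes unreadable. The cipher is a toy HMAC-SHA256 keystream used only to keep the example dependency-free; a real deployment would use a reviewed AEAD such as AES-GCM, and the keystore would be an HSM or KMS rather than a dictionary. Client IDs and profile contents are constructed sample data.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter-mode keystream (HMAC-SHA256). Stand-in for AES-GCM, not a
    reviewed cipher. XOR is its own inverse, so one function encrypts and decrypts."""
    out = bytearray()
    for block, offset in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)


class KeyStore:
    """One data-encryption key per client. Lives outside the data store and is
    deliberately excluded from data backups, so destroying a key is final."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def create(self, client_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self._keys[client_id] = key
        return key

    def get(self, client_id: str) -> Optional[bytes]:
        return self._keys.get(client_id)

    def destroy(self, client_id: str) -> None:
        self._keys.pop(client_id, None)


class ProfileStore:
    """Profile data, stored only as ciphertext under the owning client's key."""

    NONCE_LEN = 12

    def __init__(self, keys: KeyStore) -> None:
        self.keys = keys
        self.rows: Dict[str, bytes] = {}

    def put(self, client_id: str, plaintext: bytes) -> None:
        key = self.keys.get(client_id) or self.keys.create(client_id)
        nonce = secrets.token_bytes(self.NONCE_LEN)
        self.rows[client_id] = nonce + _keystream_xor(key, nonce, plaintext)

    def get(self, client_id: str) -> Optional[bytes]:
        key = self.keys.get(client_id)
        blob = self.rows.get(client_id)
        if key is None or blob is None:
            return None                       # no key means no plaintext, ever
        return _keystream_xor(key, blob[:self.NONCE_LEN], blob[self.NONCE_LEN:])

    def backup(self) -> Dict[str, bytes]:
        return dict(self.rows)                # backups carry ciphertext only

    def paid_delete(self, client_id: str) -> None:
        self.rows.pop(client_id, None)        # the easy part
        self.keys.destroy(client_id)          # crypto-shred: every backup copy is now unreadable


def restore_and_read(backup: Dict[str, bytes], keys: KeyStore, client_id: str) -> Optional[bytes]:
    """Simulate restoring an old backup and trying to read one client's profile."""
    restored = ProfileStore(keys)
    restored.rows = dict(backup)
    return restored.get(client_id)
```

The point of `restore_and_read` is the after-deletion case: the ciphertext survives in the snapshot, but without the key it is just bytes. The caveat the post raises still applies to the keystore itself; if keys are replicated into ordinary backups, destroying the live copy shreds nothing.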



IN CONCLUSION

Having a nice policy statement like the one below is not enough.  If you are going to state that INDUSTRY STANDARD PRACTICES have been respected, shouldn't you actually do it?



Security
We treat data as an asset that must be protected against loss and unauthorized access. To safeguard the confidentiality and security of your PII, we use industry standard practices and technologies including but not limited to "firewalls", encrypted transmission via SSL (Secure Socket Layer) and strong data encryption of sensitive personal and/or financial information when it is stored to disk.

The take away here....
  
AshleyMadison should:

  • Have their architecture reviewed by REAL professionals
  • Have an independent third party perform security testing and have the results summary accessible for all to see (The good old put your money where your mouth is)
  • Get a new incident handling team lead that will tell them what to do, and what to say next time the shit hits the fan.
  • And for the love of whichever God they pray to, take responsibility, tell your clients the truth, and actually do something about it.
Chances are, this is what is going to happen: hire a big-reputation firm, get some auditing done, get some fixes done, get a report that says they have done something, and off they go to get more funding.  After all, they can now rely on the fact that they paid a lot of money to have a reputable firm tell them they have done what needs to be done.  Rare are the cases that actually end with the hiring of a true security professional who will write up an optimization plan for the long run and actually bring security value to the business process.

Chances are, this will be a short-term fix, unless the owners of Ashley Madison and their executives actually want to optimize security, take charge of the issue, and safeguard their CLIENTS' data.

...pause..... my phone isn't ringing... ;-)

If you think your significant other would find a brief walk through your profile mildly amusing, remember that the site also tracks details that perhaps... are harder to navigate when you get home after this breached data gets published:







_______________________________________________

Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique University in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies
www.eva-technologies.com

------------
Follow up posts of interest:
http://mashable.com/2015/07/20/ashleymadison-is-fucked/

UPDATE:   Ashley Madison is now telling the INTERNET that they have successfully used DMCA requests to take down ALL, read that again.... ALL.. of its leaked customer data from the Internet.  Wow.... what a bold statement....  
http://media.ashleymadison.com/statement-from-avid-life-media-inc-july-20-1225pm/

BLOGPOST:  Who is coaching these idiots!

