Ashley Madison Flaunts Discreet Relationships, Falls for Sloppy Security

September 11, 2015 | By Editor 

Ashley Madison built its business on a Unique Selling Proposition (USP) that is as lucrative as it is distasteful: it marketed extra-marital affairs as a form of dating. Critics objected to a service built on infidelity and wished, or predicted, that the business would not be around for long. And however unique its selling point, it turns out that Ashley Madison had nothing unique in the way of security controls protecting its website.

Ashley Madison (www.ashleymadison.com) was breached by a group calling itself "The Impact Team", which announced the intrusion on 15th July, 2015 and threatened to publish the user database unless the website was shut down immediately. When Ashley Madison did not comply, the group began releasing the stolen data on 18th August; the dumps eventually ran to some 60 gigabytes, creating huge ripples across news and social media.

How was The Impact Team able to pull off a breach of this magnitude? Information security experts who examined the leaked material say that Ashley Madison handled its secrets carelessly, with credentials hard-coded into the website's source code. For an attacker who has obtained that source, credentials lying in it are trivial to extract, and they open the door to every system those credentials protect.

The company's troubles deepened when critics such as security researcher and blogger Gabor Szathmari catalogued the specific weaknesses found in the leaked source: database credentials embedded in the code, easily accessible private keys for SSL certificates, AWS tokens, and so on.

According to Szathmari, one of the biggest blunders in Ashley Madison's source code concerned password strength, or rather password weakness. The database passwords, he claimed, were only 5 to 8 characters long and drew on just two character classes, well within reach of an offline brute-force attack once the hashes or the code were in an attacker's hands.

On the users' side, researchers who cracked a large share of the leaked password hashes found that the most common choices were '123456', 'password' and 'qwerty', the weakest entries in any cracker's wordlist.

Lessons from Ashley Madison

  • Golden Rule #1: No matter whether it protects your email or the secret account that launches a rocket to the moon, every password should be long, unique to that account, and not found in any dictionary or cracker wordlist.
  • Make an attacker's lateral movement across your network harder by never committing passwords, API keys or private keys to your website's source; load them from a secrets store or the environment at runtime instead.
  • Scan your source code repositories and wiki pages, including their history, for sensitive data such as credentials, user information and credit card numbers, and remove anything you find. A secret that was ever committed still sits in the repository history, so rotate it rather than merely deleting it.
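The last two lessons, and Szathmari's point about short, two-class database passwords, can be put into practice with a small secret scanner. The following is an added example written for this article; it is not code from the original page or from Ashley Madison. The detection patterns, the file contents and the strength thresholds (at least 12 characters and 3 character classes) are this example's own assumptions, and the "source files" it scans are constructed here to resemble the kinds of findings described above.

```python
"""Secret scanner with a credential-strength check.

Added example written for this article; it is not code from the original
page or from Ashley Madison. The detection patterns, the sample files and
the strength thresholds are this example's own assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# One hypothetical pattern per secret type the article mentions.
PATTERNS = {
    # AWS access key IDs are 20 characters and begin with "AKIA".
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # PEM header of an unencrypted private key, e.g. an SSL certificate key.
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    # user:password@host inside a connection URL; group 1 is the password.
    "db_url_password": re.compile(r"[a-z]+://[^:/@\s]+:([^@\s]+)@"),
    # password = "...", 'password' => '...', $cfg['password'] = '...'
    "password_assignment": re.compile(
        r"(?i)pass(?:word|wd)?['\"\]]*\s*(?:=>|[=:])\s*['\"]([^'\"]+)['\"]"
    ),
}
# Only these finding kinds carry a password whose strength can be graded.
PASSWORD_KINDS = {"db_url_password", "password_assignment"}


@dataclass
class Finding:
    path: str
    line_no: int
    kind: str
    secret: str
    weak: bool


def char_classes(pw: str) -> int:
    """Count the character classes (lower, upper, digit, other) present in pw."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])


def is_weak(pw: str) -> bool:
    """Flag the pattern Szathmari described: short passwords drawn from few
    character classes. The thresholds are this example's assumption."""
    return len(pw) < 12 or char_classes(pw) < 3


def scan_text(path: str, text: str) -> List[Finding]:
    """Run every pattern over every line of one file's contents."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                secret = match.group(1) if match.groups() else match.group(0)
                weak = kind in PASSWORD_KINDS and is_weak(secret)
                findings.append(Finding(path, line_no, kind, secret, weak))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of path -> file contents (a checked-out tree or wiki dump)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def report(findings: List[Finding]) -> List[str]:
    """One line per finding. The secret itself is deliberately not echoed."""
    lines = []
    for f in findings:
        flag = " [WEAK: short or too few character classes]" if f.weak else ""
        lines.append(f"{f.path}:{f.line_no}: {f.kind}{flag}")
    return lines


# Constructed sample files, not real data; they mimic the findings described.
SAMPLE_FILES = {
    "config/database.php": (
        "<?php\n"
        "$db['host'] = 'db.internal';\n"
        "$db['user'] = 'app';\n"
        "$db['password'] = 'abc12';\n"  # 5 chars, two classes: weak
        "$queue_url = 'amqp://worker:W0rker!Pass-2015@mq.internal/';\n"
    ),
    "deploy/aws.yml": (
        "access_key_id: AKIAIOSFODNN7EXAMPLE\n"  # AWS's documented example ID
        "region: us-east-1\n"
    ),
    "certs/site.key": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEowIBAAKCAQEAconstructed\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "app/Controller.php": (
        "<?php\n"
        "$user = $this->session->user;\n"  # clean file: no findings expected
    ),
}

if __name__ == "__main__":
    for line in report(scan_files(SAMPLE_FILES)):
        print(line)
```

Running the block reports four findings: a weak hard-coded database password and a connection URL carrying a (strong) password in config/database.php, an AWS access key ID in deploy/aws.yml and a private key in certs/site.key, while the controller file comes back clean. In a real repository the same functions would be fed every file in every commit, not just the working tree, because a secret that was removed in a later commit is still recoverable from history; any hit should be treated as compromised and rotated, not merely deleted.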
