Archive for Ashley Madison

#Fail: Ashley Madison Victims Get Lame Offer To Make Data Breach Issues Go Away

Posted in Commentary with tags on July 17, 2017 by itnerd

The Ashley Madison hack and data breach was a huge story in 2015. A total of 37 million people were outed as cheaters and lawsuits started to fly. Not to mention the damage to careers and relationships. Now Ruby Corp, which owns Ashley Madison, is serving up $11.8 million to make this go away. But let’s do some math here. There are 37 million victims and there’s a pot of $11.8 million in play. That works out to about $2 a person.

#Fail

Now to be fair, victims who have suffered what the company terms a “valid loss” will be eligible for a compensation payout of up to $3,500. But let’s think about this. Considering that this company’s beyond half-assed IT security literally ruined lives, these dollar amounts seem incredibly lame to me.

Seeing that, according to the press release I linked to above, a court has to sign off on this, I for one am hoping that this deal is not approved by said court and that people affected by said half-assed IT security are able to make this company pay, and pay big time. It won’t fix what happened in their lives, but it will send a message that companies of all stripes need to be completely and totally responsible for customer data or very bad things will happen to them.


Ashley Madison Serves Up $1.6 Million To Make The FTC Go Away

Posted in Commentary with tags on December 14, 2016 by itnerd

The company behind Ashley Madison, which you’ll remember got hacked in epic fashion last year, has agreed to pay a $1.6 million settlement to the U.S. Federal Trade Commission. The hack exposed account details of 36 million users, which made it one of the biggest hacks in history. But there’s more:

The agency also found that Ashley Madison had managed to attract customers, including 19 million from the U.S., partly through fake profiles of women designed to entice them into becoming paying members.

Fascinating. Now, $1.6 million doesn’t sound like a lot. And frankly it isn’t a lot. But here’s why they got off…. Sorry, poor choice of words…. with a $1.6 million settlement:

U.S. investigators initially wanted Ruby to pay $17.5 million in the settlement, but the remaining amount was suspended based on the company’s inability to pay, New York Attorney General Eric Schneiderman said in a statement.

It sounds like these guys won’t be around for much longer. I doubt they’ll be missed. On top of paying out this cash, Ruby is required to institute a comprehensive data security program to protect customers’ information. On top of that, it must also undergo third-party audits to check for compliance. But seeing as they likely will not be around for much longer, I can’t see either of those ever happening. But I am a cynic by nature. Finally, the company neither admits nor denies anything that the FTC said.

Of course, there are still numerous lawsuits floating around out there regarding this hack, so this story is far from over.

Ashley Madison Passwords Cracked….. New Lawsuits Emerge…..

Posted in Commentary with tags on September 10, 2015 by itnerd

I’ve been saying for a very long time that you should have different passwords for all your services, for the simple reason that if a service gets attacked by hackers, they only get the password for that service. The reality is that most people use variants of a single password on all their services…. If they do that much. Thus they’re wide open to having all their online services pwned by hackers. Here’s a case in point. It has now come to light that millions of Ashley Madison passwords have now been cracked. The details on how this was done can be found here. But the bottom line is that a lot of people are now going to have to change just about every password that they have to protect themselves.
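The defender-side counterpart to the point above, as an added example that is not part of the original post: once plaintexts from a third-party breach are circulating, an unrelated service can check whether any of its own users reused one of those passwords and force a reset for exactly those accounts. The credential store, salts, KDF parameters and every e-mail address and password below are constructed for the demo (hypothetical, not Ashley Madison data); the service is assumed to store salted PBKDF2-SHA256 hashes.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 50_000  # kept low for a demo; production settings use far more


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256 digest, standing in for the service's password store."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_user(password: str) -> dict:
    """Build a constructed user record with a fresh random salt (plaintext is never kept)."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


# Constructed credential store for a hypothetical, unrelated service (say, a webmail provider).
USER_STORE = {
    "alice@example.com": make_user("Summer2015!"),            # reused the leaked password
    "bob@example.com": make_user("correct-horse-battery"),    # unique password, safe
    "carol@example.com": make_user("hunter2"),                # reused the leaked password
    "dave@example.com": make_user("unrelated-secret"),        # does not appear in the leak
}

# Constructed sample of (email, cracked plaintext) pairs from a third-party breach dump.
LEAKED_CREDENTIALS = [
    ("alice@example.com", "Summer2015!"),
    ("bob@example.com", "bobs-dating-site-password"),
    ("carol@example.com", "hunter2"),
    ("erin@example.com", "not-our-customer"),
]


def find_reused_passwords(user_store: dict, leaked: list) -> list:
    """Return the sorted e-mails of our users whose stored password equals the plaintext
    leaked for that same e-mail. Matching is keyed by e-mail so each leaked entry costs one
    slow KDF computation under that user's own salt; the comparison is constant-time."""
    affected = []
    for email, leaked_plaintext in leaked:
        record = user_store.get(email)
        if record is None:
            continue  # the leaked account is not one of our users
        candidate = hash_password(leaked_plaintext, record["salt"])
        if hmac.compare_digest(candidate, record["hash"]):
            affected.append(email)
    return sorted(affected)


if __name__ == "__main__":
    for email in find_reused_passwords(USER_STORE, LEAKED_CREDENTIALS):
        print(f"force password reset and notify: {email}")
```

Keying the comparison by e-mail is what keeps this affordable: a slow, salted KDF is designed so that trying every leaked plaintext against every stored hash is prohibitively expensive, which is also why a service that stored fast unsalted hashes would get cracked en masse in the first place.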

In related news, Amazon and GoDaddy have been sued because they host websites that allow people to search for users of the site. The suit, which the people who filed it want classified as a class action, is asking for at least $3 million for receiving “stolen property” and infliction of emotional distress. I’m not sure if that’s going to fly, but good luck to them. In the same story, security blogger Brian Krebs is being threatened with a libel lawsuit because he blogged about the fact that Ashley Madison employees hacked rival websites. Krebs is sticking by his story and I don’t blame him, seeing as there’s an e-mail trail from the last data dump that backs him up on that.

Ashley Madison Claims To Have Signed Up Females To Its Site……. Yeah Right

Posted in Commentary with tags on August 31, 2015 by itnerd

Days after this look at the Ashley Madison data dump showed that almost no females frequented the site, and this look at the Ashley Madison source code showed an effort to create “bots,” or software that would pretend to be women, comes this press release with a few interesting tidbits:

Recent media reports predicting the imminent demise of Ashley Madison are greatly exaggerated. The company continues its day-to-day operations even as it deals with the theft of its private data by criminal hackers. Despite having our business and customers attacked, we are growing. This past week alone, hundreds of thousands of new users signed up for the Ashley Madison platform – including 87,596 women.

Some journalists have turned the focus of the criminal act against Ashley Madison inside out, attacking us instead of the hackers. Last week, a reporter who claimed to analyze the stolen data made incorrect assumptions about the meaning of fields contained in the leaked data. This reporter concluded that the number of active female members on Ashley Madison could be calculated based on those assumptions. That conclusion was wrong.

Last week alone, women sent more than 2.8 million messages within our platform. Furthermore, in the first half of this year the ratio of male members who paid to communicate with women on our service versus the number of female members who actively used their account (female members are not required to pay to communicate with men on Ashley Madison) was 1.2 to 1. These numbers are the main reason that Ashley Madison is the number one service for people seeking discreet relationships.

Okay. Except that anything said in this press release is unverifiable, because they are a private company that doesn’t have to produce proof about anything they say. So I take this statement with a grain of salt. Besides, if Ashley Madison did have fake women on the site and an army of “bots” to make it look like there were women on the site, that would be fraud on a massive scale. And the last time I checked, fraud was illegal. Thus the need to make some sort of statement to introduce some degree of uncertainty. What makes this plausible is the fact that this leaked e-mail from the last Ashley Madison data dump shows how much money they were making off of “bots.”

It looks to me like Ashley Madison is circling the drain at the moment.

BREAKING: Ashley Madison Gets Sued…. Again

Posted in Commentary with tags on August 25, 2015 by itnerd

Things are going from bad to worse for Ashley Madison. Their parent company, Avid Life Media, is being sued in the US and the dollar figure is massive. Here’s the info on the four lawsuits filed in the US:

At least five lawsuits seeking class-action status have been filed over the hack of cheat-on-your-spouse website Ashley Madison, seeking more than a half-billion dollars, according to North American court records.

Four federal suits had been filed in the United States as of Monday, all of them obtained by NBC News — two in California, one in Texas and one in Missouri. All allege breach of contract, negligence and violation of various state and privacy laws by Ashley Madison and Avid Life Media LLC., its Canadian parent company.

None of the suits has yet been certified as a class action covering the reported 37 million members of Ashley Madison, whom they characterize as having suffered humiliation and harassment over the reported publication of delicate personal information — including credit card data and, in some cases, photos and sexual fantasies — by hackers calling themselves Impact Team.

This is in addition to the lawsuit filed last week in Canada. The lawsuits are asking for $5 million for each person who is part of the lawsuits. Thus this could potentially be half a billion dollars or more if class action status is granted. Not good news if you are Avid Life Media. The only way this could get worse for them is if various state and federal agencies start filing criminal charges against them. Something that may in fact be on the way given the amount of attention that this event has received.

Ashley Madison E-Mail Dump Shows Evidence That Competitors Were Hacked by Them

Posted in Commentary with tags on August 24, 2015 by itnerd

Here’s an interesting twist. In the last two dumps of data were e-mails that may prove to be incriminating. Brian Krebs on his blog has reported that there’s evidence to suggest that Ashley Madison’s competitors were hacked by Ashley Madison:

A review of those missives shows that on at least one occasion, a former company executive hacked another dating website, exfiltrating their entire user database. On Nov. 30, 2012, Raja Bhatia, the founding chief technology officer of AshleyMadison.com, sent a message to Biderman notifying his boss of a security hole discovered in nerve.com, an American online magazine dedicated to sexual topics, relationships and culture.

At the time, nerve.com was experimenting with its own adult dating section, and Bhatia said he’d uncovered a way to download and manipulate the nerve.com user database.

“They did a very lousy job building their platform. I got their entire user base,” Bhatia told Biderman via email, including in the message a link to a Github archive with a sample of the database. “Also, I can turn any non paying user into a paying user, vice versa, compose messages between users, check unread stats, etc.”

Now this doesn’t exactly cast this company in the most positive light. Thus you can expect that a lot of questions will be asked about this topic over the coming days.

Speaking of vulnerabilities, it seems that Ashley Madison were aware of theirs:

Interestingly, less than a month before that episode, AshleyMadison executives seemed very keen on completing a series of internal security assessments, audits and security awareness training exercises for employees.

“Given our open registration policy and recent high profile exploits, every security consultant and their extended family will be trying to trump up business,” wrote Ashley Madison employee Mark Steele to Biderman in an email dated May 25, 2015. “Our codebase has many (riddled?) XSS/CRSF vulnerabilities which are relatively easy to find (for a security researcher), and somewhat difficult to exploit in the wild (requires phishing). Other vulnerabilities would be things like SQL injection/data leaks, which would be much more damaging” [links added].

Lovely. I’m sure the lawyers behind the class action lawsuit will be interested in this information.

The rest of this blog entry by Krebs is interesting. I encourage you to read it as it sheds new light on what goes on at Ashley Madison.

A Third Dump Of Ashley Madison Data Has Taken Place

Posted in Commentary with tags on August 22, 2015 by itnerd

Clearly the “Impact Team” are out for the kill, as a third dump of data took place late yesterday. According to Motherboard, this dump is to make up for the fact that the second dump of data, which contained e-mails associated with ALM CEO Noel Biderman, was corrupt. As for future dumps, the hackers said this:

The Impact Team, the hackers who are releasing the data and claiming responsibility for the breach, gave an update: “No guarantees on further dumps. But this 7z is corrupted so maybe another noel email dump. 40GB uncompressed.”

You can bet that Biderman is not at all thrilled at that prospect.

Extortion Attempts Targeting Ashley Madison Users Have Begun

Posted in Commentary with tags on August 21, 2015 by itnerd

It was only a matter of time before extortion artists started targeting those who used Ashley Madison. Security expert Brian Krebs broke this story on his blog. Here are some details:

According to security firms and to a review of several emails shared with this author, extortionists already see easy pickings in the leaked AshleyMadison user database.

Earlier today I heard from Rick Romero, the information technology manager at VF IT Services, an email provider based in Milwaukee. Romero said he’s been building spam filters to block outgoing extortion attempts against others from rogue users of his email service. 

Lovely. The letters say that the recipient’s activities on Ashley Madison will be outed to their spouse if they don’t pay up. Here’s the kicker: they want to be paid in Bitcoin. That makes them somewhat untraceable. I have to admit that if it weren’t a crime, I’d be impressed. But as it is, the damage that the Hacking Team has unleashed upon the world has begun.

BREAKING: Ashley Madison Gets Sued [UPDATED]

Posted in Commentary with tags on August 20, 2015 by itnerd

Things just went from bad to worse for Ashley Madison. After today’s latest massive data dump comes the news that Ashley Madison is facing a class action lawsuit:

Two law firms have filed a national class-action lawsuit on behalf of all Canadians who subscribed to AshleyMadison.com. 

The action is being brought against Avid Dating Life Inc. and Avid Life Media Inc., the corporations that run the infidelity website.

The plaintiff in the lawsuit is Eliot Shore, an Ottawa resident and disabled widower who became single after his wife of 30 years died of breast cancer. He joined the site, but did not meet another subscriber in person, the law firms say.

The class action, led by firms Charney Lawyers and Sutts, Strosberg LLP, is not being brought against the Impact Team hackers who attacked AshleyMadison.com.

The law firms have a joint press release for you to read, located here. Since this is a class action lawsuit, those affected can join the class and make life really miserable for Ashley Madison. You’ll note that the so-called “Impact Team” aren’t being sued. That’s likely because the lawyers feel that the only people responsible for this mess are the people who run Ashley Madison.

Expect more lawsuits to come.

UPDATE: The Lawyers behind this lawsuit have a website set up here.

Hey IT Nerd! How Do I Check If I Was Part Of The Ashley Madison Hack? [UPDATED x3]

Posted in Commentary with tags on August 19, 2015 by itnerd

I got 24…. Yes, 24 questions from people (for the record, some male, some female) asking how to check whether they were part of the Ashley Madison hack. Most came minutes after I posted this story on the huge data dump that happened last night. Now, I’ll just say up front that what you do is your own business and I don’t care if you were cheating or not. Which makes it very easy for me to recommend an ethical means to find out if you were part of this hack.

What I would do is sign up for a site called haveibeenpwned.com using the e-mail address that you used on Ashley Madison. You’ll get a confirmation e-mail, and you’ll know right away if you are part of this or not. Here’s why I am recommending this site, via a blog post by Troy Hunt, who operates the site:

I don’t believe it’s responsible to make all the AM accounts discoverable by anyone. Yes, they will be through various other routes anyway, but I’m not prepared for HIBP to be the avenue through which a wife discovers her husband is cheating or something even worse happens

And:

There are other ways of handling this so that those who need to know can find out. What they then do with the data is up to them, of course, but there won’t be a construct on HIBP where someone’s spouse or kids or co-workers can randomly pull records.

This to me seems like a very rational and sensitive way of dealing with this. I applaud Mr. Hunt for taking this approach. People’s lives are likely to be impacted, if not ruined, by this, as this is not just a hack, it is a massive invasion of privacy. The Impact Team might have had some sort of “beef” with the people who run Ashley Madison, but this is not the way they should have dealt with it. Sure, their actions have likely killed this company once and for all, but they’ve done untold amounts of damage too. I hope they can sleep at night.

UPDATE: Another option is CheckAshleyMadison.com, which will tell you if a phone number or e-mail address is in the leaked database without revealing any personal info.

UPDATE #2: CheckAshleyMadison.com has been served with a DMCA takedown notice by Ashley Madison’s legal team. Thus your best outlet at present is haveibeenpwned.com. Another option is https://ashley.cynic.al. At least for now, as I expect those sites to be served with takedown notices by Ashley Madison’s legal team, who are clearly interested in covering up their craptastic IT security as quickly as possible.

UPDATE #3: Another option is allaboutashley.cr, which appears to be hosted out of Costa Rica, likely to avoid a DMCA takedown notice. If you serve up an e-mail address that was used on the site, it will give you information on user names, addresses, profile taglines and what payments they have made. I suspect that this is aimed at spouses looking for dirt on their significant others.