Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Ashley Madison :
Lessons (to be) Learned
Per Thorsheim
Security Adviser
@thorsheim
Article 12:
“No one shall be subjected to arbitrary interference with
his privacy, family, home or correspondence, nor to
...
About Ashley Madison
Ashley Madison hacked
July 15
The threat
Data Dumps Online
Number of traveling man purchases.docx
SQL queries to investigate high-travel user's purchases.
q2 2013 summary compensati...
TL;DR :
• The leak contains lots of source code (nearly
3M lines of code according to sloccount)
• 73 different git reposi...
Media
9,000+ articles – and counting….
Password analysis
123456
password
12345
qwerty
12345678
ashley
baseball
abc123
696969
111111
football
fuckyou
madison
asshole
superman
fuckm...
Statements from Avid Life Media
We immediately launched a thorough investigation
We apologize
No company’s online assets are safe from cyber-vandalism
Des...
#2, July 20, 2015
Using the Digital Millennium Copyright Act (DMCA), our team has now successfully
removed the posts relat...
August 18, 2015
No current or past members’ full credit card numbers were stolen
from Avid Life Media. Any statements to t...
Effective today, Noel Biderman, in mutual agreement with the
company, is stepping down as Chief Executive Officer of Avid ...
CEO
Search sites
Scams
Suicide
Two individuals associated with the leak of
Ashley Madison customer details are reported
to have taken their lives, accord...
Hunting Hackers
«If they only did as we ….»
Oh, really?
No HTTPS =
No Security
No Privacy
Account enumeration =
Security design weakness
Profiteering
http://www.troyhunt.com/2015/08/heres-what-ashley-madison-members-have.html
Questions for Ashley Madison
Current Terms and Services @ Ashley Madison (September 2015):
However, in the terms and services of the site, it explicitl...
February 2015: Terms and Services @ Ashley Madison:
“The profiles we create are not intended to resemble or mimic any actu...
1. How many actual users did it have?
2. Did it make fake accounts?
3. Was it aware of prostitution on the site?
4. It pro...
The Law
is changing for the better.
37 565 000
Over 42 195 000 anonymous members!
¯_(ツ)_/¯
Article 12:
“No one shall be subjected to arbitrary interference with
his privacy, family, home or correspondence, nor to
...
PasswordsCon.org
University of Cambridge, December 7-9, 2015
per@godpraksis.no
www.godpraksis.no
+47 90 99 92 59
@thorsheim
QA Fest 2015. Per Thorsheim. Lessons learned: When the worlds largest dating site got hacked
QA Fest 2015. Per Thorsheim. Lessons learned: When the worlds largest dating site got hacked
QA Fest 2015. Per Thorsheim. Lessons learned: When the worlds largest dating site got hacked
QA Fest 2015. Per Thorsheim. Lessons learned: When the worlds largest dating site got hacked
QA Fest 2015. Per Thorsheim. Lessons learned: When the worlds largest dating site got hacked
QA Fest 2015. Per Thorsheim. Lessons learned: When the worlds largest dating site got hacked
QA Fest 2015. Per Thorsheim. Lessons learned: When the worlds largest dating site got hacked
QA Fest 2015. Per Thorsheim. Lessons learned: When the worlds largest dating site got hacked
QA Fest 2015. Per Thorsheim. Lessons learned: When the worlds largest dating site got hacked
QA Fest 2015. Per Thorsheim. Lessons learned: When the worlds largest dating site got hacked
QA Fest 2015. Per Thorsheim. Lessons learned: When the worlds largest dating site got hacked
QA Fest 2015. Per Thorsheim. Lessons learned: When the worlds largest dating site got hacked
QA Fest 2015. Per Thorsheim. Lessons learned: When the worlds largest dating site got hacked
QA Fest 2015. Per Thorsheim. Lessons learned: When the worlds largest dating site got hacked
QA Fest 2015. Per Thorsheim. Lessons learned: When the worlds largest dating site got hacked
QA Fest 2015. Per Thorsheim. Lessons learned: When the worlds largest dating site got hacked
QA Fest 2015. Per Thorsheim. Lessons learned: When the worlds largest dating site got hacked
QA Fest 2015. Per Thorsheim. Lessons learned: When the worlds largest dating site got hacked
QA Fest 2015. Per Thorsheim. Lessons learned: When the worlds largest dating site got hacked
QA Fest 2015. Per Thorsheim. Lessons learned: When the worlds largest dating site got hacked
QA Fest 2015. Per Thorsheim. Lessons learned: When the worlds largest dating site got hacked
QA Fest 2015. Per Thorsheim. Lessons learned: When the worlds largest dating site got hacked
QA Fest 2015. Per Thorsheim. Lessons learned: When the worlds largest dating site got hacked
QA Fest 2015. Per Thorsheim. Lessons learned: When the worlds largest dating site got hacked
QA Fest 2015. Per Thorsheim. Lessons learned: When the worlds largest dating site got hacked
QA Fest 2015. Per Thorsheim. Lessons learned: When the worlds largest dating site got hacked
QA Fest 2015. Per Thorsheim. Lessons learned: When the worlds largest dating site got hacked
QA Fest 2015. Per Thorsheim. Lessons learned: When the worlds largest dating site got hacked
QA Fest 2015. Per Thorsheim. Lessons learned: When the worlds largest dating site got hacked
QA Fest 2015. Per Thorsheim. Lessons learned: When the worlds largest dating site got hacked
QA Fest 2015. Per Thorsheim. Lessons learned: When the worlds largest dating site got hacked
QA Fest 2015. Per Thorsheim. Lessons learned: When the worlds largest dating site got hacked
QA Fest 2015. Per Thorsheim. Lessons learned: When the worlds largest dating site got hacked
QA Fest 2015. Per Thorsheim. Lessons learned: When the worlds largest dating site got hacked
QA Fest 2015. Per Thorsheim. Lessons learned: When the worlds largest dating site got hacked
Upcoming SlideShare
Loading in …5
×

QA Fest 2015. Per Thorsheim. Lessons learned: When the worlds largest dating site got hacked

429 views

Published on

Ashley Madison, the adultery-promoting dating site got hacked in july 2015. More than 30 million users had their most intimate details exposed when hackers released their data in August 2015, after the service owners refused to close down business.
As the biggest public breach of of sensitive personal information ever, there are many lessons to be learned in terms of data protection, hacktivism, crisis management, business continuity, and ʺquality of serviceʺ, so to speak. This talk will explain what happened, lessons learned and practical tips on how to avoid making the same mistakes.

Published in: Education
  • Be the first to comment

QA Fest 2015. Per Thorsheim. Lessons learned: When the worlds largest dating site got hacked

  1. 1. Ashley Madison : Lessons (to be) Learned Per Thorsheim Security Adviser @thorsheim
  2. 2. Article 12: “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.” The Universal Declaration of Human Rights, United Nations
  3. 3. About Ashley Madison
  4. 4. Ashley Madison hacked
  5. 5. July 15
  6. 6. The threat
  7. 7. Data Dumps Online
  8. 8. Number of traveling man purchases.docx SQL queries to investigate high-travel user's purchases. q2 2013 summary compensation detail_managerinput_trevor-s team.xlsx Per-employee compensation listings. AVIDLIFEMEDIA (primary corporate domain) user information and hashes.txt Noel's loan agreement.pdf A promissory note for the CEO to pay back ~3MM in Canadian monies. Areas of concern - customer data.docx Appears to be a risk profile of the major security concerns that ALM has regarding their customer's data. And yes, a major user data dump is on the list of concerns. A listing of all ALM associated bank account numbers and the biz which owns them. Rev by traffic source rebill broken out.docx Rebill Success Rate Queries.docx Copies of Option Agreements.pdf All agreements for what appears all of the company's outstanding options. paypal accounts.xlsx Various user/passes for ALM paypal accounts (16 in total) ARPU and ARPPU.docx A listing of SQL commands which provide revenue and other macro financial health info.
  9. 9. TL;DR : • The leak contains lots of source code (nearly 3M lines of code according to sloccount) • 73 different git repositories are present • Ashley Madison used gitlab internally • The 13GB compressed file which could contain AM CEO’s emails seems corrupted. Is it a fake one? • The leak contains plain text or poorly hashed (md5) db credentials
  10. 10. Media
  11. 11. 9,000+ articles – and counting….
  12. 12. Password analysis
  13. 13. 123456 password 12345 qwerty 12345678 ashley baseball abc123 696969 111111 football fuckyou madison asshole superman fuckme hockey 123456789 hunter harley 202 105 99 32 31 28 27 27 23 21 20 20 20 19 19 19 19 19 18 18 Passwords found
  14. 14. Statements from Avid Life Media
  15. 15. We immediately launched a thorough investigation We apologize No company’s online assets are safe from cyber-vandalism Despite investing in the latest privacy and security technologies. We have always had the confidentiality of our customers’ information foremost in our minds We have been able to secure our sites, and close the unauthorized access points. July 20, 2015
  16. 16. #2, July 20, 2015 Using the Digital Millennium Copyright Act (DMCA), our team has now successfully removed the posts related to this incident as well as all Personally Identifiable Information (PII) about our users published online. We have always had the confidentiality of our customers’ information foremost in our minds and are pleased that the provisions included in the DMCA have been effective in addressing this matter.
  17. 17. August 18, 2015 No current or past members’ full credit card numbers were stolen from Avid Life Media. Any statements to the contrary are false. Avid Life Media has never stored members’ full credit card numbers. …. BUT ALL OUR MEMBERS MOST INTIMATE SEXUAL PREFERENCES ARE FULLY AVAILABLE ONLINE FOR FREE, FOR ANYONE TO READ!
  18. 18. Effective today, Noel Biderman, in mutual agreement with the company, is stepping down as Chief Executive Officer of Avid Life Media Inc. (ALM) and is no longer with the company. August 28, 2015
  19. 19. CEO
  20. 20. Search sites
  21. 21. Scams
  22. 22. Suicide
  23. 23. Two individuals associated with the leak of Ashley Madison customer details are reported to have taken their lives, according to police in Canada. Ashley Madison's Canadian parent company Avid Life Media is offering a C$500,000 (£240,000) reward for information on the hackers, they added. Police have set up a Twitter account, @AMCaseTPS, and hashtag, #AMCaseTPS, in a bid to gather information about the hack from members of the public.
  24. 24. Hunting Hackers
  25. 25. «If they only did as we ….» Oh, really?
  26. 26. No HTTPS = No Security No Privacy
  27. 27. Account enumeration = Security design weakness
  28. 28. Profiteering
  29. 29. http://www.troyhunt.com/2015/08/heres-what-ashley-madison-members-have.html
  30. 30. Questions for Ashley Madison
  31. 31. Current Terms and Services @ Ashley Madison (September 2015): However, in the terms and services of the site, it explicitly warns would- be cheaters that many users of the site subscribe “for purely entertainment purposes”. It continues: “You acknowledge and agree that any profiles of users and Members, as well as, communications from such persons may not be true, accurate or authentic and may be exaggerated or based on fantasy. You acknowledge and understand that you may be communicating with such persons and that we are not responsible for such communications.”
  32. 32. February 2015: Terms and Services @ Ashley Madison: “The profiles we create are not intended to resemble or mimic any actual persons. We may create several different profiles that we attach to a given picture. You understand and acknowledge that we create these profiles and that these profiles are not based on or associated with any user or Member of our Service or any other real person. You also acknowledge and agree that the descriptions, pictures and information included in such profiles are provided primarily for your amusement and to assist you navigate and learn about our Site. As part of this feature, the profiles may offer, initiate or send winks, private keys, and virtual gifts. Any one of these profiles may message with multiple users at the same or substantially the same times just like our users. Our profiles message with Guest users, but not with Members. Members interact only with profiles of actual persons. Guests are contacted by our profiles through computer generated messages, including emails and instant messages. These profiles are NOT conspicuously identified as such.”
  33. 33. 1. How many actual users did it have? 2. Did it make fake accounts? 3. Was it aware of prostitution on the site? 4. It promised security to its customers. What did it do to ensure this? 5. Its CEO said the leak was an inside job. What made him think that? Has he changed his mind? 6. Why did the «full delete» not fully delete a customer’s profile? Why did it keep location information for a fully deleted account? 7. Given it took card payments for a full delete, why didn’t it make clear that payment information has to be retained? 8. Why didn’t it disclose the hack to customers as soon as it happened? Why did they have to find out from the press? 9. Why did it make a specific, narrow denial about storing card numbers? 10. Why is it still implying the leak is not real?
  34. 34. The Law is changing for the better.
  35. 35. 37 565 000
  36. 36. Over 42 195 000 anonymous members!
  37. 37. ¯_(ツ)_/¯
  38. 38. Article 12: “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks – even members of Ashley Madison.” The Universal Declaration of Human Rights, United Nations
  39. 39. PasswordsCon.org University of Cambridge, December 7-9, 2015
  40. 40. per@godpraksis.no www.godpraksis.no +47 90 99 92 59 @thorsheim

×