QA Fest 2015. Per Thorsheim. Lessons learned: When the world's largest dating site got hacked

Nov. 9, 2015

  1. Ashley Madison: Lessons (to be) Learned. Per Thorsheim, Security Adviser, @thorsheim
  2. Article 12: “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.” The Universal Declaration of Human Rights, United Nations
  3. About Ashley Madison
  4. Ashley Madison hacked
  5. July 15
  6. The threat
  7. Data Dumps Online
  8. • Number of traveling man purchases.docx: SQL queries to investigate high-travel user's purchases.
     • q2 2013 summary compensation detail_managerinput_trevor-s team.xlsx: Per-employee compensation listings.
     • AVIDLIFEMEDIA (primary corporate domain) user information and hashes.txt
     • Noel's loan agreement.pdf: A promissory note for the CEO to pay back ~3MM in Canadian monies.
     • Areas of concern - customer data.docx: Appears to be a risk profile of the major security concerns that ALM has regarding their customer's data. And yes, a major user data dump is on the list of concerns.
     • A listing of all ALM associated bank account numbers and the biz which owns them.
     • Rev by traffic source rebill broken out.docx
     • Rebill Success Rate Queries.docx
     • Copies of Option Agreements.pdf: All agreements for what appears all of the company's outstanding options.
     • paypal accounts.xlsx: Various user/passes for ALM paypal accounts (16 in total)
     • ARPU and ARPPU.docx: A listing of SQL commands which provide revenue and other macro financial health info.
  9. TL;DR:
     • The leak contains lots of source code (nearly 3M lines of code according to sloccount)
     • 73 different git repositories are present
     • Ashley Madison used gitlab internally
     • The 13GB compressed file which could contain AM CEO's emails seems corrupted. Is it a fake one?
     • The leak contains plain text or poorly hashed (md5) db credentials
  10. Media
  11. 9,000+ articles – and counting….
  12. Password analysis
  13. Passwords found (password, count):
      123456       202
      password     105
      12345         99
      qwerty        32
      12345678      31
      ashley        28
      baseball      27
      abc123        27
      696969        23
      111111        21
      football      20
      fuckyou       20
      madison       20
      asshole       19
      superman      19
      fuckme        19
      hockey        19
      123456789     19
      hunter        18
      harley        18
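A worked example, added here and not part of the original slides or of any Ashley Madison code, of the analysis behind a slide like the one above and of the check a site should derive from it: rank cracked passwords by frequency, measure how many embed the site's own name (note "ashley" and "madison" in the list above), and reject new passwords that are on a breach-derived deny list or contain the site name. The sample password list is constructed for the demo; the deny list is a subset of the slide's top 20.

```python
from collections import Counter

# Constructed sample of cracked plaintext passwords, standing in for the
# output of a cracking run. Not data from the real dump.
SAMPLE_CRACKED = (
    ["123456"] * 8 + ["password"] * 5 + ["ashley"] * 3 + ["madison"] * 2
    + ["qwerty"] * 2
    + ["Hunter2", "correct horse battery staple", "ashleymadison1"]
)

# Words tied to the site itself: anyone who knows where a hash came from
# will try these first.
SITE_TERMS = ("ashley", "madison")

# Breach-derived deny list: a subset of the top-20 passwords on the slide.
DENYLIST = frozenset({
    "123456", "password", "12345", "qwerty", "12345678", "ashley",
    "baseball", "abc123", "696969", "111111", "football", "madison",
    "superman", "hockey", "123456789", "hunter", "harley",
})


def top_passwords(passwords, n=5):
    """Most common passwords as (password, count, percent of total)."""
    total = len(passwords)
    counts = Counter(passwords)
    return [(pw, c, round(100.0 * c / total, 1)) for pw, c in counts.most_common(n)]


def contains_site_term(password, terms=SITE_TERMS):
    """True if the password embeds the site's own name (case-insensitive)."""
    lowered = password.lower()
    return any(term in lowered for term in terms)


def site_term_share(passwords, terms=SITE_TERMS):
    """How many passwords, and what percentage, embed a site term."""
    hits = sum(1 for pw in passwords if contains_site_term(pw, terms))
    return hits, round(100.0 * hits / len(passwords), 1)


def is_acceptable(password, denylist=DENYLIST, terms=SITE_TERMS, min_len=12):
    """Registration-time check: reject deny-listed passwords, passwords that
    embed the site name, and short passwords. Returns (ok, reason)."""
    if password.lower() in denylist:
        return False, "on deny list"
    if contains_site_term(password, terms):
        return False, "contains site name"
    if len(password) < min_len:
        return False, "too short"
    return True, "ok"


if __name__ == "__main__":
    for pw, count, pct in top_passwords(SAMPLE_CRACKED):
        print(f"{pw:<30} {count:>3} {pct:>5}%")
    print("passwords embedding the site name:", site_term_share(SAMPLE_CRACKED))
    for candidate in ("123456", "MyAshleyAccount2015!", "correct horse battery staple"):
        print(candidate, "->", is_acceptable(candidate))
```

In practice the deny list would be the full cracked top-N (or a public breach corpus), the site-term list would include the brand, product and domain names, and the check runs at registration and password change; the share of passwords containing the site name is the number to watch after a breach, since those passwords are guessable from the hash's origin alone.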
  14. Statements from Avid Life Media
  15. July 20, 2015:
      • We immediately launched a thorough investigation
      • We apologize
      • No company's online assets are safe from cyber-vandalism
      • Despite investing in the latest privacy and security technologies.
      • We have always had the confidentiality of our customers' information foremost in our minds
      • We have been able to secure our sites, and close the unauthorized access points.
  16. #2, July 20, 2015 Using the Digital Millennium Copyright Act (DMCA), our team has now successfully removed the posts related to this incident as well as all Personally Identifiable Information (PII) about our users published online. We have always had the confidentiality of our customers’ information foremost in our minds and are pleased that the provisions included in the DMCA have been effective in addressing this matter.
  17. August 18, 2015: No current or past members' full credit card numbers were stolen from Avid Life Media. Any statements to the contrary are false. Avid Life Media has never stored members' full credit card numbers.
      … BUT ALL OUR MEMBERS' MOST INTIMATE SEXUAL PREFERENCES ARE FULLY AVAILABLE ONLINE FOR FREE, FOR ANYONE TO READ!
  18. Effective today, Noel Biderman, in mutual agreement with the company, is stepping down as Chief Executive Officer of Avid Life Media Inc. (ALM) and is no longer with the company. August 28, 2015
  19. CEO
  20. Search sites
  21. Scams
  22. Suicide
  23. Two individuals associated with the leak of Ashley Madison customer details are reported to have taken their lives, according to police in Canada. Ashley Madison's Canadian parent company Avid Life Media is offering a C$500,000 (£240,000) reward for information on the hackers, they added. Police have set up a Twitter account, @AMCaseTPS, and hashtag, #AMCaseTPS, in a bid to gather information about the hack from members of the public.
  24. Hunting Hackers
  25. «If they only did as we ….» Oh, really?
  26. No HTTPS = No Security No Privacy
  27. Account enumeration = Security design weakness
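An added example, written for this page and not taken from the slides or from any Ashley Madison code, of the design weakness named on the slide above and its fix. The vulnerable login and password-reset handlers answer differently for registered and unregistered addresses, so anyone with a harvested email list can confirm membership without a breach. The hardened handlers return one fixed status and body either way, and the login path verifies a dummy credential for absent users so the two paths cost the same. The user store, addresses and passwords are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Work factor kept low so the demo runs quickly; production would use far
# more iterations or a memory-hard hash.
ITERATIONS = 10_000


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed single-user store for the demo; not data from any real site.
_ALICE_SALT = secrets.token_bytes(16)
USERS = {
    "alice@example.com": {
        "salt": _ALICE_SALT,
        "hash": _hash("correct horse battery staple", _ALICE_SALT),
    }
}

# Dummy credential verified when the account does not exist, so the
# absent-user path performs the same hash computation as the present-user path.
_DUMMY_SALT = bytes(16)
_DUMMY_HASH = _hash(secrets.token_urlsafe(16), _DUMMY_SALT)

UNIFORM_LOGIN = (401, "Invalid email or password")
UNIFORM_RESET = (200, "If an account exists for that address, a reset link has been sent")


# --- Vulnerable: the response itself says whether the account exists ---
def login_vulnerable(email, password):
    record = USERS.get(email)
    if record is None:
        return 404, "No such user"
    if hmac.compare_digest(_hash(password, record["salt"]), record["hash"]):
        return 200, "ok"
    return 401, "Wrong password"


def reset_vulnerable(email):
    if email in USERS:
        return 200, "Reset link sent"
    return 404, "No account with that email"


# --- Hardened: identical status and body for present and absent accounts ---
def login_hardened(email, password):
    record = USERS.get(email)
    salt = record["salt"] if record else _DUMMY_SALT
    stored = record["hash"] if record else _DUMMY_HASH
    # Always hash and compare, then discard the result for absent users.
    matched = hmac.compare_digest(_hash(password, salt), stored)
    if record is None or not matched:
        return UNIFORM_LOGIN
    return 200, "ok"


def reset_hardened(email, outbox):
    """Same response either way; the reset mail goes out of band
    (outbox stands in for an asynchronous mail queue)."""
    if email in USERS:
        outbox.append((email, secrets.token_urlsafe(32)))
    return UNIFORM_RESET


def enumeration_oracle(handler, known_absent, candidates):
    """What an attacker does with a harvested address list: probe each
    address and report those whose response differs from a known-absent one."""
    baseline = handler(known_absent)
    return [c for c in candidates if handler(c) != baseline]


if __name__ == "__main__":
    probes = ["alice@example.com", "bob@example.com"]
    absent = "nobody@example.com"
    print("vulnerable reset leaks:", enumeration_oracle(reset_vulnerable, absent, probes))
    print("vulnerable login leaks:", enumeration_oracle(lambda e: login_vulnerable(e, "x"), absent, probes))
    print("hardened reset leaks:", enumeration_oracle(lambda e: reset_hardened(e, []), absent, probes))
    print("hardened login leaks:", enumeration_oracle(lambda e: login_hardened(e, "x"), absent, probes))
```

The oracle only compares status and body; a real check also times the responses, which is why the hardened login hashes a dummy credential for unknown addresses and why the reset handler must queue the mail rather than send it inline. Registration is the third place to apply the same rule: "an email has been sent to that address" whether or not it was already taken.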
  28. Profiteering
  29. http://www.troyhunt.com/2015/08/heres-what-ashley-madison-members-have.html
  30. Questions for Ashley Madison
  31. Current Terms and Services @ Ashley Madison (September 2015): However, in the terms and services of the site, it explicitly warns would-be cheaters that many users of the site subscribe “for purely entertainment purposes”. It continues: “You acknowledge and agree that any profiles of users and Members, as well as, communications from such persons may not be true, accurate or authentic and may be exaggerated or based on fantasy. You acknowledge and understand that you may be communicating with such persons and that we are not responsible for such communications.”
  32. February 2015: Terms and Services @ Ashley Madison: “The profiles we create are not intended to resemble or mimic any actual persons. We may create several different profiles that we attach to a given picture. You understand and acknowledge that we create these profiles and that these profiles are not based on or associated with any user or Member of our Service or any other real person. You also acknowledge and agree that the descriptions, pictures and information included in such profiles are provided primarily for your amusement and to assist you navigate and learn about our Site. As part of this feature, the profiles may offer, initiate or send winks, private keys, and virtual gifts. Any one of these profiles may message with multiple users at the same or substantially the same times just like our users. Our profiles message with Guest users, but not with Members. Members interact only with profiles of actual persons. Guests are contacted by our profiles through computer generated messages, including emails and instant messages. These profiles are NOT conspicuously identified as such.”
  33. 1. How many actual users did it have?
      2. Did it make fake accounts?
      3. Was it aware of prostitution on the site?
      4. It promised security to its customers. What did it do to ensure this?
      5. Its CEO said the leak was an inside job. What made him think that? Has he changed his mind?
      6. Why did the «full delete» not fully delete a customer's profile? Why did it keep location information for a fully deleted account?
      7. Given it took card payments for a full delete, why didn't it make clear that payment information has to be retained?
      8. Why didn't it disclose the hack to customers as soon as it happened? Why did they have to find out from the press?
      9. Why did it make a specific, narrow denial about storing card numbers?
      10. Why is it still implying the leak is not real?
  34. The Law is changing for the better.
  35. 37 565 000
  36. Over 42 195 000 anonymous members!
  37. ¯\_(ツ)_/¯
  38. Article 12: “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks – even members of Ashley Madison.” The Universal Declaration of Human Rights, United Nations
  39. PasswordsCon.org University of Cambridge, December 7-9, 2015
  40. per@godpraksis.no www.godpraksis.no +47 90 99 92 59 @thorsheim