Adam Englander, profile picture
Uploaded byAdam Englander
PPTX, PDF1,101 views

Ashley Madison - Lessons Learned

The Ashley Madison hack revealed major security issues that compromised millions of users' personal data. Hackers were able to access Ashley Madison's entire network over several years, collecting database, email, code, and other files. They were ultimately able to crack passwords due to the site storing an MD5 hash of usernames and unhashed passwords. The hack demonstrated the importance of securely storing and handling sensitive user data, using strong password hashing, encrypting data at rest and in motion, and carefully monitoring networks for intrusions.

Embed presentation

Download to read offline
Ashley Madison Lessons Learned Security lessons learned from the most famous PHP site ever to be hacked
Who Am I? • Director of Engineering at LaunchKey • Founder/Co-Organizer of Las Vegas PHP UG • Co-Organizer of Las Vegas Developer UG • National Junior Basketball Coach
What is LaunchKey • Security as a Service Provider • Anonymous distributed password-free multi- factor authentication and authorization platform • PHP SDK • WordPress Plugin • Drupal Plugin
What is Ashley Madison • Online Community with over 40 million members • Targets married men looking for an affair • Offers a “paid delete” option to remove all of a members data for a price
What Happened • The network containing the Ashley Madison Site was breached • Hackers claimed to have data they would release and gave a shutdown or else choice • Ashley Madison refused saying the hackers claims were not possible • Hackers release 30 GB of data
What Was Released • Names, email addresses, personal details, GPS coordinates and passwords of users • Executive emails • Website source code • Credit card transaction details and limited credit card numbers
How Did It Happen • Hackers claimed “You could use Pass1234 from the internet to VPN to root on all servers” • Once inside, the hackers spent years collecting data from inside the network • Collected file, database, email, and chat data right off of the network • Had full access to version control software for website code
How Could It Happen? • Even security conscious companies aren’t very good at it • Security is rarely at the forefront of decisions related policies and procedures • Most do only what is necessary to comply with regulation • Data inside the network itself is rarely secured
What About PHP? • Site used PHP 5.5+ based password hashing • Most password crackers gave up after trying common passwords. Common passwords accounted for approximately 0.1% • Password scheme was too costly to bother as passwords would be reset before they were cracked.
But The Passwords Were Cracked • Site used its own algorithm for a “login key” that was simply an MD5 of the username and un-hashed password. • Code was updated but not the database • 11.7 million passwords were cracked using this vulnerability
Why Was It Such A Big Deal • Passwords were cracked after password resets • 68% of individuals in a LaunchKey password survey say they share the same password with multiple sites • Many users have the same email address password as other websites • Once hackers have your email, the rest comes with it
What Did We Learn Not To Do • Do not store passwords • Do not assume that the network is secure • Do no assume that the database is secure • Do not roll your own crypto
What Did We Learn To Do • Protect user data like it was your own • Hash data that does not need to be read • Use PHP Password Hashing to hash data • Encrypt data at rest, especially PII • Encrypt data in motion • Use honeypots to detect intruders
Further Reading • The Impact Team Interview: http://motherboard.vice.com/read/ashley- madison-hackers-speak-out-nobody-was- watching • CynoSure Prime Password Crack Explanation: http://cynosureprime.blogspot.com/2015/09/ how-we-cracked-millions-of-ashley.html • LaunchKey Password Survey: https://blog.launchkey.com/passwords- survey.html
Further Reading • PHP Password Hashing: http://php.net/manual/en/book.password.ph p • PHP Social Login: http://hybridauth.sourceforge.net/ • LaunchKey Password Free Login:https://docs.launchkey.com/developer/ web-desktop/sdk/php.html • Honeynet: https://www.honeynet.org/
Rate My Talk http://spkr8.com/t/63961
Contact Me • Twitter: @adam_englander • IRC: #launchkey or #vegastech on freenode.net • Email: adam@launchkey.com

More Related Content

PPTX
Hacking 2018
byJosephSuresh6
 
PPTX
Keeping you and your library safe and secure
byLYRASIS
 
PPTX
Weaponizing Corporate Intel: This Time, It's Personal!
byBeau Bullock
 
PDF
Devbeat Conference - Developer First Security
byMichael Coates
 
PPTX
Securing Passwords
byMandeep Singh
 
PDF
Top 10 web application security risks akash mahajan
byAkash Mahajan
 
PPTX
How an Attacker "Audits" Your Software Systems
bySecurity Innovation
 
PPTX
Python and the internet of things
byAdam Englander
 
Hacking 2018
byJosephSuresh6
 
Keeping you and your library safe and secure
byLYRASIS
 
Weaponizing Corporate Intel: This Time, It's Personal!
byBeau Bullock
 
Devbeat Conference - Developer First Security
byMichael Coates
 
Securing Passwords
byMandeep Singh
 
Top 10 web application security risks akash mahajan
byAkash Mahajan
 
How an Attacker "Audits" Your Software Systems
bySecurity Innovation
 
Python and the internet of things
byAdam Englander
 

Viewers also liked

PDF
Gettiing Started with IoT using Raspberry Pi and Python
byMartin Christen
 
PDF
How to Connect MQTT Broker on ESP8266 WiFi
byNaoto MATSUMOTO
 
PDF
動かしながら学ぶMQTT
byEiji Yokota
 
PPTX
Mqttの通信を見てみよう
bySuemasu Takashi
 
PDF
MQTT meetup in Tokyo 機能概要
byshirou wakayama
 
PDF
MQTTS mosquitto - cheat sheet -
byNaoto MATSUMOTO
 
PDF
IoT時代を支えるプロトコルMQTT技術詳解
byNaoto MATSUMOTO
 
PDF
20150726 IoTってなに?ニフティクラウドmqttでやったこと
byDaichi Morifuji
 
PPT
19. atmospheric processes 2
byMakati Science High School
 
PPTX
Mqttで始めるIoT
byShintaro Hosoai
 
PPTX
M-6 MQTTの使いどころ (JJUG CCC 2015 Spring)
byKoji YUSA
 
Gettiing Started with IoT using Raspberry Pi and Python
byMartin Christen
 
How to Connect MQTT Broker on ESP8266 WiFi
byNaoto MATSUMOTO
 
動かしながら学ぶMQTT
byEiji Yokota
 
Mqttの通信を見てみよう
bySuemasu Takashi
 
MQTT meetup in Tokyo 機能概要
byshirou wakayama
 
MQTTS mosquitto - cheat sheet -
byNaoto MATSUMOTO
 
IoT時代を支えるプロトコルMQTT技術詳解
byNaoto MATSUMOTO
 
20150726 IoTってなに?ニフティクラウドmqttでやったこと
byDaichi Morifuji
 
19. atmospheric processes 2
byMakati Science High School
 
Mqttで始めるIoT
byShintaro Hosoai
 
M-6 MQTTの使いどころ (JJUG CCC 2015 Spring)
byKoji YUSA
 

Similar to Ashley Madison - Lessons Learned

PDF
Refugees on Rails Berlin - #2 Tech Talk on Security
byGianluca Varisco
 
PDF
In the Wake of Ashley Madison - Jim Salter
byIT-oLogy
 
ODP
Quality of Life, Multiple Lines of Defense
byMichal Špaček
 
PDF
QA Fest 2015. Per Thorsheim. Lessons learned: When the worlds largest dating ...
byQAFest
 
PPTX
Cyber crime &_info_security
byEr Mahendra Yadav
 
PDF
Getting users to care about security
byAlison Gianotto
 
PPTX
Cyber Security By Preetish Panda
byPreetish Panda
 
PDF
What Happens After You Are Pwnd: Understanding The Use Of Leaked Webmail Cred...
byJeremiah Onaolapo
 
PPTX
Password Cracking
bySagar Verma
 
PPTX
Understanding word press security wwc-4-7-17
byNicholas Batik
 
PPTX
Word press security 101
byKojac801
 
PPTX
Don't Pick the lock
byDavid Maloney
 
PPTX
So whats in a password
byRob Gillen
 
PPTX
USG_Security_Awareness_Primer (1).pptx
byssuser59e4b8
 
PPTX
USG_Security_Awareness_Primer.pptx
bysumita02
 
PPTX
Awareness Security 123.pptx
byRajuSingh730938
 
PPTX
USG_Security_Awareness_Primer.pptx
byBilmyRikas
 
PDF
Basic Security for Digital Companies - #MarketersUnbound (2014)
byJustin Bull
 
PPT
secure php
byRiyad Bin Zaman
 
PPTX
User security awareness
byK. A. M Lutfullah
 
Refugees on Rails Berlin - #2 Tech Talk on Security
byGianluca Varisco
 
In the Wake of Ashley Madison - Jim Salter
byIT-oLogy
 
Quality of Life, Multiple Lines of Defense
byMichal Špaček
 
QA Fest 2015. Per Thorsheim. Lessons learned: When the worlds largest dating ...
byQAFest
 
Cyber crime &_info_security
byEr Mahendra Yadav
 
Getting users to care about security
byAlison Gianotto
 
Cyber Security By Preetish Panda
byPreetish Panda
 
What Happens After You Are Pwnd: Understanding The Use Of Leaked Webmail Cred...
byJeremiah Onaolapo
 
Password Cracking
bySagar Verma
 
Understanding word press security wwc-4-7-17
byNicholas Batik
 
Word press security 101
byKojac801
 
Don't Pick the lock
byDavid Maloney
 
So whats in a password
byRob Gillen
 
USG_Security_Awareness_Primer (1).pptx
byssuser59e4b8
 
USG_Security_Awareness_Primer.pptx
bysumita02
 
Awareness Security 123.pptx
byRajuSingh730938
 
USG_Security_Awareness_Primer.pptx
byBilmyRikas
 
Basic Security for Digital Companies - #MarketersUnbound (2014)
byJustin Bull
 
secure php
byRiyad Bin Zaman
 
User security awareness
byK. A. M Lutfullah
 

More from Adam Englander

PPTX
Making PHP Smarter - Dutch PHP 2023.pptx
byAdam Englander
 
PDF
Practical API Security - PyCon 2019
byAdam Englander
 
PDF
Threat Modeling for Dummies
byAdam Englander
 
PDF
ZendCon 2018 - Practical API Security
byAdam Englander
 
PDF
ZendCon 2018 - Cryptography in Depth
byAdam Englander
 
PDF
Threat Modeling for Dummies - Cascadia PHP 2018
byAdam Englander
 
PDF
Dutch PHP 2018 - Cryptography for Beginners
byAdam Englander
 
PDF
php[tek] 2108 - Cryptography Advances in PHP 7.2
byAdam Englander
 
PDF
php[tek] 2018 - Biometrics, fantastic failure point of the future
byAdam Englander
 
PDF
Biometrics: Sexy, Secure and... Stupid - RSAC 2018
byAdam Englander
 
PPTX
Practical API Security - PyCon 2018
byAdam Englander
 
PDF
Practical API Security - Midwest PHP 2018
byAdam Englander
 
PDF
Cryptography for Beginners - Midwest PHP 2018
byAdam Englander
 
PDF
Cryptography for Beginners - Sunshine PHP 2018
byAdam Englander
 
PDF
ConFoo Vancouver 2017 - Biometrics: Fantastic Failure Point of the Future
byAdam Englander
 
PDF
Con Foo 2017 - Don't Loose Sleep - Secure Your REST
byAdam Englander
 
PDF
ZendCon 2017 - Cryptography for Beginners
byAdam Englander
 
PDF
ZendCon 2017: The Red Team is Coming
byAdam Englander
 
PDF
ZendCon 2017 - Build a Bot Workshop - Async Primer
byAdam Englander
 
PDF
Symfony Live San Franciso 2017 - BDD API Development with Symfony and Behat
byAdam Englander
 
Making PHP Smarter - Dutch PHP 2023.pptx
byAdam Englander
 
Practical API Security - PyCon 2019
byAdam Englander
 
Threat Modeling for Dummies
byAdam Englander
 
ZendCon 2018 - Practical API Security
byAdam Englander
 
ZendCon 2018 - Cryptography in Depth
byAdam Englander
 
Threat Modeling for Dummies - Cascadia PHP 2018
byAdam Englander
 
Dutch PHP 2018 - Cryptography for Beginners
byAdam Englander
 
php[tek] 2108 - Cryptography Advances in PHP 7.2
byAdam Englander
 
php[tek] 2018 - Biometrics, fantastic failure point of the future
byAdam Englander
 
Biometrics: Sexy, Secure and... Stupid - RSAC 2018
byAdam Englander
 
Practical API Security - PyCon 2018
byAdam Englander
 
Practical API Security - Midwest PHP 2018
byAdam Englander
 
Cryptography for Beginners - Midwest PHP 2018
byAdam Englander
 
Cryptography for Beginners - Sunshine PHP 2018
byAdam Englander
 
ConFoo Vancouver 2017 - Biometrics: Fantastic Failure Point of the Future
byAdam Englander
 
Con Foo 2017 - Don't Loose Sleep - Secure Your REST
byAdam Englander
 
ZendCon 2017 - Cryptography for Beginners
byAdam Englander
 
ZendCon 2017: The Red Team is Coming
byAdam Englander
 
ZendCon 2017 - Build a Bot Workshop - Async Primer
byAdam Englander
 
Symfony Live San Franciso 2017 - BDD API Development with Symfony and Behat
byAdam Englander
 

Recently uploaded

PDF
The Emergence of Empathic XR: AWE Asia 2026 keynote
byMark Billinghurst
 
PPTX
Celonis Optimizing your future with process
bydevjeremyappleyard
 
PDF
GenerationAI Paris 2025 | How Agentic AI is Reinventing Organizations
byapidays
 
PDF
The new book “Marketing in the Metaverse” spotlights Scott M. Graffius’ research
byScott M. Graffius
 
PDF
Post Quantum Cryptography for Dummies.pdf
byAde Ismail Isnan
 
PDF
Why Many Smart Device Platforms Fail to Scale?
byPromeraki Developments
 
PPTX
How Does an ICO Launchpad Work Step-by-Step Breakdown.pptx
byTom Hardy S
 
PDF
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
PDF
Poročilo odbora CIS (CH08873) za leto 2025 na letni skupščini IEEE Slovenija ...
byUniversity of Maribor
 
PDF
Traditional-Security-Models-No-Longer-Work.pptx (1).pdf
byOhhproJunction
 
PDF
TravelTech Paris 2025 | The EU Digital Identity Wallet and it’s impact on Tra...
byapidays
 
PDF
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
PPTX
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
PPTX
Working Session — Build a Document Understanding Automation Using an OOTB ML ...
byDianaGray10
 
PDF
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
PDF
Safer’s Picks: The 5 FME Transformers You Didn’t Know You Needed
bySafe Software
 
PDF
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
PPTX
TravelTech Paris 2025 | Beyond the pipes: Why Channel Management isn’t really...
byapidays
 
PPTX
apidays Paris 2025 | Integration is Feminist: Building Peace in Distributed S...
byapidays
 
PDF
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
The Emergence of Empathic XR: AWE Asia 2026 keynote
byMark Billinghurst
 
Celonis Optimizing your future with process
bydevjeremyappleyard
 
GenerationAI Paris 2025 | How Agentic AI is Reinventing Organizations
byapidays
 
The new book “Marketing in the Metaverse” spotlights Scott M. Graffius’ research
byScott M. Graffius
 
Post Quantum Cryptography for Dummies.pdf
byAde Ismail Isnan
 
Why Many Smart Device Platforms Fail to Scale?
byPromeraki Developments
 
How Does an ICO Launchpad Work Step-by-Step Breakdown.pptx
byTom Hardy S
 
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
Poročilo odbora CIS (CH08873) za leto 2025 na letni skupščini IEEE Slovenija ...
byUniversity of Maribor
 
Traditional-Security-Models-No-Longer-Work.pptx (1).pdf
byOhhproJunction
 
TravelTech Paris 2025 | The EU Digital Identity Wallet and it’s impact on Tra...
byapidays
 
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
Working Session — Build a Document Understanding Automation Using an OOTB ML ...
byDianaGray10
 
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
Safer’s Picks: The 5 FME Transformers You Didn’t Know You Needed
bySafe Software
 
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
TravelTech Paris 2025 | Beyond the pipes: Why Channel Management isn’t really...
byapidays
 
apidays Paris 2025 | Integration is Feminist: Building Peace in Distributed S...
byapidays
 
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 

Ashley Madison - Lessons Learned

  • 1.
    Ashley Madison Lessons Learned Securitylessons learned from the most famous PHP site ever to be hacked
  • 2.
    Who Am I? •Director of Engineering at LaunchKey • Founder/Co-Organizer of Las Vegas PHP UG • Co-Organizer of Las Vegas Developer UG • National Junior Basketball Coach
  • 3.
    What is LaunchKey •Security as a Service Provider • Anonymous distributed password-free multi- factor authentication and authorization platform • PHP SDK • WordPress Plugin • Drupal Plugin
  • 4.
    What is AshleyMadison • Online Community with over 40 million members • Targets married men looking for an affair • Offers a “paid delete” option to remove all of a members data for a price
  • 5.
    What Happened • Thenetwork containing the Ashley Madison Site was breached • Hackers claimed to have data they would release and gave a shutdown or else choice • Ashley Madison refused saying the hackers claims were not possible • Hackers release 30 GB of data
  • 6.
    What Was Released •Names, email addresses, personal details, GPS coordinates and passwords of users • Executive emails • Website source code • Credit card transaction details and limited credit card numbers
  • 7.
    How Did ItHappen • Hackers claimed “You could use Pass1234 from the internet to VPN to root on all servers” • Once inside, the hackers spent years collecting data from inside the network • Collected file, database, email, and chat data right off of the network • Had full access to version control software for website code
  • 8.
    How Could ItHappen? • Even security conscious companies aren’t very good at it • Security is rarely at the forefront of decisions related policies and procedures • Most do only what is necessary to comply with regulation • Data inside the network itself is rarely secured
  • 9.
    What About PHP? •Site used PHP 5.5+ based password hashing • Most password crackers gave up after trying common passwords. Common passwords accounted for approximately 0.1% • Password scheme was too costly to bother as passwords would be reset before they were cracked.
  • 10.
    But The PasswordsWere Cracked • Site used its own algorithm for a “login key” that was simply an MD5 of the username and un-hashed password. • Code was updated but not the database • 11.7 million passwords were cracked using this vulnerability
  • 11.
    Why Was ItSuch A Big Deal • Passwords were cracked after password resets • 68% of individuals in a LaunchKey password survey say they share the same password with multiple sites • Many users have the same email address password as other websites • Once hackers have your email, the rest comes with it
  • 12.
    What Did WeLearn Not To Do • Do not store passwords • Do not assume that the network is secure • Do no assume that the database is secure • Do not roll your own crypto
  • 13.
    What Did WeLearn To Do • Protect user data like it was your own • Hash data that does not need to be read • Use PHP Password Hashing to hash data • Encrypt data at rest, especially PII • Encrypt data in motion • Use honeypots to detect intruders
  • 14.
    Further Reading • TheImpact Team Interview: http://motherboard.vice.com/read/ashley- madison-hackers-speak-out-nobody-was- watching • CynoSure Prime Password Crack Explanation: http://cynosureprime.blogspot.com/2015/09/ how-we-cracked-millions-of-ashley.html • LaunchKey Password Survey: https://blog.launchkey.com/passwords- survey.html
  • 15.
    Further Reading • PHPPassword Hashing: http://php.net/manual/en/book.password.ph p • PHP Social Login: http://hybridauth.sourceforge.net/ • LaunchKey Password Free Login:https://docs.launchkey.com/developer/ web-desktop/sdk/php.html • Honeynet: https://www.honeynet.org/
  • 16.
  • 17.
    Contact Me • Twitter:@adam_englander • IRC: #launchkey or #vegastech on freenode.net • Email: adam@launchkey.com

Editor's Notes

  • #6 The hackers object to the site's business practices, specifically a "paid delete" option that allows people to pay to remove all their information but, they say, does not actually do that.
  • #7 Personal information was particularly problematic due to the private nature of the site Executive emails showed that founding Ashley Madison CTO had hacked a competitor and stolen the user data
  • #10 Big win for PHP Password Hashing with a string algorithm. Even with the included salt and iterations
  • #11 The vulnerability was discovered in the VCS dump that showed the change and the date.
  • #13 There are many options for not storing passwords with services like LaunchKey or social logins Security is made with layers. Keep your layer secure as it there were not other layers Event if you are a cryptographer or a security expert, do not roll you own crypto. Use an open source library
  • #14 If you do not send users email but keep it only for password resets, hash that data. Assume that the user has used the same password for that email address. PHP Password Hashing was the shining star in this debacle Encrypt data in the session, in the database, in the file system, in the cache. SSL is not good enough. SSL all the things: Every step of the way for HTTP, database connections, cache connections, VCS data.