Ashley Madison - Lessons Learned
•Download as PPTX, PDF•
0 likes•991 views
The Ashley Madison hack revealed major security issues that compromised millions of users' personal data. Hackers were able to access Ashley Madison's entire network over several years, collecting database, email, code, and other files. They were ultimately able to crack passwords due to the site storing an MD5 hash of usernames and unhashed passwords. The hack demonstrated the importance of securely storing and handling sensitive user data, using strong password hashing, encrypting data at rest and in motion, and carefully monitoring networks for intrusions.
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (12)
Similar to Ashley Madison - Lessons Learned
Similar to Ashley Madison - Lessons Learned (20)
More from Adam Englander
More from Adam Englander (20)
Recently uploaded
Recently uploaded (20)
Ashley Madison - Lessons Learned
- 1. Ashley Madison Lessons Learned Security lessons learned from the most famous PHP site ever to be hacked
- 2. Who Am I? • Director of Engineering at LaunchKey • Founder/Co-Organizer of Las Vegas PHP UG • Co-Organizer of Las Vegas Developer UG • National Junior Basketball Coach
- 3. What is LaunchKey • Security as a Service Provider • Anonymous distributed password-free multi- factor authentication and authorization platform • PHP SDK • WordPress Plugin • Drupal Plugin
- 4. What is Ashley Madison • Online Community with over 40 million members • Targets married men looking for an affair • Offers a “paid delete” option to remove all of a members data for a price
- 5. What Happened • The network containing the Ashley Madison Site was breached • Hackers claimed to have data they would release and gave a shutdown or else choice • Ashley Madison refused saying the hackers claims were not possible • Hackers release 30 GB of data
- 6. What Was Released • Names, email addresses, personal details, GPS coordinates and passwords of users • Executive emails • Website source code • Credit card transaction details and limited credit card numbers
- 7. How Did It Happen • Hackers claimed “You could use Pass1234 from the internet to VPN to root on all servers” • Once inside, the hackers spent years collecting data from inside the network • Collected file, database, email, and chat data right off of the network • Had full access to version control software for website code
- 8. How Could It Happen? • Even security conscious companies aren’t very good at it • Security is rarely at the forefront of decisions related policies and procedures • Most do only what is necessary to comply with regulation • Data inside the network itself is rarely secured
- 9. What About PHP? • Site used PHP 5.5+ based password hashing • Most password crackers gave up after trying common passwords. Common passwords accounted for approximately 0.1% • Password scheme was too costly to bother as passwords would be reset before they were cracked.
- 10. But The Passwords Were Cracked • Site used its own algorithm for a “login key” that was simply an MD5 of the username and un-hashed password. • Code was updated but not the database • 11.7 million passwords were cracked using this vulnerability
- 11. Why Was It Such A Big Deal • Passwords were cracked after password resets • 68% of individuals in a LaunchKey password survey say they share the same password with multiple sites • Many users have the same email address password as other websites • Once hackers have your email, the rest comes with it
- 12. What Did We Learn Not To Do • Do not store passwords • Do not assume that the network is secure • Do no assume that the database is secure • Do not roll your own crypto
- 13. What Did We Learn To Do • Protect user data like it was your own • Hash data that does not need to be read • Use PHP Password Hashing to hash data • Encrypt data at rest, especially PII • Encrypt data in motion • Use honeypots to detect intruders
- 14. Further Reading • The Impact Team Interview: http://motherboard.vice.com/read/ashley- madison-hackers-speak-out-nobody-was- watching • CynoSure Prime Password Crack Explanation: http://cynosureprime.blogspot.com/2015/09/ how-we-cracked-millions-of-ashley.html • LaunchKey Password Survey: https://blog.launchkey.com/passwords- survey.html
- 15. Further Reading • PHP Password Hashing: http://php.net/manual/en/book.password.ph p • PHP Social Login: http://hybridauth.sourceforge.net/ • LaunchKey Password Free Login:https://docs.launchkey.com/developer/ web-desktop/sdk/php.html • Honeynet: https://www.honeynet.org/
- 17. Contact Me • Twitter: @adam_englander • IRC: #launchkey or #vegastech on freenode.net • Email: adam@launchkey.com
Editor's Notes
- The hackers object to the site's business practices, specifically a "paid delete" option that allows people to pay to remove all their information but, they say, does not actually do that.
- Personal information was particularly problematic due to the private nature of the site Executive emails showed that founding Ashley Madison CTO had hacked a competitor and stolen the user data
- Big win for PHP Password Hashing with a string algorithm. Even with the included salt and iterations
- The vulnerability was discovered in the VCS dump that showed the change and the date.
- There are many options for not storing passwords with services like LaunchKey or social logins Security is made with layers. Keep your layer secure as it there were not other layers Event if you are a cryptographer or a security expert, do not roll you own crypto. Use an open source library
- If you do not send users email but keep it only for password resets, hash that data. Assume that the user has used the same password for that email address. PHP Password Hashing was the shining star in this debacle Encrypt data in the session, in the database, in the file system, in the cache. SSL is not good enough. SSL all the things: Every step of the way for HTTP, database connections, cache connections, VCS data.