#CyberFLASH: Buyer Beware . . . Lessons Learned From The Ashley Madison Hack

“Life is short. Have an affair®.” This is the (in)famous marketing slogan used by Ashley Madison, a Canadian web site founded in 2008 and operated by Avid Life Media Inc. with the explicit mission statement of helping married individuals chat, connect and ultimately have affairs with one another. The site assured users that use of its services would be “anonymous” and “100 per cent discreet,” but, unfortunately, this was not to be the case.

Between July 15 and Aug. 20, 2015, a person/group identifying itself as “The Impact Team” hacked ALM and published details, initially on the dark web and eventually on the open web, of approximately 36 million user accounts. Leaked data included profile information (user names, addresses, passwords, phone numbers, the types of experiences they were looking for on the site, gender, height, weight, ethnicity, body type); account information used to facilitate access to the Ashley Madison service (e-mail addresses, security questions, hashed passwords); and billing information (billing addresses and the last four digits of credit card numbers); in addition to ALM internal documents and the CEO’s private e-mail messages. User information was quickly disseminated through several public web sites. Despite the best efforts of ALM’s counsel to quickly shut down the spread of data using DMCA copyright notices after the material appeared on Twitter and other social media sites, the breached information continued to be publicly searchable.

The fallout was swift. Reports of suicides in Canada and the U.S., myriad job resignations and marital breakups surfaced, arising from the data exposure and related public shaming. In Alabama, editors at one newspaper decided to print all the names of people from the region who appeared on the Ashley Madison database. Scammers and extortionists have also targeted Ashley Madison’s users (and alleged users) on a global basis, falsely claiming they could remove a user’s information from published data or threatening to publicly shame users online unless they sent a ransom payoff in Bitcoins to the blackmailers. Malware may have also been delivered through web sites offering to scrub user information from stolen data lists.


#CyberFLASH: AshleyMadison security protocols violated privacy laws, watchdog says

AshleyMadison used inadequate privacy and security technology while marketing itself as a discreet and secure way for consenting adults to have affairs, the Office of the Privacy Commissioner of Canada says.

In a report Tuesday, the privacy watchdog says the Toronto-based company violated numerous privacy laws in Canada and abroad in the era before a massive data breach exposed confidential information from their clients to hackers.

The hack stole correspondence, identifying details and even credit card information from millions of the site’s users. At the time of the breach in July 2015, AshleyMadison claimed to have 36 million users and took in more than $100 million in annual revenue.

The resulting scandal cost the company about a quarter of its annual revenues from irate customers who demanded refunds and cancelled their accounts.

Working with a similar agency in Australia, the privacy group says the company knew that its security protocols were lacking but didn’t do enough to guard against being hacked. The company even adorned its website with the logo of a “trusted security award” — a claim the company admits it fabricated.


#CyberFLASH: Canadian data breaches in 2015: Big firms weren’t the only targets

Of all the publicly-disclosed data or privacy breaches in this country in 2015, one topped them all by a wide margin: Ashley Madison.

With over 30 million records exposed from the dating site, a $578 million class action suit filed against parent Avid Life Media and the CEO resigning after his emails were published, the attack is easily one of the largest reported in Canadian history.

But it’s easy for infosec pros to sit back and think, ‘Thank Gawd my company isn’t such a big fat target.’ Instead, they should remember all of the smaller breaches that happened this year as a lesson that large corporations and government departments aren’t the only targets. Here are just three of them:

– A successful phishing attack in September against the Association of Professional Engineers and Geoscientists of Alberta (APEGA) yielded members’ names, email addresses and association ID numbers. The vehicle was an email supposedly from CEO Mark Flint. The association has 75,000 members, but it didn’t say how many names were exposed;

– This month a Calgary wine store had to pay $500 in Bitcoin to meet a ransomware demand or lose access to its database. According to the CBC, after paying, the company received an unofficial receipt thanking it for the involuntary “purchase;”

– Worried about insider threats? Here’s one you weren’t thinking about: Senior bureaucrats at British Columbia’s District of Saanich approved the installation of monitoring software on certain computers — including the mayor’s. Somehow he didn’t get told. Among other things, staff were afraid he might discover IT security shortcomings.

These are some of the incidents involving better-known organizations:

– A Rogers Communications staffer was the victim of a phishing attack that led to the loss of a “small number” of business agreements, which included the business name, address, phone number and pricing details of the corporate customers, but not personal or financial information;


#CyberFLASH: Security expert believes Ashley Madison website hack was an inside job

John McAfee thinks he knows who hacked Ashley Madison.

In an article for the International Business Times, the eccentric creator of McAfee antivirus software alleges that the extramarital relationship website was breached by a “lone female who worked for Avid Life Media.”

Last month, a group calling itself the Impact Team leaked private data of more than 30 million users along with internal company documents and emails.

It’s those internal documents — including such mundane items as maintenance schedules and an office layout — that McAfee claims led him to conclude the breach was an inside job, not the work of outside hackers to whom the information would be of little value.

As for the notion that the hacker was a female, McAfee references lines from manifestos released by the Impact Team that refer to men as “scumbags” and name two site users who joined Ashley Madison the day after Valentine’s Day.

“To call an act the day after Valentine’s Day ‘spiteful’ is a thought that would enter few men’s minds. If this does not convince you then you need to get out of the house more often,” he wrote.

McAfee said he reached his conclusions after spending more than a week combing through over 40 gigabytes of leaked Ashley Madison data.


#CyberFLASH: Suicides And Extortion Linked To Ashley Madison Data Hack

Two people in Canada with personal information allegedly associated with the Ashley Madison data hack are reported to have committed suicide as a result of the leak from the adultery website. Toronto police’s acting staff superintendent, Bryce Evans, said on Monday morning that, while the deaths were as yet unconfirmed, fallout from the Ashley Madison hack had already led to extortion attempts.

The “Impact Team,” the group of hackers responsible for the hack and subsequent release of over 33 million users’ details, had accused Ashley Madison of operational incompetence, deceit, and gaining “profits on the pain of others.” The hackers broke into Ashley Madison’s website in July and stole the information then, giving Ashley Madison a month to close down the site. Ashley Madison did not comply with the demand.

“This is affecting all of us,” said Bryce. “The social impact behind this leak. We’re talking about families, we’re talking about children, we’re talking about wives, their male partners.” Evans also stated that there have been several confirmed attempts by criminal fraternities to extort and expose Ashley Madison clients unless money was handed over.

Avid Life Media, Ashley Madison’s Canadian-based parent company, has offered a $378k reward for information on the hackers, but so far there have been no takers.


#CyberFLASH: Ashley Madison hackers Impact Team could face long list of charges

The hacker or hackers responsible for the Ashley Madison data breach could face a long list of charges. But first the police must identify and arrest them.

In the meantime, adultery-promoting website AshleyMadison.com and parent company Avid Life Media are themselves the targets of legal action.

Much depends on what actually happened and will happen in the case, but for now the most probable charges include extortion, theft and mischief to property.

On Monday, Toronto police said two unconfirmed suicides are linked to the breach. Prominent criminal lawyer Michael Lacy says even if those deaths are confirmed, no charges in Canada against the so-called Impact Team hackers as a result of those possible suicides are likely.

The Canadian Criminal Code Section 241 covers the offence of counselling or aiding suicide, but Lacy says it requires actively encouraging or suggesting someone kill themselves, which doesn’t seem to be the case in this situation.

“It requires more than simply putting something out there that causes someone to believe that they have no choice but to take their own life,” he says.


#CyberFLASH: Canadian public servant email addresses on hacked Ashley Madison list

The apparent email addresses of hundreds of Canadian federal, provincial and municipal government employees are contained in a massive leaked list of names purported to be users of Ashley Madison, a matchmaking website for cheating spouses.

Ashley Madison does not send verification emails, meaning the accounts might not belong to actual users of the site and could simply be the work of disgruntled tricksters. Further, the data goes back to 2004, suggesting some email addresses may no longer be operational.

In a statement, Toronto-based Ashley Madison’s parent company, Avid Life Media, said it was actively monitoring and investigating the leak to determine the validity of any information posted online.

It did not immediately respond to a question about why people can register for Ashley Madison with unverified or fake email addresses.

Federally, more than 170 addresses associated with the Canadian Armed Forces are on the list, and hundreds more from other departments and agencies, including justice, public works, the Canada Revenue Agency and the RCMP.

At least one MP was registered by name. Several email addresses attached to the Senate were registered although not under any sitting senators’ names.

According to data on AshleyMadison.com, there were more than 55,000 users on the website living in Ottawa in 2013, making it the most infidelity-friendly city in Canada.


#CyberFLASH: Canadian companies have no incentive to report cyber attacks

Canadians are clueless about the vast majority of corporate data hacks because companies suffer greater financial losses when they reveal they’ve lost data than when they keep consumers in the dark.

Wednesday’s cyber attack on infidelity site Ashley Madison shone a spotlight on a risk that usually lurks in the shadows because of a lack of regulation, experts say.

“The security at Canadian organizations today is inadequate,” said Claudiu Popa, CEO of cybersecurity firm Informatica Corp.

“We don’t have a law that is prescriptive enough to tell companies that they absolutely need to buy this or that type of technology.”

Sometimes, he said, companies don’t even know they’ve been targeted.

Although the government must report data breaches such as last year’s Heartbleed attack at the Canada Revenue Agency, private companies have no such requirement.

The Ashley Madison data leak might not have come to light if hackers hadn’t announced it, Popa said. The 2013 Target Corp. breach, which also affected Canadian customers, was revealed partly because of reporting requirements in the United States, which imposes fines on companies that allow consumers’ files to be exposed.

“It’s in their best interest to play along and to invest in more sophisticated technology for detection and prevention,” Popa said.

“That’s really what’s lacking in Canada today.”


© 2013 CyberTRAX Canada - All Rights Reserved.
Sponsored by C3SA Corp.