BreachExchange mailing list archives

Why should enterprises care about the Ashley Madison breach?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 21 Oct 2015 17:50:51 -0600

http://www.scmagazineuk.com/why-should-enterprises-care-about-the-ashley-madison-breach/article/448362/

It went from bad to worse for Ashley Madison this summer. In market terms,
the adultery dating website had always been considered a toxic asset. When
it announced its plans for a London IPO in the spring of this year, the
City met the news with reticence. Undoubtedly, it would have found an
investor base, even though most – for ethical reasons – wouldn't have
touched it. But that's all conjecture now. After the litany of security
issues that have dogged the company, Ashley Madison has well and truly
kissed the prospect of a flotation goodbye.

The first nail in the coffin was when a hacking collective called the
Impact Team stole 9.7 gigabytes of customer data, including credit card
details and addresses, and posted it on the dark web. Of course, the
fall-out from this breach has been enormous, but the impact mainly affected
users on a personal level.

What happened next was to seriously compromise the security of thousands of
corporates and other organisations, from multi-nationals through to
government departments.

When allegations of stolen customer data were first leaked, Avid Life Media
– Ashley Madison's parent company – claimed that passwords were secure due
to a common encryption practice called “hashing.” This entails passwords
being run through an algorithm a number of times to generate a unique
string of characters that represents the original string. Apparently this
procedure is failsafe unless the algorithm is flawed. In Ashley Madison's
case it was.

When news of the data breach first broke, a few attempts were made to crack
the users' passwords using brute-force hacking, which didn't work. But in
mid-September a group of hobby password crackers calling themselves
CynoSure Prime made a breakthrough using a different approach. They combed
the source code, which had been published online by the Impact Team, and
detected a major flaw in how passwords were protected online. They claimed
this error helped them to crack more than 11 million of the 36 million
password hashes stored in the website's database.

This exposure of passwords causes major security problems for Ashley
Madison users. People often use the same passwords again and again, for
online banking transactions, e-commerce purchases and to access email
accounts. And lots of people use those very same passwords for work
purposes.

This is where the problem for corporates arises. A massive 76 per cent of
corporate data breaches involve weak or stolen passwords, which means that
in the Ashley Madison case, the revelation of 11.2 million passwords has
serious security implications for the employers of users. The hackers have
held the door wide open for any disgruntled employees or other opportunist
hackers who might have a grudge against the organisations those users work for.

The worrying thing is that some organisations are still reliant on
passwords alone for security, when they are just not good enough on their
own to protect business systems. They are too easily cracked, hashed,
phished, stolen, bought online or in some cases, guessed. Take the Ashley
Madison case. In addition to cracking them, CynoSure Prime compiled a list
of the top 100 users' passwords. “123456” came out top, closely followed
by “12345” and “password.” “abc123” and “11111” also featured highly. Never
mind the days and weeks of password cracking – it wouldn't take a genius to
come up with that list.

When employees hand out business cards, which feature email addresses, they
are usually giving away their user names. Even if hackers don't have access
to stolen data and employee passwords, as the Ashley Madison list
demonstrates, often the next step is simple guesswork, or a so called
“dictionary attack”. An easy-to-remember password for users is often the
last line of defence for corporates and in this case, the company's
security is only as good as its employees' weakest password.
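As an added illustration that is not part of the article, the Python below contrasts the fast, unsalted hashing the article describes with salted, deliberately slow hashing, and shows the two defender-side checks that follow from the top-password list and dictionary-attack points above: auditing a stored table for listed passwords and refusing them at registration. The sample accounts, the five-word list and the scrypt cost values are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample: the five passwords the article names from the CynoSure Prime top-100 list.
COMMON_PASSWORDS = ["123456", "12345", "password", "abc123", "11111"]

def weak_hash(password):
    """Single pass of a fast, unsalted hash: every user with the same password gets the same digest."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def audit_weak_hashes(stored, wordlist):
    """Defender-side audit of a fast-hash table: which accounts use a listed password?
    Each candidate word is hashed once and matched against every user, which is why an
    unsalted table exposes all users of a common password at the same time."""
    lookup = {weak_hash(word): word for word in wordlist}
    return sorted(user for user, digest in stored.items() if digest in lookup)

def strong_hash(password, salt=None):
    """Per-user random salt plus a memory-hard KDF (scrypt); cost values are illustrative assumptions.
    Returns (salt, digest); the salt is stored beside the digest and is not secret."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest

def verify(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = strong_hash(password, salt)
    return hmac.compare_digest(candidate, digest)

def is_allowed(password, denylist=COMMON_PASSWORDS, min_len=12):
    """Registration-time check: reject listed passwords (case-insensitively) and short ones."""
    return len(password) >= min_len and password.lower() not in {w.lower() for w in denylist}

# Constructed sample table of three accounts stored with the weak scheme.
SAMPLE_TABLE = {
    "alice": weak_hash("123456"),
    "bob": weak_hash("correct horse battery staple"),
    "carol": weak_hash("password"),
}

if __name__ == "__main__":
    print("accounts using a listed password:", audit_weak_hashes(SAMPLE_TABLE, COMMON_PASSWORDS))
    salt, digest = strong_hash("correct horse battery staple")
    print("strong-scheme verify:", verify("correct horse battery staple", salt, digest))
    print("registration accepts '123456'?", is_allowed("123456"))
```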

Most organisations, wise to this, have two-factor authentication methods,
usually using tokens. But hackers have developed sophisticated methods to
circumvent even these. Some more advanced pharming, phishing or “pass the
hash” hacks take users to imposter websites, use malware to capture
usernames, passwords and even time-based token codes, and send the
information to the hacker. Many organisations are unaware traditional
hardware tokens can be compromised.

In addition to the passwords and a token, card or fingerprint that might
comprise two-factor authentication, multi-factor authentication (MFA) adds
more factors to validate a user's identity. This might be a user's unique
session identification, their geographic location, the time of day etc. But
what is really important is the context they are used in – for example,
it's not worth capturing the GEO-IP of the user if this isn't relevant in
determining trust at the point of login. The right blend of variables is
down to the individual organisation.
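The context-dependent weighting described above, as an added Python sketch that is not from the article: each organisation sets its own blend, so a signal it judges irrelevant (the article's GEO-IP example) is given weight zero instead of feeding the decision, and a correct password plus token code is treated as necessary but never sufficient. The signal names, weights, thresholds and the sample attempt are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class LoginAttempt:
    username: str
    password_ok: bool
    token_ok: bool        # hardware or time-based token code checked out
    device_known: bool    # device fingerprint seen for this user before
    country: str          # from a GEO-IP lookup of the client address (assumed signal)
    hour: int             # local hour of day, 0-23
    session_fresh: bool   # session identifier newly issued rather than replayed (assumed signal)

@dataclass
class OrgPolicy:
    """Per-organisation blend of context signals; weight 0 switches a signal off."""
    home_countries: set
    work_hours: tuple = (7, 20)
    weights: dict = field(default_factory=lambda: {
        "new_device": 3, "foreign_geo": 2, "off_hours": 1, "session_replay": 4})
    step_up_at: int = 2   # score at which an extra factor is demanded
    deny_at: int = 5      # score at which the attempt is refused outright

def risk_signals(a, p):
    """Which context signals fired for this attempt."""
    return {
        "new_device": not a.device_known,
        "foreign_geo": a.country not in p.home_countries,
        "off_hours": not (p.work_hours[0] <= a.hour < p.work_hours[1]),
        "session_replay": not a.session_fresh,
    }

def risk_score(a, p):
    return sum(p.weights.get(name, 0) for name, hit in risk_signals(a, p).items() if hit)

def decide(a, p):
    """Returns 'allow', 'step_up' or 'deny'."""
    if not (a.password_ok and a.token_ok):
        return "deny"
    score = risk_score(a, p)
    if score >= p.deny_at:
        return "deny"
    return "step_up" if score >= p.step_up_at else "allow"

# Constructed scenario: a valid password and token code presented from an unknown device abroad
# at 03:00, the situation the article describes when a phishing site relays captured credentials.
REPLAYED = LoginAttempt("jsmith", True, True, False, "XX", 3, True)
OFFICE = OrgPolicy(home_countries={"GB"})
REMOTE_FIRST = OrgPolicy(home_countries={"GB"},
                         weights={"new_device": 3, "foreign_geo": 0, "off_hours": 1, "session_replay": 4})
```

With the office policy the replayed credentials score 6 and are refused; the remote-first organisation, having switched geography off, scores 4 and demands a further factor instead.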

The Ashley Madison case should be setting alarm bells ringing for IT
departments and security teams around the world because hackers have
effectively been handed the back door keys to thousands of organisations.
IT managers need the right authentication in place to give them the
additional layer of security to keep their organisations locked down.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
