BreachExchange mailing list archives

Life is short, secure your data


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 1 Sep 2015 19:38:48 -0600

http://www.canadait.com/index.php/columnists/eric-jacksch/1319-life-is-short-secure-your-data

Ashley Madison compromise stories are everywhere. There have been articles
on the hack itself, and analyses of data stolen and published by hackers.
Noel Biderman, Chief Executive Officer of parent company Avid Life Media
Inc. (ALM), stepped down late last week. So what can other businesses learn
from the Ashley Madison breach?

At the risk of stating the obvious, the Ashley Madison hack is receiving a
lot of attention due to the nature of the business. The majority of large
data compromises during the past few years have been payment card related.
While it is certainly undesirable to have financial information
compromised, it’s not nearly as scandalous as a massive data breach
involving a business with the motto, “Life is short. Have an affair.”

ALM was clearly the target of this attack. To date there have been no
reports of payment card fraud, and credit card numbers were not included in
the data dump released by the hackers. The criminals responsible could have
attempted to extort money from ALM, but instead they demanded that the site
be shut down or all data would be released. When it wasn’t shut down, they
followed through on their threat. The perpetrators could have easily
profited by directly contacting members of the site. Even if one tenth of
one per cent of the site’s reported thirty million users paid a $50
extortion, the hackers would have netted $1.5 million. But they didn’t.

There are three likely attackers: A former employee with a score to settle,
an unhappy customer, or a competitor. The Ashley Madison hackers complained
that the company charged customers $20 to delete their profile, but the
deletion was allegedly incomplete. According to Ars Technica, the site may
have been, “raking in somewhere between $152,000 and $342,000 each month,
just from the Full Delete option alone.” The very fact this issue was
raised suggests that the hackers had intimate knowledge of the service.

Based upon released data, the attack on Ashley Madison went far beyond a
database compromise, and included credit card transaction information going
back to 2008. Data included the name and address associated with each
transaction, but only the last few digits of the credit card number. The
database dumps suggest that the site stored all information in a few MySQL
databases with hashed passwords, but no other encryption. The dumps also
suggest that the hackers compromised the SQL database server at the
operating system level, as well as other corporate systems.

Businesses that hold sensitive personal information can learn three
important lessons from Ashley Madison:

First, a major security breach can be fatal. Ashley Madison is pursuing a
“business as usual” approach, but is unlikely to succeed due to loss of
customer confidence. One might not expect Ashley Madison customers to
identify themselves and take legal action, but class action suits have
already commenced. Should this happen to an organization that holds
personal information carrying less social stigma, such as medical records,
litigation may be even more damaging.

Second, databases do not provide sufficient security controls for personal
information. If an application with read access to the database is
compromised, credentials may be stolen. If the intruder is able to log on
to the operating system of the database itself, taking a database dump is
trivial. Encryption using keys not stored on the database server should be
considered mandatory.
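One way to apply the second lesson, as an added example that is not from the article or from ALM's systems: application-level AES-256-GCM encryption of a PII column, with the key held only in the application tier, so an intruder who dumps the MySQL database at the operating-system level gets ciphertext rather than member data. PIIVault, rowAD and the hex column layout are this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"strconv"
)

// PIIVault holds an AES-256-GCM key that lives only in the application tier
// (fetched from a KMS or secrets manager); the database host never sees it.
type PIIVault struct{ aead cipher.AEAD }

func NewPIIVault(key []byte) (*PIIVault, error) {
	block, err := aes.NewCipher(key) // AES accepts 16, 24 or 32-byte keys only
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return &PIIVault{aead: aead}, nil
}

// rowAD binds a ciphertext to its row: moving it to another row makes Open fail.
func rowAD(rowID int64) []byte { return []byte(strconv.FormatInt(rowID, 10)) }

// Seal encrypts one column value before the INSERT; the stored form is
// hex(nonce || ciphertext || tag), which fits a VARBINARY column.
func (v *PIIVault) Seal(rowID int64, plaintext string) (string, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return hex.EncodeToString(v.aead.Seal(nonce, nonce, []byte(plaintext), rowAD(rowID))), nil
}

// Open decrypts a stored value; it fails on tampering, a wrong key or a wrong row.
func (v *PIIVault) Open(rowID int64, stored string) (string, error) {
	raw, err := hex.DecodeString(stored)
	n := v.aead.NonceSize()
	if err != nil || len(raw) < n+v.aead.Overhead() {
		return "", fmt.Errorf("stored value is not a well-formed ciphertext")
	}
	pt, err := v.aead.Open(nil, raw[:n], raw[n:], rowAD(rowID))
	return string(pt), err
}
```

The key itself still needs the controls of the third lesson: anyone who can read it from the application host can decrypt the dump, so its storage and access deserve the same two-factor and host-hardening treatment as the database.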

Third, processing sensitive personal information requires stronger system
and network-level security architectures. Controls such as two-factor
authentication are required to protect critical assets such as databases.
In most organizations, attacking a system administrator’s workstation with
targeted malware will reveal passwords and SSH keys required to seize
control of the organization’s Windows and Linux systems.

Many companies don’t implement controls such as encryption and two-factor
authentication because of the cost, but, as the Ashley Madison hack
demonstrates, those dealing with sensitive information can’t afford not to.
Life is short. Secure your data.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 