Hackers Want to Know What Your Sexual Kinks are, and Dating Sites are Telling Them

If you are a frequent user of online dating platforms, be warned: the way they are getting relentlessly hacked, soon the only thing you’ll be kissing is your sensitive data goodbye.

It’s no coincidence that popular dating sites, such as Ashley Madison, OKCupid, and BeautifulPeople.com are being constantly attacked by hackers.

Private data really doesn’t get any more private than the stuff you share on dating websites. Could you imagine having your list of sexual fetishes leaked? Or maybe all the cringey, flirty messages you’ve sent over the years?

It is clear that dating websites have data security systems in place that are greatly disproportionate to the sensitivity of the data their users trust them to safeguard.

So what can dating websites, or any business tasked with the protection of sensitive data, do to keep their customers’ data secure?

header 1

In the recent Rosebuttboard.com hack, more than 100,000 members’ accounts were exposed.

Rosebuttboard is a forum for people who partake in the devastation of the derriere. Can you imagine how crappy it would be to have the world know about your private desires?

Rosebuttboard used out-of-date software and security strategies with known vulnerabilities, making them easy picking for cybercriminals.

What you should do: Avoid being the butt of hackers’ jokes by keeping all of your software patched and up to date, so that the versions you run have no known flaws. This instantly makes it harder for hackers to breach your system.

header 2

In addition to using an out-of-date forum system, Rosebuttboard also used an archaic and easily-crackable encryption method to store their users’ personal information.

And in OKCupid’s big hack of 2014, it was revealed that users’ passwords were saved in plain text.

Using outdated encryption methods (or not using any at all) is about as safe as leaving the key to your house under the doormat on your front porch.

What you should do: Encrypt all your sensitive data! That way, even if hackers somehow find their way into your network and steal your encrypted data, they will have the equivalent of a safe they don’t know the combination to.
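Passwords are the one kind of sensitive data where reversible encryption is the wrong tool: the site never needs the password back, only to check a login attempt, so the standard practice is a salted, deliberately slow one-way hash. The Python below is an added example (not code from Ground Labs or from any of the sites named here) contrasting the fast, unsalted digest that makes a leaked password table cheap to crack with a PBKDF2 store that a login check can verify in constant time. The sample passwords are constructed and the function names are assumptions.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Added example, not Ground Labs code. All function and parameter names are
# assumptions for illustration; the sample passwords are constructed.

PBKDF2_ITERATIONS = 200_000  # deliberately slow; raise as hardware gets faster


def weak_store(password: str) -> str:
    """The 'archaic' pattern: a fast, unsalted digest.

    Shown only as the anti-pattern: identical passwords produce identical
    values, so one precomputed table cracks every account at once."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow hash. Returns a self-describing record so the iteration
    count can be raised later without invalidating older records."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown or malformed record: never a match
    try:
        iterations = int(parts[1])
        salt = base64.b64decode(parts[2])
        expected = base64.b64decode(parts[3])
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def duplicates_visible(store_fn, password: str) -> bool:
    """True if two users with the same password get the same stored value,
    i.e. the store reveals password reuse and is rainbow-table friendly."""
    return store_fn(password) == store_fn(password)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed sample
    print(record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("weak store reveals duplicates:", duplicates_visible(weak_store, "hunter2"))
    print("salted store reveals duplicates:", duplicates_visible(hash_password, "hunter2"))
```

Each record carries its own salt and iteration count, so the count can be raised for new records without breaking old ones, and `duplicates_visible` makes the point in one line: with the weak store, every user sharing a password shares the same stored value, so one cracked value unlocks all of them.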

header 3

Adult dating site Fling.com has also been a victim of a data breach, with information such as sexual preferences, emails and old passwords being hawked on the dark web. Mysteriously, even the personal information of people who had deleted their accounts was found amongst the data.

Even worse is the now-infamous Ashley Madison hack. It aired the dirty laundry of 32 million cheating spouses, and even led to multiple suicides.

Ashley Madison’s story is a classic example of why data security should be taken seriously: post-breach, their web traffic plummeted by 82%, and they are still fighting against a $567 million lawsuit.

Among Ashley Madison’s poor security practices, the worst was their “Full Delete” option that didn’t even work. The option promised complete removal of users’ traces on the site, for a small fee of $19.

Ashley Madison reportedly netted $1.7 million USD from this service. Yet, from the data leaked, even sensitive information from those that had paid for this service was found.

What you should do: If you don’t need it, fling it! Preventing data buildup will ensure that there is less data for hackers to steal.

The Business-As-Usual Approach

All these tips point to the importance of engaging in BAU security practices. In today’s data-centric world, integrating security tactics in your everyday business is critical in ensuring that your company stays safe from prying eyes.

Vulnerabilities must be patched as soon as they are discovered, network intruders have to be detected quickly, and data must be carefully monitored and safeguarded.

Keeping an eye on your company’s sensitive data buildup is no small feat, ordinarily. Extraordinarily, Ground Labs’ Enterprise Recon software helps customers manage sensitive data across their entire network, and aligns perfectly with the goal of making security a BAU process.

Real-time scanning, role delegation, scan scheduling — these features make it incredibly easy for any business to take control of their data, and ensure that no sensitive data goes undiscovered. It’s both the easiest and the safest way to ensure that even if hackers break into your network, there will be nothing for them to steal.

Sign up for a free trial of Enterprise Recon today for a first-hand look at how easy it can be to manage sensitive data across your entire company.

Soon-To-Be Ex-CEOs: Lose Data In Hacks, Get The Axe.

The aftermath of the Ashley Madison hack that aired the details of its 37 million users has been anything but pretty. News of divorces, lawsuits, and even suicide relating to the hack are being reported on a daily basis, and in a completely understandable move, Ashley Madison’s parent company CEO no longer holds his title.

Noel Biderman, the founder of Ashley Madison, stepped down on August 28. Although the press release states that he left the company by ‘mutual agreement’, the statement leaves you wondering whether that is really how it went down.

One thing’s for certain: if not for the hack, Noel would still be running the company he founded, which reported a $115 million profit last year.

Regardless of what kind of business Ashley Madison is, Biderman clearly put a great deal of effort into making the company what it is today. For more than 14 years, it has been a company that he literally created from the ground up. And then he witnessed how quickly hard work can come crashing down because of less than 30 gigabytes of leaked information.

And he’s far from being the only one.

Ashley Madison’s ex-CEO, Noel Biderman

As many have heard by now, Target’s ex-CEO, Gregg Steinhafel, resigned shortly after the notorious Target data breach, which has cost the company $148 million and counting.

Ten years ago, such a thing would have been unheard of. Punishment for a breach would go right over the heads of the executive management, and strike at the hearts of their IT security teams.

Today, whilst IT security team members still get the axe when things turn to custard, the ultimate sacrifice must be made by the people where the buck stops — the CEO and the executive team.

The lesson for all CEOs and founders: allowing a huge data breach to happen is now a big enough mistake to cost you your job, even if you’re the one who started the company in the first place.

The general public will light their torches and brandish their pitchforks at your castle gates. Your supporters will dwindle in number, and soon you will be forced to make a decision — leave the company with some of your dignity intact, or wait for your board members to hit the eject button.

What’s Changed?

So why have data breaches become a blunder worth punishing the head of a company for? The biggest reason is that the scale of breaches has grown exponentially: losing millions of records has become commonplace, and if a million people lose their personal information thanks to a mistake made by your company, that’s a million of your customers you just aggravated.

Another reason is the amount of attention hacking receives from the media. For weeks prior, the Ashley Madison story was making headlines all around the world, and once the leak went public it was covered endlessly by every news source. It’s not as easy to brush the issue under the carpet as it was many years ago.

An ‘Ashley Madison’ Google search now shows a flood of news stories surrounding the hack, to the point where it’s hard to find a link to the actual website.

How to Avoid Being Next

The obvious solution is to simply avoid losing data. However, it’s really not as easy as it sounds. Many companies see thousands of inbound attacks daily; you can defend as much as you want, but the sad truth is that it only takes one attacker breaking in to bring your entire fortress crashing down.

The less obvious but much more critical solution is to avoid, as far as possible, storing any information worth stealing. In Ashley Madison’s case, accounts that should have been deleted, as well as email logs from years prior, had no place on their systems. The more sensitive data you hold on to, the more you stand to lose in a data breach.

Today’s security professionals are promoting a new strategy: if you don’t need it, don’t store it. Because if an outsider does find a way into your IT network (and statistically speaking, they will find a way), then your valuable data assets in storage will already be reduced to a bare minimum. Furthermore, if your security team has taken the right steps and focused on protecting what remaining information you do need to store with encryption or other obfuscation technologies, there’s hopefully little to zero data left that’s easy to steal.
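Both the “Full Delete” failure described under header 3 above and the “if you don’t need it, don’t store it” rule here come down to the same two mechanics: a delete has to reach every table that references the account, and retention has to be enforced on a schedule, with an audit that proves both actually happened. The SQLite script below is an added example, not Ground Labs or Avid Life Media code; its schema, table names, sample rows and the 2015-08-20 “current” date are constructed. It shows the flag-only delete that leaves profile, message and payment rows behind, the full delete that does not, a retention purge of old message logs, and the residue check that tells the two apart.

```python
import sqlite3
from datetime import datetime, timedelta
from typing import Dict

# Added example, not Ground Labs or Ashley Madison code. Schema, table names
# and sample rows are constructed assumptions for illustration.
SCHEMA = """
CREATE TABLE users    (id INTEGER PRIMARY KEY, email TEXT, deleted_at TEXT);
CREATE TABLE profiles (user_id INTEGER, preferences TEXT);
CREATE TABLE messages (id INTEGER PRIMARY KEY, sender_id INTEGER,
                       recipient_id INTEGER, body TEXT, sent_at TEXT);
CREATE TABLE payments (user_id INTEGER, card_last4 TEXT, txn_id TEXT);
"""

# Every place a user id can appear. Only these fixed names are interpolated
# into SQL below; user-supplied values always go through ? parameters.
USER_REFS = [
    ("profiles", "user_id"),
    ("messages", "sender_id"),
    ("messages", "recipient_id"),
    ("payments", "user_id"),
]

NOW = datetime(2015, 8, 20)  # constructed "current" date for the sample


def build_sample_db() -> sqlite3.Connection:
    """Two users, two profiles, three messages (two old), one payment record."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    old = (NOW - timedelta(days=3 * 365)).isoformat()
    recent = (NOW - timedelta(days=30)).isoformat()
    with conn:
        conn.executemany("INSERT INTO users VALUES (?, ?, NULL)",
                         [(1, "alice@example.com"), (2, "bob@example.com")])
        conn.executemany("INSERT INTO profiles VALUES (?, ?)",
                         [(1, "constructed-preference-1"), (2, "constructed-preference-2")])
        conn.executemany(
            "INSERT INTO messages (sender_id, recipient_id, body, sent_at) VALUES (?, ?, ?, ?)",
            [(1, 2, "hi", old), (2, 1, "hello", recent), (2, 2, "draft", old)])
        conn.execute("INSERT INTO payments VALUES (?, ?, ?)", (1, "4242", "txn-0001"))
    return conn


def flag_only_delete(conn: sqlite3.Connection, user_id: int) -> None:
    """The pattern that failed at Ashley Madison: the account is marked
    deleted, but profile, message and payment rows are all left in place."""
    with conn:
        conn.execute("UPDATE users SET deleted_at = ? WHERE id = ?",
                     (NOW.isoformat(), user_id))


def full_delete(conn: sqlite3.Connection, user_id: int) -> None:
    """A delete that earns its name: remove every row referencing the user,
    then the user row itself, in one transaction."""
    with conn:
        for table, column in USER_REFS:
            conn.execute(f"DELETE FROM {table} WHERE {column} = ?", (user_id,))
        conn.execute("DELETE FROM users WHERE id = ?", (user_id,))


def purge_older_than(conn: sqlite3.Connection, keep_days: int, now: datetime = NOW) -> int:
    """Retention: drop message logs past their keep window. Returns rows removed."""
    cutoff = (now - timedelta(days=keep_days)).isoformat()
    with conn:
        return conn.execute("DELETE FROM messages WHERE sent_at < ?", (cutoff,)).rowcount


def residue_for(conn: sqlite3.Connection, user_id: int) -> Dict[str, int]:
    """Audit check: rows still referencing the user, keyed by table.column.
    An empty dict means the delete really was complete."""
    found: Dict[str, int] = {}
    for table, column in USER_REFS + [("users", "id")]:
        n = conn.execute(f"SELECT COUNT(*) FROM {table} WHERE {column} = ?",
                         (user_id,)).fetchone()[0]
        if n:
            found[f"{table}.{column}"] = n
    return found


if __name__ == "__main__":
    db = build_sample_db()
    flag_only_delete(db, 1)
    print("after flag-only delete:", residue_for(db, 1))
    full_delete(db, 1)
    print("after full delete:", residue_for(db, 1))
    print("old messages purged:", purge_older_than(db, keep_days=365))
```

The residue check is the part worth keeping: run it after every deletion job, and if it ever returns a non-empty result you have found a table the delete path forgot. A real system would also have to decide whether messages the other party received should be deleted or anonymised; this example deletes them.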

So our message to all you CEOs out there — listen to your security guys. They too have a vested interest in your longevity.

But if you don’t and the worst case happens, they can always leave and get another job. You on the other hand won’t be able to escape being seen as ultimately responsible for a very public data breach, regardless of who internally was at fault.

If you’re wondering how much easily stealable data you have right now, try Enterprise Recon out for free, and get started on cleaning up your systems.

(Image sources: 1, 2)

Everything You Need to Know About the Ashley Madison Hack

On July 19, well-known security blogger Brian Krebs reported that the online cheating site AshleyMadison.com had been compromised. A group known as The Impact Team released a cache of data stolen from Avid Life Media (ALM), the parent company of Ashley Madison and two other hookup sites, Cougar Life and Established Men.

The data released includes snippets of account details from ALM’s users, maps of internal company servers, employee network account information, company bank account data, and salary information.

The Impact Team released the information in protest of ALM’s “lies” regarding its Full Delete function. Users were told that they could completely wipe their profiles and information from the ALM databases at the cost of $19. However, when The Impact Team compromised ALM’s servers and inspected their databases, they found that the information was not being deleted even after the delete fee had been charged.

The Impact Team’s demands were simple: either shut down Ashley Madison and Established Men, or have the full information of all 37 million users leaked. Needless to say, this was a cause of great stress for many of its users; Krebs reported that he received a steady stream of emails from Ashley Madison users who were afraid that the leak was going to go through.

Unfortunately for them, it just did. Wired reported earlier today that a 9.7 GB data dump was posted to the dark web containing the account details and log-ins for 32 million of the site’s users, along with seven years’ worth of credit card and other payment transaction details.

The leak statement posted by The Impact Team

A short while later, Krebs posted again to his blog, questioning the credibility of the leaked data. Raja Bhatia, Ashley Madison’s original founding Chief Technology Officer, told Krebs that there had been a slew of fake data dumps popping up, and there was no reason to believe that this one was legitimate.

Bhatia examined the data, and concluded that the data from the original release was real, but everything else was nothing more than generic and fake SQL files. He also said that “There’s definitely not credit card information, because we don’t store that. We use transaction IDs, just like every other PCI compliant merchant processor.”

However, Krebs has recently edited his original post with this new information:

“I’ve now spoken with three vouched sources who all have reported finding their information and last four digits of their credit card numbers in the leaked database. Also, it occurs to me that it’s been almost exactly 30 days since the original hack. Finally, all of the accounts created at Bugmenot.com for Ashleymadison.com prior to the original breach appear to be in the leaked data set as well. I’m sure there are millions of AshleyMadison users who wish it weren’t so, but there is every indication this dump is the real deal.”

So it would seem, at least for now, that the leaked data is indeed legitimate.

A cheeky billboard put up in Boston by Ashley Madison

From a data security standpoint, what’s interesting is that The Impact Team managed to acquire credit card data from a database that was allegedly not storing credit card information. Since multiple sources have confirmed that their credit card information was found in the leaked data, we can only conclude that ALM was storing credit card information; they just didn’t know it.

This is a common problem that many companies are alarmingly unaware of.

We have worked with many CSOs and IT compliance managers who have assured us that there was no cardholder data to be found in their systems. In one particular incident, Ground Labs software found over 100 million cardholder data records that were being backed up on a partition they didn’t even know existed, and this is one of many examples.

The entire situation highlights, once again, the importance of understanding your data. The larger your environment, the more data you’ll have, and the more locations you’ll have to store it in. In today’s data-driven workplace, it’s imperative that every company understands what it is that hackers want, and how to keep it away from them.
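Discovering cardholder data that a company believes it does not hold is a scanning problem: walk every file you can reach, pull out digit runs of card-number length, and keep only those that pass the Luhn check so that session ids and timestamps do not flood the report. The Python below is an added example of that technique and is not Enterprise Recon or Data Recon; the directory it scans, the `app.log` and `export.csv` files and their contents are constructed, and the card numbers in them are public test numbers. The report masks each hit to the first six and last four digits so the scanner’s own output does not become a second copy of the data.

```python
import os
import re
import tempfile
from typing import List, Tuple

# Added example, not Ground Labs' Enterprise Recon or Data Recon. The sample
# files, paths and card numbers below are constructed (the numbers are
# public test numbers, not real cards).

# A run of 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit string.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; filters out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only first six and last four, so the report is not cardholder data itself."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text: str) -> List[Tuple[int, str]]:
    """Return (line number, masked PAN) for each Luhn-valid candidate in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                hits.append((lineno, mask_pan(digits)))
    return hits


def scan_tree(root: str) -> List[Tuple[str, int, str]]:
    """Walk every file under root, including partitions nobody remembers mounting."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skipped here, a real tool would log it
            for lineno, masked in scan_text(text):
                findings.append((os.path.relpath(path, root), lineno, masked))
    return findings


def build_sample_tree() -> str:
    """Constructed directory: one log at the top level, one forgotten CSV export."""
    root = tempfile.mkdtemp(prefix="pan-scan-")
    os.makedirs(os.path.join(root, "backup", "old_partition"))
    with open(os.path.join(root, "app.log"), "w", encoding="utf-8") as fh:
        fh.write("order=1001 card=4111111111111111 status=ok\n")
        fh.write("session=1234567890123456 user=alice\n")  # 16 digits, fails Luhn
        fh.write("host=10.0.0.12 request_id=987654321\n")
    with open(os.path.join(root, "backup", "old_partition", "export.csv"),
              "w", encoding="utf-8") as fh:
        fh.write("user,card\n")
        fh.write("bob,5500 0000 0000 0004\n")  # spaces are normalised away
    return root


if __name__ == "__main__":
    for path, lineno, masked in scan_tree(build_sample_tree()):
        print(f"{path}:{lineno}: {masked}")
```

Two things to carry into a real deployment: the “forgotten partition” in the sample is just a subdirectory, so point the walk at every mounted filesystem and backup location rather than only the application directories; and treat the Luhn filter as noise reduction, not proof, since a Luhn-valid number in a log still has to be confirmed by a person before it is counted as cardholder data.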

As of now, the dumped data is making its rounds on the web, with sites like checkashleymadison.com going up (and getting taken down by a cease and desist by ALM) to make the information more accessible for the everyday spouse.

Play It Safe

The situation at Ashley Madison is still developing, but regardless of how it plays out for ALM, The Impact Team, or the gentlemen involved in the hack, this incident is but one of many examples of why having a strong data security system in place is integral for any modern-day business.  

Are you interested in finding rogue data in your network? Take a free trial of Data Recon and find out if the same unknown risk exists within your environment.