It went from bad to worse for Ashley Madison this summer. In market terms, the adultery dating website had always been considered a toxic asset. When it announced its plans for a London IPO in the spring of this year, the City met the news with reticence. Undoubtedly, it would have found an investor base, even though most – for ethical reasons – wouldn't have touched it. But that's all conjecture now. After the litany of security issues that have dogged the company, Ashley Madison has well and truly kissed the prospect of a flotation goodbye.
The first nail in the coffin was when a hacking collective called the Impact Team stole 9.7 gigabytes of customer data, including credit card details and addresses, and posted it on the dark web. Of course, the fall-out from this breach has been enormous, but the impact mainly affected users on a personal level.
What happened next was to seriously compromise the security of thousands of corporates and other organisations, from multi-nationals through to government departments.
When allegations of stolen customer data were first leaked, Avid Life Media – Ashley Madison's parent company – claimed that passwords were secure because of a common practice called “hashing.” This entails running each password through a one-way algorithm, a number of times, to produce a string of characters that represents the original password but cannot be turned back into it. This procedure is supposed to be failsafe unless the algorithm is flawed. In Ashley Madison's case it was.
When news of the data breach first broke, a few attempts were made to crack the users' passwords by brute force, which didn't work. But in mid-September a group of hobby password crackers calling themselves CynoSure Prime made a breakthrough using a different approach. They combed the source code, which had been published online by the Impact Team, and detected a major flaw in how passwords were protected. They claimed this error helped them to crack more than 11 million of the 36 million password hashes stored in the website's database.
This exposure of passwords causes major security problems for Ashley Madison users. People often use the same passwords again and again, for online banking transactions, e-commerce purchases and to access email accounts. And lots of people use those very same passwords for work purposes.
This is where the problem for corporates arises. A massive 76 per cent of corporate data breaches involve weak or stolen passwords, which means that in the Ashley Madison case, the revelation of 11.2 million passwords has serious security implications for the employers of users. The hackers have held the door wide open for any disgruntled employees or other opportunist hackers who might have a grudge against the organisations those users work at.
The worrying thing is that some organisations are still reliant on passwords alone for security, when they are just not good enough on their own to protect business systems. They are too easily cracked, hashed, phished, stolen, bought online or in some cases, guessed. Take the Ashley Madison case. In addition to cracking them, CynoSure Prime compiled a list of the top 100 user passwords. “123456” came out top, closely followed by “12345” and “password.” “abc123” and “11111” also featured highly. Never mind the days and weeks of password cracking – it wouldn't take a genius to come up with that list.
When employees hand out business cards, which feature email addresses, they are usually giving away their user names. Even if hackers don't have access to stolen data and employee passwords, as the Ashley Madison list demonstrates, the next step is often simple guesswork, or a so-called “dictionary attack”. An easy-to-remember password is often the last line of defence for corporates, and in this case the company's security is only as good as its employees' weakest password.
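The two defensive measures the preceding paragraphs point at are (a) storing passwords as salted, iterated hashes rather than a single fast hash, so that a leaked database cannot be cracked with the ease described above, and (b) refusing the passwords that head every cracked list. The following is an added example written for this article, not Ashley Madison's, Avid Life Media's or SMS PASSCODE's code; it uses only the Python standard library, and the blocklist is constructed from the passwords the article names.

```python
"""Added example: salted, iterated password hashing plus a common-password check.

Illustrative code written for this article, not the code of any company named
in it. Standard library only; the blocklist below is constructed from the
passwords quoted in the text and would be far longer in a real deployment.
"""
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed from the top entries of the CynoSure Prime list quoted above.
BLOCKLIST = {"123456", "12345", "password", "abc123", "11111"}

# PBKDF2-HMAC-SHA256 work factor. Each guess against a leaked hash costs the
# attacker this many HMAC operations, which is the whole point of the setting.
ITERATIONS = 600_000


def is_blocklisted(password: str, blocklist: set[str] = BLOCKLIST) -> bool:
    """True if the password (case-insensitively) is on the common-password list."""
    return password.lower() in blocklist


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Derive a salted, iterated hash and pack it into one storable string.

    A fresh 16-byte random salt per user means two users with the same password
    get different hashes, so every hash has to be attacked separately and
    precomputed tables are useless.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(digest.hex(), digest_hex)


def register(password: str) -> str:
    """Registration path: refuse blocklisted passwords, otherwise return the record to store."""
    if is_blocklisted(password):
        raise ValueError("password is on the common-password blocklist")
    return hash_password(password)


if __name__ == "__main__":
    record = register("correct horse battery staple")
    print(record)
    print(verify_password(record, "correct horse battery staple"))  # True
    print(verify_password(record, "123456"))                         # False
```

The stored record carries the algorithm name and iteration count, so the work factor can be raised later and old records re-hashed on the user's next successful login without a migration. A real blocklist should be loaded from a file of known-breached passwords rather than the handful shown here.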
Most organisations, wise to this, have two-factor authentication methods in place, usually using tokens. But hackers have developed sophisticated methods to circumvent even these. Some more advanced pharming, phishing or “pass the hash” attacks take users to imposter websites, use malware to capture usernames, passwords and even time-based token codes, and send the information to the hacker. Many organisations are unaware that traditional hardware tokens can be compromised in this way.
In addition to the password and the token, card or fingerprint that might make up two-factor authentication, multi-factor authentication (MFA) adds further factors to validate a user's identity. These might be the user's unique session identification, their geographic location, the time of day and so on. But what really matters is the context they are used in – for example, it's not worth capturing the geo-IP of the user if it isn't relevant to determining trust at the point of login. The right blend of variables is down to the individual organisation.
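One way to express the contextual check described above in code, as an added example written for this article and not SMS PASSCODE's product or any real login system: the password and token remain mandatory, location and time-of-day are weighed against a per-user baseline, and geo-IP is deliberately ignored for a user who has no location history, because for that user it says nothing about trust. The user baselines and the login attempts are constructed.

```python
"""Added example: a context-aware MFA decision on top of password + token.

Illustrative code for this article, not any vendor's product. Baselines and
login contexts are constructed; a real system would build baselines from
authentication logs and feed risk events to the SOC.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class LoginContext:
    username: str
    password_ok: bool
    token_ok: bool       # one-time code from the user's token verified?
    country: str         # result of a geo-IP lookup on the source address
    hour_utc: int        # hour of the attempt, 0-23
    device_known: bool   # device fingerprint / session id seen for this user before


# Constructed per-user baselines. "bob" is new and has no location history,
# so geo-IP is not a meaningful signal for him yet.
BASELINES = {
    "alice": {"countries": {"GB"}, "work_hours": range(7, 20)},
    "bob":   {"countries": set(),  "work_hours": range(8, 18)},
}
DEFAULT_BASELINE = {"countries": set(), "work_hours": range(24)}


def risk_score(ctx: LoginContext) -> int:
    """Weigh contextual factors; each factor counts only where it is relevant."""
    baseline = BASELINES.get(ctx.username, DEFAULT_BASELINE)
    score = 0
    # Geo-IP only matters when there is a location history to compare against.
    if baseline["countries"] and ctx.country not in baseline["countries"]:
        score += 3
    if ctx.hour_utc not in baseline["work_hours"]:
        score += 1
    if not ctx.device_known:
        score += 2
    return score


def decide(ctx: LoginContext) -> str:
    """Return 'allow', 'step_up' or 'deny' for one login attempt."""
    if not (ctx.password_ok and ctx.token_ok):
        return "deny"          # the two base factors are always required
    score = risk_score(ctx)
    if score >= 5:
        # Unknown device, unusual country and unusual hour together look like a
        # relayed (phished) password + token code rather than the real user.
        return "deny"
    if score > 0:
        return "step_up"       # ask for a further, out-of-band factor first
    return "allow"


if __name__ == "__main__":
    attempts = [
        LoginContext("alice", True, True, "GB", 10, True),    # allow
        LoginContext("alice", True, True, "GB", 10, False),   # step_up
        LoginContext("alice", True, True, "US", 3, False),    # deny
        LoginContext("bob",   True, True, "US", 10, True),    # allow: no geo baseline
        LoginContext("alice", True, False, "GB", 10, True),   # deny: token missing
    ]
    for attempt in attempts:
        print(attempt.username, attempt.country, attempt.hour_utc, "->", decide(attempt))
```

The scores and thresholds are the tunable "blend of variables" the article refers to; the structure that matters is that a relayed token code alone never upgrades a high-risk attempt to an allow, and that a signal with no baseline contributes nothing rather than noise.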
The Ashley Madison case should be setting alarm bells ringing for IT departments and security teams around the world, because hackers have effectively been handed the back-door keys to thousands of organisations. IT managers need the right authentication in place to give them the additional layer of security that keeps their organisations locked down.
Contributed by Torben Andersen, CCO of SMS PASSCODE