Never mind sophisticated hackers and nation-state cybercriminals: Suspicions concerning this week’s hack of a dating service that encourages infidelity suggests all it may take to destroy a corporation (and the lives of potentially millions of customers) is a disgruntled IT guy.
In light of the apparent compromise of Ashley Madison, a site whose slogan is “Life is short. Have an affair,” state-sponsored cyberattacks may pale in comparison with what the chief executive at the latest high-profile target to be hacked is calling an inside job.
Hackers styling themselves as the Impact Team have taken credit for infiltrating the computer network of Ashley Madison’s parent company, Avid Life Media, and acquiring a trove of sensitive user data purported to pertain to some 37 million account holders.
On Sunday, the group said it would publish the data unless Ashley Madison goes offline for good, blaming ALM for keeping customer records that it had promised to purge and the clientele for its own immorality.
“Too bad for ALM, you promised secrecy but didn’t deliver,” the hackers wrote in a statement first obtained by security reporter Brian Krebs. “And with over 37 million members, mostly from the US and Canada, a significant percentage of the population is about to have a very bad day, including many rich and powerful people.”
The ALM hack comes on the heels of the Sony hack last year and the recent massive security breach at the Office of Personnel Management, suggesting that anyone with a digital footprint may want to consider that any information is vulnerable to disclosure.
Forensics specialists, security professionals and law enforcement agencies have been summoned to investigate the dating site breach, according to ALM.
But the Impact Team reportedly has posted evidence of its hack that suggests it very well may follow through with promises of publishing the rest of its pilfered cache, “including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails.”
Noel Biderman, the chief executive officer of ALM, told Mr. Krebs that while the hacker “definitely … was not an employee,” it “certainly” was someone “here” who “had touched our technical services.”
Squadrons of elite cyberwarriors backed by the budgets of nation states such as North Korea and China are, as far as the U.S. government is concerned, responsible for two of the biggest security breaches to unfold over the Internet in recent years.
The regime of Kim Jong-un orchestrated the Sony Pictures Entertainment hack estimated to have cost Hollywood more than $15 million, according to government officials, and Beijing is being considered by and large in Washington to be the most likely culprit behind the recent breach of the OPM that is said to have compromised the Social Security numbers, biometric records and home addresses of tens of millions of people who worked for the government, applied to do so or, in some cases, were merely used as personal references.
If Mr. Biderman is right, however, then what remains of his multimillion-dollar company’s reputation — and those of potentially millions of adulterers — may have been squashed not by a cyberarmy operating out of a bunker in Pyongyang with blacked-out windows, but by an information technology worker who may just have had a hard day or, in this specific case, might have been angry at a spouse’s adultery.
According to AlgoSec, a New Jersey-based security firm, entities across the board are becoming increasingly concerned about threats posed by insiders and privileged third parties when it comes to protecting user data or proprietary records.
Whereas 62 percent of organizations polled by AlgoSec in 2013 said that insider threats posed the greatest risk, that number surged to 73 percent last year.
With respect to organizations that outsourced their IT work, only 12 percent said they were “very confident” in the protection being offered, the latest poll found, with half of the respondents acknowledging being either “not confident” or only “somewhat confident” in third parties.
The results of a separate poll conducted by SolarWinds and Market Connections and published this year similarly found that IT stakeholders were becoming increasingly concerned about the risks of insider threats.
Before the OPM hack, two of the biggest breaches against the U.S. government — the loss of State and Defense Department materials to WikiLeaks and the intelligence documents pilfered by National Security Agency contractor Edward Snowden — were the work of credentialed personnel who disclosed sensitive information that they accessed legitimately.
“Third-party insiders constitute an underestimated threat to U.S. critical infrastructure,” the Department of Homeland Security concluded in a 2013 report.
“The common feature of all malicious insiders is tactical advantage. Sometimes the insiders are organizational vulnerabilities — adversarial force multipliers — who can operate relatively unfettered. Malicious insiders are not only aware of an organization’s vulnerabilities; they also may have purposefully created the very vulnerabilities they intend to exploit,” Homeland Security warned.
“If this turns out to be, in fact, an insider job,” said New York security researcher Hector Monsegur, “it really shines on reality that there’s very little security.
“Yes, you can have a very secure infrastructure and, yes, you can have your entire database encrypted and hidden,” Mr. Monsegur said.
However, he said, any rogue systems administrator, data center operator or intern with administrative credentials could render all of those supposed safeguards entirely meaningless.
“Remember, ‘the cloud’ is just someone else’s computer,” said British security researcher Zammis Clark. “If something gets stored online anywhere, no matter how private you think it is, it will get exposed at some point in the future,” Mr. Clark said, adding that improving operational security — or protecting personal presentation, in real life and in the digital sphere — is key to keeping personal and potentially marriage-ruining details from being leaked.
Absent any evidence that would support attribution, Mr. Monsegur said the Ashley Madison hack is “definitely a rude awakening for people who think their data is secure.”
He also raised concerns about Mr. Biderman’s inside-job theory and suggested that the hackers may have had motives other than embarrassing ALM and its users.
If the hackers were taking aim at ALM’s supposed unwillingness to delete user records upon request, Mr. Monsegur said, then why didn’t they expunge that evidence themselves after infiltrating the network?
“Obviously [their] intention wasn’t to safeguard these people’s privacy,” he said.
A media representative for ALM deferred all questions Monday to a statement published earlier in the day in which the firm promised that “Any and all parties responsible for this act of cyber-terrorism will be held responsible.”
The website for Ashley Madison was still online Monday evening, although hackers had yet to publish personal details as promised.
In May, another adult-oriented dating site, AdultFriendFinder, suffered a similar breach in which details of 3.9 million users — including online aliases, email addresses and sexual preferences — were leaked to the Web.
Analyses of the AdultFriendFinder dump quickly indicated that employees of the Homeland Security Department, the Federal Aviation Administration and the District of Columbia’s Metropolitan Police Department all had registered for the site using government-provided email addresses.