Welp. It’s getting pretty funny, really. At some point it’s going to get sad. In the interim, the Ashley Madison hack can be rather informative. Right off the bat I feel like I should put up a couple of links to some database search tools, as if you found this post inexplicably well indexed off of the net, that’s probably all you really care about. You’ll note that neither of those servers are located in the US (this is what happens to those that are) so maybe be careful about the addresses you put in there. That said, given how quickly these went up, it’s probably as safe as anything to run a query. However, outing people isn’t really what interests me the most. Of course there’s always schadenfreude and this vague sense that justice is somehow being served here… but I think there’s a lot more to be gleaned from this hack than that.
There have been a few hacks like this of late… for instance the Mt. Gox hack wherein an as-of-yet unidentified hacker made off with almost half a billion dollars in bitcoins, or of course the more recent Sony Pictures Entertainment hack in which private e-mails, salaries, and just about anything you could possibly want to know about the company was leaked. Data miners have a field day with shit like this. In the case of Mt. Gox, it was revealed that they had slapped the entire bitcoin exchange together with shitty code by what/who was clearly the lowest bidder. The exchange simply wasn’t secure, so of course it would get hacked. Hubris is a common executive failure in my experience. The asshole that ran that exchange, Mark Karpelès, just didn’t give a shit. Corporate laws being what they are, Mt. Gox filed for bankruptcy protection and is not liable for the loss beyond that. Typical. For Sony Pictures, the fallout was a little bigger. The group responsible, the ironically named “Guardians of Peace” was likely a North Korean backed group that demanded a halt to publishing “The Interview” which depicted the death of Kim Jong-un. There’s actually another movie in the works about the hack itself. At over 100 terabytes, the hack included everything from unreleased movies, screenplays, e-mails, personnel records (salaries, resumes, projects, everything), contracts, legal paperwork, tax records, you name it. Liabilities aside, what a treasure trove of information for the unscrupulous! One could read up on all hiring contracts, to get an idea of who gets paid and who gets screwed. You could paruse the legal documents and learn about entertainment industry contracts as they apply to IP (such documents are usually sealed under NDAs). You could build a map of resource and personnel allocation for large companies, just to get an idea how it all works if nothing else. You could cross reference professional development/training with internal promotions to see if there’s even a correlation with continuing education and pay. I could go on and on. To put it another way, Sony had years upon years of careful OPSEC… I’m sure many have been fired for OPSEC violations, and it was all for naught with this one hack. Unlike previous disruptive DDoS attacks Sony has faced in the past, this one was probably an inside job, and likely to generate significant litigation. Of course Sony’s lawyers are probably getting pretty good at these types of class action suits… but in the case of Sony Pictures, the liability may be higher.
…and so it is with Ashley Madison. The CEO said he suspected a contractor was involved. Apparently this contractor was named to police, but they came up with nothing and no arrests have been made. It’s unlikely The Impact Team going to get caught. Security sites all over the place are noting how well the data was scrubbed for clues about it’s origin, and how carefully the Tor network (the backbone of the so-called “dark web” which hosts sites like the former Silk Road, a site where you could contract a killing and buy a bunch of drugs with Bitcoins) was used in that even the stage 1 server was not logging very much. As for Avid Life Media (ALM), the company that owns the site, well… they are pretty much fucked. This is bigger than the news stories yesterday were reporting. For starters, personal client information is just the tip of the iceberg on this one. Yesterday’s data dump included everyone who had set up an account w/ Ashley Madison. That in itself sucks for ALM. Once all the divorces work their way through the system, you can bet ALM is going to get hit with suits. There’s another angle on that too: you see, ALM gave their clients the “opportunity” to opt for a total account wipe / data scrub when closing an account that was supposed to completely remove your information from the servers. ALM made around $1.9 million (estimates vary) doing this. Guess what never got done? Yup. Those names, message traffic, pics, card numbers, etc… are all still in the system. I’d call that a breach of contract. Not only that, consider this: You work for some asshole, and know he’s been cheating on his wife for years. You want that assholes job… so you use his e-mail addresses and, shocker, he’s got an account. You load up the evidence and shoot an anonymous e-mail to his wife and the corporate e-mail list. Bam! The position is now available. There’s more you could do with the client list. BUT WAIT! There’s a lot more unreleased data to come, people, because The Impact Team isn’t done. Today they released a 20GB file (yesterday’s staggering leak was only ~10GB) which may contain Avid Life Media CEO Noel Biderman’s personal e-mail. Yikes! Is that guy sweating yet? …because he needs to start if he hasn’t. It’s also rumored to contain the entirety of the core website’s design, which I would be totally fascinated to pour over.
Still, not everyone is a loser here. A quote from Divorce Lawyer, Steve Mindel: “We’re all saying: ‘It’s going to be Christmas in September.’ Pretty soon all of this stuff is going to surface and there’s going to be a lot of filings for divorce directly as a result of this.”
There’s going to be a lot more to come…
Ashley Madison Faces $578M Canadian Class-Action Lawsuit
Ashley Madison leak includes defense department, House of Commons credit card data
Ashley Madison Hackers Release an Even Bigger Batch of Data
Blackmailers target members of hacked dating site
Wife starts first Ashley Madison divorce proceedings
Update 2: 8/24/15 – Now for the sad and the more…
‘Suicides’ over Ashley Madison hack
Ashley Madison hack: Photos and private chats are next to leak
$500,000 Reward Offered In Ashley Madison Breaches