Today it has been confirmed that AshleyMadison.com, a "discrete" dating website for married men and women to have extramarital affairs has been targeted by a group of hackers calling themselves the "Impact Team."
The Impact Team are demanding that Ashley Madison and its partner site Established Men be shut down, having already posted some of the stolen data online.
We've asked our Forensic Manager, James Allman-Talbot, about what happened, what this means for Ashley Madison's future, and how it could have been prevented.
1. The Ashley Madison case has hit the media today. This was clearly a very targeted attack – how often are attacks like this seen against individual companies?
You’ll usually see targeted attacks such as this one when a hacking group has a specific motivation for doing so. In this case, the group responsible is stating that they do not agree with Ashley Madison’s policy of charging users to delete their profile — a policy which, as a result of this attack, they have decided to revoke. When it comes to payment card data breaches, hackers are somewhat unlikely to target a specific company and will instead pick their targets at random, usually using a piece of software that will scan all web servers on the internet for known vulnerabilities that they can subsequently exploit. Websites with higher visitor numbers are at slightly higher risk of attack, purely because attackers will want the best “bang for their buck” and will go for targets where there is a potential for a large cache of payment card data to be found - other than that, they don’t often discriminate between targets.
2. Now that the data is in the hands of the attackers, how would Ashley Madison be able to firefight against the data leaking online?
Ultimately, there isn’t really a lot that can be done. Once the data is outside of their area of control, it is impossible to determine where it may end up or what may happen with it. Ashley Madison have stated that they are using the Digital Millennium Copyright Act (DMCA) in order to serve takedown notices to anyone found to be hosting the leaked data online, although this will only be effective with law-abiding websites that will act on the notice. It also relies on Ashley Madison being able to identify every single copy of the data hosted online, which is an unlikely scenario. Although they may be able to limit the exposure, it is certainly impossible to guarantee that the data will never be leaked online - only the attackers that obtained the data will be able to do that.
3. Could this attack have been prevented? If so, what were Ashley Madison doing wrong?
It’s difficult to say without knowing the details of the attack itself or of the Ashley Madison infrastructure, but certainly there are steps that any website can take to reduce the risk of successful breach. Things like file integrity monitoring, malware scanning and a web application firewall can give websites the controls they need to either prevent a breach, or detect a potential breach as soon as it occurs. With the appropriate monitoring and policies in place to govern the reaction to any detected events, just those security controls alone will detect the vast majority of breaches that we see every day.
For more information on protecting your website with File Integrity Monitoring, Malware Scanning and a Web Application Firewall, visit www.foregenix.com/fgxweb.php