Thursday, August 20, 2015

Ashley Madison: Random thoughts

* Prediction: The Ashley Madison data dump will feature the names of prominently hypocritical conservatives -- at first. In this way, the true political motive of this operation will be obscured.

* The latest torrent is 20GB in size, which is larger than previously-released torrents. I wonder why?

* The thought popped into my head that Ashley Madison might have been designed as a blackmail operation from the get-go. While I still would not deny that possibility, my research into the history of company founder Noel Biderman hasn't turned up anything obviously spooky. Before he started Avid Life (the company behind Ashley Madison) he was a sports attorney and a real estate wheeler-dealer.

Yes, I know that the guy is Jewish. That doesn't mean he's working with Mossad. A lot of people in Israel were unhappy with him.

* On the other hand, I'm not saying that Israeli intelligence is not involved with this. Did Biderman use ZoneAlarm (Checkpoint) to provide a firewall for his company? Checkpoint is an offshoot of Israel's Unit 8200. Also see here. I can easily see how Biderman might have trusted his company's security to an Israeli firm that I would have considered iffy.

* There's a good chance that we are dealing with an inside job:
In their announcement, Impact Team offered an apology to Mark Steele (ALM Director of Security).

"You did everything you could, but nothing you could have done could have stopped this."

ALM CEO Noel Biderman told journalist Brian Krebs that it's possible the attackers worked for his company at one point and had legitimate internal access.

"We're on the doorstep of [confirming] who we believe is the culprit, and unfortunately that may have triggered this mass publication. I've got their profile right in front of me, all their work credentials. It was definitely a person here that was not an employee but certainly had touched our technical services," Biderman said.

"Not an employee" but still somehow involved with the company? Interesting. This seems to indicate a private contractor working with Avid.

* Mark Steele has been on the job at Avid for only a brief time. Here is his LinkedIn profile.

* Valerie Plame (remember her?) tries to put the Ashley Madison hack into perspective:
Plame’s covert identity was blown in 2003 by journalist Robert Novak, using information leaked by aides to George W. Bush. Given that history, she’s particularly concerned about the recently disclosed breaches of the Office of Personnel Management (OPM)--even if that’s been eclipsed this week by the more salacious-sounding hacker attack on Ashley Madison, the website for people seeking extramarital affairs.

“As long as you’re not involved with it, it sounds funny,” says Plame, who started laughing when informed of the Ashley Madison attack. “The things that keep me up at night are things like [hackers] getting into the software system of a nuclear site.”

But she later added by email: “THIS will get the public’s attention--even if the OPM hack doesn’t!”

That agency's data breaches this spring exposed information on more than 21 million people, some 7 percent of Americans. Worse, the affected data is more sensitive than the by-now-routine names and emails and credit card data that most of us have come to expect will be stolen by cybercriminals at some point in time. The hacked OPM records contained background investigation information on federal employees and job applicants, including information about their family members and potentially even their mental health and financial history.

* On the other hand, the OPM hack and the Ashley Madison hack may link up...
Patrick Skinner, a former CIA operative now with the Soufan Group, doesn’t think so. In an email, he called it “a minor issue in terms of matching names on the Madison data dump and the OPM hack. Might bring up awkward blackmail attempts perhaps. I’m sure people will try. But one can claim the emails are spoofed.”

People in the national security community are already under extra scrutiny, but that can ratchet up if you’re having an extramarital affair, or are spotted trolling for one. That makes you a blackmail risk, and therefore a potential insider threat.

* It should always be recalled that most of the "females" on Ashley Madison were fakes, and that the correspondence was often the work of bots.

* A claimed former employee of the company has offered some amusing and revealing information:
We had WAY more men than women. The men on the site were exactly what you'd expect - horny, middle aged, sexually deprived and willing to do/pay anything for the affair of a lifetime. Poor guys, I always felt bad for them. The legitimate women on the site (we like every dating site had a huge problem with fraud/scammers/cam girls) were mostly single, looking for older married men. Lots of women looking for sugar daddies. We also got a lot of couples, looking to add a third person or another couple to their mix. As the site became more and more popular, I saw a lot more married women making their way to us but they were far more careful than the men. The men would join, post a picture of their dick and then call two hours later screaming "why has no one messaged me?!?!?!" The delusion was off the charts. I had to explain at least five times a day that sending women pictures of your dick is literally the WORST first impression you can make. 9 times out of 10 they still didn't get it and would just go upload MORE dick pics.

In all honesty, it was one of the best companies I've ever worked for. They treated their employees very well - full benefits, salary pay for ALL positions (no matter how menial) and protection. Because of the nature of the business we received death threats daily and they took every single one seriously.

As I haven't worked for ALM in several years, it is not my place to comment on their current security practices or speculate who is behind the hack. I will say that the programmers and developers at ALM are some of the greatest people I've ever met in my life and everyone over there is worried about protecting the customers' privacy. They have dealt with FAR worse than some small time hackers in the past and this will be resolved quickly and efficiently. In MY OPINION this is the work of a bitter spouse (or group of bitter spouses) of an affair gone wrong. If it's anything else, I will gladly accept it but my gut tells me it is just someone with too much time on their hands. The ALM team are beasts and won't go down without a fight.

* Many Ashley Madison users used .gov and .mil email addresses. Should you be upset that these government employees were fooling around while working for the taxpayers? Be reasonable, and keep things in perspective: Everyone fools around online while on the job. Speaking as a blogger, I can tell you that my stats always go up during work hours. Fewer people read blogs on weekends.

4 comments:

Propertius said...

There's certainly no guarantee that all the names and addresses belong to real customers. It would be trivial to insert false information into a supposed "leak" for the purpose of revenge or harassment. It's also worth noting that, according to several media accounts, Ashley Madison did not validate email addresses - so even the "valid" accounts may contain false information and implicate innocent (and possibly unknowing) people. It would have been trivial to sign someone else up for this "service" as a prank. Personally, I intend to ignore the absolute hell out of any "revelations" that purport to come from this.

Stephen Morgan said...

Of course it was originally a blackmail site. They offer a special paid service of removing your information from the site, which you can't otherwise do. And it turns out they still actually keep your information. Naughty.

James said...

With each successive hacking incident the inherent vulnerability of the IT infrastructure upon which society relies more and more heavily comes into clearer relief. Whether or not these hacks are the work of white hats, black hats, or even segments of the intelligence community really doesn't change the fact that the computer systems which manage everything from banking to air traffic control to power distribution all seem to have weaknesses - exploits, as it were - which leave them susceptible to attack. With what we've learned about the NSA's ability to compel technology companies to provide mandatory backdoor access to all of their products, it's really not that surprising.

If Ashley Madison was set up as a blackmail operation I'd still have a hard time feeling much sympathy for the morons who signed up for this service. It's been common knowledge for a while now that the majority of the female profiles on that site were bogus, so anyone foolish (and desperate) enough to sign up almost deserves what they're getting now...almost. With that being said, like you mentioned above there's no way to know that the data being released hasn't been adulterated (pun intended) between the hack and the release, meaning certain records could have been scrubbed while others could have been added; either way it's going to be an interesting ride watching the whole thing play out.

Once powerful people start taking heat (and I like your theory regarding a few sacrificial conservatives to provide authenticity) we'll probably have a better idea as to cui bono.

Propertius said...

Many Ashley Madison users used .gov and .mil email addresses. Should you be upset that these government employees were fooling around while working for the taxpayers? Be reasonable, and keep things in perspective: Everyone fools around online while on the job.

Well, maybe. Adultery is still a punishable offense under the UCMJ, punished by dishonorable discharge, loss of pay and allowances, and up to a year of imprisonment, so active-duty military could suffer a lot more than embarrassment for being outed.