Another Year, Another Breach
Reports and statistics tallying 2015 data breaches are now available. One of the most staggering statistics is from the Identity Theft Resource Center (ITRC), which reported that over 140 million records have been exposed in 2015 across the business, educational, government and health care sectors. If you have a credit card, Social Security number or password, then you are likely a victim in one or more breaches. I know that I personally have had to replace one credit card three times in 2015 due to compromises at merchants online as well as in-store.
Of the breaches so far this year, few have made the evening news, but one has emerged with a bit of notoriety: the Ashley Madison breach. Now, I know there are critics out there that think this blog is just a sensational one-time shot in the dark to get attention from a saucy online service. However, there some important lessons to observe about the Ashley Madison breach that make it a bit unique and worthy of commentary.
The Ashley Madison Statistics
Just to ensure we understand the extent of the breach, let’s review some of the hard facts reported by Ars Technica:
- The Ashley Madison breach included usernames, first and last names and hashed passwords for 33 million accounts, as well as partial credit card data, street names and phone numbers for a huge number of users. There were also records documenting 9.6 million transactions and 36 million email addresses.
- The leak included PayPal accounts used by Ashley Madison executives, Windows domain credentials for employees and numerous proprietary internal documents.
- Passwords were protected by the bcrypt hashing algorithm and were considered secure — but were they?
Lesson 1: Storage Is Cheap, but Data Is Very Valuable — Split Your Data
I personally don’t know any victims of the Ashley Madison breach, but I assume they considered their privacy very, very important. These customers didn’t care how much storage was being used in the cloud, how many developers worked on the software, how it was written, the bandwidth consumed or any other technical details. What the customers cared about was one thing: privacy. Given the nature of the business, these customers had a reasonable expectation that their privacy would be better protected.
Storage is cheap, and by all accounts, storage in the cloud is limitless, but that does not mean that we should nonchalantly presume it is secure — even if it is encrypted (more on that later). For cloud-based applications, including those from companies like Ashley Madison, the necessity of privacy through encryption or other means is table-stakes.
The bottom line is this: If there is no privacy, there is no business. It doesn’t matter if you’re selling services like Ashley Madison or sacks of hammers. If a business is unable to protect the account, transaction and credit card information of the customer, then there’s no business because no customer will be willing to subject their information to the potential threat of theft. It is the data and the privacy of that data that is critical. Without that foundation of privacy and protection, nothing else matters.
But data protection is easy and becoming easier through the use of encryption, key management and novel, cloud-based data separation solutions.
Putting Security Eggs in One Basket
It was easy for attackers to collect the data from Ashley Madison because once they had access to the database of account information, they merely had to download it from a single location. I know this is a little easier said than done, but the fundamental weakness existed: All data eggs were in a single basket, and once the cybercriminals could access the basket, they could make copies of that one basket and all the eggs contained therein.
Although Ashley Madison’s eggs were supposedly protected and the passwords were encrypted, they were still in one basket. This is a problem for two reasons.
First, it is no longer necessary to keep all data (eggs) in a single location or database because of modern tools and technologies. The newer and more secure strategy is to split data into slices as well as encrypt it and store separately.
This approach requires the perpetrator to not find the treasure chest and the key, but instead find all pieces of the treasure chest, find all pieces of the key, reassemble them and then find a way to unlock the chest. This is a fundamentally more challenging problem for any thief.
Do approaches such as data splitting and encryption take more space? It does and it will (more baskets or treasure chest pieces represent more space in our analogy), but that’s irrelevant because it is the privacy of the data that matters, not the space.
Lesson 2: When You Find a Mistake in Security, Fix It Immediately!
The Ashley Madison breach was bad enough when the data was compromised and accounts were stolen. However, the aspect of the breach that makes it so much worse is the fact that the passwords were compromised on 11 million of those accounts. And for those poor souls who had their account information published, the attackers now have published their passwords, as well. We will get to the reason for the password compromise a little later, but let’s first understand the impact of the compromised passwords.
We know that human behavior is to renew, reuse and recycle. This is especially true for passwords. There is a high likelihood that you are using a similar (if not the same) password for multiple accounts. It’s easier to remember that way. However, once your password is compromised, perpetrators can more readily and easily gain access to accounts you use for your social network, work employment or personal email because they know your name, username and the pattern of your password. It’s reasonable to assume that cybercriminals will try similar passwords on your other accounts and, as a result, gain quick access.
In the particular case of Ashley Madison, if your spouse found your name on the list of compromised accounts and then got access to your password — which he or she could probably guess anyway — his or her ability to check your other accounts would be trivial and your life of pain would just be beginning.
How Did Attackers Get Access to the Passwords?
When the cybercriminals breached the website, they were able to access the source code that was used to protect many of the original passwords. With this code, they saw the approach that the Ashley Madison developers used to protect the passwords and found a weakness. CynoSure Prime provided a great description of the code used to protect the passwords and how it was originally built upon the weaker MD5 algorithm.
Furthermore, the developers at Ashley Madison knew their approach was weak ,and when they realized it wasn’t that secure, they changed the password protection method by using stronger algorithms. But they failed to go back to the 11 million earlier passwords and protect them with the newer, stronger algorithms. As such, instead of taking years or decades to crack the code, it only took days for attackers to reverse the 11 million passwords, which represented approximately one-third of the accounts compromised as a result of the breach.
History Repeats Itself — Again
In 1586, Mary, Queen of Scots, learned firsthand the punishment for using weak security. She lost her head — literally — as the result of using a weak form of encryption when communicating with her compatriots in an effort to plot her escape from prison and take over the throne of England from her cousin, Queen Elizabeth. This event is known famously as the Babington Plot.
That was over 400 years ago, and we continue to see the same error. Ensuring protection of data via security measures such as encryption, data splitting, key management, logging, event management and strong authentication is commonplace, but we continue to take shortcuts to the joy of cybercriminals, thieves and spies.
What Can Be Done to Avoid Compromises Like Ashley Madison?
Follow these simple rules to avoid the mistakes of Queen Mary, Ashley Madison and others: Get a plan for encryption and key management. Follow standards. Design your systems so that keys are the only way to get access to data and split your data so that it is not all in one place. Make certain that the cost to compromise your environment exceeds any value that an attacker can obtain from your data. Minimize the blast radius if a compromise were to occur through the use of data-splitting technologies.
Breach attempts will continue because data is worth money — but they don’t need to be successful.
Keep your head. Keep your data. Keep your customers. Don’t be like Ashley Madison.