Ashley Madison Revisited: Legal, Business and Security Repercussions
Forward
Timeline of Ashley Madison data breach
For Ashley Madison, the whole mess began on the morning of July 12, 2015, when several employees received a message on their computer screens from unknown at that time intruders accompanied by the AC/DC's "Thunderstruck"* (The security journalist Brian Krebs has a lead on that matter). The criminals contacted Ashley Madison, demanding this site and another one owned by its parent company Avid Life Media, "Established Men", be shut down. Both websites did not shut down.
Time's Up!
Although the website for extramarital dating denied reports concerning a mass release of customer records happened on 21 July 2015, over 60 GB worth of data was posted on BitTorrent or on a Dark Web site accessible via Tor.
Phishing simulations & training
Whereas the first data dump was devastating for the users, the second one, occurred on 20 August 2015, exposed Ashley Madison's internal affairs – 12.7 GB of corporate emails and source code.
Perpetrators & Motives
The hackers attacked Ashley Madison call themselves "Impact Team." The group has proclaimed two motivations: Firstly, they have morally disapprove of Ashley Madison's core mission of arranging affairs between married individuals. Secondly, they have challenged Ashley Madison's business practices, in particular the fee that its users have to pay $19 for the privilege of having all their data deleted from the site (but, as it turns out, not all data was scrubbed).
Source: Ashley Madison's members by the numbers by Daniel Schwartz
Hacking in the past was all about financial gain. Now the times are changing. Ashley Madison and Sony Pictures data breaches were focused on embarrassment instead. The main target here is the company's reputation, yet its customers are constantly under the threat of falling into the "collateral damage" category.
At some time in July, Avid Life Media former CEO Noel Biderman mentioned that his team is on the verge of identifying the culprit, who was in his own belief someone close to the company; perhaps a contractor. On the other hand, John McAfee has his femme fatale theory.
Theories are good, but finding hard evidence is something very different. Investigators could close in on the criminal(s) by looking at the server used to host the torrent containing the second data dump. The box seeding the torrent was located at 94.102.63.121. Unless attackers covered their tracks with Tor or another anonymity service, the cyber forensic unit may be able to gather login IP addresses.
Ashley Madison in the Context of the CIA Triad
Information security is deemed to safeguard three main objectives:
Confidentiality – data and information assets must be confined to people authorized to access and not be disclosed to others.
Integrity – keeping the data intact, complete, accurate, and trustworthy and IT systems operational.
Availability – objective indicating that information or system is at disposal of authorized users when needed.
Note: For the purposes of this article, the abovementioned categories of objectives are examined in reverse order. Furthermore, readers should be aware that some of the aspects enumerated under each category might not fit perfectly into its traditional definition. It is a vivid illustration of disparity caused by applying theory to practice.
Availability
It is not a question of the website being unavailable. In fact, it is quite the opposite – as of 01 October 2015, Ashley Madison is still up and running, and has at no moment experienced issues related to its availability on the Internet.
Integrity
Fembot Army – they offer you protection… a lot of love and affection
After exploring the website's source code, Annalee Newitz from Gizmodo revealed in a series of articles that Ashley Madison have used artificially created profiles called fembots ("Angels" or "Engagers" in the company's parlance) to solicit visitors of the site in order to make them pay for premium or other extras offered by the professional matchmaker devoted to connecting married individuals.
Abandoned profiles of women — fraudulent or not — whose last activities had been performed before June of 2011, were transformed to the rank of Angels. It means that the readily available pictures and messages in these profiles were re-used for the purposes of creating of a fembot army.
Once the transformation is completed, an Angel's only software-driven objective in life is to engage men and offer them chance to live out their sexual fantasies. Chances are that there will be no click, unless of course someone likes affairs with less-intelligent forms of software.
Source: Ashley Madison's members by the numbers by Daniel Schwartz
Here is part of the Annalee Newitz's conclusions:
"What I have learned from examining the site's source code is that Ashley Madison's army of fembots appears to have been a sophisticated, deliberate, and lucrative fraud. The code tells the story of a company trying to weave the illusion that women on the site are plentiful and eager. Whatever the total number of real, active female Ashley Madison users is, the company was clearly on a desperate quest to design legions of fake women to interact with the men on the site."
It is deemed that the reasons for this trick is either because the active women on the site were a small portion of all users, or the company tried to prevent hooks up between real women and men in order the male contingent to keep on buying credits from the company, which are needed for communicating with other users.
It appears that there were internal struggles between leading Ashley Madison partners on whether to disclose the existence of bots and how. A vague description in the terms and conditions of Ashley Madison was their main approach. According to Newitz, a wording that clearly makes a mention of "software" or "fictitious" profiles was available in Ashley Madison's terms of service agreement for quite a while. Nevertheless, as of 27 September 2015, the company's terms of service are:
Our Site and our Service also is geared to provide you with amusement and entertainment. You agree that some of the features of our Site and our Service are intended to provide entertainment ... You acknowledge and agree that any profiles of users and members, as well as, communications from such persons may not be true, accurate or authentic and may be exaggerated or fantasy. You acknowledge and understand that you may be communicating with such persons and that we are not responsible for such communications.
As you can see, there is no qualification directly or indirectly addressing the robot-like services used by Ashley Madison in their pursuit of attracting men willing to pay for a chat or date. But is it not a little bit inappropriate to use the Term & Conditions as a liability shield when your "Complete Profile Removal" clause does not work in the first place?
No matter the real incentive, these fembots justified the investments. Analyses show that the majority of male users – about 80% – resorted to paying to join Ashley Madison after chatting with an Angel. Only some 19% of them selected paid account after communicating first with a real woman. In addition, a chart from the second data dump displays that bots were generating nearly half of the Ashley Madison's revenue.
This is not the first time the "have-an-affair" site deals with accusation related to using fembots. In one of these cases in 2013, a former Brazilian employee claimed that she sustained injuries caused as a result of being asked to input as many as 1,000 fake female members. The case was settled out of court.
This story gives a whole new meaning to the lyrics of a famous Robbie Williams' song — "I'm loving angels instead."
Confidentiality
The ex-CEO of Ashley Madison claimed that:
- AM gives users complete anonymity – the site "never asks for your real information" and the database is completely anonymous;
- Users can delete their profiles entirely – it will erase traces of "digital lipstick" on their collars.
- Ashley Madison is "the last truly secure space on the Internet".
These anecdotal statements were bold even before the incident, but now more than ever, because of the glaring mismatch between words and reality.
∞Complete Profile Removal∞
Owners of profiles are required to pay $19 to "fully delete" their profiles, and the hack proved this service to be untrue. It was good for business, though; Avid Life Media earned $1.7 million a year from payments for shutting down profiles created on the site.
×Ashley Madison's Security Practices×
When the data breach happened, Ashley Madison was given a pat on the back because of their far-sightedness to encrypt valuable information such as passwords via bcrypt, i.e., a cryptographic security algorithm difficult to crack. However, it appears that this acclamation came a bit too soon – due to errors in the programming, a group of white hackers succeeded in cracking more than 12 million Ashley Madison passwords in a week or so. In the same database where the passwords were to be found was stored an algorithm that can be utilized to unlock the hidden characters behind asterisks (******characters). In the words of Ars Technica: It is "the equivalent of stashing the key in a padlock-secured box in plain sight of that vault."
One security consultant has discovered security credentials such as database passwords, API secrets, authentication tokens and SSL private keys hard coded into Ashley Madison's source code. "Database credentials, AWS tokens probably made the lateral movement easier for the Impact Team, leading to the full breach of Ashley," the London-based security consultant Gabor Szathmari said. To prevent such lateral movements, users of a system should only be able to access those assets that are specifically tied to their role within the company. Third parties should not be able to enter beyond a given point without proper authorization credentials.
In addition, the security testers have discovered authentication tokens, SSL private keys, and API secrets hard coded into the source code. Moreover, to add some extra fuel to the fire, Szathmari confirmed the adultery website used neither CAPTCHA nor email verification to sift out bots from real customers during account creation process. Now we know that was done deliberately out of providing users with anonymity, but not only.
≤We Know Our Weaknesses≥
As it appears from the leaked correspondence between top executives at Ashley Madison, they were aware that the firm was vulnerable to cyber-attacks.
Source: Internal Docs Suggest Ashley Madison Knew Hacking Was Huge Threat by Honan and Frenkel
Other Characteristics of Ashley Madison Case
Lack of Email Verification
None of the emails used for registering to the site required verification, which means that people can create profiles with fake names. Despite the lack of verification of users' emails, for the public in general, having an Ashley Madison account is tantamount to a scarlet letter – "a mark of shame, an indelible stain on your character that says you were intent on causing pain to a partner."
Psychological Impact & Ethics
Besides broken marriages, adultery could entail grievous consequences in certain cases. Approximately 15,000 U.S. .mil and .gov email addresses were registered on the site. Using work emails is always a bad idea since they are not 100% private and could be checked on occasions like litigations, audits, technical malfunction, etc. For military personnel, getting caught cheating could be worse than being fired – dishonorably discharged and losing pension is very likely. Death sentence tops everything, of course, and that fate can befall adulterers in Saudi Arabia, or at least some owners of 1,200 .sa email addresses found in the leaked database, according to France24.
The journalist Mic Wright writes: Shame kills. He refers to an article of his about Skype extortion where criminals obtain an explicit footage of the victim, given under the impression that he or she is communicating with an attractive person of their preferred gender. Seeing the things from that angle, let's not forget that the Ashley Madison user is an average person caught in the gears between a cheaters' website and cyber criminals who targeted it.
"Social media has created an aggressive culture of public shaming in which individuals take it upon themselves to inflict psychological damage [and more often than not] the punishment goes beyond the scope of the crime," thinks the reporter Carolyn Gregoire. In addition, Graham Cluley, a British security expert, also argues that the consequence for individuals publicly shamed, in terms of psychological well-being, could be so immense so as to some of them can be bullied into committing suicide. On 24 August 2015, two suicides allegedly linked to the Ashley Madison data breach are reported by the Toronto police. A pastor from New Orleans died by suicide on 28 August 2015, and on the report of his wife, the fact that his name was among the names of the website's users was the reasons why he took his life.
Privacy Should Not be Equated to Secrecy
Those who say – If you don't have an affair, why are you so concerned what they are going to find out about your online activities? – are not exactly right. "The only individual who can make the decision of what they wish to disclose is the person themselves," as asserted by the former Ontario privacy commissioner and founder of Privacy by Design approach Ann Cavoukian.
Instead, the human right to privacy should be respected at all times. In other words, "[a]rguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say," wrote the whistleblower Edward Snowden in a public Q & A.
Derivative Crimes & "Services"
Following the hack, cyber extortions came into fashion. Criminals began demanding $200 worth of Bitcoins from people whose details are leaked out. For instance, one site promoted a "search engine" for finding persons who had profiles on Ashley Madison, but upon submitting their email addresses into the search bar, the crooks behind this scam would send to the targeted people whose names are in the database a letter threatening to expose their details unless they pay a ransom.
Other kinds of businesses strive to snatch a piece or two of the company's rotting carcass. Private detectives were in great demand ($67 per case), and Trustify offered a comprehensive review of the personal details exposed online delivered to the purchaser's in-box within 72 hours.
Post-Exploitation & Pillaging
For purposes of profile creation and cross checking, intelligence services from China and Russia are reportedly collecting and analyzing the PII released in the wake of major data breaches such as the ones against US Office of Personnel Management and Ashley Madison. It is Big Data analytics in action.
Reaction of the Targeted Website
The owners of Ashley Madison chose some rather untraditional methods to solve the predicament they are in:
1) Publicly condemned the attack:
"This event is not an act of hacktivism, it is an act of criminality. It is an illegal action against the individual members of AshleyMadison.com, as well as any freethinking people who choose to engage in fully lawful online activities. The criminal, or criminals, involved in this act have appointed themselves as the moral judge, juror, and executioner, seeing fit to impose a personal notion of virtue on all of society. We will not sit idly by and allow these thieves to force their personal ideology on citizens around the world."
2) Plea to the hacking community to turn the perpetrators in:
"To the hacking community who engage in discussions on the dark web and who no doubt have information that could assist this investigation, we're also appealing to you to do the right thing. You know the Impact Team has crossed the line. Do the right thing and reach out to us."
3) Bounty hunting:
Any information leading to the capture and prosecution of criminal(s) will be rewarded with 500,000 Canadian dollars.
4) Stretching the copyright laws:
Ashley Madison announced "Using the Digital Millennium Copyright Act (DMCA), our team has now successfully removed the posts related to this incident as well as all Personally Identifiable Information (PII) about our users published online." But does that really work? Perhaps not since leaked data is seldom considered copyrighted information
Legal Chaos
Presumably, email accounts under a different name and anonymous prepaid credit cards would have saved many marriages, as Krzysztof Szczypiorski concludes (a security researcher at the Warsaw University of Technology in Poland).
Nevertheless, the burden of data protection, and even personal privacy, should not be placed on the shoulders of common people, at least not entirely. Instead, data collectors should invest more time, funds and effort into providing adequate security of PII. Until data breaches like those against Sony, Target and Ashley Madison, the damage was concentrated primarily on the individuals whose details were stolen, but now the companies are considered liable for the theft as well.
Pursuant to the common law in the United States, a company could be held liable in the event of a data breach only if it fails to fulfil a contractual obligation to protect the data. Generally speaking, the data theft victim would still have the option to file a tort lawsuit against the perpetrator. However, the tide is turning recently – lawyers have started to take actions challenging how these norms are being construed. A fresh example of that would be the pending employee data breach case against Sony Pictures Entertainment.
What could most likely work better in the situation with Ashley Madison is the authority given under federal law to the Federal Trade Commission (FTC) to regulate "unfair or deceptive acts or practices affecting commerce." Moreover, in FTC v. Wyndham Worldwide Corp. , it has been decides that FTC regulation applies to cybersecurity as well. The case in question is about a hacked hotel chain whose consumer data was exploited to amass estimated $10.6 in fraudulent charges. Similarly to Ashley Madison, Wyndham allegedly had not lived up to its guarantees concerning its IT system, which was in breach of federal law.
Hence, if FTC successfully proves that Ashley Madison promises security (secret affairs) and then fails to ensure adequate protection (e.g., losing control over the PII of some 37 million users) in contradiction with its initial public representation, the company should be investigated by state and federal competition and consumer protection agencies.
Dealing with a class action lawsuit brought by numerous outraged customers can be costly. Although the company recorded a $55 million profit last year, at least as Forbes' 'ledgers' say, it is a pill to cure an earthquake in comparison to $760 million lawsuit filed by two Canadian law firms against Ashley Madison. A tactic preferred by some users is to sue websites and hosting companies that have put the stolen material on display, such as GoDaddy, Amazon Web Services, and sites like ashleymadisonpowersearch.com, in attempt to make the stolen data legally toxic. On the other hand, according to the security journalist Brian Krebs, Ashley Madison's former CTO Raja Bhatia hacked into a rival company back in 2012. Now the latter is threating to initiate a libel lawsuit against the blogger.
What about the criminals?
Source: Ashley Madison hackers Impact Team could face long list of charges by Daniel Schwartz
Conclusion
Ashley Madison claims they are currently doing just fine – there are still more people wanting to use the website: "Despite having our business and customers attacked, we are growing. This past week alone, hundreds of thousands of new users signed up for the Ashley Madison platform – including 87,596 women."
So is it enough just to fire your CEO and call it starting with a clean slate? Unlike the hack attack against Kaspersky Lab, which might have been beneficial to the firm for the development of more robust security products, the situation here is obviously completely different.
The hackers' ultimate goal was to take down Ashley Madison, to destroy its vile business. They might as well accomplish that goal. Company's secrets are on display for copycats to pillage and re-use them as they see fit. Unless resorting to copyright protection in rare cases, Ashley Madison cannot oppose the exposure of the source code, which in particular could lead up to others adopting in an oblique way some of their ideas. All of the confidential information is out now and people do not trust the lady with her finger raised to her lips much, prompting them to plunge into a secret affair just because the life is short.
The company promises to work harder to make its website more secure, but it is like closing the barn doors after the horse has already been stolen. The lack of trust for making Ashley Madison's secrets public and the lawsuits the company faces seem like an unbearable toll that will finish the company off soon or later.
In reference to the "Thunderstruck"* track, everyone knows the popular myth that a lightning never strikes twice the same place. Chances are this myth does not apply in information security the same way it does in nature.
The question is whether Ashley Madison can survive this blast. If it does, we will witness the there-is-no-such-a-thing-as-bad-publicity phenomenon in its purest forms as far as the digital era is concerned.
Reference List
Adee, S. (2015). After Ashley Madison: How to regain control of your online data. Available at https://www.newscientist.com/article/mg22730364-600-after-ashley-madison-how-to-regain-control-of-your-online-data/ (04/10/2015)
Bahirwani, K. (2015). Ashley Madison hack: All you need to know about the adultery website's data leak. Available at http://www.dnaindia.com/scitech/report-the-ashley-madison-hack-explained-2118036 (04/10/2015)
Biggs, J. (2015). Hackers Now Going After Ashley Madison Targets. Available at http://techcrunch.com/2015/08/24/hackers-now-going-after-ashley-madison-targets/# (04/10/2015)
Brown, K. (2015). Recapping the aftermath of the Ashley Madison hack: Suicide, fembots, cracked passwords and more. Available at http://fusion.net/story/195787/whats-going-on-with-ashley-madison/ (04/10/2015)
Goldman, D. (2015). Can Ashley Madison survive the hack? Available at http://money.cnn.com/2015/08/21/technology/ashley-madison-hack/index.html?iid=EL (04/10/2015)
Hackett, R. (2015). What to know about the Ashley Madison hack. Available at http://fortune.com/2015/08/26/ashley-madison-hack/ (04/10/2015)
Hern, A. (2015). Ashley Madison's terms and conditions told users it ran fake accounts. Available at http://www.theguardian.com/technology/2015/sep/09/ashley-madisons-terms-and-conditions-told-users-it-ran-fake-accounts (04/10/2015)
Honan, M. & Frenkel, S. (2015). Internal Docs Suggest Ashley Madison Knew Hacking Was Huge Threat. Available at http://www.buzzfeed.com/mathonan/internal-docs-suggest-ashley-madison-knew-hacking-was-huge-t#.fmElkKJl (04/10/2015)
King, H. (2015). Ashley Madison tries to stop the spread of its leaked data. Available at http://money.cnn.com/2015/08/21/technology/ashley-madison-dmca-requests/ (04/10/2015)
Krapp, P. (2015). A teaching moment in the Ashley Madison hack. Available at http://phys.org/news/2015-08-moment-ashley-madison-hack.html (04/10/2015)
KrebsonSecurity (2015). Was the Ashley Madison Database Leaked? Available at http://krebsonsecurity.com/2015/08/was-the-ashley-madison-database-leaked/ (04/10/2015)
Linshi, J. (2015). Ashley Madison Data Leak Exposes Reckless Work Email Use. Available at http://time.com/4003135/ashley-madison-email-hack/ (04/10/2015)
Lomas, N. (2015). Full Ashley Madison Hacked Data Apparently Dumped On Tor. Available at http://techcrunch.com/2015/08/19/ashley-madison-data-dumped/ (04/10/2015)
McAfee, J. (2015). John McAfee: Ashley Madison database stolen by lone female who worked for Avid Life Media. Available at http://www.ibtimes.co.uk/john-mcafee-ashley-madison-database-stolen-by-lone-female-who-worked-avid-life-media-1516833 (04/10/2015)
Millman, R. (2015). Ashley Madison's source code reveals poor security practices. Available at http://www.scmagazineuk.com/ashley-madisons-source-code-reveals-poor-security-practices/article/437495/ (04/10/2015)
Moore, H. (2015). I am part of the Ashley Madison hack. Available at http://www.cbc.ca/news/canada/manitoba/i-am-part-of-the-ashley-madison-hack-1.3205949 (04/10/2015)
Murdock, J. (2015). China and Russia collecting Ashley Madison data for intelligence purposes. Available at http://www.v3.co.uk/v3-uk/news/2418412/ashley-madison-cheating-site-hack-leaves-37-million-users-exposed (04/10/2015) AM©
Naked CIO (2015). What does the Ashley Madison hack mean for CIOs? Available at http://www.techrepublic.com/article/what-does-the-ashley-madison-hack-mean-for-cios/ (04/10/2015)
Newitz, A. (2015). Almost None of the Women in the Ashley Madison Database Ever Used the Site [Updated]. Available at http://gizmodo.com/almost-none-of-the-women-in-the-ashley-madison-database-1725558944 (04/10/2015)
Newitz, A. (2015). The Fembots of Ashley Madison [Updated]. Available at http://gizmodo.com/the-fembots-of-ashley-madison-1726670394 (04/10/2015)
Newitz, A. (2015). Ashley Madison Code Shows More Women, and More Bots. Available at http://gizmodo.com/ashley-madison-code-shows-more-women-and-more-bots-1727613924 (04/10/2015)
Pringle, R. (2015). Ashley Madison data breach may undermine privacy for everyone. Available at http://www.cbc.ca/news/technology/ashley-madison-data-1.3198070 (04/10/2015)
Roose, K. (2015). 7 times Ashley Madison's CEO bragged about the site's amazing privacy features. Available at http://fusion.net/story/185052/7-times-ashley-madisons-ceo-bragged-about-the-sites-amazing-privacy-features/ (04/10/2015)
Schwartz, D. (2015). Ashley Madison's members by the numbers. Available at http://www.cbc.ca/news/technology/ashley-madison-s-members-by-the-numbers-1.3208152 (04/10/2015)
Schwartz, D. (2015). Ashley Madison hackers Impact Team could face long list of charges. Available at http://www.cbc.ca/m/touch/news/story/1.3203279 (04/10/2015)
Wikipedia. Ashley Madison data breach. Available at https://en.wikipedia.org/wiki/Ashley_Madison_data_breach (04/10/2015)
Wright, M. (2013). Sexual blackmail on Skype: how sadistic crooks drive young people to the point of suicide. Available at http://blogs.telegraph.co.uk/technology/micwright/100009856/sexual-blackmail-on-skype-how-sadistic-crooks-drive-young-people-to-the-point-of-suicide/ (04/10/2015)
Phishing simulations & training
Wright, M. (2015). The Ashley Madison suicides: It's the hackers who should feel shame. Available at http://thenextweb.com/media/2015/09/09/the-lives-of-others/ (04/10/2015)