What the Ashley Madison Hack Means for Cybersecurity
For about 37 million people this week, issues that may seem abstract – cybersecurity and the importance of privacy online – became a real-life concern in the blink of an eye. A group of hackers called Impact Team breached the databases of Ashley Madison, an online dating site that caters to people who want to have affairs, and posted some of the stolen data online. The hack was first reported by cybercrime expert Brian Krebs on Sunday evening.
The hack raises important questions about what private companies and government agencies are doing to ensure the security of their users’ and employees’ data, a concern all the more urgent following an attack on the U.S. Government’s Office of Personnel Management earlier this year that was attributed to Chinese hackers. Databases holding information on over 22 million federal workers and their families were compromised in that seizure.
The FBI responded with a move that left many experts concerned it would make U.S. citizens’ data even more vulnerable: In testimony before Congress earlier this month, Bureau Director James Comey proposed that technology companies create “backdoor” entrances to their platforms in order to allow law enforcement to access the hidden data while protecting it from other intruders – at least in theory. (In the same appearance, he said the FBI was in favor of strong encryption. The FBI did not immediately provide a comment on the Ashley Madison hack.)
In practice, what Comey is asking for is impossible, according to an open letter written by several leading cyber security experts. “Whether you call them ‘front doors’ or ‘back doors,’ introducing intentional vulnerabilities into secure products for the government’s use will make those products less secure against other attackers,” the experts wrote in a letter to President Obama. “Every computer security expert that has spoken publicly on this issue agrees on this point, including the government’s own experts.”
Although it’s hard to draw direct connections between Comey’s proposal and the circumstances that made the Ashley Madison hack possible, security experts warn that as a general rule, creating access for law enforcement will make everyone’s data less secure.
“There’s a growing recognition that if a company can access user communications, it creates a central point of failure that’s very attractive to hackers,” says Julian Sanchez, a senior fellow at the Cato Institute. “The best security guarantee a company can offer is: ‘You don’t have to trust us, because even we can’t read your messages. If we’re compromised, your data is still safe.’ That’s not a guarantee every site will want to (or be able to) make, but we are seeing a growing market for sites that take that approach.”
Sanchez added that there are specific cases in which intruders have gone in through the very door that was created for law enforcement. “Definitely in the case of Greek Vodaphone, where a lawful intercept function in some equipment was exploited to wiretap prominent business and political figures, and possibly also in the case of an attack on Gmail a few years ago,” says Sanchez.
The ACLU’s Ben Wizner follows the debate around privacy and mass surveillance closely, and he thinks the Ashley Madison leaks may help put to bed one of the great fallacies in the conversation. “I think there’s a growing sense that the ‘I’ve-done-nothing-wrong-so-I-have-nothing-to-hide’ mantra is silly nonsense,” says Wizner, director of the ACLU’s speech, privacy and technology project. “Every one of us has some information, sitting somewhere, that, if published, would cause us real harm, if not ruin.”
Impact Team appears to have been motivated by anger at a profile deletion service Ashley Madison offered but failed to deliver on. The site – whose tagline is “Life is short. Have an affair” – offered a service to completely delete a user’s account for $19. Impact Team says this was a scam. They claim Avid Life Media, the company that owns Ashley Madison, “netted $1.7 MM in revenue in 2014,” but that “Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed.”
As of Monday afternoon, the amount of data posted remained unclear, but Impact Team has demanded ALM take down Ashley Madison and another of their sites, called Established Men. They have threatened to release data on all the profiles if those demands are not met.