Just because the now infamous Ashley Madison data leak is headlined alongside “adultery and cheating partners” does not mean it holds no lessons for the rest of us.
The formal investigation found Ashley Madison’s security to be woeful: the company dropped the ball on some pretty basic controls. Can you be certain this story could not be your story?
- Reminder of the story
- In July 2015, attackers stole some 36 million user accounts from Ashley Madison, a site for cheaters run by Avid Life Media (ALM, which recently rebranded itself as Ruby Corp.).
- After the breach the attackers published a 10GB dump of user details, followed by a further 20GB dump.
- The report
- Ashley “100% discreet” Madison’s security, before its breach, was as flimsy as tissue paper, according to a new report. A joint investigation by Canada’s Privacy Commissioner and the Australian Information Commissioner (http://bit.ly/2biI7Xn ) found that the security failings leading up to the July 2015 breach, the subsequent online dumps of user data and the related extortion attempts included:
- A “fictitious Trustmark icon” on its home page to reassure users.
- Storage of encryption keys in regular text files that were easy to spot.
- Sending passwords in plain text in emails.
- Inadequate authentication for employees in accessing systems remotely.
- Storing the “shared secret” for remote access (a common passphrase used by all VPN users) on the company’s Google Drive, meaning it was available to anyone, anywhere, who could access an employee’s Drive on any device.
- The investigation scope
- The investigation into Toronto-based ALM’s practices focused on four key areas:
- information security,
- retention and deletion of user accounts,
- the accuracy of email addresses, and
- transparency with users.
- The investigators found
- The report found that ALM violated privacy laws in both Canada and Australia.
- ALM stored passwords in plain text in emails and files, even though the company supposedly only kept hashes created by passing users’ passwords through a key derivation function (in this case bcrypt – http://bit.ly/2cao9DJ).
- Passwords were hashed using bcrypt, except for some legacy passwords that had been hashed with an older algorithm.
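The hashing finding above is worth seeing in code. The following is an added example, not code from the report or from ALM: a legacy unsalted hash beside a salted key derivation function, with the legacy record re-hashed transparently the next time the user logs in, which is how a site clears out "older algorithm" hashes without a password reset. Two assumptions are labelled in the code: the page does not name the older algorithm, so unsalted SHA-1 stands in for it; and bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 (same structure: per-user salt, tunable cost, constant-time comparison) stands in for bcrypt.

```python
"""Added example (not from the report or ALM's code): legacy unsalted hash vs.
salted KDF, with re-hash on login.

Assumptions: the legacy scheme is modelled as unsalted SHA-1 (the page does not
name it); PBKDF2-HMAC-SHA256 stands in for bcrypt because the stdlib has no bcrypt.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

PBKDF2_ITERATIONS = 600_000  # cost parameter; raise it as hardware gets faster


def legacy_hash(password: str) -> str:
    """Unsalted single-pass hash (the 'before' case): identical passwords give
    identical hashes, so a precomputed table cracks a whole dump in bulk."""
    return "sha1$" + hashlib.sha1(password.encode()).hexdigest()


def kdf_hash(password: str, salt: Optional[bytes] = None,
             iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated hash. Fresh random salt per record unless verifying."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(stored: str, password: str) -> bool:
    """Check a password against either stored format in constant time."""
    if stored.startswith("sha1$"):
        return hmac.compare_digest(stored, legacy_hash(password))
    scheme, iters, salt_hex, _ = stored.split("$", 3)
    if scheme != "pbkdf2_sha256":
        return False
    candidate = kdf_hash(password, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(stored, candidate)


def needs_upgrade(stored: str) -> bool:
    """Legacy records, or KDF records below the current cost, get re-hashed."""
    if stored.startswith("sha1$"):
        return True
    _, iters, _, _ = stored.split("$", 3)
    return int(iters) < PBKDF2_ITERATIONS


def login(store: Dict[str, str], username: str, password: str) -> bool:
    """Verify; on success, migrate the record while the cleartext is in hand."""
    stored = store.get(username)
    if stored is None:
        kdf_hash(password)  # burn equivalent work so unknown users are not timing-distinguishable
        return False
    if not verify(stored, password):
        return False
    if needs_upgrade(stored):
        store[username] = kdf_hash(password)
    return True


if __name__ == "__main__":
    # constructed sample store: one legacy record, as a migration would start
    users = {"alice": legacy_hash("correct horse battery staple")}
    print("login:", login(users, "alice", "correct horse battery staple"))
    print("record now:", users["alice"].split("$")[0])
```

The point of `needs_upgrade` is that the same hook also retires under-cost records later, so raising `PBKDF2_ITERATIONS` (or a bcrypt work factor) is a one-line change rather than a migration project.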
- FAIL Examples from the report include
- Encryption keys – the investigators found that ALM’s network protections did, in fact, include encryption of all web communications between the company and its users. BUT the encryption keys were stored as plainly identifiable text on ALM’s systems, leaving any encrypted information at risk of disclosure to anyone who reached those systems.
- Trustmarks – the investigators found that at the time of the breach the Ashley Madison homepage carried various stamps suggesting a high level of security, including a “medal icon” labelled “trusted security award”. This mark was completely fabricated and self-bestowed, as ALM officials later admitted before removing it. The Privacy Commissioner of Canada, Daniel Therrien, said in a statement [www.priv.gc.ca/media/nr-c/2016/nr-c_160823_e.asp ] that this means Ashley Madison’s users never properly gave consent: “The company’s use of a fictitious security trustmark meant individuals’ consent was not obtained properly.”
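Keys left as plainly identifiable text, and a VPN shared secret sitting in a document store, are exactly the things a routine sweep finds before an attacker does. The following is an added example, not from the report: a small scanner that walks a set of files looking for PEM private-key blocks and for credential-style `name = value` assignments whose value is long and high-entropy enough to be a real secret. The sample files, the entropy threshold and the keyword list are constructed assumptions for this example; the PEM body is filler, not a real key.

```python
"""Added example (not from the report): scan files for plaintext keys and
shared secrets. Sample files, keywords and the entropy threshold are
constructed assumptions for illustration."""
import math
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    path: str
    line: int
    kind: str
    value: str


# PEM private-key header, with or without an algorithm label (RSA, EC, OPENSSH...)
PEM_HEADER = re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")

# name=value or name: value where the name suggests a credential and the
# value is at least 16 chars of the characters hex/base64/urlsafe keys use
SECRET_ASSIGN = re.compile(
    r"(?i)\b(secret|password|passwd|api[_-]?key|private[_-]?key|token|psk)\b"
    r"\s*[=:]\s*['\"]?([A-Za-z0-9+/=_\-]{16,})"
)

# assumed threshold: random hex is ~4 bits/char, English prose ~2.3
MIN_ENTROPY_BITS_PER_CHAR = 3.0


def shannon_entropy(s: str) -> float:
    """Bits per character of the value; low entropy usually means a placeholder."""
    if not s:
        return 0.0
    n = len(s)
    counts = {c: s.count(c) for c in set(s)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def scan_text(path: str, text: str) -> List[Finding]:
    """Return one Finding per offending line in a single file's contents."""
    findings: List[Finding] = []
    for no, line in enumerate(text.splitlines(), start=1):
        if PEM_HEADER.search(line):
            findings.append(Finding(path, no, "pem-private-key", line.strip()))
            continue
        m = SECRET_ASSIGN.search(line)
        if m and shannon_entropy(m.group(2)) >= MIN_ENTROPY_BITS_PER_CHAR:
            findings.append(Finding(path, no, "credential-assignment", m.group(2)))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan an in-memory {path: contents} map; swap in os.walk for a real tree."""
    out: List[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# constructed sample files: a key file, a how-to note with a shared secret, and
# a harmless settings file that should not be flagged
SAMPLE_FILES = {
    "config/tls.key": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEowIBAAKCAQEAfillerfillerfillerfiller\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "docs/vpn-howto.txt": (
        "Connect to vpn.example.test\n"
        "shared secret: 7f3a9c2e1b8d4e6f0a5c3b9d8e7f6a1b\n"
        "Then enter your username.\n"
    ),
    "app/settings.py": "password_policy = 'min 12 chars'\nDEBUG = False\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.kind}: {f.value[:24]}...")
```

The entropy gate is what keeps `password_policy = 'min 12 chars'` and obvious placeholders out of the results; a hex VPN secret or a base64 API key clears it easily. Run the same logic over exported shared-drive documents as well as source trees, since that is where this report says the shared secret was found.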
- Comment
- Marc Dautlich, an information law expert at Pinsent Masons, had this to say to the BBC: http://bbc.in/2bMN5MO
- Ashley Madison’s shortcomings were avoidable through relatively straightforward measures.
- Moreover, the cost of the consequences which it has now incurred is far greater than the cost of prevention would have been.
- Recommendations
- Both the Canadian and Australian commissioners issued recommendations aimed at helping ALM get into compliance with privacy laws, and published takeaways that all organisations can use. These suggestions are worth a look.
Want To Learn More To Manage The Risk Shown Above
- Comsure is hosting the 1st of its x4 cyber security workshops on September 4. See flyer here [click here]. Importantly, these x4 workshops will not be technical, as the programme is for the “Non-IT Community”.
- As you will appreciate this topic is [should be] top of a Director’s, Key Person’s (e.g. MLRO/MLCO) and other employees’ education programme particularly after the recent JFSC Dear CEO letter on 22 February 2016 [click here to read the letter]
- With all this in mind I hope you agree these workshops are a MUST for everyone, and to encourage you to participate I would like to offer you (or another colleague) ONE FREE SPACE on each of the four events (four [x4] complimentary workshops for you or a colleague).
- For more details, you can see the Full Programme Of Current Training [Click Here]
Link Library
- See flyer here [click here] https://training.comsuregroup.com/wp-content/uploads/workshop-flyer-nobleed.pdf
- JFSC Dear CEO letter on 22 February 2016 [click here to read the letter] http://www.jerseyfsc.org/pdf/JFSCCyberLetterFeb2016.pdf
- Full Programme Of Current Training [Click Here] https://training.comsuregroup.com/