Monday, July 20, 2015

On morality and data breaches: thoughts on AshleyMadison

Online cheating site AshleyMadison was hacked and its patrons' personal information made public. Before pointing fingers, here are some thoughts as both a Christian and a hacker.

Late Sunday night Brian Krebs published news that online "cheating" site Ashley Madison had been the latest victim of a data breach. Given the site's business model (their slogan is "Life is short. Have an affair." I think you can infer the business model), it is tempting to sit back on our moral high horses laughing at the company and its patrons.

That is entirely the wrong response.

As a Christian, there is a clear parallel straight from Jesus' own mouth. John chapter 8 describes an incident in which a woman caught in the act of adultery was brought before Jesus to see if He would condemn her. His response caught the accusers off guard: rather than condemn her and carry out the punishment that the law at the time called for (death by stoning), He suggested that whoever had never sinned should throw the first stone.

Jesus did not condone this woman's actions. Note His parting words - "go and sin no more" - but He reminded those present (and those reading of it thousands of years later) that we should be cautious shaming others for their misdeeds, lest our own indiscretions be put in the spotlight.

In this particular incident, as is often the case, the truest victims had nothing to do with it. Krebs reports that AshleyMadison had about 37 million customers. Even if some of those customers are single or in so-called "open" relationships, there are certain to be a great many unsuspecting spouses and children whose hearts are torn to shreds in the coming days.

This is not an event to celebrate. It's an event likely to split families and cause long-lasting harm to others. Keep that in mind before gleefully posting thoughts on how "that immoral company got what it deserved."

As a security professional and one who writes about security events and lessons, I find a couple of lessons to be learned. Hackers hack. Breaches happen. As has been shown over and over again, when we choose to do business (whether online or face to face), we put a degree of trust in the party with which we do business.

The Target breach cost customers credit card numbers. The Anthem breach divulged social security numbers and other information useful in stealing one's identity. The Office of Personnel Management breach cost Federal employees personal and background check information. The Ashley Madison breach cost its customers their privacy (and perhaps marriages). While we as consumers can do little to prevent our information from being stolen in a cyber heist, we can do a few things to minimize the damage:
  1. What applies to social media also applies to business relationships: once you share something, it's out of your control. Keep that in mind when deciding how much information to provide to a company or website. Do they really need your physical address? (Perhaps, if they will be shipping you an item). Do they need your date of birth? (Perhaps, if it is a banking or medical institution). Do they need 5 credit cards stored in your profile? (Probably not.) That is not to say don't share - just be mindful of what and why you provide information to anyone, and consider providing fake information if that information is not relevant to the service being provided.
  2. "Delete my account" means different things to different businesses. It does not always mean "delete" - it may merely mean "mark as inactive and tell the customer it is deleted." Since you simply don't know, consider updating any and all personal information on your account with fake data, then use the site's "delete" option. (Hat tip to Jessie Irwin for this suggestion)
  3. Use unique passwords for every login account. Assume that at some point your password will be compromised; if a particular password is used at only one site, then only that one site needs a new password.
  4. Here's the moralist in me: if you would be ashamed to have your wife / husband / child / parent / pastor find out that you are doing something, perhaps you shouldn't do it. There: that's my one soapbox comment on this story.
  5. This is more applicable to businesses than to individuals, but it needs to be considered: an employee in a position of trust, who has secrets they might like to keep under wraps, might be highly susceptible to extortion. Is your business capable of handling an insider whose priorities are suddenly very different from your own?

Update: On August 18, the hackers followed through with their threat to expose to the public the information stolen. Private information about 37 million members was released on the Internet, kicking off a new round of gawking.

What I said a month ago still holds true, with an added word of caution: Ashley Madison apparently did nothing to verify the email address of subscribers. Thus an account in the name of an individual does not necessarily mean that person was an actual subscriber.

As a business owner or a risk manager, think long and hard before you search through the public data for email accounts or names that correspond to your company. Is there any practical action you would take based on that information, that would benefit the risk position or reputation of your company? I won't categorically say there is nothing to be gained, but I see very few -- if any -- situations where any good would come of finding an employee or business partner's name in the database.