Thursday 23 July 2015

Ashley Madison Breach Redefines Ethical Hacking

Hackers known as the Impact Team have compromised the personal information of 37 million members of cheating website Ashley Madison. To date, two users' personal information has been revealed.
Krebs on Security revealed part of the Impact Team's message.

The Impact Team's motivation? To shut the website down.

At issue is Ashley Madison's "full delete" feature, an option that charges users to remove all evidence of their existence from the website. 

According to Krebs on Security, the Impact Team justified their actions: “Full Delete netted ALM $1.7mm in revenue in 2014. It’s also a complete lie. Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed.

“Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails. The other websites may stay online.”

Ashley Madison countered the claim in a July 20 acknowledgement of the hack: “Contrary to current media reports, and based on accusations posted online by a cyber criminal, the “paid-delete” option offered by does in fact remove all information related to a member’s profile and communications activity. The process involves a hard-delete of a requesting user’s profile, including the removal of posted pictures and all messages sent to other system users’ email boxes.” 

A closer look reveals “full delete” is just the tip of Ashley Madison’s privacy shortcomings.

In a 2012 Inc. interview, Ashley Madison founder and CEO Noel Biderman referred to his website as a “sociology experiment” and to himself as the “gatekeeper” of its data: “We realized we have so much anonymous data and we could go through our data to show the true reasons men and women have affairs, what their demographics are, whether there really is a two-year itch or a seven-year-itch.”

The fact is, hacked or not, users of Ashley Madison have long been defined by their data. Ashley Madison’s media page is littered with analyses of aggregate data. For South Africa alone, which has 175,000 users, the company has published information about when men and women log in, the search terms they use and the neighborhoods of Cape Town where they predominate.

Even more disconcerting, the data has not been kept in-house. South Africa’s Dr. Eve, a couples and sex therapist, made no secret of her relationship with Ashley Madison in 2014: “In the last 18 months I have been privileged to be utilizing the database of AM for my research into Cyber Infidelity.” Dr. Eve’s research resulted in Cyber Infidelity: The New Seduction, a book that calls Ashley Madison Dr. Eve’s “new home” and features Biderman’s praise on the front cover.

Biderman once boasted, “We’ll help you meet someone and not get caught. If you want to be clandestine, we’re an intelligent choice.” His assertion now rings hollow.

The Impact Team has asked Ashley Madison to make a choice: shut down or risk users’ privacy. Given its previous treatment of user data and lack of reaction to what has been leaked so far, Ashley Madison appears to be choosing self-interest over privacy, lending a whole new meaning to “the most recognized name in infidelity.”
