Following the infamous Ashley Madison hack, in which hackers have released the personal data of thousands of people who used the adultery website..
Lamar Bailey, Director of Security Research and Development at Tripwire discusses the implications of the breach: “This has been one of the most interesting breaches this year. The data stolen and released has far reaching social implications and people are already harvesting and creating metrics on the data. Sites are publishing which cities have the most “cheaters” using which cities have the most profiles listed on the site. This could play into hiring decisions too because many companies run background checks, Facebook, Twitter, and Google searches for applicants. If an applicant shows up as an Ashley Madison user does that show something about the applicant’s trustworthiness and morals?
Philip Lieberman, President and CEO of Lieberman Software discusses who the attackers may be and their motivations: “There is a general population of hackers and researchers that troll and test sites on the Internet on a constant basis. This population of attackers is worldwide and motivated by the usual motivations of money, fame, and power. As is the norm in the hacker community, the higher the profile of the attacked site, the greater the prestige to the hacker who discovers a vulnerability and touts it. The general proof of a hack is the publication of the site data or an obvious defacement of the site for other hackers to see.
The motivations may have been technical, moral, political or simply a matter of prestige within the hacking community. The larger and higher the profile of the attack/compromise, the greater the prestige in the hacker community. This does not currently appear to be financially motivated.”
Putting together a case as well as determining proper attribution for an attack is a time consuming process. The attackers may very well not be in the United States, so the US Government’s power to effect a prosecution or justice may be limited or non-existent depending on the country where the attacker operated from.
There are free toolkits to do penetration testing as well as sites that categorize sites with vulnerabilities that are freely available. Most likely there was a flaw in the design of the web site as well as a clear lack of internal systems to detect and terminate this type of attack. Given the massive exfiltration of data without any notice of the company, it is clear that cyber-defence was not one of the primary missions of the compromised company.
There is a clear irony in the entire hack that also increases the prestige of the attacker. A site dedicated to immoral activity seemed to have repeated the betrayal of its customers just as it suggested its clients do likewise to their spouses. What is good for the goose is good for the gander-perhaps this is karmic justice delivered by the hacker community. They lifted the covers on everybody.”