What if the Ashley Madison hack was an inside job?

  • Written by: The Conversation
Image: Many people might be in trouble care of the Ashley Madison hack. (lucyburrluck/Flickr, CC BY)

A massive cache of highly personal information collected by dating site Ashley Madison has been publicly posted on the internet by a group calling itself “Impact Team”. Ashley Madison is specifically aimed at married people seeking extra-marital affairs, advertising itself with the tagline: “Life is short – have an affair”.

Impact Team had earlier threatened to release the information if the site’s operators, Canadian company Avid Life Media, continued to operate both Ashley Madison and companion site Established Men. Other dating sites operated by the company, such as Cougar Life, were not targeted.

Interestingly, the motivation for the data release appears to be ideological rather than financial. The group’s statement on releasing all of the data states:

Avid Life Media has failed to take down Ashley Madison and Established Men. We have explained the fraud, deceit, and stupidity of ALM and their members. Now everyone gets to see their data.

While earlier purported releases of the data turned out to be fakes, the latest release appears highly likely to be authentic, as pointed out by Gawker journalist, Sam Biddle:

An inside job?

In an interview after the initial release by Impact Team, ALM CEO Noel Biderman stated that:

“We’re on the doorstep of [confirming] who we believe is the culprit, and unfortunately that may have triggered this mass publication […] I’ve got their profile right in front of me, all their work credentials. It was definitely a person here that was not an employee but certainly had touched our technical services.”

Later statements by the company have been mute on the identity of the suspected attackers. However, an “inside job” still seems to be among the most plausible sources of the data leak.

While security breaches by “outside” hackers traditionally receive more attention, inside threats are often much harder to stop.

Insiders may already have direct access to the information they seek to misuse. Even if they do not, their insider status may allow them to bypass many layers of security. They will also often know what resources are available, and how remaining security might be bypassed, including through social means.

One defence against inside attacks is to limit both the information an individual can access and the nature of that access to what is needed to do their job. As a simple example, email systems do this by allowing most people access only to their own emails.

However, the information an insider might legitimately need is difficult to predict and frequently changes. Furthermore, some individuals may legitimately need access to virtually all the information resources a company has – the IT system administrators, for instance. It’s also very difficult to automatically determine the purpose of access to IT resources; is the system administrator copying that database to transfer it to a new company server, or to release it on the internet?

Impact Team’s own statements might well hint at the difficulties of protecting against inside attacks, by way of a backhanded compliment to the person most directly responsible for preventing attacks such as theirs. Brian Krebs' original story on the hack quotes Impact Team’s manifesto:

Our one apology is to Mark Steele (Director of Security) […] You did everything you could, but nothing you could have done could have stopped this.

Non-technical countermeasures

While technical measures are of limited use against skillful, motivated inside attackers, there are other factors that deter such attacks. The most significant and controversial media leak of the new century illustrates this well.

Chelsea (born Bradley) Manning, as a junior intelligence analyst in the US Army, was able to access and make copies of an enormous trove of classified data from several US government networks specifically designed for sharing secret information.

The technical measures set up on these networks – presumably set up with information security top of mind – did not prevent her from providing Wikileaks with information well beyond what she would have accessed in the normal course of her work.

But where technical measures failed, US military law has stepped in. Manning is serving a 35-year prison sentence for her actions. The personal consequences of getting caught are likely to deter all but the most committed American soldiers from repeating her actions.

While military and intelligence secrets are protected by uniquely harsh laws, there are a variety of criminal and civil law deterrents to hacking in civilian life, including in Canada, where ALM is domiciled. Furthermore, if the attackers are publicly identified and are IT professionals, they are likely to have rendered themselves virtually unemployable.

Unusual, but not unique

Ashley Madison is unusual in the sensitivity of the data it kept and the depth of moral outrage its service provoked in some people. As such, it seems to have motivated attackers who were prepared to inflict financial costs on its owners. To achieve their goal of shutting the site down, they did so in spite of the potentially huge personal costs to its clients and the risk of jail time for themselves.

Companies running websites to aid extra-marital affairs are not, however, the only organisations that use IT systems to store highly sensitive information and provoke intense outrage in some individuals.

For instance, sites that bring together people affected by domestic violence, or related to reproductive health, record sensitive details that may have severe real-world consequences if made public. Furthermore, there are relatively small but highly motivated groups within the community who are opposed to the activities of these sites and might be prepared to try to make that data publicly available.

Some of these sites, such as 1800Respect – a national counselling service for those experiencing sexual, domestic or family violence – already provide extensive advice for individuals on how to increase their personal IT security.

Organisations working in such sensitive areas already take enormous care with the information they keep. As they move into online service provision, they will have to be similarly cautious.

The future: a risky world for some

Any information that we leave online is vulnerable to hackers, but not all of it is equally interesting to them. Some information is attractive to criminals for financial reasons; in this case, it was interesting for ideological reasons.

Furthermore, the leak demonstrates that even a well-resourced site aware of the risks it faced was unable to prevent an attack by skilled and motivated attackers.

Individuals providing very sensitive information to sites that may face such attackers should consider further measures to obscure the connection between themselves and their online activities. A full discussion on how to do so would be beyond the scope of this article.

However, to give a simple example of what not to do: most of the Ashley Madison customers publicly identified so far used government or employer-provided email addresses and computing resources to sign up for the service.

Robert Merkel does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond the academic appointment above.

Read more http://theconversation.com/what-if-the-ashley-madison-hack-was-an-inside-job-46404
