So the hacking group Impact Team lived up to their threat and released 9.7GB of Ashley Madison (ashleymadison.com) website data to the Dark Web. Ashley Madison is a dating site geared towards people in relationships who want to have an affair – their motto is “Life is short. Have an affair.”
Impact Team objected to the site and threatened to release its membership data if it wasn't taken down. It wasn't, the data has now been released, and this morning I saw the news on Reddit and thought I would take a look. Part of being a web developer is trying to keep up with security issues and, to be honest, if you aren't somewhat of a hacker yourself (I'm an amateur, trust me), you're putting client data at risk if you don't understand the ways it might be compromised.
Surprisingly the data was released via BitTorrent, and the "Dark Web" page was just a rant and links to the files.
I was surprised it wasn't on the news, so I let Radio Live know about it by email, and before long I was being bombarded by requests for interviews and access to the data. I was reluctant to look at the actual individual member data, and the data itself extracts into text files of some considerable size – good thing I have a grunty Mac! I was able to do some grepping (a geeky way of analysing data from within a terminal; it's good with big files) and, at the request of the radio station, I found that 22,561 unique email addresses ended with .nz, and 32 that ended with .govt.nz (our government's domain). I've subsequently found out that Ashley Madison doesn't require users to verify their email addresses, so many of these could be fake. Plus many users would have been using Gmail, or may have only signed up just for a look, so it's not really possible to know how many Kiwis are active users without actually analysing all of the access times of the users etc., and I didn't want to do that.
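For anyone curious what that kind of grepping looks like in practice, here is an added shell example (my own illustration for this post, not a script from the leak or from anyone involved). The dump lines below are constructed for the example and their column layout is assumed, since the real files are not described here; the point is the pipeline: pull every email-looking string out of the text, lower-case it, de-duplicate, and only then count by domain suffix, so "Alice@Example.co.nz" and "alice@example.co.nz" count once.

```sh
#!/bin/sh
# Count unique email addresses in a text dump by domain suffix.
# The lines below are CONSTRUCTED sample data in an ASSUMED "id,email,date"
# layout; they are not real leaked records.
SAMPLE_DUMP=$(cat <<'EOF'
1001,alice@example.co.nz,2015-07-01
1002,Bob@Example.co.nz,2015-07-02
1003,carol@ministry.govt.nz,2015-07-03
1004,ALICE@example.co.nz,2015-07-04
1005,dave@gmail.com,2015-07-05
1006,erin@council.govt.nz,2015-07-06
1007,frank@newzealand.com,2015-07-07
1008,not-an-email,2015-07-08
EOF
)

# extract_emails: read arbitrary text on stdin, print each distinct address
# once, lower-cased. Addresses are matched loosely on purpose: the dump is
# messy text, not validated input, and grep -o gives us just the match.
extract_emails() {
  grep -Eo '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}' |
    tr 'A-Z' 'a-z' |
    sort -u
}

# count_unique: total number of distinct addresses in the sample dump.
count_unique() {
  printf '%s\n' "$SAMPLE_DUMP" | extract_emails | wc -l | tr -d ' '
}

# count_suffix SUFFIX: distinct addresses whose domain ends with SUFFIX
# (e.g. ".nz" or ".govt.nz"). awk does an exact string-suffix comparison,
# so the dots in the suffix are not treated as regex wildcards.
count_suffix() {
  printf '%s\n' "$SAMPLE_DUMP" | extract_emails |
    awk -v s="$1" 'length($0) >= length(s) && substr($0, length($0) - length(s) + 1) == s' |
    wc -l | tr -d ' '
}

# Report. Remember this counts addresses, not people: the site did not
# verify addresses, so a count like this is an upper bound on real users.
printf 'unique addresses: %s\n' "$(count_unique)"
printf 'ending in .nz:    %s\n' "$(count_suffix .nz)"
printf 'ending in .govt.nz: %s\n' "$(count_suffix .govt.nz)"
```

On a real dump you would replace the embedded sample with `cat dump.txt | extract_emails > emails.txt` once, then run the suffix counts over that much smaller file rather than re-scanning gigabytes for every question.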
I won't go into the details of what the files contain – you can find that out by reading The Ashley Madison Hackers Just Leaked 10 Gigs of Stolen Data. I'm personally not interested; this is users' private information, and because it's on BitTorrent, it'll be spreading through the web like wildfire I imagine. I bet a lot of nervous husbands will have a lot of explaining to do – there were 36 million email addresses in one of the files!
So I’ve been interviewed on Radio Live, TV3, and provided data to The Herald and TV One. Outside of how I feel about cheating in general (it happened in my family and messed me up for many years) I think this leak is a good thing. It’s going to make people wake up and take their personal online security seriously.
My Security Advice
- Use a different password for each site you have an account on. Rather than trying to remember lots of different passwords, then giving up and using one for them all (bad idea!), either use a password manager or come up with a password rule that only you know. For example, your password could be the first 5 letters of the website domain name, plus your phone number backwards, plus your favourite colour, i.e. "micro878798987red", so for any website you can work it out if you forget it. Also add some punctuation and capital letters: you could put a ! at the start of the password and make the last character upper case, giving "!micro878798987reD". One caveat: a rule like this is only as secret as the passwords built from it. If one of them turns up in a leak like this one, the site name is sitting right there in it and the pattern is not hard to guess, so a password manager generating a random password for each site is the stronger option. A site like http://www.passwordmeter.com/ will give you a rough idea of whether a password structure is strong (don't type a real password in there!)
- Use a free Gmail account for services or activities you want to keep private, and don't use your name as part of the email address. Gmail accounts are free and well defended, provided you give the account a strong password of its own (and turn on two-step verification).
- If a website wants to store your credit card information (e.g. for a subscription) then make sure it's a reputable site (you can Google "<site name> scam" to see if people have had problems with it), or use a credit card dedicated to the site with a small credit limit.
- If you receive an email asking you to log in to a website to check or update your account, always do this by typing the website's URL directly into your browser. Don't just click the link in the email: it may take you to a fake site with a similar-looking URL.
- Avoid Internet Explorer, especially older versions; it has been a favourite target for malware and spyware. Use Google Chrome or Firefox, and keep whichever browser you use up-to-date!
- And it goes without saying that if you are using Windows, have an up-to-date antivirus. AVG has a free version at free.avg.com so you have no excuse!