Less than eight hours after the Ashley Madison hack, the company issued a statement informing the public and their traumatized customers that they had closed the security holes that had allowed extraordinarily sensitive data on 37 million people, which if released by the hacker, would be the greatest boon to divorce lawyers since the invention of litigation.  Normally, I would simply laugh out loud at the absurdity of such a statement and then go about my business.  But this hack, more than any other, threatens to literally destabilize an entire society.

Imagine what would happen if, simultaneously, nearly 40 million people found out that their spouse was having an affair.  Granted, affairs happen all the time, and to be frank, I myself have been guilty of such.  But the rate of discovery of such affairs is slow enough, and, usually, not discovered at all, so that the global impact is minimal.  Sure, a person who just discovered that their spouse has been cheating is distraught, depressed, angry, sometimes violent, and, generally, useless and unproductive for anywhere from a few weeks to a few months.  If the person happens to kill their spouse, or their spouses lover, or both, then their productivity declines to zero for quite some time.  Can we accept a situation where 25 percent of the adult work force of our country is immobilized for a time and is acting in ways that would strain our police and legal resources to the max?

Self-Delusion

I don’t know, and actually don’t care much.  We would survive.  But the real question is: Can we survive the overwhelming self-delusion of companies who believe that their data is secure, or companies who have been hacked and tell us that the holes in their system have been closed?

Speculation within the hacking community is that the Ashley Madison hacker user an SQL insertion technique to gain entry.  I have no clue.  SQL insertion is only one of many thousands of techniques that hackers use.  If Ashley Madison has closed that door, I guarantee you that a few thousand other remain open.

Less than 24 hours after the Ashley Madison hack I decided to find out how difficult it might be to break into their data center.

I was trained in the old school of hacking – that is: software technology was King.  However, as I aged I got lazy.  High tech hacking requires multiple computers, multiple accounts, proxy servers, coding, uncountable numbers of software hacking kits, each of which may or not work, etc, etc.  I’m too old for that.

Social Homework

Social engineering only requires access to a telephone and a reasonably sharp mind.  So… from the comfort of my bed this morning I set about the task of acquiring someone’s password within Ashley Madison’s data center. The most difficult part of my task, believe it or not, was finding a corporate phone number for Ashley Madison.  I found Customer Service numbers by the hundreds.  I found complaint numbers.  I found everything except what I needed.

I chose instead to call Avid Life Media Inc., who owns Ashley Madison, and also Cougarlife.com and Establishedmen.com – (all three of which were hacked by the way, so we are really talking about 50 million people, not 37 million).  I have no clue why so few have mentioned the other two sites as part of this single hack.

Anyway, I got the number for Avid Life (416-480-2334 if anyone is interested) and tested the openness of their corporate phone operators.  I asked for the name of the head of their Communications Department.  “Paul Keable” was the instant answer, with no hesitation.  This was going to be easy. “Thank you” I said, and hung up.  A series of subsequent calls gave me the names of the IT department head and every person who worked for directly that person.  I then called each one.  If they answered I said “I’m sorry, wrong person, and hung up”. The first phone that didn’t answer gave me my opportunity.  I called the corporate headquarters back and in an agitated manner, I informed them that I had an urgent legal matter with Mr. X and that I must immediately speak with his assistant or secretary, and that only they could help me. Without question, and immediately, I was connected with Ms. Y.  I posed as an international enforcement agency, (that does not really exist, by the way) and implied that Mr. X might have been involved in the recent hack, and, to verify that Ms. Y was really who she said she was, I had her password, and his, written down with 30 seconds of saying hello. For all the security protocols they may have in place, all it took was a single call to gain a set of keys to the kingdom.

Ninety percent of my time acquiring these passwords was spent finding a f#*k7ng phone number for Ashley Madison.  I have thrown both passwords away and have no intention of doing anything with them.

Now to the hack

First and foremost, the group claiming responsibility for the hack – The Impact Team – does not exist.  There is only one person involved in this hack.  I cannot tell you how I know, but the simple published data should help point to this fact.  The group’s name has never appeared in any prior hack.  The name has not surfaced at any time, neither in the Deep Web nor the Dark Web, nor anywhere else.  But first and foremost, a hack on a company such as Avid Life, as can be proved by anyone who wanted follow my above instructions for gaining a password, does not require a team of people.  Even if social engineering techniques were not used, the hackers complete toolkit (a few thousand software tools written mostly by Russian, Chinese, East European and Korean hackers over the past few years) could be used by one person who, in a matter of months could have taken the data.  But take it or leave it.  Time will prove that only one person was involved.

The hacker clearly has a personal grudge with Ashley Madison.  In his manifesto statement, which has been removed from every instance on the Web, he has a small rant where he singles out Avid Life Media’s Chief Technology Officer Trevor Sykes:

“Trevor, ALM’s CTO once said ‘Protection of personal information’ was his biggest ‘critical success factors’ and ‘I would hate to see our systems hacked and/or the leak of personal information.

Well Trevor, welcome to your worst f*cking nightmare.”

Also, from his terminology, he seems to consider having affairs as a very evil thing, and even uses the term “spiteful” to describe a married man who signed up for the service the day after valentine’s day:

“XXXXX XXXXX”, with profile ID 232xxxxx, who spitefully paid for Ashley Madison the day after valentine’s day in 2014, lives at xxxxxxx. Brockton, MA in the U.S., with email xxxxxxxxx@AOL.COM. He is not only married/attached, but is open to a list of fantasies from Ashley Madison’s list: |29|44|39|37|7|, a.k.a. “Cuddling & Hugging”, “Likes to Go Slow”, “Kissing”, and “Conventional Sex”. He’s looking for ‘A woman who seeks the same things I seek: passion and affection. If you have such desires then we will get alone just fine’,’|54|11|9|’ which means “Good Communicator”, “Discretion/Secrecy”, and “Average Sex Drive”.

Cheating Facts

I found the data shared in this hacker’s manifesto to be fascinating.  What fascinated me most was the data (including email data) that indicated a person’s profession.  The top cheaters, by profession and sex are:

For Men:

1. Doctors
2. Police Officers
3. Lawyers
4. Real Estate Agents

For Women

1. Teachers
2. Soccer moms
3. Nurses
4. Real Estate Agents

From emails, the choice of hotels where cheaters choose to meet are, in order of preference:

1. Sheraton
2. Hilton
3. Hyatt
4. Holiday Inn
5. Radisson
6. Comfort Inn
7. Four Seasons
8. Marriott
9. Best Western
10. Westin

It should be no surprise that Washington D.C. tops the list of cheaters by percentage of population.  By a wide margin.

Security that haunts

But enough of trivialities. The fact remains that the overwhelming majority of corporations and Government agencies all over the world are protected by systems that were designed by an old, tired and no longer relevant set of technological principles.  They no longer work. This is a pure and simple truth,

Had Ashley Madison been running STTarx, or any one of the dozens of other dynamic encryption and closed systems technologies, this would never have happened.

Photo credit: Jeff Kerwin via Wikimedia Commons