Ashley Madison: Lessons Learned
Security lessons learned from the most famous PHP site ever to be hacked

Upload: adam-englander

Post on 22-Jan-2017


TRANSCRIPT

Page 1: Ashley Madison - Lessons Learned

Ashley Madison: Lessons Learned

Security lessons learned from the most famous PHP site ever to be hacked

Page 2

Who Am I?

• Director of Engineering at LaunchKey
• Founder/Co-Organizer of Las Vegas PHP UG
• Co-Organizer of Las Vegas Developer UG
• National Junior Basketball Coach

Page 3

What is LaunchKey?

• Security as a Service provider
• Anonymous, distributed, password-free multi-factor authentication and authorization platform
• PHP SDK
• WordPress plugin
• Drupal plugin

Page 4

What is Ashley Madison?

• Online community with over 40 million members
• Targets married men looking for an affair
• Offers a “paid delete” option to remove all of a member's data for a price

Page 5

What Happened

• The network containing the Ashley Madison site was breached
• The hackers claimed to hold the site's data and gave an ultimatum: shut the site down or the data would be released
• Ashley Madison refused, saying the hackers' claims were not possible
• The hackers released 30 GB of data

Page 6

What Was Released

• Names, email addresses, personal details, GPS coordinates and passwords of users
• Executive emails
• Website source code
• Credit card transaction details and limited credit card numbers

Page 7

How Did It Happen

• Hackers claimed “You could use Pass1234 from the internet to VPN to root on all servers”

• Once inside, the hackers spent years collecting data from inside the network

• Collected file, database, email, and chat data right off the network

• Had full access to version control software for website code

Page 8

How Could It Happen?

• Even security conscious companies aren’t very good at it

• Security is rarely at the forefront of decisions related to policies and procedures

• Most do only what is necessary to comply with regulation

• Data inside the network itself is rarely secured

Page 9

What About PHP?

• Site used PHP 5.5+ password hashing (password_hash(), i.e. bcrypt)
• Most password crackers gave up after trying common passwords; common passwords accounted for approximately 0.1%
• The hashing scheme was too costly to bother attacking, as passwords would be reset before they were cracked

Page 10

But The Passwords Were Cracked

• Site used its own algorithm for a “login key” that was simply an MD5 of the username and the un-hashed password
• The code was updated, but the keys already stored in the database were not removed
• 11.7 million passwords were cracked using this vulnerability
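The login-key weakness on slides 9 and 10, as an added PHP example that is not code from the talk or from the Ashley Madison code base. The concatenation format of the legacy key (`username . '::' . password`), the sample account and the five-word list are assumptions constructed for the demonstration; the slides say only that the key was an MD5 of the username and the un-hashed password. It needs PHP 7.3 or later for hrtime().

```php
<?php
declare(strict_types=1);

// Legacy "login key" as described on slide 10: a plain MD5 over the username
// and the un-hashed password. The '::' separator is an assumption for this
// example; the exact format is not given on the slides.
function legacyLoginKey(string $username, string $password): string
{
    return md5($username . '::' . $password);
}

// Attacker's view of one dumped row: username and login_key are known, and
// MD5 is cheap enough to try a dictionary against the key directly, so the
// bcrypt hash sitting next to it never has to be attacked at all.
function crackLoginKey(string $username, string $loginKey, array $wordlist): ?string
{
    foreach ($wordlist as $candidate) {
        if (legacyLoginKey($username, $candidate) === $loginKey) {
            return $candidate;
        }
    }
    return null;
}

// Defender's fix: authenticate only through password_verify(), and at every
// successful login bring the stored row up to current policy: rehash if the
// cost is below target and wipe the legacy key. "Code was updated but not the
// database" is exactly the gap this closes. Session tokens are random, never
// derived from the password.
const BCRYPT_OPTIONS = ['cost' => 12];

function login(array &$row, string $password): bool
{
    if (!password_verify($password, $row['pw_hash'])) {
        return false;
    }
    if (password_needs_rehash($row['pw_hash'], PASSWORD_BCRYPT, BCRYPT_OPTIONS)) {
        $row['pw_hash'] = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
    }
    $row['login_key']     = null;                      // legacy column, now dead
    $row['session_token'] = bin2hex(random_bytes(32)); // 256-bit random token
    return true;
}

// Constructed sample row: the password was hashed correctly with bcrypt, but
// the legacy key was left behind when the code changed.
$username = 'alice';
$password = 'Summer2015!';
$row = [
    'username'  => $username,
    'pw_hash'   => password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS),
    'login_key' => legacyLoginKey($username, $password),
];

// Constructed wordlist; a real attacker uses gigabytes of them.
$wordlist = ['password', '123456', 'Pass1234', 'letmein', 'Summer2015!'];

$t0 = hrtime(true);
$recovered = crackLoginKey($row['username'], $row['login_key'], $wordlist);
$md5Ms = (hrtime(true) - $t0) / 1e6;

$t0 = hrtime(true);
foreach ($wordlist as $candidate) {
    password_verify($candidate, $row['pw_hash']);
}
$bcryptMs = (hrtime(true) - $t0) / 1e6;

printf("login_key cracked: %s\n", $recovered ?? '(not in list)');
printf("%d MD5 guesses took %.3f ms; the same %d bcrypt guesses took %.0f ms\n",
    count($wordlist), $md5Ms, count($wordlist), $bcryptMs);

// After one correct login the row no longer carries the weak key.
login($row, $password);
printf("login_key after login: %s\n", var_export($row['login_key'], true));
```

The timing gap is the whole story: every MD5 guess costs microseconds, every bcrypt guess at cost 12 costs a noticeable fraction of a second, and the login key let attackers choose the cheap one. Rehash-on-login only reaches users who log in; a one-off migration job should null out the legacy column for everyone else.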

Page 11

Why Was It Such A Big Deal

• Passwords were cracked after the site had already reset them, so the reset did nothing for users who reused the password elsewhere
• 68% of individuals in a LaunchKey password survey say they use the same password on multiple sites
• Many users use the same password for their email account as for other websites
• Once hackers have your email account, the rest comes with it

Page 12

What Did We Learn Not To Do

• Do not store passwords
• Do not assume that the network is secure
• Do not assume that the database is secure
• Do not roll your own crypto

Page 13

What Did We Learn To Do

• Protect user data like it was your own
• Hash data that does not need to be read
• Use PHP password hashing to hash data
• Encrypt data at rest, especially PII
• Encrypt data in motion
• Use honeypots to detect intruders
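The "what to do" list above, as an added PHP example that is not code from the talk or from LaunchKey: hash what only needs comparing, encrypt at rest what must be read back, and keep the keys away from the database. The MemberStore class, the keyed e-mail index, the sample member and its coordinates are all constructed for the demonstration; it uses the libsodium functions bundled with PHP and needs PHP 7.4 or later (typed properties, JSON_THROW_ON_ERROR).

```php
<?php
declare(strict_types=1);

// Constructed example: a member row where the password is hashed, the location
// is encrypted at rest, and the e-mail is stored only as a keyed hash used for
// lookup. Keys are generated inline here for demonstration; in production they
// come from a KMS, HSM or environment secret, never from the same database.
final class MemberStore
{
    private string $encKey;   // SODIUM_CRYPTO_SECRETBOX_KEYBYTES bytes
    private string $indexKey; // key for the keyed hash of the e-mail

    public function __construct(string $encKey, string $indexKey)
    {
        if (strlen($encKey) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
            throw new InvalidArgumentException('encryption key has wrong length');
        }
        $this->encKey   = $encKey;
        $this->indexKey = $indexKey;
    }

    // "Hash data that does not need to be read": the e-mail is only ever
    // compared, so a keyed BLAKE2b hash (libsodium generichash) serves as the
    // lookup column; a dump of this column does not reveal the addresses.
    public function emailIndex(string $email): string
    {
        $normalized = strtolower(trim($email));
        return sodium_bin2hex(sodium_crypto_generichash($normalized, $this->indexKey, 32));
    }

    // "Encrypt data at rest, especially PII": GPS coordinates must be readable
    // later, so they are sealed with XSalsa20-Poly1305 (secretbox). A fresh
    // nonce per write is stored in front of the ciphertext.
    public function createRecord(string $email, string $password, float $lat, float $lon): array
    {
        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $plain = json_encode(['lat' => $lat, 'lon' => $lon], JSON_THROW_ON_ERROR);
        $ct    = sodium_crypto_secretbox($plain, $nonce, $this->encKey);
        sodium_memzero($plain);
        return [
            'email_idx' => $this->emailIndex($email),
            'pw_hash'   => password_hash($password, PASSWORD_DEFAULT),
            'location'  => sodium_bin2hex($nonce . $ct),
        ];
    }

    public function verifyPassword(array $row, string $password): bool
    {
        return password_verify($password, $row['pw_hash']);
    }

    public function readLocation(array $row): array
    {
        $blob  = sodium_hex2bin($row['location']);
        $nonce = substr($blob, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $ct    = substr($blob, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $plain = sodium_crypto_secretbox_open($ct, $nonce, $this->encKey);
        if ($plain === false) {
            throw new RuntimeException('location ciphertext failed authentication');
        }
        return json_decode($plain, true, 512, JSON_THROW_ON_ERROR);
    }
}

$store = new MemberStore(
    sodium_crypto_secretbox_keygen(),
    random_bytes(SODIUM_CRYPTO_GENERICHASH_KEYBYTES)
);
$row = $store->createRecord('alice@example.com', 'correct horse battery staple', 36.1699, -115.1398);

// What a database dump now yields: a keyed hash, a bcrypt hash and an
// authenticated ciphertext. None of it is usable without the keys.
print_r($row);
var_dump($store->verifyPassword($row, 'correct horse battery staple'));
print_r($store->readLocation($row));

// A single changed hex digit in the stored blob is rejected, not decrypted.
$tampered = $row;
$last = strlen($tampered['location']) - 1;
$tampered['location'][$last] = $tampered['location'][$last] === '0' ? '1' : '0';
try {
    $store->readLocation($tampered);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

The split follows the two bullets directly: password and e-mail are hashed because the application only needs to compare them, while the coordinates are encrypted because the application needs them back. The encryption key and the index key live outside the database, so the "do not assume the database is secure" lesson holds even when an attacker walks off with every row, as happened here.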

Page 15

Further Reading

• PHP Password Hashing: http://php.net/manual/en/book.password.php

• PHP Social Login: http://hybridauth.sourceforge.net/

• LaunchKey Password Free Login: https://docs.launchkey.com/developer/web-desktop/sdk/php.html

• Honeynet: https://www.honeynet.org/

Page 16

Rate My Talk

http://spkr8.com/t/63961

Page 17

Contact Me

• Twitter: @adam_englander

• IRC: #launchkey or #vegastech on freenode.net

• Email: [email protected]