ashley madison - lessons learned
Ashley Madison: Lessons Learned
Security lessons learned from the most famous PHP site ever to be hacked
Who Am I?
• Director of Engineering at LaunchKey
• Founder/Co-Organizer of Las Vegas PHP UG
• Co-Organizer of Las Vegas Developer UG
• National Junior Basketball Coach
What is LaunchKey
• Security as a Service Provider
• Anonymous distributed password-free multi-factor authentication and authorization platform
• PHP SDK
• WordPress Plugin
• Drupal Plugin
What is Ashley Madison
• Online Community with over 40 million members
• Targets married men looking for an affair
• Offers a “paid delete” option to remove all of a member's data for a price
What Happened
• The network containing the Ashley Madison Site was breached
• Hackers claimed to have data they would release and gave a shutdown or else choice
• Ashley Madison refused, saying the hackers' claims were not possible
• Hackers release 30 GB of data
What Was Released
• Names, email addresses, personal details, GPS coordinates and passwords of users
• Executive emails
• Website source code
• Credit card transaction details and limited credit card numbers
How Did It Happen
• Hackers claimed “You could use Pass1234 from the internet to VPN to root on all servers”
• Once inside, the hackers spent years collecting data from inside the network
• Collected file, database, email, and chat data right off of the network
• Had full access to version control software for website code
How Could It Happen?
• Even security conscious companies aren’t very good at it
• Security is rarely at the forefront of decisions related to policies and procedures
• Most do only what is necessary to comply with regulation
• Data inside the network itself is rarely secured
What About PHP?
• Site used the PHP 5.5+ password hashing API
• Most password crackers gave up after trying common passwords. Common passwords accounted for approximately 0.1%
• The password scheme was too costly to bother with, as passwords would be reset before they were cracked.
But The Passwords Were Cracked
• Site used its own algorithm for a “login key” that was simply an MD5 of the username and un-hashed password.
• Code was updated but not the database
• 11.7 million passwords were cracked using this vulnerability
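The two slides above describe the weak "login key" (an MD5 of username and plaintext password) sitting in the database next to the strong PHP password hash, and the fact that removing it from the code did not remove it from the database. The following PHP is an added example, not the site's code: it shows the legacy scheme as the "before", the password_hash()/password_verify() flow that replaces it, and a purge step for the leftover column. Table and column names (users.password_hash, users.login_key) and the SQLite demo database are assumptions made for the example.

```php
<?php
// Added example, not code from the Ashley Madison site. Schema is assumed.

// BEFORE: a fast, unsalted digest of username + plaintext password. Anyone who
// obtains this column can attack it at MD5 speed, and a match reveals the
// password itself, no matter how strong the bcrypt hash in the other column is.
function legacy_login_key(string $username, string $password): string
{
    return md5(strtolower($username) . $password);
}

// AFTER: store only a salted bcrypt hash produced by the PHP 5.5+ API.
function register(PDO $db, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT); // bcrypt, per-user salt
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

function login(PDO $db, string $username, string $password): bool
{
    // A dummy hash is verified when the user does not exist, so response time
    // does not reveal which usernames are valid.
    static $dummy = null;
    $dummy ??= password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);

    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    $hash = $row['password_hash'] ?? $dummy;

    if (!$row || !password_verify($password, $hash)) {
        return false;
    }
    // Transparently upgrade the stored hash if the algorithm or cost changed.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $db->prepare('UPDATE users SET password_hash = ? WHERE id = ?')
           ->execute([password_hash($password, PASSWORD_DEFAULT), $row['id']]);
    }
    return true;
}

// "Code was updated but not the database": deleting the weak scheme from the
// code is not enough; the stored values have to go too. Returns rows purged.
function purge_legacy_login_keys(PDO $db): int
{
    return $db->exec('UPDATE users SET login_key = NULL WHERE login_key IS NOT NULL');
}

// Demo against an in-memory SQLite database (constructed sample data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
           password_hash TEXT, login_key TEXT)');

register($db, 'alice', 'correct horse battery staple');
// Simulate a row left behind by the old code path.
$db->prepare('UPDATE users SET login_key = ? WHERE username = ?')
   ->execute([legacy_login_key('alice', 'correct horse battery staple'), 'alice']);

var_dump(login($db, 'alice', 'correct horse battery staple')); // bool(true)
var_dump(login($db, 'alice', 'wrong password'));                // bool(false)
var_dump(login($db, 'nobody', 'anything'));                     // bool(false)
echo 'legacy keys purged: ', purge_legacy_login_keys($db), "\n"; // 1
```

Note that the cost of the bcrypt path is deliberate: the talk's point is that the strong hash was never the problem, and that any second, cheaper representation of the same secret (a fast digest, a reversible token, an old column) undoes the protection. Once the legacy column is nulled out, a leak of the database exposes only hashes that are expensive to attack.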
Why Was It Such A Big Deal
• Passwords were cracked after password resets
• 68% of individuals in a LaunchKey password survey say they share the same password with multiple sites
• Many users have the same email address password as other websites
• Once hackers have your email, the rest comes with it
What Did We Learn Not To Do
• Do not store passwords
• Do not assume that the network is secure
• Do not assume that the database is secure
• Do not roll your own crypto
What Did We Learn To Do
• Protect user data like it was your own
• Hash data that does not need to be read
• Use PHP Password Hashing to hash data
• Encrypt data at rest, especially PII
• Encrypt data in motion
• Use honeypots to detect intruders
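Two of the points above, "hash data that does not need to be read" and "encrypt data at rest, especially PII", are easy to get wrong by hand. The following PHP is an added example, not code from the talk or from LaunchKey: it uses the libsodium functions built into PHP 7.2+ for authenticated encryption of a PII field and a keyed hash for the lookup index. Reading the key from an environment variable (PII_KEY_B64) is an assumption about deployment; the point is only that the key never lives in the database or the source repository, both of which the attackers had full access to.

```php
<?php
// Added example, not from the talk. Key source is an assumption.

function load_pii_key(): string
{
    $b64 = getenv('PII_KEY_B64');                      // assumed deployment detail
    if ($b64 === false) {
        throw new RuntimeException('PII_KEY_B64 is not set');
    }
    $key = base64_decode($b64, true);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('PII key must be 32 raw bytes, base64 encoded');
    }
    return $key;
}

// Authenticated encryption: a fresh random nonce per value, stored in front of
// the ciphertext. Any modification of the stored blob makes decryption fail.
function encrypt_pii(string $plaintext, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($plaintext, $nonce, $key));
}

function decrypt_pii(string $stored, string $key): string
{
    $raw = base64_decode($stored, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        throw new RuntimeException('stored value is malformed');
    }
    $nonce  = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain  = sodium_crypto_secretbox_open($cipher, $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('decryption failed: wrong key or tampered data');
    }
    return $plain;
}

// "Hash data that does not need to be read": an email address only has to be
// looked up at login, so index a keyed hash of it and keep the readable value
// only in the encrypted column. The key makes the index useless on its own.
function email_lookup_token(string $email, string $key): string
{
    $normalized = strtolower(trim($email));
    return sodium_bin2hex(sodium_crypto_generichash($normalized, $key));
}

// Demo with a key generated on the fly; in production use load_pii_key().
$key    = sodium_crypto_secretbox_keygen();
$email  = 'member@example.com';                       // constructed sample value
$stored = encrypt_pii($email, $key);
$token  = email_lookup_token($email, $key);

var_dump(decrypt_pii($stored, $key) === $email);                          // bool(true)
var_dump(email_lookup_token('  Member@Example.com ', $key) === $token);   // bool(true)

// Flip one byte of the stored blob: the MAC check rejects it.
$raw = base64_decode($stored);
$raw[strlen($raw) - 1] = chr(ord($raw[strlen($raw) - 1]) ^ 0x01);
try {
    decrypt_pii(base64_encode($raw), $key);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";   // decryption failed: wrong key or tampered data
}
```

The design choice worth noting is the split between the two representations: the keyed hash answers "does this email exist?" without ever being reversible, and the secretbox value answers "what is the email?" only for code that holds the key. A database dump alone, which is what the talk says the attackers walked away with, yields neither.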
Further Reading
• The Impact Team Interview: http://motherboard.vice.com/read/ashley-madison-hackers-speak-out-nobody-was-watching
• CynoSure Prime Password Crack Explanation: http://cynosureprime.blogspot.com/2015/09/how-we-cracked-millions-of-ashley.html
• LaunchKey Password Survey: https://blog.launchkey.com/passwords-survey.html
• PHP Password Hashing: http://php.net/manual/en/book.password.php
• PHP Social Login: http://hybridauth.sourceforge.net/
• LaunchKey Password Free Login: https://docs.launchkey.com/developer/web-desktop/sdk/php.html
• Honeynet: https://www.honeynet.org/
Rate My Talk
http://spkr8.com/t/63961
Contact Me
• Twitter: @adam_englander
• IRC: #launchkey or #vegastech on freenode.net
• Email: [email protected]