'Security Was An Afterthought,' Hacked Ashley Madison Emails Show
Source: Motherboard
It's already clear that, despite handling very sensitive data, Ashley Madison did not have the best security. Hackers managed to obtain everything from source code to customer data to internal documents, and the attackers behind the breach, who call themselves the Impact Team, made a mockery of the company's defenses in an interview.
With a huge dump of the company's emails now available on the dark web, it's possible to get a better idea of what was really going through the minds of those responsible for the site's security, and overall it doesn't look good. Ashley Madison seems to have put a heavy emphasis on PR spin, rather than protecting data.
"With what we inherited with Ashley [Madison], security was an obvious afterthought and I didn't focus on it either," the company's founding CTO Raja Bhatia wrote at the beginning of 2012. "I am pretty sure we stored passwords without any cryptography so a database leak would expose all account credentials," he continued. The email was in response to the news that the data of 100,000 Grindr users had been obtained by hackers.
Bhatia was also fully aware of the potential of attacks on Avid Life Media (ALM), the parent company of Ashley Madison. "There will be an eventual security crisis amongst one of your properties and the media will leap on it as they always do," he wrote.
<snip>
Read more: http://motherboard.vice.com/en_ca/read/security-was-an-afterthought-hacked-ashley-madison-emails-show
PoliticAverse (26,366 posts)
DURHAM D (32,610 posts)
Elmer S. E. Dump (5,751 posts)
Sunlei (22,651 posts)
Our homeland security costs billions and they don't even notice what government computers are used for.
Erich Bloodaxe BSN (14,733 posts)
I worked for a tiny startup for a decade, and we encrypted from day 1. Hell, we even used a custom encryption scheme before we ran things through the standard encryption protocols. So if anyone HAD unencrypted our stuff, it STILL would have looked like garbage chars. And the database was behind a couple of levels of firewalls and another machine. You would have had to hack all those first, just to get near the data, then have figured out the passwords on the database itself as well once you'd hacked the database server.
And none of us were really security pros, we just did our homework, and made sure we complied with industry practices for safekeeping hardware and software touching credit card info, and paid a security firm for the quarterly scans done to make sure we hadn't left any holes open.
AM had the money, they could have had REAL security folks on staff.
SansACause (520 posts)
I was at a party yesterday of maybe 20 people, and this morning I looked at the AM dump that's out there, and five people who were at that party are directly impacted by this. It's ugly. What Impact Team did was not heroic. Real people are getting hurt by this. Running everyone's dirty laundry up a flagpole is nothing admirable.
LanternWaste (37,748 posts)
"Real people are getting hurt by this..."
Real people are often hurt by the negative consequences of their own choices and their own actions. Blaming anyone else for those actions and choices is simply a rationalization.
YoungDemCA (5,714 posts)
It's a Brave New World.....
Psephos (8,032 posts)
Sounds a lot like US govt.
http://www.washingtonpost.com/blogs/federal-eye/wp/2015/05/26/hackers-stole-personal-information-from-104000-taxpayers-irs-says/
http://www.usnews.com/news/articles/2015/07/09/more-than-21-million-affected-by-government-hacking
http://www.pymnts.com/news/2015/us-government-gets-hacked-again/