Ashley Madison customers thought they were in trouble. They are now!
As usual at the end of the summer holidays, when criminal masterminds relax on their private volcanic islands with opening tops or super yachts which can swallow lesser vehicles etc. security news has been relatively slow.
So slow in fact that this threat of the week was about to paint Microsoft as the good guys in their struggle with the US Department Of Justice to resist access to emails hosted in Dublin by The Feds using USA only warrants, and stamping all over the laws of the land in which the data is held.
The fallout if this is allowed will be immense. We will see other states (like China and Russia and the good old UK) follow suit. Cloud storage and therefore cloud solutions will become regulatory impossible for financial institutions who are required to keep data within a specific region (like the EU), which clearly it wouldn’t be, were it acquired by The Feds etc. etc. It might make you wonder if you are making the right decisions about cloud provider’s key management services, mightn’t it?
But enough of that! Not for the first time Ashley Madison has come to the rescue.
It transpires that a bunch of hobbyist cryptographers have uncovered weaknesses in the Ashley Madison apparently one way encryption algorithm which means it is not so one way after all. They have now decrypted over 12 million of the hobbyist adulterer’s passwords and are publishing them, or at least the decryption technique, for use by the aforementioned criminal masterminds in a storm of hitherto unseen penetration attempts.
‘What does this mean to us?’ we hear you yell. Well, if you read our TOTW a couple of weeks back we pointed out that a lot of, albeit stupid, AM users were using their work emails for registration and if they are using their work emails, you can put a considerable amount of money on the fact that they use the same passwords for more than one system.
As usual we always advise anybody who will listen (a struggle), to use and in fact insist on the availability of two-factor token authentication for access to public web sites and if they don’t offer it, don’t use them. This message needs to be reinforced to employees, friends and family repeatedly.
If you want to read the crypto detail, here it is: http://cynosureprime.blogspot.com.au/2015/09/how-we-cracked-millions-of-ashley.html
In a hot of the press bonus article, the researchers at Duo Labs have done some analysis of the number of out of date iPhones in use within the enterprise and have found that 50% are running iOS 8.3 or lower (with just the 100 vulnerabilities), with a quarter running iOS version 7 (a mere 230 vulnerabilities).
It is clearly imperative that vulnerable mobile devices are treated just like vulnerable laptops and desktops when connected to your network and this is a fundamental building block of our NetSure360° managed security service.
If you would like to discuss any of the issues in this week’s post, or in fact anything about information security, please contact us on: 020 7517 3900 or email: [email protected]