Protect your corporate IT network from hackers and other unwanted intruders with Proxy Sentinel™. Click here for all the details and get the peace of mind you deserve.
Back to our Homepage Proxy Sentinel™ high performance Internet proxy server and secure firewall solution Firewall Sentinel™ secure & powerful Internet firewall solution About Internet Security.ca and GCIS Frequently Asked Questions on Internet security issues Internet Security Industry News - Stay informed of what's happening Contact Internet Security.ca today and order your Proxy Sentinel™ or Firewall Sentinel™ server now!

Ashley Madison site had security issues that could have been prevented

If you need reliability when it comes to SMTP servers, get the best, get Port 587.

Get a powerful Linux Dual-Core dedicated server for less than $2.67 a day!

Share on Twitter.

September 8, 2015

Click here to order the best deal on a HP enterprise dedicated server and at a great price.

More security details (or lack therof) are being discovered in last month's Ashley Madison website hacker attack.

A simple five to ten minute search by security personnel has provided some hints about the serious coding errors that lie behind the now-infamous ''cheating site'' hack.

Obviously, while the hacker doesn't make the specific claim that these mistakes lie behind the hack attempt, it does certainly hint at the kind of 'developer negligence' that opens websites to attack such as this recent incident.

It's not the first time we see such a similar hack, and it won't be the last. The London-based blogger, security consultant Gabor Szathmari, writes that the Ashley Madison source code “contains AWS tokens, database credentials, certificate private keys and other secret credentials”.

Particularly, Szathmari singles out the AWS tokens as a very serious risk, since once the Impact Team had made its initial security breach, “lateral movement” between systems would be easier and probably would help lead to the full attack that was witnessed that day.

The site's developers also seemed to share World+Dog's dislike for long, more secure passwords, since Szathmari says he found many database credentials with just 5 and 8 characters, with only two character classes.

Other really dumb oversights included Twitter O-Auth credentials, the private keys of SSL certificates, and various application-specific tokens. These are all stupid things to store in-code, and was a recipe for disaster.

We now expect that the lawyers suing Ashley Madison as well as AWS will be looking for hired guns to comb the code-base for themselves.

If you happen to be a webmaster or a site owner, it might be a good time to check your own code base, just in case something similar could happen to you.

We keep seeing such security anomalies all the time, and until site developers really and truly understand the legal implacitions in such cases, we expect to see more of the same old, same old.

Sometimes, just spending an extra hour or two analyzing a site's code can make the difference between a site that security experts call ''swiss cheese'' to an internet property that takes better care of its users' credentials and tries to protect their private information for the best of all concerned, no matter what the site's purpose is, good or evil.

Source: Gabor Szathmari.

Get a powerful Linux Dual-Core dedicated server for less than $2.67 a day!

Share on Twitter.


Home | Proxy Sentinel™ | Firewall Sentinel™ | FAQ | News | Sitemap | Contact
Copyright © Internet Security.ca    Terms of use    Privacy agreement    Legal disclaimer