Cyber security: will the Ashley Madison hack change our habits?
This week, a group of anonymous internet hackers made good on their threat to release the private information of clients registered on Ashley Madison, a dating site for people wanting to have affairs.
In July the hackers, who call themselves Impact Team, said they would initiate the leak unless Ashley Madison’s Toronto-based parent company Avid-Life Media Inc. shut the website down.
On August 19, Impact Team released a 9.7-gigabyte file on the dark web, where it was quickly picked up and disseminated on the internet. The file included emails, member profiles, credit-card transactions and other sensitive information belonging to Ashley Madison’s 30 million-plus registered users.
Is this breach a precedent-setting moment in internet history, as media outlets like the Washington Post suggest?
To find out, we contacted three Concordia cyber-security experts: Mohammad Mannan and Jeremy Clark — assistant professors with the Concordia Institute for Information Systems Engineering (CIISE) — and Caspian Kilkelly, a senior consultant with Instructional and Information Technology Services (IITS).
How does a hack like this happen?
Jeremy Clark: Whenever there's any data that's of value to people, you'll have what we call advanced persistent threats or APTs. They choose a target and they'll persist in attacking that target until they find a loophole.
Caspian Kilkelly: A lot of times it's not so much that the data is 100 per cent unsafe, but that somebody has taken a shortcut in the design of the site that makes it unsafe.
It's kind of like having a glass window beside a heavily guarded metal door that allows you to just punch a hole through and unlock the door from the inside: it deters most people but it's not going to deter someone who wants to get in there.
In future, are massive security breaches going to be par for the course?
Mohammed Mannan: If you have information somewhere, collected in some kind of storage, most likely it will be leaked. It's just a matter of time. If there is any interest in that data, it's actually very difficult to protect it with the current technology that we have.
What impact will this have?
MM: As a society now, we don't care. Even if Ashley Madison was compromised, and people are pissed off now, the same people might sign up for something else in a few weeks. Because we think, "Okay, that company was not good, but if it's a service from Google or Facebook it might be better."
Right now, functionality is the most important thing to us as individuals, and also for governments. We just want to make things easy, without thinking about the implications. We tend to ignore these things for a reason. We get something out of it so we want to ignore the bad part of it.
JC: I concur with Mannan. I don't think this is the straw that's going to break the camel's back.
A more similar and arguably more high-profile hack of the same type is what happened with Sony, where they got all sorts of internal emails and things.
The only difference is that there wasn't this big public data dump in the same way we see with Ashley Madison. The Sony hack woke a lot of people up. It certainly got the press interested.
This one will add fuel to the fire, but I don’t think it will be pegged as the real case where everything changed.
So it isn’t likely to change consumer habits?
CK: Changing what people do online is going to be hard. Changing how people do it is going to be a lot easier.
I hope people are actually rotating their passwords, or using different passwords for different services. The security community has been crowing about this for 15 years at this point, or longer.
It should be common sense, but it's also common sense to lock your doors at night if you live in a neighbourhood with a lot of traffic, or not to leave the coffee on before you leave. People do dangerous things all the time, and they make mistakes.
MM: It might change at some point when we're really screwed over by something. There might be some new governmental regulations, or something like that might change.
But for the foreseeable future, the functionality or the ease of use will dominate how things are done.
Do you think our data is ever going to be 100 per cent safe?
JC: No, I really don't. Employees need access to the data. So, as long as a hacker can impersonate an employee, and as long as employees have access to the data which they need to run the business, there's a way for the attacker to get access to the data.
In fact, a lot of these breaches happen because internal employees leak the information — like with the Edward Snowden/NSA type of stuff. WikiLeaks has a whole website where internal people leak stuff.
MM: I worked on this problem for a while, and we have designed some systems where you don't care if the data is breached, it's useless to the attacker. They can’t do anything with it. If they get your credit card number or SIN, they have it but they cannot use it.
You can design things like that; it's not tremendously difficult. But as a society, we probably don't have the appetite for that kind of technology yet, because we don't see it as a problem. It's just a nuisance now and then. You leak some data and in a week or so, it's forgotten.
CK: There's always a trade-off between safe and practical. It's the same with cars and planes and everything else that we put a lot of faith in when we're getting on the road or doing anything in life.
It's like asking, am I going to be safe while walking down the street? Yes, most of the time. But there's always the off chance that somebody pops up out of nowhere and does something.