The release of information stolen from Ashley Madison,
a site devoted to helping married individuals cheat on their spouses,
could harm many people. But there is one group in particular — members
of the military — that might suffer more than their civilian
counterparts if they’re implicated by the data dump.
An estimated 32 million
Ashley Madison users were affected by the company’s hacking. Their
email addresses, partial credit card information, and IP addresses were
revealed over the weekend. For most people, the release of this data
could be a problem. But for military members, being outed as adulterers
could ruin their lives.
The Uniform Code of Military Justice is explicit about its stance on cheaters:
they should be punished. Adultery itself rarely leads to a
court-martial, but the charge is often added to other accusations
against a serviceperson to increase their punishment, and could lead to
much more severe disciplinary actions.
How severe? Well, adulterers could be
punished with a year in confinement and a dishonorable discharge, which
would lead them to lose all veteran benefits. Some, like former
President George W. Bush, have advised against taking all adulterers to court-martial. But still, the rule remains a part of the UCMJ.
It’s possible that many of the
military email addresses used to sign up for Ashley Madison were fake.
The company didn’t verify all account information, and someone might
have used a fake email address to avoid a spouse’s ire, although that
seems like a bit of a stretch. But given the other information available
— including location data and the last four digits of customers’ credit
cards — it doesn’t seem hard to identify personnel.
And this isn’t just a problem for the
members of the military themselves. If the data wasn’t made public and
was instead used for the hackers’ personal gain, holding this
information over the head of someone in the military could have led to
blackmail. That’s one of the main fears of any major security breach.
Just look at the breach at Anthem,
the nation’s second-largest health insurer. One of the primary concerns
was that whoever hacked the company had access to data that could
inform phishing attacks against the military or government. (Anthem
later said it was highly unlikely that the hackers received such information.)
Imagine if someone combined information
from the two sources. You know who someone is, where they live, and that
they joined a site to help them cheat. Would it really be that hard to
come up with a phishing attack, or a compelling bit of blackmail,
which could lead that person to make some kind of mistake?
Then there is the “potential for
an attacker to reuse the stolen credentials on other Internet services
or even government systems,” says Marcus J. Carey, chief technical
officer of vThreat,
a company that facilitates network attack simulations for enterprise
networks. Should the AM data eventually be used to gain access to
popular social networks, it could pose a longer-term threat to
national security, leading military or federal workers to
lose clearances, according to Carey.
“Something like Facebook or Twitter could be used to send people to malicious sites. Other
federal employees would trust links from other people they know and
follow online. Huge phishing potential for federal and military
personnel,” Carey told me.
It’s easy to make jokes about Ashley
Madison users deserving to be revealed, or how the company might pivot
to become a dating service for recent divorcées (Zing!). But underneath
that dubious moral posturing lies a serious warning about how
stolen data from any large website could be more dangerous than you’d
think.
Still, it’s hard not to ask one facetious
question: Why would people with so much to lose attach their Ashley
Madison accounts to their work email? Carey can answer that, too.
“There is a popular saying in the
cybersecurity world,” he says. “There is no patch for stupid. People are
always the weakest link.”
Carey’s point about people being the
weakest link in any security system might be troublesome for another
reason: the potential that anyone affected by this hack used the same
password across multiple sites. (Microsoft researchers said in 2014 that
many people are unable to remember long, unique, complex passwords, so
they often repeat them across multiple sites or use less-secure options.)
This might not be a huge concern, since Ashley Madison did use decent encryption for passwords, as Quartz
points out. Yet dedicating all efforts to cracking a particular account’s
encryption is very possible. And depending on the person and the nature
of their private online discussions, that could mean a lot of sensitive
information could eventually slip into the wrong hands.
“When the OPM hack of government
employees’ data occurred so close to the Ashley Madison hack, pundits
were quick to point out the possibility of applying big data analytics
to a combined data set,” security industry analyst Richard Stiennon told
Gigaom. “Now that the data has been dumped, it would be trivial to
match up the records from OPM with anyone who works in government or has
a security clearance and was also foolish enough to use their real name
and email address on Ashley Madison.
“Of course journalists and researchers are all busy doing this today so those victims already have a problem,” he adds.
That’s more than a bit scary — not to
mention that it may also increase the odds that hackers will attempt to
use blackmail as a tactic to get what they want, according to Stiennon.
But there is one potential upside: Perhaps now people will take their privacy a little more seriously.
Ashley Madison’s breach is “going to have a
big impact on this sort of behavior in the future,” Stiennon said.
“That is the upside of breaches. Nobody takes security seriously until
they have been personally impacted.” Maybe now some of the country’s
most valuable targets will be just a little bit more cautious.