Do You Call Them Grey Hats?

The Ashley Madison hack has no doubt sent many people running for cover - and left many questions in its trail.

For those who have been too busy with life to have followed the story: Ashley Madison, whose parent company also owns a site that hooks prosperous men up with needy, willing women ("Established Men"), is a site that advocates extramarital affairs - and will connect users with one another because "Life is Short. Have An Affair."

Of course, there was a price for the service.

Now, it appears, there is an even bigger price - the outing of the users, including not just names and emails, but credit card information, photos, and private - frequently explicit - chats and fantasies.

Why? Apparently the hackers didn't like cheating. They offered Ashley Madison the option of shutting down operations, but since negative publicity had worked so well in the past (the site tried to buy Super Bowl spot time, but was refused, and the ensuing publicity got them millions of hits) they figured they'd go for it again. I guess.

A feature of the story that bothered me: the number of email addresses from unlikely people and organizations that were involved. Someone did an unscientific study of the percentage of people coming from various colleges, particularly "religious" colleges. Needless to say, it proved the point the analyst was trying to make.

But I began to wonder: what was the ultimate point of the hack, and were the culprits real, or setups?

Apparently, the hackers hadn't asked for money or any form of blackmail; they simply asked that the site be shut down. Would a list of "famous" (think of Josh Duggar, the "19 Children and Counting" son who was already in trouble for pubescent interest in touching younger girls) clients increase the odds that the people at Ashley Madison would be more or less likely to shut it down? Could the emails and other details have been a purchased list added to the real list and then released to up the embarrassment factor, particularly when you consider that .gov and .vatican (that's not really the email extension, but you get the drift) were included on that list?

Perhaps of most importance to all of us is: what does all this mean to me, and is there any such thing as "secure?"

The simplest answers: a lot and not really.

There have always been hacks of credit card-rich databases, like stores, for example. But odds are a retail store would, once upon a time, not have been on as high an alert for a data breach as would an online entity, such as a bank or online service that required payment.

We've all been warned time and again to change our passwords often, and not to store them where they could be accessed.

But would we have expected that our doctors' offices and our friendly gas stations would now be prime targets for data thieves? Given that you're handing a ton of personal information over to databases every day, to your doctor's office, at the gas pump - and that you have little to no control over what they do to protect that data - the issue isn't as simple as being careful with strong passwords and when and to whom you give out your credit card information.

Another old story that seems to come around again - and again, and again - is the phishing scenario. No longer so unsophisticated as to send a silly-looking subject line like "Naked Pictures of Your Girlfriend," phishers now opt for spoofing the email of a friend, or worse, really using the email of a friend by getting into said friend's computer via a Trojan Horse (you download a seemingly innocent program or file, which comes complete with a nasty bit of code that deploys itself on your computer and gathers up your important data) to entice you into opening an email that comes complete with its own "payload" of malware.

Spoofing email addresses - and making them look like the real thing - is surprisingly easy. There are many programs that will capture images, even images that are designed not to be captured, from a legitimate website. So "branding" an email is quite simple to do. Next, you need an SMTP server (a server that can send email) and some mailing software. If you have a webhost, you probably have an SMTP server (a webhost is simply a server that houses your website, for example). Then get some software like PHPMailer, add some "from" and "to" addresses (in other words, the "from" does not have to be legitimate), and send. As far as the recipient is concerned, it looks like they're getting a real email from a real, honest source.
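A receiving-side check for the forged "from" described above, as an added example that is not part of the original post: it compares the visible From domain with the envelope sender and Reply-To, and reads the DMARC verdict recorded by the recipient's own mail server. The two sample messages, the server name `mx.recipient.example`, and the naive two-label domain comparison are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the name our own receiving mail server stamps on its verdicts.
TRUSTED_AUTHSERV = "mx.recipient.example"

# Constructed sample: visible From claims a bank, envelope sender is a webhost.
SPOOFED = """\
Return-Path: <bounce@webhost.example>
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=webhost.example; dkim=none; dmarc=fail header.from=bank.example
From: "Your Bank" <alerts@bank.example>
Reply-To: help@webhost.example
Subject: Account notice
"""

# Constructed sample: same visible From, but every domain lines up.
LEGIT = """\
Return-Path: <bounce@mail.bank.example>
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=mail.bank.example; dkim=pass header.d=bank.example; dmarc=pass header.from=bank.example
From: "Your Bank" <alerts@bank.example>
Subject: Statement ready
"""

def org_domain(header_value):
    """Domain of an address header, cut to its last two labels (naive: no public suffix list)."""
    addr = parseaddr(header_value or "")[1]
    labels = addr.rpartition("@")[2].lower().split(".")
    return ".".join(labels[-2:]) if addr else ""

def auth_verdicts(msg):
    """spf/dkim/dmarc results, taken only from the header our own server added."""
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, rest = value.partition(";")
        if authserv.strip() == TRUSTED_AUTHSERV:  # ignore headers a sender could forge
            return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest))
    return {}

def assess(raw):
    """Return a list of spoofing indicators for one raw message."""
    msg = message_from_string(raw)
    from_dom = org_domain(msg["From"])
    findings = [] if auth_verdicts(msg).get("dmarc") == "pass" else ["dmarc-not-pass"]
    for header, tag in (("Return-Path", "envelope-sender-mismatch"), ("Reply-To", "reply-to-mismatch")):
        dom = org_domain(msg[header])
        if dom and dom != from_dom:
            findings.append(tag)
    return findings

print(assess(SPOOFED), assess(LEGIT))
```

An SPF pass alone says nothing about the visible From: in the first sample SPF passes for the webhost's domain while DMARC fails for the bank's.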

In truth, there is a never-ending story of cops and robbers that goes on with the White Hat hackers and the Black Hat hackers. Each time the Black Hats get caught or stopped, they find another way around the security; every time they come up with a new way to get around it, the White Hats find a way to stop them. And many of them are trying to think one step ahead - think like a crook, but don't be one.

But this whole Ashley Madison story puts yet another spin on that tale: what do you call a group of hackers who are trying to force an enterprise engaged in something tawdry at best to stop what it's doing - and using dirty tricks to get them to do so?
