Monthly Archives: August 2015

How to check if you were exposed in the leaked Ashley Madison data release

When a team of hackers calling themselves “the Impact Group” claimed to break into spouse cheating site Ashley Madison last month, millions of users held their breaths: See, even though Ashley Madison confirmed there was a hack, no one had posted any actual user data yet.

That changed on Tuesday evening (US time), when the Impact Group published a 10-gigabyte trove of user data — including names, phone numbers, email addresses and credit card fragments — to the Dark Web.

While Ashley Madison has not confirmed that the information is authentic, several security researchers have already said that it appears to be: Multiple users have independently confirmed that their names appeared in the leak.

A statement posted by Team Impact.

But if you’re worried about appearing on the list yourself, you don’t need to download Tor or scour Pirate Bay for the right torrent. At least three sites were republishing Ashley Madison’s user data on the public-facing internet.

One, which went up on Thursday, claimed it could tell you if an email address or phone number appears in the leaked files. It appears to have since been forced offline by action from Ashley Madison.

“Ashley Madison users who were in committed relationships were taking comfort in the fact that their significant others were not able to Torrent things,” the site’s creator told The Washington Post while they were still active. “Our site upsets that in making it easier for people to find out if their spouse was a part of the site.”

Another, an online business which offers on-demand private investigators, exploited the commercial opportunity by updating its hacked-email search tool to add the Ashley Madison files.

And Have I Been Pwned, a site that tracks major data breaches around the web, just finished loading more than 30.6 million email addresses into its database; unlike the other sites, however, Have I Been Pwned will only share data from the Ashley Madison leak with users who have verified their email address with the service and subscribed for notifications.

In other words, Have I Been Pwned (HIBP) will not allow suspicious spouses, nosy co-workers or other passersby to see if someone else was an Ashley Madison user. It will only allow the actual user to check if his or her name was included in the leak.

It’s a novel response to a situation whose ethics remain enormously murky: If private data is hacked — particularly sensitive, compromising data — who is ultimately responsible for the consequences of that leak? Is it the site that failed to secure the data, the hackers who obtained it, the third parties who republished it, often for profit — or some combination of the three?

“There’s no escaping the human impact of it,” HIBP’s creator, Troy Hunt, wrote in a lengthy blog post explaining why the Ashley Madison data wouldn’t be searchable on his site. “The discovery of one’s spouse in the data could have serious consequences … I’m not prepared for HIBP to be the avenue through which a wife discovers her husband is cheating, or something even worse.”

Computer security expert Graham Cluley warned against witch hunts on his blog.

“For one thing, being a member of a dating site, even a somewhat seedy one like Ashley Madison, is no evidence that you have cheated on your partner,” he wrote. “You might have joined the site years before when you were single and be shocked that they still have your details in their database, or you might have joined the site out of curiosity or for a laugh … never seriously planning to take things any further.”

Cluley also wrote recently about the real risk that a leak could lead to suicide.

“What the howling wolves doesn’t seem to understand is what they are doing is online bullying. The kind of bullying that clearly can cause such personal tragedies,” he wrote.

The Washington Post


Henry Sapiecha


Ashley Madison hack: Hackers claim cheaters’ details dumped online


Many feel that the 30 million people whose identities could be revealed following a hack into Ashley Madison’s servers deserve everything they get. Photo: Chris Wattie

Australian names have started to trickle out in the huge Ashley Madison data leak.

Users who claim they have access to the data have posted 22 email addresses linked to the University of Western Sydney on an online message board.

Fairfax Media, the publisher of this article, has not been able to confirm the post’s legitimacy but spoke with two people from UWS whose email addresses appeared in the list.

The various Ashley Madison databases enclosed in the 10GB compressed torrent file.

One declined to comment and the other said he had never visited the website.

The Ashley Madison leak allegedly reveals the names, addresses and sexual fetishes of more than 30 million Ashley Madison members. Several computer security researchers who have managed to download the file claim it is legitimate.

“This [data] dump appears to be legit. Very, very legit,” wrote computer security researchers from TrustedSec, an information security consulting service, on their company’s blog.

Ashley Madison boasts of its ability to privately facilitate affairs between married individuals. Its slogan is “life is short, have an affair” — hence making the release of user accounts and personal details potentially very damaging for the individuals involved.

Fairfax Media was unable to independently verify the file, which was initially posted as an almost-10-gigabyte torrent file on a web page accessible only on the anonymous Tor network, which requires a special web browser to access.

Hack appears real

Internet message boards Reddit and 8chan lit up with news of the hack on Wednesday, as users frantically tried to download the file — but because of its large size and the number of people trying to download it, few people were able to look at the data quickly.

One Reddit user did appear to confirm that their data had been exposed in the leak.

“Going back through my credit card statements online, I found the days I signed up and opened the portions of the leaked file … associated with those days,” the user said.

“Each time my credit card was hit, all of my information shows up in the leaked credit card file.

“I do not know yet if the [credit card] info can be associated with the information that was contained in profiles, but it’s bad guys.”

Shortly after the user’s message was posted, Reddit banned the thread where users were discussing the alleged hack.

Australian security researcher Troy Hunt said he was uploading anonymised data to his popular website, Have I Been Pwned, so users could check if their log-in details had been exposed. He said that the leak appeared legitimate.

However, Raja Bhatia, Ashley Madison’s former chief technology officer, who is currently working to hunt down the hackers, said immediately after the leak that it was too early to tell whether the data was legitimate.

Despite this, high-profile security writer Brian Krebs said he had spoken with sources who “all have reported finding their information and last four digits of their credit card numbers in the leaked database”.

“I’m sure there are millions of Ashley Madison users who wish it weren’t so, but there is every indication this dump is the real deal,” Krebs said on Twitter.

Security researcher Per Thorsheim posted in his blog on Tuesday that the dumped data contained an account that he was using on Ashley Madison for research purposes, and that he’d verified several of the accounts contained in the dump were real.

Credit card data included in the dump and attached to user accounts also appeared to be real. Thorsheim claimed to have verified at least one credit card number.

Emails may not reveal identities

Ashley Madison allows account sign ups without verifying email addresses. That means, theoretically, users could sign up without using their real email address — meaning the email addresses in the database could be fake.

According to the logs of email addresses posted online so far, that appears to be the case, with several obviously fake email addresses — including former UK Prime Minister Tony Blair’s — in use.

However, the data dump also contains other information, including names, addresses, biographies, and credit card information that may directly identify users.

In a statement to WIRED magazine, the company behind Ashley Madison, Avid Life Media, condemned the reported leak.

“This event is not an act of hacktivism, it is an act of criminality,” it said.

“It is an illegal action against the individual members of, as well as any freethinking people who choose to engage in fully lawful online activities.”

Hacking originally came to light in July

The hacking originally came to light in July when the hackers behind it posted a small amount of data online and demanded Avid Life Media pull AshleyMadison off the internet.

The hackers claim their actions were motivated by AshleyMadison’s $19 “full delete” feature, which purports to fully scrub account details and personal information from the site’s database. The hackers claim that feature did not work as promised and actually left user information in the site’s database.

Fairfax Media has confirmed a mission statement — supposedly by Impact Team, the hackers behind the leak — was posted to a website on the Tor network.

Hacking group Impact Team posted this message on the Tor network.

“Avid Life Media has failed to take down Ashley Madison and Established Men. We have explained the fraud, deceit, and stupidity of ALM and their members. Now everyone gets to see their data,” it said.

“Find someone you know in here? Keep in mind the site is a scam with thousands of fake female profiles. See ashley madison fake profile lawsuit; 90-95 per cent of actual users are male. Chances are your man signed up on the world’s biggest affair site, but never had one. He just tried to. If that distinction matters.

“Find yourself in here? It was ALM that failed you and lied to you. Prosecute them and claim damages. Then move on with your life. Learn your lesson and make amends. Embarrassing now, but you’ll get over it.”


Henry Sapiecha

Kaspersky faked malware to harm rivals, ex-employees claim

Moscow-based Kaspersky Lab is one of the biggest antivirus companies in the world. Photo: Reuters

Beginning more than a decade ago, one of the largest security companies in the world, Moscow-based Kaspersky Lab, tried to damage rivals in the marketplace by tricking their antivirus software programs into classifying benign files as malicious, according to two former employees.

They said the secret campaign targeted Microsoft, AVG, Avast and other rivals, fooling some of them into deleting or disabling important files on their customers’ PCs.

Some of the attacks were ordered by Kaspersky Lab’s co-founder, Eugene Kaspersky, in part to retaliate against smaller rivals that he felt were aping his software instead of developing their own technology, they said.

“Eugene considered this stealing,” said one of the former employees. Both sources requested anonymity and said they were among a small group of people who knew about the operation.

Kaspersky Lab strongly denied that it had tricked competitors into categorising clean files as malicious, so-called false positives.

“Our company has never conducted any secret campaign to trick competitors into generating false positives to damage their market standing,” Kaspersky said in a statement to Reuters. “Such actions are unethical, dishonest and their legality is at least questionable.”

Executives at Microsoft, AVG and Avast previously told Reuters that unknown parties had tried to induce false positives in recent years. When contacted this week, they had no comment on the allegation that Kaspersky Lab had targeted them.

The Russian company is one of the most popular antivirus software makers, boasting 400 million users and 270,000 corporate clients. Kaspersky has won wide respect in the industry for its research on sophisticated Western spying programs and the Stuxnet computer worm that sabotaged Iran’s nuclear program in 2009 and 2010.

The two former Kaspersky Lab employees said the desire to build market share also factored into Kaspersky’s selection of competitors to sabotage.

“It was decided to provide some problems” for rivals, said one ex-employee. “It is not only damaging for a competing company but also damaging for users’ computers.”

The former Kaspersky employees said company researchers were assigned to work for weeks or months at a time on the sabotage projects.

Their chief task was to reverse-engineer competitors’ virus detection software to figure out how to fool them into flagging good files as malicious, the former employees said.

The opportunity for such trickery has increased over the past decade and a half as the soaring number of harmful computer programs has prompted security companies to share more information with each other, industry experts said. They licensed each other’s virus-detection engines, swapped samples of malware, and sent suspicious files to third-party aggregators such as Google’s VirusTotal.

By sharing all this data, security companies could more quickly identify new viruses and other malicious content. But the collaboration also allowed companies to borrow heavily from each other’s work instead of finding bad files on their own.

Kaspersky Lab in 2010 complained openly about copycats, calling for greater respect for intellectual property as data-sharing became more prevalent.

In an effort to prove that other companies were ripping off its work, Kaspersky said it ran an experiment: It created 10 harmless files and told VirusTotal that it regarded them as malicious. VirusTotal aggregates information on suspicious files and shares them with security companies.

Within a week and a half, all 10 files were declared dangerous by as many as 14 security companies that had blindly followed Kaspersky’s lead, according to a media presentation given by senior Kaspersky analyst Magnus Kalkuhl in Moscow in January 2010.

When Kaspersky’s complaints did not lead to significant change, the former employees said, it stepped up the sabotage.

Injecting bad code

In one technique, Kaspersky’s engineers would take an important piece of software commonly found in PCs and inject bad code into it so that the file looked like it was infected, the ex-employees said. They would send the doctored file anonymously to VirusTotal.

Then, when competitors ran this doctored file through their virus detection engines, the file would be flagged as potentially malicious. If the doctored file looked close enough to the original, Kaspersky could fool rival companies into thinking the clean file was problematic as well.
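To make the two failure modes concrete (a single peer verdict followed blindly, as in the VirusTotal experiment above, and conviction by similarity to a doctored file, as in the technique just described), here is an added Python simulation that is not code from Reuters, Kaspersky or any antivirus vendor. The byte-chunk similarity measure, chunk size, quorum, thresholds, vendor names and sample files are all constructed assumptions; the point is the contrast between a trust-the-peer policy and one that pins independently verified hashes, requires a quorum and routes similarity hits to review instead of quarantine.

```python
import hashlib
from dataclasses import dataclass, field

CHUNK = 16  # byte-chunk size for the toy similarity measure (assumption)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def chunk_similarity(a: bytes, b: bytes) -> float:
    """Jaccard overlap of fixed-size byte chunks: a toy stand-in for the
    'looks a lot like a file we already ruled malicious' logic the article
    describes. Real engines are far more elaborate; the failure mode is the same."""
    sa = {a[i:i + CHUNK] for i in range(0, len(a), CHUNK)}
    sb = {b[i:i + CHUNK] for i in range(0, len(b), CHUNK)}
    return len(sa & sb) / len(sa | sb) if (sa | sb) else 1.0


@dataclass
class Feed:
    """Shared threat data as received from peers (constructed)."""
    peer_verdicts: dict = field(default_factory=dict)  # sha256 -> set of vendors flagging it
    bad_samples: list = field(default_factory=list)    # raw bytes peers shared as malicious


@dataclass
class Policy:
    allowlist: set              # hashes we independently verified as clean (e.g. vendor-signed)
    quorum: int = 3             # independent peers needed before a peer verdict is accepted
    sim_threshold: float = 0.8  # similarity that nominates a file for analyst review


def naive_verdict(data: bytes, feed: Feed) -> bool:
    """'Follow the leader': one peer flag, or high similarity to any shared bad
    sample, is enough to convict. This is the trust model the article says was abused."""
    if feed.peer_verdicts.get(sha256_hex(data)):
        return True
    return any(chunk_similarity(data, bad) >= 0.8 for bad in feed.bad_samples)


def hardened_verdict(data: bytes, feed: Feed, policy: Policy) -> bool:
    """Peers can only convict with a quorum, never a file on our own allowlist,
    and similarity alone never convicts (see needs_review)."""
    h = sha256_hex(data)
    if h in policy.allowlist:
        return False
    return len(feed.peer_verdicts.get(h, ())) >= policy.quorum


def needs_review(data: bytes, feed: Feed, policy: Policy) -> bool:
    """Similarity to a shared bad sample routes the file to a human, not to quarantine."""
    if sha256_hex(data) in policy.allowlist:
        return False
    return any(chunk_similarity(data, bad) >= policy.sim_threshold
               for bad in feed.bad_samples)


# Constructed stand-ins: a 'legitimate driver', the same bytes with junk appended
# (the doctoring the ex-employees describe), and a harmless file that one peer
# mislabels (the VirusTotal experiment).
CLEAN_DRIVER = bytes(range(256)) * 4
DOCTORED = CLEAN_DRIVER + b"\x90" * 128
HARMLESS_PLANT = b"hello world, nothing to see here" * 8


def build_scenario() -> tuple:
    feed = Feed()
    feed.peer_verdicts[sha256_hex(HARMLESS_PLANT)] = {"vendorA"}  # one peer's bare word
    feed.peer_verdicts[sha256_hex(DOCTORED)] = {"vendorA"}
    feed.bad_samples.append(DOCTORED)                             # shared as 'malicious'
    policy = Policy(allowlist={sha256_hex(CLEAN_DRIVER)})         # we verified the driver ourselves
    return feed, policy


def run() -> dict:
    """Compare both policies on the same feed; keys describe the decision taken."""
    feed, policy = build_scenario()
    return {
        "naive_flags_clean_driver": naive_verdict(CLEAN_DRIVER, feed),
        "naive_flags_plant": naive_verdict(HARMLESS_PLANT, feed),
        "hardened_flags_clean_driver": hardened_verdict(CLEAN_DRIVER, feed, policy),
        "hardened_flags_plant": hardened_verdict(HARMLESS_PLANT, feed, policy),
        "doctored_goes_to_review": needs_review(DOCTORED, feed, policy),
    }
```

Under the naive policy the untouched driver is quarantined because it is 16/17 chunk-similar to the doctored copy, and the harmless plant is convicted on one vendor's say-so; the hardened policy quarantines neither and only nominates the doctored file for review.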

VirusTotal had no immediate comment.

In its response to written questions from Reuters, Kaspersky denied using this technique. It said it too had been a victim of such an attack in November 2012, when an “unknown third party” manipulated Kaspersky into misclassifying files from Tencent, and the Steam gaming platform as malicious.

The extent of the damage from such attacks is hard to assess because antivirus software can throw off false positives for a variety of reasons, and many incidents get caught after a small number of customers are affected, security executives said.

The former Kaspersky employees said Microsoft was one of the rivals that were targeted because many smaller security companies followed the Redmond, Washington-based company’s lead in detecting malicious files. They declined to give a detailed account of any specific attack.

Microsoft’s antimalware research director, Dennis Batchelder, told Reuters in April that he recalled a time in March 2013 when many customers called to complain that a printer code had been deemed dangerous by its antivirus program and placed in “quarantine.”

Batchelder said it took him roughly six hours to figure out that the printer code looked a lot like another piece of code that Microsoft had previously ruled malicious. Someone had taken a legitimate file and jammed a wad of bad code into it, he said. Because the normal printer code looked so much like the altered code, the antivirus program quarantined that as well.

Over the next few months, Batchelder’s team found hundreds, and eventually thousands, of good files that had been altered to look bad. Batchelder told his staff not to try to identify the culprit.

“It doesn’t really matter who it was,” he said. “All of us in the industry had a vulnerability, in that our systems were based on trust. We wanted to get that fixed.”

In a subsequent interview last week, Batchelder declined to comment on any role Kaspersky may have played in the 2013 printer code problems or any other attacks. Reuters has no evidence linking Kaspersky to the printer code attack.

As word spread in the security industry about the induced false positives found by Microsoft, other companies said they tried to figure out what went wrong in their own systems and what to do differently, but no one identified those responsible.

At Avast, a largely free antivirus software maker with the biggest market share in many European and South American countries, employees found a large range of doctored network drivers, duplicated for different language versions.

Avast Chief Operating Officer Ondrej Vlcek told Reuters in April that he suspected the offenders were well-equipped malware writers and “wanted to have some fun” at the industry’s expense. He did not respond to a request for comment on the allegation that Kaspersky had induced false positives.

Waves of attacks

The former employees said Kaspersky Lab manipulated false positives off and on for more than 10 years, with the peak period between 2009 and 2013.

It is not clear if the attacks have ended, though security executives say false positives are much less of a problem today.

That is in part because security companies have grown less likely to accept a competitor’s determinations as gospel and are spending more to weed out false positives.

AVG’s former chief technology officer, Yuval Ben-Itzhak, said the company suffered from troves of bad samples that stopped after it set up special filters to screen for them and improved its detection engine.

“There were several waves of these samples, usually four times per year. This crippled-sample generation lasted for about four years. The last wave was received at the beginning of the year 2013,” he told Reuters in April.

AVG’s chief strategy officer, Todd Simpson, declined to comment.

Kaspersky said it had also improved its algorithms to defend against false virus samples. It added that it believed no antivirus company conducted the attacks “as it would have a very bad effect on the whole industry.”

“Although the security market is very competitive, trusted threat-data exchange is definitely part of the overall security of the entire IT ecosystem, and this exchange must not be compromised or corrupted,” Kaspersky said.


Henry Sapiecha

Major Firefox vulnerability lets hackers steal your files using dodgy web ads

Hackers have found a way to steal people’s computer files through an exploit in Mozilla’s Firefox browser.

If you needed another reason to install an ad-blocker on your web browser, read on.

Mozilla Firefox users are this week being urged to update to the latest version after an exploit was found being used in the wild which allowed the scooping up of files from users’ computers via an ad without leaving a trace behind of the hack.

In a blog post, Mozilla said the ad, found on a Russian news website, was “serving up a Firefox exploit” which allowed code to be run on a user’s computer to search files, which were then uploaded to a server in Ukraine.

The exploit affects Windows and Linux users; Mac users weren’t specifically targeted this time around, but the company warned Mac users “would not be immune” should a hacker decide to target them using the same vulnerability.

And the worst part is, if you’re targeted you’ll have no way of knowing, because the exploit leaves no trace it has been run on your computer.

If you’re like the one million Australians who use ad-blocking software, however, you “may have been protected” from the malicious exploit depending on the type of software you use and the level of filtering, Mozilla has advised.

The vulnerability relates to Firefox’s PDF viewer, so products without a PDF viewer, such as Firefox for Android mobile devices, were not at risk, it said.

Mozilla is urging anyone using Firefox on Windows or Linux to install the latest Firefox — versions 39.0.3 for personal users and Firefox ESR 38.1.1 for enterprise — which include a patch for the vulnerability.

Mozilla has also advised users to change passwords and keys for files potentially affected by the exploit, which seemed to be crafted to steal files on a computer used by software and website developers.

Mike Thompson, a security expert and director of Linus Information Security Solutions, said maintaining patch levels was the most important general measure users could take to reduce their exposure to these kinds of exploits.

However, a “concerning” trend was that hackers are increasingly targeting apps such as web browsers rather than operating systems, which tend to push software updates more actively, he said.

“Operating system patching is generally well structured and often automated, but app patching is far more random,” Mr Thompson said.

“Windows 10 for example is strongly pushing automated patching, but app developers more commonly rely on user initiated processes.”

Firefox had 12.79 per cent market share in Australia as of July, according to StatCounter.

Henry Sapiecha

Online cheating date site AshleyMadison hacked

Ashley Madison: up to 1 million Australians could be exposed.

Large caches of data stolen from the online cheating site have been posted online by an individual or group that claims to have completely compromised the company’s user databases, financial records and other proprietary information. The still-unfolding leak could be quite damaging to some 37 million users of the hook-up service, whose slogan is “Life is short. Have an affair.”

It is unclear whether the accounts of Australian clients have been compromised.

The data released by the hacker or hackers – who go by the name The Impact Team – includes sensitive internal data stolen from Avid Life Media (ALM), the Toronto-based firm that owns AshleyMadison as well as related hook-up sites Cougar Life and Established Men.

Reached late Sunday evening, ALM Chief Executive Noel Biderman confirmed the hack, and said the company was “working diligently and feverishly” to take down ALM’s intellectual property. Indeed, in the short span of 30 minutes between that brief interview and the publication of this story, several of the Impact Team’s web links were no longer responding.

“We’re not denying this happened,” Biderman said. “Like us or not, this is still a criminal act.”

Besides snippets of account data apparently sampled at random from among some 40 million users across ALM’s trio of properties, the hackers leaked maps of internal company servers, employee network account information, company bank account data and salary information.

The compromise comes less than two months after intruders stole and leaked online user data on millions of accounts from hook-up site AdultFriendFinder.

In a long manifesto posted alongside the stolen ALM data, The Impact Team said it decided to publish the information in response to alleged lies ALM told its customers about a service that allows members to completely erase their profile information for a $19 fee.

According to the hackers, although the “full delete” feature that Ashley Madison advertises promises “removal of site usage history and personally identifiable information from the site,” users’ purchase details — including real name and address — aren’t actually scrubbed.

“Full Delete netted ALM $1.7mm in revenue in 2014. It’s also a complete lie,” the hacking group wrote. “Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed.”

Their demands continue:

“Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails. The other websites may stay online.”

It’s unclear how much of the AshleyMadison user account data has been posted online. For now, it appears the hackers have published a relatively small percentage of AshleyMadison user account data and are planning to publish more for each day the company stays online.

“Too bad for those men, they’re cheating dirtbags and deserve no such discretion,” the hackers continued. “Too bad for ALM, you promised secrecy but didn’t deliver. We’ve got the complete set of profiles in our DB dumps, and we’ll release them soon if Ashley Madison stays online. And with over 37 million members, mostly from the US and Canada, a significant percentage of the population is about to have a very bad day, including many rich and powerful people.”

ALM CEO Biderman declined to discuss specifics of the company’s investigation, which he characterised as ongoing and fast-moving. But he did suggest that the incident may have been the work of someone who at least at one time had legitimate, inside access to the company’s networks – perhaps a former employee or contractor.

“We’re on the doorstep of [confirming] who we believe is the culprit, and unfortunately that may have triggered this mass publication,” Biderman said. “I’ve got their profile right in front of me, all their work credentials. It was definitely a person here that was not an employee but certainly had touched our technical services.”

As if to support this theory, the message left behind by the attackers gives something of a shout out to ALM’s director of security.

“Our one apology is to Mark Steele (Director of Security),” the manifesto reads. “You did everything you could, but nothing you could have done could have stopped this.”

Several of the leaked internal documents indicate ALM was hyper-aware of the risks of a data breach. In a Microsoft Excel document that apparently served as a questionnaire for employees about challenges and risks facing the company, employees were asked “In what area would you hate to see something go wrong?”

Trevor Stokes, ALM’s chief technology officer, put his worst fears on the table: “Security,” he wrote. “I would hate to see our systems hacked and/or the leak of personal information.”

In the wake of the AdultFriendFinder breach, many wondered whether AshleyMadison would be next. As the Wall Street Journal noted in a May 2015 brief titled “Risky Business for,” the company had voiced plans for an initial public offering in London later this year with the hope of raising as much as $200 million.

“Given the breach at AdultFriendFinder, investors will have to think of hack attacks as a risk factor,” the WSJ wrote. “And given its business’s reliance on confidentiality, prospective AshleyMadison investors should hope it has sufficiently, er, girded its loins.”

Henry Sapiecha