The Ashley Madison hacker gang will be tough to apprehend, based on our informal survey of security experts. The hackers this week dumped nearly 10 gigabytes of stolen personal data onto the Web — details gleaned from accounts established on the site, which is dedicated to matching up people who want to engage in extramarital affairs.
“In this case, the hackers seemed to have taken all necessary precautions to protect their anonymity while utilizing the Dark Web via Tor,” said Troy Gill, a senior security analyst with AppRiver.
“I’m not sure much more is known about them now than when this whole event began,” he told TechNewsWorld.
Tor is a network designed to keep the identities of the people using it anonymous. The Dark Web is a part of the Internet outside the observation of search engines, and it is inaccessible through conventional Web-surfing tools.
The Impact Team, which last month broke into Ashley Madison, used Tor to hide its identity online, and the Dark Web to post stolen data to the Internet.
When the Impact Team announced it had stolen data from the site, it demanded that owner Avid Life Media shut it down — along with two other sites it owned, Established Men and Cougar Life. When Avid didn’t comply with the hackers’ demands, the gang released its cache of stolen data to the Internet.
Find a Rat
“From what I understand, the perpetrators were very careful with their execution and were able to remain anonymous,” Gill said. “When used correctly, the Dark Web offers a tremendous amount of anonymity.”
Just as the human element can be the weakest link in a cyberdefense chain, so too can it be when trying to cage cautious hackers.
“One possible approach that might still prove useful might be to somehow compel those with knowledge of the hackers to come forward,” Gill noted.
It’s very difficult to track down attackers, especially if they are careful about how they set up their infrastructure and conduct their attack, said Ben Johnson, chief security strategist with Bit9 + Carbon Black.
“In fact, it is nearly impossible,” he told TechNewsWorld.
“Often, it is only through a slippage in blending hidden and real identities,” Johnson said. Sometimes an insider’s disclosure leads to the determination of hackers’ actual identities.
Seasoned hackers can be tripped up by tiny mistakes, noted Adam McNeil, a malware intelligence analyst with Malwarebytes, “but as of now, we have not heard of any of those things.”
Fighting Moral Turpitude
Something as simple as resizing a Tor window could lead to a hacker’s demise, McNeil told TechNewsWorld.
“When you try to go full screen in Tor, it will tell you that going full screen will allow people to collect metrics which could disclose your identity,” he explained.
“Other hackers have used Tor to hide their identity but have exposed it through poor operational security,” McNeil added.
Although many data breaches have a financial or espionage angle to them, that doesn’t seem to be the case with the Ashley Madison break-in.
“The motivation for disclosing the data is slightly different than in other cases, because there doesn’t seem to be a financial motivator,” McNeil observed. “These hackers seem to be concerned about moral turpitude. They’re trying to create transparency and right some wrongs of society.”
However, once a massive amount of data is made public, what happens to that data is out of the hackers’ hands.
“This information can be used to not only steal additional information and ultimately the person’s identity, but also embarrass or hold individuals at ransom, especially given that many users would want to keep this information secret from colleagues or spouses,” said Eric Chiu, president and founder of HyTrust.
“That’s an unintended consequence of the action,” added Malwarebytes’ McNeil. “It will definitely happen.”
Since information is still scant on how the Impact Team pulled off the Ashley Madison caper, security experts say it’s too soon to assess what the threat level may be to other websites.
Still, “any time a large volume of logon information is publicly leaked,” warned Bit9’s Johnson, “there is a tremendous amount of brute-forcing attempted against pretty much every consumer and other high-value website out there.”