Ashley Madison hack is a lesson for faithful and unfaithful alike
Times have changed, and nowadays, on the Internet, everybody knows you're a dog.
That's what users of the adultery website Ashley Madison are learning this week, as names and emails -- including thousands that appear to be from military and government officials -- were leaked, exposed and exploited by would-be extortionists.
But it's a lesson we would all do well to take to heart.
"We're way too fearless about the way we enter information online," Michael DeCesare, CEO of network security company ForeScout Technologies, told CBS News. "It's amazing how careless people are."
Every day millions of us sign up on websites with our names, our email addresses, our physical addresses and credit card numbers. The process of giving out personal details online is so woven into the fabric of daily life that we often do it without a second thought. We shouldn't.
"I generally treat the entire online universe as published content and public, and try not to put anything online that I would want to keep private," said cyberwarfare advisor David Gewirtz.
Security experts widely agree that the question is not whether but when a site will get hacked. Therefore it behooves every digital denizen to be careful with what they put online, practice good "password hygiene" -- and, as Gewirtz said, be prepared for the worst.
But of course, the onus must also fall on companies to do everything they can to secure their customers' data and be prepared for the likelihood of attack.
"Information is power," NewYorker.com editor and CBS News contributor Nicholas Thompson said. "Companies collect this information and they keep it -- even sometimes when they say they delete it. So there are all of these places that have massive, massive troves of information that are thus vulnerable to hacks."
Ashley Madison made close to $2 million a year selling a $20 service to users that promised to permanently erase their personal details, but some of it still remained in the nearly 30 gigabytes' worth of data released this week by the hacking group calling itself "Impact Team."
"Ashley Madison turned out to be one particularly damaging one, because even the fact that your information is there is damaging to you. So this is a devastating hack for a lot of people," Thompson said.
DeCesare stressed that companies need to be held accountable for keeping people safe.
"When I read stories like this, that's who I get the most angry at," he said. "You have to build the cloud to be safe from the beginning."
This applies to anyone collecting users' information, from big insurance companies like Anthem and massive federal databases like OPM's, to comparatively small independent websites and online stores. "Anybody who takes data online -- [those are] the people we have to hold most accountable in this day and age," DeCesare said.
Gewirtz warned: "Just keep in mind that anything online is a few milliseconds away from everything else and relies on someone else's dedication to security. That someone else might be a Google, with a tremendous team of security engineers, or it could be the digital equivalent of Paul Blart, Mall Cop. Are you willing to bet your life, career, or privacy on that level of security? That's the question."
"Anyone using online sites like this (or Adult Friend Finder, that also got hacked), needs to be aware that relatively small companies are managing this explosive data and that even the most diligent company (it appears ALM [Avid Life Media, owner of Ashley Madison] was diligent) is no match for, say, China, if it's trying to find some good blackmail material," he added.
And that doesn't just mean cheating husbands. Online services for people who have a need to keep their identities private because of legitimate concerns about their safety are particular targets.
Who perpetrated the hack, exactly why, and how they will use the stolen information is still unclear.
Noel Biderman, the CEO of Avid Life Media, told security expert Brian Krebs when Krebs first reported the hack in July that "it was definitely a person here that was not an employee but certainly had touched our technical services."
The true identities of the hacker or hackers behind "Impact Team" have not been identified. So far it appears that freelance extortionists finding site user emails online are the only ones attempting to make a profit (largely via Bitcoin blackmail) from the attack.
Gewirtz said the perpetrators "did a pretty good job of covering their tracks" and will likely be hard to track down. And DeCesare commented that "it takes a long time to peel back the onion" on who was responsible for an infiltration and how much data was compromised.
