Ashley Madison Technical Analysis

On this page we examine the nature of the leaked files and the manner in which they were leaked to see what we can learn about how the hack took place.

Initial Theory – Web-Server Hack

The first leak, which we call Dump #1 throughout our articles, contained the notorious user account database, the credit card files, and a small selection of internal business documentation.

The database files are in the form of MySQL dumps: text files containing the commands to create the database schema along with all the data. These are typically used when backing up a database, as it is very quick to reload these files into a new database. Only web-server permissions would be needed to access this data.

The leaked dumps only contain what database professionals call “dynamic data”. These are tables that typically contain data entered by end-users, such as their profiles. There are many other tables, containing “static data” used for reference that are missing from the leak. It is not possible to fully reconstruct any user’s profile without these reference tables.

Some information about the users can be inferred. For example, we know that a gender look-up table must exist because user profiles indicate genders of 1 or 2. We do not know which is male and which is female, but we can infer which is which by looking at the text and keywords users have entered; phrases such as “I am a girl” give us a good indicator as to what the numbers mean. Other references cannot be inferred, though.
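The missing-reference-table problem described above can be checked mechanically. The following added example (not code from the original article) parses a constructed mysqldump-style text, inventories the tables it defines, counts the rows inserted into each, and reports any table named in a FOREIGN KEY ... REFERENCES clause that the dump never defines; the table and column names are invented for illustration.

```python
import re

# Constructed sample of a mysqldump-style text file (not from the leak).
SAMPLE_DUMP = """
DROP TABLE IF EXISTS `member_profile`;
CREATE TABLE `member_profile` (
  `pnum` int(11) NOT NULL,
  `gender` tinyint(4) NOT NULL,
  `caption` varchar(255) DEFAULT NULL,
  PRIMARY KEY (`pnum`),
  CONSTRAINT `fk_gender` FOREIGN KEY (`gender`) REFERENCES `gender_lookup` (`id`)
) ENGINE=InnoDB;
INSERT INTO `member_profile` VALUES (1,2,'I am a girl (really)'),(2,1,'married guy');
INSERT INTO `member_profile` VALUES (3,2,'single girl');
CREATE TABLE `member_login` (
  `pnum` int(11) NOT NULL,
  `username` varchar(64) NOT NULL,
  CONSTRAINT `fk_pnum` FOREIGN KEY (`pnum`) REFERENCES `member_profile` (`pnum`)
) ENGINE=InnoDB;
INSERT INTO `member_login` VALUES (1,'alice'),(2,'bob');
"""

CREATE_RE = re.compile(r"CREATE TABLE `(\w+)`\s*\((.*?)\)\s*ENGINE", re.S)
REF_RE = re.compile(r"REFERENCES `(\w+)`")
INSERT_RE = re.compile(r"INSERT INTO `(\w+)` VALUES (.*?);", re.S)  # assumes no ';' inside string values

def count_rows(values):
    """Count top-level (...) tuples, ignoring parentheses inside quoted strings."""
    depth, in_str, n, prev = 0, False, 0, ""
    for ch in values:
        if in_str:
            in_str = not (ch == "'" and prev != "\\")
        elif ch == "'":
            in_str = True
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            n += depth == 0
        prev = ch
    return n

def inventory(dump_text):
    """Return ({table: set of tables it references}, {table: inserted row count})."""
    defined = {name: set(REF_RE.findall(body)) for name, body in CREATE_RE.findall(dump_text)}
    rows = {}
    for name, values in INSERT_RE.findall(dump_text):
        rows[name] = rows.get(name, 0) + count_rows(values)
    return defined, rows

def missing_reference_tables(dump_text):
    """Tables referenced by foreign keys but absent from the dump (static data not leaked)."""
    defined, _ = inventory(dump_text)
    referenced = set().union(*defined.values()) if defined else set()
    return sorted(referenced - set(defined))
```

On the sample, `gender_lookup` is reported as missing, which is exactly the situation the article describes: the code values are present, their meaning is not.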

Thus far this has the appearance of somebody with database knowledge gaining access to the web-server, obtaining web-server privileges, and using them to take a back-up of the database’s dynamic tables, ignoring static data to save time. The hackers knew exactly which tables to take, or they simply took everything and left the uninteresting reference tables out of the leak.

But this cannot be the case.

Refined Theories – Full Network Penetration and/or Inside Job

The presence of credit card files and internal documents shows that this is not an ordinary web-site hack. Such files would not be accessible from the webserver, and the leaking of them establishes that Avid Media’s internal corporate network had been penetrated. Whether this penetration was of an ITSEC or HUMINT nature is unknown.

The credit card files are a mess, in every sense. They are a collection of a few thousand Excel spreadsheets containing the daily acknowledgements of credit-card transactions in machine-readable form. As these are acknowledgements sent by the credit-card company computers after a purchase is authorized, they do not contain the full credit card number, just the last few digits as a cross-check. Credit-card companies are rather more security-conscious than the operators of sleazy dating web-sites, it would appear.

The spreadsheets do contain customer name, address, email, IP, and a lot of other damning data, almost all of which a suspicious spouse could match up with a credit-card bill.

It is a non-trivial task to fully analyse these spreadsheets. Although names and emails can be found easily enough with Unix command-line tools, the sheets themselves are not all in the same format. They can be loaded into a database and appear to be usable, but the data will be corrupted and any results from SQL queries are likely to be inaccurate.

The business files include information of the highest confidentiality, including one spreadsheet that contained all of the firm’s PayPal accounts with the passwords in cleartext. The passwords themselves were juvenile, indicating that the people who controlled this spreadsheet had never even read so much as a bullet-point list on how to create a good password.

They had failed to even add that extra layer of security such sensitive data requires by password-protecting the spreadsheet.

This is stupidity beyond belief suggesting that the cocky executives thought themselves too smart to ever get hacked. We would not even store twitter passwords in such a way.

Operational Failures Leaking Dumps #2 and #3

Dump #2 contained two main areas. The complete source code of the website and detailed design documents for their architecture were the main part. This we will not comment on, our webmaster has forbidden it, other than to make the observation that for a commercial web-site owner their software is perhaps their most valuable property.

Also included in dump #2 was the CEO’s email archive. This file, however, could not be opened. It was destroyed during the leak in a manner that we will examine in the next section.

The messages accompanying Dump #2 were signed with the same private key that has signed all other Impact Team communications, with the exception of the Biderman mail archive, which was corrupted.

The Biderman mail file was re-released by the Impact Team as Dump #3. It is our understanding that the errors made with Dump #2 led the Dutch police (the server was in the Netherlands) to the server that the Impact Team were uploading the data to.

This server was, we further understand, seized by Dutch police shortly before the file had been copied by Internet users. It was an 18GB file and about 17GB was leaked. Unfortunately for Avid Media and its CEO, that 17GB has now been decoded and contains over 190,000 of his emails.

Leaking Method

We do not know how all of this data got from the corporate network into the Impact Team’s possession, perhaps we never will. Only they know that, and thus far they are not saying. But we do know what happened after that.

We will add a section here later on how the files got into the wild, and how a random actor stumbled into the operation with profound ramifications for the Impact Team’s operational security.
