Startup Security Lessons Pt 1 – Ashley Madison

In the last few weeks there have been some spectacular hacking stories that have provided fantastic entertainment, assuming that you were not one of the victims.

The hacking of Ashley Madison, including the theft and public disclosure of the entire 33 million strong customer list and essentially all operational and company data and files, is the most entertaining tech story this year.

This is the story that just keeps on giving.

Ashley Madison is the site with the business model that encourages and facilitates cheating on your wife.

I use the term “cheat on your wife” loosely for two reasons. Firstly, it’s becoming pretty clear that only a small portion of the 33 million users were actually real females and the men were chasing ghosts.

Secondly, a large % of the chat activity on the site was allegedly conducted by an army of 77,000 Fembots who were programmed to make sort of meaningful conversation with the men.

I’m not sure this is what they meant in Startup school when they talk about scaling your business up.

The size and audacity of the deception and the fact that the bots were designed to speak different languages as well blows me away.

According to numerous analysts, including veteran security expert John McAfee, almost none of the men who used Ashley Madison got laid.

Annalee Newitz, a reporter for Gizmodo, wrote that there were “at most, about 12,000 of these profiles” that seemed to belong to women who were active on the site. She has since recanted that claim but still maintains there are 77,000 Fembots. An updated version of the story has just been released here.

I guess no one should be surprised that a website set up to encourage cheating on your husband or wife is also cheating on its customers in a pretty incredible way.

The biggest shock for the users was that a lot of them were paying to remove their account names from the database but Ashley Madison didn’t actually delete the data.

In a later article, John McAfee makes the assessment that the Ashley Madison hack was performed by a sole female employee who had access to everything in the company and took the lot.

According to Ashley Madison, they have had a massive signup rate since the hack got their startup global media attention for weeks, so maybe the breach is working out for them.

Lessons

Startups can learn a lot from this hack:

  • Your data is just as likely to get hacked or stolen from inside as outside, and the inside hack will probably be more damaging due to the insider’s internal access.
  • No one in your startup aside from founders should have access to all company data (even that is questionable); no one should have the keys to the vault.
  • Data, services, machines and applications should be partitioned where possible and access provided to employees on a need-to-know basis only.
  • You should assume you will get hacked at some point.
  • Encryption should be the default setting for all data.
  • Encrypt data in transit (SSL/TLS)
  • Encrypt data at rest (individual files, databases, volumes or tables/fields)
  • Encrypt via your application or at the system level
  • Minimise the data you collect to the barest essential fields. If you don’t collect unnecessary data you have reduced your risk when the inevitable hack occurs.
  • It’s worth considering solutions that enable some form of revocable data keys, so that if data gets into the wild the encryption key can be disabled.
  • Force strong passwords
  • Keep your systems patched and maintained
  • Keep your portable devices locked and enable remote delete mode
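
The revocable data key idea above, and the earlier point that paid account removals never actually deleted the data, both come down to giving each user their own data key and destroying that key on deletion (often called crypto-shredding). The Go example below is added here and is not code from Ashley Madison or from this site. The `KeyStore` type, the user IDs and the sample address are constructed, and the in-memory map stands in for a key service kept apart from the database.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyStore maps user ID -> 256-bit data key (assumed to sit in a KMS, not the DB).
type KeyStore map[string][]byte

func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy: refuse to continue
	}
	return b
}
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // AES-256; cannot fail: keys are always 32 bytes
	aead, _ := cipher.NewGCM(block)
	return aead
}

func (ks KeyStore) Encrypt(user string, field []byte) []byte {
	if ks[user] == nil {
		ks[user] = random(32) // first write for this user: issue a data key
	}
	nonce := random(12) // standard GCM nonce size
	return gcm(ks[user]).Seal(nonce, nonce, field, nil) // stored as nonce || ciphertext
}

// Decrypt needs the live key; no copy of the ciphertext opens without it.
func (ks KeyStore) Decrypt(user string, stored []byte) ([]byte, error) {
	key, ok := ks[user]
	if !ok || len(stored) < 12 {
		return nil, fmt.Errorf("no data key for %s (revoked) or malformed value", user)
	}
	return gcm(key).Open(nil, stored[:12], stored[12:], nil)
}
// Revoke destroys the key: database rows, backups and leaked dumps all go dark.
func (ks KeyStore) Revoke(user string) { delete(ks, user) }

func main() {
	ks := KeyStore{}
	row := ks.Encrypt("user-1001", []byte("constructed@example.test"))
	ks.Revoke("user-1001")
	fmt.Println(ks.Decrypt("user-1001", row))
}
```

This only helps if the key store is partitioned from the data it protects; a single account that can read both the database and the keys is the "keys to the vault" problem from the list above.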

 

Mike88

Mike Nicholls Australian Inventor + Entrepreneur working with a small team of engineers building prototypes from Inventions including two medical devices. Publishes Startup88.com and has assessed/reviewed +500 inventions and +200 startups in the last 3 years. Mentors Sydney Startups via Incubate and other incubators and helps members of the Australian Startup Community via the Startup88.com website with free publicity and advertising. Experience in numerous industries including Digital Publishing, Cloud Computing, Apps, Hardware, Aviation, Real Estate & Finance and Health/Medical Devices.
