John McAfee reveals that despite Ashley Madison's claims of having secured its network following a massive customer data leak, its systems are still very vulnerable.
Less than eight hours after the Ashley Madison hack, the company issued a statement informing the public and its traumatised customers that it had closed the security holes that had allowed extraordinarily sensitive data on 37 million people to be stolen, which if released by the hacker, would be the greatest boon to divorce lawyers since the invention of litigation.
Normally, I would simply laugh out loud at the absurdity of such a statement and then go about my business. But this hack, more than any other, threatens to literally destabilise society.
The real question is: Can we survive the overwhelming self-delusion of companies who believe that their data is secure, or companies who have been hacked and tell us that the holes in their system have been closed?
Speculation within the hacking community is that the Ashley Madison hacker user an SQL insertion technique to gain entry. I have no clue. SQL insertion is only one of many thousands of techniques that hackers use. If Ashley Madison has closed that door, I guarantee you that a few thousand others remain open.
Less than 24 hours after the Ashley Madison hack I decided to find out how difficult it might be to break into their data centre.
Old school hacking
I was trained in the old school of hacking – that is: software technology was king. However, as I aged I got lazy. High tech hacking requires multiple computers, multiple accounts, proxy servers, coding, uncountable numbers of software hacking kits, each of which may or not work, etc. I'm too old for that.
Social engineering only requires access to a telephone and a reasonably sharp mind. So, from the comfort of my own bed, this morning I set about the task of acquiring someone's password within Ashley Madison's data centre. The most difficult part of my task, believe it or not, was finding a corporate phone number for Ashley Madison. I found customer service numbers by the hundreds. I found complaint numbers. I found everything except what I needed.
I chose instead to call Avid Life Media, which owns Ashley Madison, as well as the Cougar Life and Established Men websites – all three of which were hacked, by the way, so we are really talking about 50 million people, not 37 million. I have no clue why no-one has mentioned the other two sites as part of this single hack.
Anyway, I got the number for Avid Life and tested the openness of their corporate phone operators. I asked for the name of the head of their Communications Department and was given the name instantly, with no hesitation. This was going to be easy. "Thank you" I said, and hung up.
A series of subsequent calls gave me the names of the IT department head and every person who worked directly for that person.
I then called each one. If they answered I said: "I'm sorry, wrong person," before hanging up. The first phone that didn't answer gave me my opportunity.
I called the corporate headquarters back and agitatedly informed them that I had an urgent legal matter with that person and that I must immediately speak with his assistant or secretary, and that only they could help me.
Without question, and immediately, I was connected with his secretary. I posed as a member of an international enforcement agency - that does not really exist, by the way - and implied that her boss might have been involved in the recent hack and I needed to verify that she really was who she said she was.
Within 30 seconds of saying hello I had both her password and her boss's password written down.
90% of my time spent acquiring these passwords was spent finding a phone number for Ashley Madison. I have thrown both passwords away and have no intention of doing anything with them.
Now to the hack
First and foremost, the group claiming responsibility for the hack – The Impact Team – does not exist. There is only one person involved in this hack. I cannot tell you how I know, but the simple published data should help point to this fact. The group's name has never appeared in any prior hack. The name has not surfaced at any time, neither in the deep web nor the dark web, nor anywhere else.
But first and foremost, a hack on a company such as Avid Life, as can be proved by anyone who wanted to follow my above instructions for gaining a password, does not require a team of people.
Even if social engineering techniques were not used, the hackers' complete toolkit (a few thousand software tools written mostly by Russian, Chinese, East European and Korean hackers over the past few years) could be used by one person who, in a matter of months, could have taken the data. Time will prove that only one person was involved.
The hacker clearly has a personal grudge with Ashley Madison. In his statement, which was removed from every instance on the web, he has a small rant:
Trevor, ALM's CTO once said "Protection of personal information" was his biggest "critical success factors" and "I would hate to see our systems hacked and/or the leak of personal information". Well Trevor, welcome to your worst f**king nightmare.
Also, from his terminology, he seems to consider having affairs as a very evil thing, and even uses the term "spiteful" to describe a married man who signed up for the service the day after Valentine's Day:
I found the data from this hack to be fascinating. What fascinated me most was the data (including email data) that indicated a person's profession. The top cheaters, by profession and sex are:
- Police Officers
- Real Estate Agents
- Soccer moms
- Real Estate Agents
From emails, the choice of hotels where cheaters choose to meet are, in order of preference:
- Holiday Inn
- Comfort Inn
- Four Seasons
- Best Western
It should be no surprise that in the US, Washington DC tops the list of cheaters by percentage of population - by a wide margin.
But enough of trivialities. The fact remains that the overwhelming majority of corporations and government agencies all over the world are protected by systems that were designed by an old, tired and no longer relevant set of technological principles. They no longer work. This is a pure and simple truth.
Had Ashley Madison been running STTarx, or anyone of the dozens of other dynamic encryption and closed systems technologies, this would never have happened.
IBTimes UK approached Avid Life Media for comment on John McAfee's allegation but have received no response.