Posts: 14,375
Threads: 1,802
Joined: Jun 2015
Reputation:
3,576
Mon Aug 17, 2015 | 2:53 PM EDT
UNITED NATIONS (Reuters) -
The United Nations said it expects member states to respect its right to privacy and is assessing how to respond to a report that
telecommunications company AT
Semper Fidelis
USMC
Nemo me impune lacessit
Posts: 8,865
Threads: 233
Joined: Jun 2015
08-19-2015, 10:05 AM
(This post was last modified: 08-19-2015, 10:11 AM by Linville.)
Hackers Finally Post Stolen Ashley Madison Data
[img=0x0]http://www.wired.com/wp-content/uploads/2015/08/AshleyMadison-File-Dump3.jpg[/img]
Hackers who stole sensitive customer information from the cheating site AshleyMadison.com appear to have made good on their threat to post the data online.
A data dump, 9.7 gigabytes in size, was posted on Tuesday to the dark web using an Onion address accessible only through the Tor browser. The files appear to include account details and log-ins for some 32 million users of the social networking site, touted as the premier site for married individuals seeking partners for affairs. Seven years worth of credit card and other payment transaction details are also part of the dump, going back to 2007. The data, which amounts to millions of payment transactions, includes names, street address, email address and amount paid, but not credit card numbers; instead it includes four digits for each transaction that may be the last four digits of the credit card or simply a transaction ID unique to each charge.AshleyMadison.com claimed to have nearly 40 million users at the time of the breach about a month ago, all apparently in the market for clandestine hookups.
“Ashley Madison is the most famous name in infidelity and married dating,†the site asserts on its homepage. “Have an Affair today on Ashley Madison. Thousands of cheating wives and cheating husbands signup everyday looking for an affair…. With Our affair guarantee package we guarantee you will find the perfect affair partner.â€
The data released by the hackers includes names, addresses and phone numbers submitted by users of the site, though it’s unclear if members provided legitimate details. A sampling of the data indicates that users likely provided random numbers and addresses, but files containing credit card transactions will yield real names and addresses, unless members of the site used anonymous pre-paid cards. One analysis of email addresses found in the data dump also shows that some 15,000 are .mil. or .gov addresses.
The data also includes descriptions of what members were seeking. “I’m looking for someone who isn’t happy at home or just bored and looking for some excitement,†wrote one member who provided an address in Ottawa and the name and phone number of someone who works for the Customs and Immigration Union in Canada. “I love it when I’m called and told I have 15 minutes to get to someplace where I’ll be greeted at the door with a surprise—maybe lingerie, nakedness. I like to ravish and be ravished … I like lots of foreplay and stamina, fun, discretion, oral, even willingness to experiment—*smile*â€
Passwords released in the data dump appear to have been hashed using the bcrypt algorithm for PHP, but Robert Graham, CEO of Erratasec, says that despite this being one of the most secure ways to store passwords, “hackers are still likely to be able to ‘crack’ many of these hashes in order to discover the account holder’s original password.†If the accounts are still online, this means hackers will be able to grab any private correspondence associated with the account.
It’s notable, however, that the cheating site, in using the secure hashing algorithm, surpassed many other victims of breaches we’ve seen over the years who never bothered to encrypt customer passwords.
“We’re so used to seeing cleartext and MD5 hashes,†Graham says. “It’s refreshing to see bcrypt actually being used.â€
Here’s how the hackers introduced the new data dump:
[img=582x0]http://www.wired.com/wp-content/uploads/2015/08/AshleyMadison-Data-Dump2-582x437.jpg[/img]Click to Open Overlay GalleryKim Zetter
Following the intrusion last month, the hackers, who called themselves the Impact Team, demanded that Avid Life Media, owner of AshleyMadison.com and its companion site Established Men, take down the two sites. EstablishedMen.com promises to connect beautiful young women with rich sugar daddies “to fulfill their lifestyle needs.†The hackers didn’t target CougarLife, a sister site run by ALM that promises to connect older women with younger men.
“Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails,†the hackers wrote in a statement following the breach.
To show they meant business, they posted sample files containing some of the stolen data, which included company financial information detailing employee salaries and documents mapping the company’s internal network.
The hackers appeared to target AshleyMadison and EstablishedMen over the questionable morals they condoned and encouraged, but they also took issue with what they considered ALM’s fraudulent business practices. Despite promising customers to delete their user data from the site for a $19 fee, the company actually retained the data on ALM’s servers, the hackers claimed. “Too bad for those men, they’re cheating dirtbags and deserve no such discretion,†the hackers wrote. “Too bad for ALM, you promised secrecy but didn’t deliver.â€
Avid Life Media defiantly ignored the warnings and kept both sites online after the breach, promising customers that it had increased the security of its networks.
That wouldn’t matter for the customers whose data had already been taken. Any increased security would be too little too late for them. Now they face the greatest fallout from the breach: public embarrassment, the wrath of angry partners who may have been victims of their cheating, possible blackmail and potential fraud from anyone who may now use the personal data and bank card information exposed in the data dump.
[img=582x0]http://www.wired.com/wp-content/uploads/2015/08/AshleyMadison-File-Dump3-582x410.jpg[/img]Click to Open Overlay Gallerycourtesy of Robert Graham
“Avid Life Media has failed to take down Ashley Madison and Established Men,†Impact Team wrote in a statement accompanying the online dump Tuesday. “We have explained the fraud, deceit, and stupidity of ALM and their members. Now everyone gets to see their data…. Keep in mind the site is a scam with thousands of fake female profiles. See ashley madison fake profile lawsuit; 90-95% of actual users are male. Chances are your man signed up on the world’s biggest affair site, but never had one. He just tried to. If that distinction matters.â€
The hackers deflected responsibility for any damages or repercussions that victims of the breach and data dump may suffer.
“Find yourself in here? It was ALM that failed you and lied to you. Prosecute them and claim damages. Then move on with your life. Learn your lesson and make amends. Embarrassing now, but you’ll get over it,†they wrote.
It’s important to note that Ashley Madison’s sign-up process does not require verification of an email address to set up an account, so legitimate addresses might have been hijacked and used by some members of the site. One email in the data dump, for example, appears to belong to former UK Prime Minister (Tony Blair).
Avid Life Media condemned the release of the data.
“This event is not an act of hacktivism, it is an act of criminality. It is an illegal action against the individual members of AshleyMadison.com, as well as any freethinking people who choose to engage in fully lawful online activities,†the company said in a statement. “The criminal, or criminals, involved in this act have appointed themselves as the moral judge, juror, and executioner, seeing fit to impose a personal notion of virtue on all of society. We will not sit idly by and allow these thieves to force their personal ideology on citizens around the world.â€
This story was updated as it developed.
Go Back to Top. Skip To: Start of Article.
============================
======================
What We Know About the NSA and AT&T’s Spying Pact
What We Know About the NSA and AT&T's Spying Pact
[img=660x0]http://www.wired.com/wp-content/uploads/2015/08/56371701_H26179996-1024x683.jpg[/img]
New Edward Snowden documents revealed on Saturday in the New York Times detail a decade-long secret partnership between the NSA and AT&T, which provided the spy agency with metadata on billions of emails. Although the Times story has garnered a lot of attention, it offers few details about how the telecom conducted the siphoning and spying for the NSA.
But two stories published almost decade ago by WIRED and Salonprovide in-depth details about the secret rooms at AT&T facilities in San Francisco, Missouri, and other areas across the US that the NSA used to siphon internet data.
AT&T isn’t identified by name in the Snowden documents, but theTimes notes that “a constellation of evidence†points to AT&T as the primary company mentioned in them, which several intelligence officials have confirmed to the paper.
According to the Times piece, the siphoning of internet data from AT&T began in 2003 and continued for a decade in a relationship that the NSA called “highly collaborative.†The telecom giant, according to one Snowden document, was extremely willing to help out the spy agency, and its engineers “were the first to try out new surveillance technologies invented by the eavesdropping agency.â€
WIRED and Salon exposed that willingness back in 2006, when Mark Klein, a former technician with AT&T in San Francisco, and two other former AT&T technicians who worked at other facilities, provided information about secret rooms the telecom had built in Bridgeton, Missouri and San Francisco.
According to them, AT&T first built the highly secured room in Bridgeton, outside St. Louis, in 2002. The telecom outfitted the room with a biometric “mantrap†that was secured with retinal and fingerprint scanners, and only workers with a TS/SCI security clearance were allowed inside. The facility, local workers were told, was being used for “monitoring network traffic†for “a government agency.â€
The Bridgeton facility was a significant jewel in the NSA’s crown, because it was AT&T’s technical command center, the place from which the telecom managed all of the routers and circuits carrying its domestic and international Internet traffic. At the time, AT&T controlled about one-third of all bandwidth carrying Internet traffic to homes and businesses across the country, which essentially gave the NSA access to an enormous amount of data through its partnership with the telecom.
Although the Bridgeton room was likely one of the most important secret rooms AT&T established for the NSA, it wasn’t the only one. AT&T also hid “secret rooms†deep in the bowels of other facilities in several US cities.Â
The Snowden documents the Times obtained say the company installed surveillance equipment in at least 17 of its Internet hubs, but doesn’t identify the cities. Documents shown to WIRED in 2006, however, indicate that in addition to San Francisco and Bridgeton, secret rooms were built at AT&T facilities in Seattle, San Jose, Los Angeles, and San Diego. “These installations enable the government to look at every individual message on the internet and analyze exactly what people are doing,†WIRED wrote in 2006.
Documents that Klein provided WIRED at the time offer technical details about how it was done. High-speed fiber-optic circuits entered Room 641A at an AT&T facility on Folsom Street in San Francisco and were connected to routers for the telecom’s WorldNet service, part of the internet’s common backbone.Â
Only one management-level technician with a security clearance from the NSA could enter the room.
Plans for the secret room, drawn up in 2002, discussed the difficulties of trying to spy on fiber-optic circuits. Unlike copper wire circuits that emit electromagnetic fields that can be tapped without disturbing the circuits, fiber-optic circuits don’t leak their light signals. In order to monitor communications crossing them, technicians have to physically cut the fiber and divert a portion of the light signal to siphon data, using splitters.Â
AT&T diverted the split signal to a special cabinet in its secret room. There, a device made by Narus analyzed the traffic and presumably filtered it to provide the NSA with the data it wanted.Â
This included giving the NSA access to metadata from billions of emails as they flowed across the telecom’s domestic networks.
According to the Times, AT&T began turning over emails and other internet data to the spy agency around October 2001, even before the secret rooms were built, in a program dubbed “Fairview.â€Â
The program forwarded 400 billion Internet metadata records to the NSA’s headquarters at Ft. Meade in Maryland—which included the senders and recipients of emails and other details, but not the content of the correspondence.Â
AT&T also forwarded more than one million emails a day to be run through the NSA’s keyword selection system. In September 2003, AT&T apparently enabled a new collection capability for the spy agency, which amounted to a “‘live’ presence on the global net.†The Times doesn’t elaborate on what this involved.
In 2011, AT&T also began handing over phone metadata to the NSA, including call records for 1.1 billion domestic cellphone calls a day.
Documents leaked by Snowden in 2013 provided stark evidence in support of the claims made in 2006 by Klein and the two other anonymous AT&T technicians. But according to the Times, it’s unclear if the program for siphoning Internet data still exists in its original form today.
 In the last two years, revelations exposing the breadth of the NSA’s surveillance, as well as the cooperation of technology companies in helping the NSA spy, have forced the agency to curtail some of its activity. Some companies have also begun to push back against the agency’s requests for data in the wake of the public’s anger about their duplicity in helping the agency spy.
Go Back to Top. Skip To: Start of Article.
|