Ashley Madison "Hack"
#1
With The Resistance
Thread Starter
Joined APC: Jan 2006
Position: Burning the Agitprop of the Apparat
Posts: 6,191
Ashley Madison "Hack"
An expert explains what really happened:
John McAfee: Ashley Madison Database Stolen by Lone Female Who Worked for Avid Life Media
International Business Times ^ | August 24, 2015 | John McAfee
Posted on August 24, 2015 at 12:34:58 AKDT by nickcarraway
Yes, it is true. Ashley Madison was not hacked - the data was stolen by a woman operating on her own who worked for Avid Life Media. The reason that I am so late to the second act of the Ashley Madison affair is that, without a supercomputer, it has taken over a week to finish the analysis of the massive data dumps that the perpetrator has so generously provided us with.
A hacker is someone who uses a combination of high-tech cybertools and social engineering to gain illicit access to someone else's data. But this job was done by someone who already had the keys to the Kingdom. It was an inside job.
In my first IBTimes UK article about Act One of the Ashley Madison Affair, I alleged that the group of hackers claiming responsibility for the "hack" simply did not exist. I gleaned this information from reliable sources within the Dark Web – which have yet to fail me. I also claimed that it was the act of a single person.
Any adept social engineer would have easily seen this from the wording in the first manifesto published by the alleged hacking group. I was one of the first practitioners of social engineering as a hacking technique and today it is my only tool of use, aside from a smartphone – in a purely white hat sort of way. But if you don't trust me, then ask any reasonably competent social engineer.
Lone female operative
Today, I can confidently claim that the single person is a woman, and has recently worked within Avid Life Media. I have provided IBTimes UK background information and pertinent elements of the woman's data dump to prove both my access to the data and also to confirm elements of my research, under the strict conditions that it is to be referenced and then destroyed. The data I provided included such delicate material as the decoded password hash tables of every Avid Life and Ashley Madison employee, which I have also now destroyed.
How did I come to this conclusion? Very simply. I have spent my entire career in the analysis of cybersecurity breaches, and can recognise an inside job 100% of the time if given sufficient data - and 40GB is more than sufficient. I have also practiced social engineering since the word was first invented and I can very quickly identify gender if given enough emotionally charged words from an individual. The perpetrator's two manifestos provided that. In short, here is how I went about it.
How did I discover that it was an inside job? From the data that was released, it was clear that the perpetrator had intimate knowledge of the technology stack of the company (all the programs being used). For example, the data contains actual MySQL database dumps. This is not just someone copying a table and making into a .csv file. Hackers rarely have full knowledge of the technology stack of a target.
Strange files
More important, large companies are heavily departmentalised, in spite of having centralised databases. When a hacker gains access to any corporate data, the value of that data depends on which server, or sometimes a single person's computer, that the hacker gains access to. For example: the personnel work scheduling for equipment maintenance will normally exist only on the workstation of the maintenance manager.
Likewise, the data for options for stock shares in a company, an extremely private set of data, will exist only in a private file on the workstation of the VP of Finance, or the CEO, or possibly both. It would require an equal amount of work to gain access to the personnel schedule for maintenance as it would to acquire a list of potential corporate owners. Hackers don't have all the time in the world, so they pick and choose wisely. Among the data that the perpetrator released is the following:
An office layout for the entire Ashley Madison offices. This would normally exist only in the office of personnel management, the maintenance department, and possibly a few other places. It would certainly not be in the centralised database. Neither would it be of much value to the average hacker.
Up to the minute organisation charts for every Avid Life division. This might be of value to certain hackers, but considering the hacker had already made off with everyone's credit card info, billions of dollars worth of blackmail information, every private email of the CEO (fascinating, by the way), and everything else of value, it would seem odd to dig up the organisation charts as well.
A stock option agreement list, with signed contracts included. The hacker would have had to gain access to the private files of the CEO or the VP of Finance to obtain this material – a job requiring as much time to implement as a hack of the centralised database. Again, of what value would this be considering the hacker had already made off with potentially billions.
IP addresses and current status of every server owned by Avid Life – of which there were many hundreds scattered around the world. Why any hacker would trouble themselves with such a task, considering what was already taken, is mind boggling.
The raw source code for every program Ashley Madison ever wrote. This acquisition would be a monumental task for any hacker and, unless the hacker planned on competing with Ashley Madison, has no value whatsoever. These are just a few of the many strangely included files that would take even a top notch hacker years to gather, and seem to have little or no value. Any reasonable cybersecurity expert would come to the conclusion that only someone on the inside, who could easily gain all of the files through deception and guile, could have done the job.
If we include the fact that the perpetrator's two manifestos clearly state a strong personal dislike of the VP of Information Technology (whom the perpetrator referenced as having made specific comments in the past) and the CEO, and specifically names employees that are liked and are doing a good job, then it seems, without a shadow of doubt, to be an open and shut case.
As to gender of the perpetrator, there were a number of telling signs in the manifestos. The most telling was a statement calling men "scumbags" (for those readers that don't speak American/Canadian English, this is a word that only a woman would ever use to describe men). In a separate section, the perpetrator describes men as cheating dirtbags. I think in any language this would suggest that a woman is speaking.
If that fails to convince you, then this must: In the first manifesto two names of male members were released. In describing one of them the perpetrator states the he "spitefully" joined Ashley Madison the day after Valentine's Day. Anyone who ever had a significant other knows that women rate Valentine's Day higher than Christmas, and men think so little of it that they have to remind each other the day is nearing. To call an act the day after Valentines Day "spiteful", is a thought that would enter few men's minds. If this does not convince you then you need to get out of the house more often.
I must, at this point, thank my lead data analyst, Jacque Donahue, for working 24-hours-a-day for the past few days helping analyse more than 40GB of data.
John McAfee: Ashley Madison Database Stolen by Lone Female Who Worked for Avid Life Media
International Business Times ^ | August 24, 2015 | John McAfee
Posted on August 24, 2015 at 12:34:58 AKDT by nickcarraway
Yes, it is true. Ashley Madison was not hacked - the data was stolen by a woman operating on her own who worked for Avid Life Media. The reason that I am so late to the second act of the Ashley Madison affair is that, without a supercomputer, it has taken over a week to finish the analysis of the massive data dumps that the perpetrator has so generously provided us with.
A hacker is someone who uses a combination of high-tech cybertools and social engineering to gain illicit access to someone else's data. But this job was done by someone who already had the keys to the Kingdom. It was an inside job.
In my first IBTimes UK article about Act One of the Ashley Madison Affair, I alleged that the group of hackers claiming responsibility for the "hack" simply did not exist. I gleaned this information from reliable sources within the Dark Web – which have yet to fail me. I also claimed that it was the act of a single person.
Any adept social engineer would have easily seen this from the wording in the first manifesto published by the alleged hacking group. I was one of the first practitioners of social engineering as a hacking technique and today it is my only tool of use, aside from a smartphone – in a purely white hat sort of way. But if you don't trust me, then ask any reasonably competent social engineer.
Lone female operative
Today, I can confidently claim that the single person is a woman, and has recently worked within Avid Life Media. I have provided IBTimes UK background information and pertinent elements of the woman's data dump to prove both my access to the data and also to confirm elements of my research, under the strict conditions that it is to be referenced and then destroyed. The data I provided included such delicate material as the decoded password hash tables of every Avid Life and Ashley Madison employee, which I have also now destroyed.
How did I come to this conclusion? Very simply. I have spent my entire career in the analysis of cybersecurity breaches, and can recognise an inside job 100% of the time if given sufficient data - and 40GB is more than sufficient. I have also practiced social engineering since the word was first invented and I can very quickly identify gender if given enough emotionally charged words from an individual. The perpetrator's two manifestos provided that. In short, here is how I went about it.
How did I discover that it was an inside job? From the data that was released, it was clear that the perpetrator had intimate knowledge of the technology stack of the company (all the programs being used). For example, the data contains actual MySQL database dumps. This is not just someone copying a table and making into a .csv file. Hackers rarely have full knowledge of the technology stack of a target.
Strange files
More important, large companies are heavily departmentalised, in spite of having centralised databases. When a hacker gains access to any corporate data, the value of that data depends on which server, or sometimes a single person's computer, that the hacker gains access to. For example: the personnel work scheduling for equipment maintenance will normally exist only on the workstation of the maintenance manager.
Likewise, the data for options for stock shares in a company, an extremely private set of data, will exist only in a private file on the workstation of the VP of Finance, or the CEO, or possibly both. It would require an equal amount of work to gain access to the personnel schedule for maintenance as it would to acquire a list of potential corporate owners. Hackers don't have all the time in the world, so they pick and choose wisely. Among the data that the perpetrator released is the following:
An office layout for the entire Ashley Madison offices. This would normally exist only in the office of personnel management, the maintenance department, and possibly a few other places. It would certainly not be in the centralised database. Neither would it be of much value to the average hacker.
Up to the minute organisation charts for every Avid Life division. This might be of value to certain hackers, but considering the hacker had already made off with everyone's credit card info, billions of dollars worth of blackmail information, every private email of the CEO (fascinating, by the way), and everything else of value, it would seem odd to dig up the organisation charts as well.
A stock option agreement list, with signed contracts included. The hacker would have had to gain access to the private files of the CEO or the VP of Finance to obtain this material – a job requiring as much time to implement as a hack of the centralised database. Again, of what value would this be considering the hacker had already made off with potentially billions.
IP addresses and current status of every server owned by Avid Life – of which there were many hundreds scattered around the world. Why any hacker would trouble themselves with such a task, considering what was already taken, is mind boggling.
The raw source code for every program Ashley Madison ever wrote. This acquisition would be a monumental task for any hacker and, unless the hacker planned on competing with Ashley Madison, has no value whatsoever. These are just a few of the many strangely included files that would take even a top notch hacker years to gather, and seem to have little or no value. Any reasonable cybersecurity expert would come to the conclusion that only someone on the inside, who could easily gain all of the files through deception and guile, could have done the job.
If we include the fact that the perpetrator's two manifestos clearly state a strong personal dislike of the VP of Information Technology (whom the perpetrator referenced as having made specific comments in the past) and the CEO, and specifically names employees that are liked and are doing a good job, then it seems, without a shadow of doubt, to be an open and shut case.
As to gender of the perpetrator, there were a number of telling signs in the manifestos. The most telling was a statement calling men "scumbags" (for those readers that don't speak American/Canadian English, this is a word that only a woman would ever use to describe men). In a separate section, the perpetrator describes men as cheating dirtbags. I think in any language this would suggest that a woman is speaking.
If that fails to convince you, then this must: In the first manifesto two names of male members were released. In describing one of them the perpetrator states the he "spitefully" joined Ashley Madison the day after Valentine's Day. Anyone who ever had a significant other knows that women rate Valentine's Day higher than Christmas, and men think so little of it that they have to remind each other the day is nearing. To call an act the day after Valentines Day "spiteful", is a thought that would enter few men's minds. If this does not convince you then you need to get out of the house more often.
I must, at this point, thank my lead data analyst, Jacque Donahue, for working 24-hours-a-day for the past few days helping analyse more than 40GB of data.
#5
"A hacker is someone who uses a combination of high-tech cybertools and social engineering to gain illicit access to someone else's data. But this job was done by someone who already had the keys to the Kingdom. It was an inside job."
Ah, the curious incident of the hacker who did nothing in the night-time.
Ah, the curious incident of the hacker who did nothing in the night-time.
#8
Gets Weekends Off
Joined APC: Oct 2014
Position: Downward-Facing Dog Pose
Posts: 1,537
(Yawn)
Not really. In fact, not interesting at all given that you're wrong. And even then, it's not as interesting as how such comments like your's are designed to focus on and kill the messenger, thus deflecting from the message itself. Much like PP and it's supporters are trying to make the big story about how the videos exposing them were obtained instead of what is contained in the videos. In this case, if you bothered to read the article, you'd know the whistleblower in this case didn't work for Ashley Madison per se, she worked for the parent company that owned the website.
Not really. In fact, not interesting at all given that you're wrong. And even then, it's not as interesting as how such comments like your's are designed to focus on and kill the messenger, thus deflecting from the message itself. Much like PP and it's supporters are trying to make the big story about how the videos exposing them were obtained instead of what is contained in the videos. In this case, if you bothered to read the article, you'd know the whistleblower in this case didn't work for Ashley Madison per se, she worked for the parent company that owned the website.
Thread
Thread Starter
Forum
Replies
Last Post