The lessons we’ve learnt from the Ashley Madison leak


The shockwaves that were caused by the massive leaking of user information from the online dating site Ashley Madison can still be felt. The attack that was inflicted upon the Canadian company has left both users and the general public stunned. As the dust settles there remains one large question still hanging in the air – in whose hands are we leaving our confidential information?

Looking beyond the privacy debates that the Ashley Madison saga has provoked, there are a few lessons to be learnt about cybersecurity and massive data theft. Companies should take advantage of this scandal to learn from it and avoid being the protagonists of the next leak:

  • Security is of utmost importance. When you manage client information as sensitive as Ashley Madison's, protecting its confidentiality is essential. But every company works with third-party information in one form or another, so there is no gray area here: your company must put in place security tooling that adequately protects that information.
  • Make it difficult for the cybercriminals. In the case of Ashley Madison, the information was kept for years and users' IP addresses were directly linked to their email accounts. Managing information is a sensitive job: data should be stored for shorter periods of time and in a more anonymous form.


  • Protect your digital empire. It isn’t just third-party information which is at risk, but also your own company’s private data. In fact, a second leak made public the source code of Ashley Madison, which will allow other cybercriminals to search for new weaknesses.
  • Cyber insurance has arrived. Since the cyberattack, the dating website has lost its nearest opportunity to break into the world market. Its credibility has hit rock bottom and its future is in doubt. In situations like this, companies that could suffer heavy losses after a cyberattack should consider taking out cyber insurance, as many US and European companies already do.
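One way to act on the retention and anonymisation advice above, as an added example that is not part of the original post or Panda Security's material: login records keep only an HMAC pseudonym of the client IP under a per-day key, and purging a day's records also destroys that day's key, so the address cannot be recovered even from a leaked backup. The class, the 30-day retention window and the sample data are assumptions.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=30)  # hypothetical retention window for login records

class LoginLog:
    """Keeps a keyed pseudonym of each client IP under a per-day key, never the raw address."""

    def __init__(self):
        self._day_keys = {}  # date -> 32-byte HMAC key; destroyed once that day ages out
        self._events = []    # (timestamp, user_id, ip_pseudonym); the e-mail lives elsewhere

    def _key_for(self, day):
        if day not in self._day_keys:
            self._day_keys[day] = secrets.token_bytes(32)
        return self._day_keys[day]

    def pseudonymise_ip(self, ip, day):
        # Keyed hash: without the day key the small IPv4 space cannot be brute-forced back.
        return hmac.new(self._key_for(day), ip.encode(), hashlib.sha256).hexdigest()[:16]

    def record(self, user_id, ip, when):
        self._events.append((when, user_id, self.pseudonymise_ip(ip, when.date())))

    def events_for(self, user_id):
        return [e for e in self._events if e[1] == user_id]

    def purge(self, now):
        """Drop expired events and crypto-shred the keys of days with no live events left."""
        self._events = [e for e in self._events if e[0] >= now - RETENTION]
        live_days = {e[0].date() for e in self._events}
        for day in [d for d in self._day_keys if d not in live_days]:
            del self._day_keys[day]
        return len(self._events)

def demo():
    log = LoginLog()
    now = datetime(2015, 9, 1, tzinfo=timezone.utc)  # constructed sample data below
    log.record("user-1", "203.0.113.7", now - timedelta(days=40))
    log.record("user-1", "203.0.113.7", now)
    log.record("user-2", "203.0.113.7", now)
    old, new = log.events_for("user-1")
    return {
        "same_day": new[2] == log.events_for("user-2")[0][2],  # linkable within a day
        "cross_day": old[2] == new[2],                          # not linkable across days
        "remaining": log.purge(now),                            # 40-day-old event is gone
        "keys_left": len(log._day_keys),                        # only today's key survives
    }
```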

In addition to the advice that every company should follow in light of the Ashley Madison incident, employees can take their own precautions. Take extra care when registering with a compromising service, so that you don't land your company in a future scandal:

  • Avoid using a corporate email account. Every employee (including directors) should avoid using their company email account to register with an online service. A case like Ashley Madison is sufficient to call into question the name of companies, political parties and institutions that have been affected by the leak.


  • Separate private and work life. Not only is it recommended that employees of your company don't use their work email for certain personal matters, but it would be even better if they avoided using the office computers. At the end of the day, even if they don't use the corporate email account, the IP address could be identified, just like what happened in the United States Congress: thanks to his clumsiness, an employee has put the name of his employer at the center of the storm.
  • More valuable than gold. Information theft is the gold rush of the 21st century, and information must be handled with extreme care. All employees should be aware of how important it is, even more so after the Ashley Madison scandal. It is not only their own privacy that is at risk: sooner or later, third-party information will inevitably be put at risk too, something which is inescapable in business.
  • Be wary of everything. For certain things, it is best not to rely too much on the Internet. Each employee can do as they see fit in their private life, but if they use company computers and corporate mail accounts, someone should explain the dangers of doing so to them. On the one hand, cybercriminals are always lurking; on the other, scams are the order of the day. Beyond the data theft, not everything was as clear as it seemed with Ashley Madison: there were false accounts created to attract customers, and a note in the small print stated that the company renounced any responsibility in the event of a leak.

The storm caused by the leaking of information in the Ashley Madison case will pass, but these lessons will remain valid and essential for all companies. Information theft is a real issue and it’s vital to protect yourself, your business, and others.

The post The lessons we’ve learnt from the Ashley Madison leak appeared first on MediaCenter Panda Security.

SiS Windows VGA Display Manager Privilege Escalation

Vulnerabilities within the srvkp module allow an attacker to inject memory they control into an arbitrary location they define, or to cause memory corruption. IOCTL request codes 0x96002400 and 0x96002404 have been demonstrated to trigger these vulnerabilities. These vulnerabilities can be used to obtain control of code flow in a privileged process and ultimately to escalate the privileges of an attacker. The affected version is 6.14.10.3930.

Red Hat Security Advisory 2015-1700-01

Red Hat Security Advisory 2015-1700-01 – The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities. A command injection flaw was found in the pcsd web UI. An attacker able to trick a victim that was logged in to the pcsd web UI into visiting a specially crafted URL could use this flaw to execute arbitrary code with root privileges on the server hosting the web UI. A race condition was found in the way the pcsd web UI backend performed authorization of user requests. An attacker could use this flaw to send a request that would be evaluated as originating from a different user, potentially allowing the attacker to perform actions with permissions of a more privileged user.

Red Hat Security Advisory 2015-1699-01

Red Hat Security Advisory 2015-1699-01 – Network Security Services is a set of libraries designed to support cross-platform development of security-enabled client and server applications. A flaw was found in the way NSS verified certain ECDSA signatures. Under certain conditions, an attacker could use this flaw to conduct signature forgery attacks.

Ubuntu Security Notice USN-2727-1

Ubuntu Security Notice 2727-1 – It was discovered that GnuTLS incorrectly handled parsing CRL distribution points. A remote attacker could possibly use this issue to cause a denial of service, or execute arbitrary code. Kurt Roeckx discovered that GnuTLS incorrectly handled a long DistinguishedName (DN) entry in a certificate. A remote attacker could possibly use this issue to cause a denial of service, or execute arbitrary code. Various other issues were also addressed.