  1. #11
    Join Date
    May 2004
    Location
    Philadelphia, PA
    Posts
    7,558

    Leaked AshleyMadison Emails Suggest Execs Hacked Competitors

    By Brian Krebs

    Hacked online cheating service AshleyMadison.com is portraying itself as a victim of malicious cyber-criminals, but leaked emails from the company’s CEO suggest that AshleyMadison’s top leadership hacked into a competing dating service in 2012.


    AshleyMadison CEO Noel Biderman. Source: Twitter.

    Late last week, the Impact Team — the hacking group that has claimed responsibility for leaking personal data on more than 30 million AshleyMadison users — released a 30-gigabyte archive that it said were emails lifted from AshleyMadison CEO Noel Biderman.

    A review of those missives shows that on at least one occasion, a former company executive hacked another dating website, exfiltrating their entire user database. On Nov. 30, 2012, Raja Bhatia, the founding chief technology officer of AshleyMadison.com, sent a message to Biderman notifying his boss of a security hole discovered in nerve.com, an American online magazine dedicated to sexual topics, relationships and culture.

    At the time, nerve.com was experimenting with its own adult dating section, and Bhatia said he’d uncovered a way to download and manipulate the nerve.com user database.

    “They did a very lousy job building their platform. I got their entire user base,” Bhatia told Biderman via email, including in the message a link to a Github archive with a sample of the database. “Also, I can turn any non paying user into a paying user, vice versa, compose messages between users, check unread stats, etc.”

    Neither Bhatia nor Biderman could be immediately reached for comment. KrebsOnSecurity.com spoke with Bhatia last week after the Impact Team made good on its threat to release the Ashley Madison user database. At the time, Bhatia was downplaying the leak, saying that his team of investigators had found no signs that the dump of data was legitimate, and that it looked like a number of fake data dumps the company had seen in the weeks prior. Hours later, the leak had been roundly confirmed as legitimate by countless users on Twitter who were able to find their personal data in the cache of account information posted online.

    The leaked Biderman emails show that a few months before Bhatia infiltrated Nerve.com, AshleyMadison’s parent firm — Avid Life Media — was approached with an offer to partner with and/or invest in the property. Email messages show that Bhatia initially was interested enough to offer at least $20 million for the company along with a second property called flirts.com, but that AshleyMadison ultimately declined to pursue a deal.

    More than six months after Bhatia came to Biderman with revelations of the nerve.com security vulnerabilities, Biderman was set to meet with several representatives of the company. “Should I tell them of their security hole?” Biderman wrote to Bhatia, who doesn’t appear to have responded to that question via email.

    The cache of emails leaked from Biderman run from January 2012 to July 7, 2015 — less than two weeks before the attackers publicized their break-in on July 19. According to a press conference held by the Toronto Police today, AshleyMadison employees actually discovered the breach on the morning of July 12, 2015, when they came to work and powered on their computers only to find their screens commandeered with the initial message from the Impact Team — a diatribe accompanied by the song “Thunderstruck” from rock band AC/DC playing in the background.

    Interestingly, less than a month before that episode, AshleyMadison executives seemed very keen on completing a series of internal security assessments, audits and security awareness training exercises for employees.

    “Given our open registration policy and recent high profile exploits, every security consultant and their extended family will be trying to trump up business,” wrote Ashley Madison Director of Security Mark Steele to Biderman in an email dated May 25, 2015. “Our codebase has many (riddled?) XSS/CRSF vulnerabilities which are relatively easy to find (for a security researcher), and somewhat difficult to exploit in the wild (requires phishing). Other vulnerabilities would be things like SQL injection/data leaks, which would be much more damaging” [links added].

    As bad as this breach has been for AshleyMadison and its millions of users, it’s likely nowhere near over: Hackers who have been combing through the company’s leaked email records have just released a “selected dox” archive — a collection of documents, images and other data from Biderman’s inbox, including a 100-page movie script co-written by Biderman called “In Bed With Ashley Madison.” Also included in the archive are dozens of other sensitive documents, including a scan of the CEO’s drivers license, copies of personal checks, bank account numbers, home address, and his income statements for the last four years.

    Also, the Impact Team still have not released data from the other Avid Life Media property they claim to have hacked — Establishedmen.com, a “sugar daddy” site that claims to connect wealthy men with willing young women.

    Earlier today, Toronto Police announced that Avid Life Media had offered a $500,000 reward for information leading to the arrest and prosecution of the hacker or hackers responsible for the breach. But many readers took to Twitter or to the comments section on this site to denounce the bounty as an overdue or cynical ploy, with some saying the company should have offered the reward weeks ago — before the Impact Team released the company’s entire user database and caused so much irreversible damage.

    Leaving aside the proliferation of sites that now allow suspicious spouses to search for their significant other’s email address in the AshleyMadison data leak, some users are finding themselves on the receiving end of online extortion attacks. Worse still, Toronto Police told reporters this morning that they have two unconfirmed reports of suicides associated with the leak of AshleyMadison customer profiles.

    The Hackmaster
    dlevere's blog

  2. #12
    Join Date
    Jun 2008
    Posts
    2,710

    Quote: Originally posted by MathUser
    Yup, sounds like a lot of married couples are gonna have a bad day. Websites like this shouldn't exist anyway.
    As long as there is demand for something, someone will supply it. If it's not this site, it will be another.

  3. #13
    Join Date
    May 2004
    Location
    Philadelphia, PA
    Posts
    7,558

    Who Hacked Ashley Madison?

    By Brian Krebs

    AshleyMadison.com, a site that helps married people
    cheat and whose slogan is “Life is Short, have an Affair,” recently put
    up a half million (Canadian) dollar bounty for information leading to
    the arrest and prosecution of the Impact Team — the name chosen by the hacker(s) who recently leaked data
    on more than 30 million Ashley Madison users. Here is the first of
    likely several posts examining individuals who appear to be closely
    connected to this attack.



    It was just past midnight on July 20, a few hours after I’d published an exclusive story
    about hackers breaking into AshleyMadison.com. I was getting ready to
    turn in for the evening when I spotted a re-tweet from a Twitter user
    named Thadeus Zu (@deuszu) who’d just posted a link to the same cache of data
    that had been confidentially shared with me by the Impact Team via the
    contact form on my site just hours earlier: It was a link to the
    proprietary source code for Ashley Madison’s service.

    Initially, that tweet startled me because I couldn’t find any other
    sites online that were actually linking to that source code cache. I
    began looking through his past tweets and noticed some interesting
    messages, but soon enough other news events took precedence and I forgot
    about the tweet.

    I revisited Zu’s tweet stream again this week after watching a press conference held by the Toronto Police (where Avid Life Media,
    the parent company of Ashley Madison, is based). The Toronto cops
    mostly recapped the timeline of known events in the hack, but they did
    add one new wrinkle: They said Avid Life employees first learned about
    the breach on July 12 (seven days before my initial story) when they
    came into work, turned on their computers and saw a threatening message
    from the Impact Team accompanied by the anthem “Thunderstruck” by Australian rock band AC/DC playing in the background.

    After writing up a piece on the bounty offer,
    I went back and downloaded all five years’ worth of tweets from Thadeus
    Zu, a massively prolific Twitter user who typically tweets hundreds if
    not thousands of messages per month. Zu’s early years on Twitter are a
    catalog of simple hacks — commandeering unsecured routers, wireless
    cameras and printers — as well as many, many Web site defacements.

    On the defacement front, Zu focused heavily on government Web sites
    in Asia, Europe and the United States, and in several cases even taunted
    his targets. On Aug. 4, 2012, he tweeted to KPN-CERT, a computer security incident response team in the Netherlands, to alert the group that he’d hacked their site. “Next time, it will be Thunderstruck. #ACDC” Zu wrote.

    The day before, he’d compromised the Web site for the Australian Parliament, taunting lawmakers there with the tweet: “Parliament of Australia bit.ly/NPQdsP Oi! Oi! Oi!….T.N.T. Dynamite! Listen to ACDC here.”

    I began to get very curious about whether there were any signs on or
    before July 19, 2015 that Zu was tweeting about ACDC in relation to the
    Ashley Madison hack. Sure enough: At 9:40 a.m., July 19, 2015
    — nearly 12 hours before I would first be contacted by the Impact Team —
    we can see Zu is feverishly tweeting to several people about setting up
    “replication servers” to “get the show started.” Can you spot what’s interesting in the tabs on his browser in the screenshot he tweeted that morning?


    Twitter user ThadeusZu tweets about setting up replication servers. Did you spot the Youtube video he’s playing when he took this screenshot?

    Ten points if you noticed the Youtube.com tab showing that he’s listening to AC/DC’s “Thunderstruck.”

    A week ago, the news media pounced on the Ashley Madison story once
    again, roughly 24 hours after the hackers made good on their threat to
    release the Ashley Madison user database. I went back and examined Zu’s
    tweet stream around that time and found he beat Wired.com, ArsTechnica.com and every other news media outlet by more than 24 hours with the Aug. 17 tweet, “Times up,”
    which linked to the Impact Team’s now infamous post listing the sites
    where anyone could download the stolen Ashley Madison user database.


    ThadeusZu tweeted about the downloadable Ashley Madison data more than 24 hours before news outlets picked up on the cache.

    WHO IS THADEUS ZU?

    As with the social networking profiles of others who’ve been tied to
    high-profile cyber-crimes, Zu’s online utterings appear to be filled with
    kernels of truth surrounded by complete malarkey – thus making it
    challenging to separate fact from fiction. Hence, all of this could be
    just one big joke by Zu and his buddies. In any case, here are a few key
    observations about the who, what and where of Thadeus Zu based on
    information he’s provided (again, take that for what it’s worth).

    Zu’s Facebook profile wants visitors to think he lives in Hawaii; indeed, the time zone set on several of his social media accounts is the same as Hawaii. There are a few third-party Facebook accounts of people demonstrably living in Hawaii who tag him in their personal photos of events on Hawaii (see this cached photo, https://www.facebook.com/Steve.Aoki/photos/a.94599072460.101289.29286157460/10151193358822461/+&cd=9&hl=en&ct=clnk&gl=us, for example), but for the most part Zu’s Facebook account consists of pictures taken from stock image collections and do not appear to be personal photos of any kind.

    A few tweets from Zu — if truthful and not simply premeditated
    misdirection — indicate that he lived in Canada for at least a year,
    although it’s unclear when this visit occurred.


    Zu’s various Twitter and Facebook pictures all feature hulking, athletic,
    and apparently black male models (e.g. he’s appropriated two profile photos of male model Rob Evans).

    But Zu’s real-life identity remains murky at best. The lone exception I found was an image that appears to be a genuine group photo taken of a Facebook user tagged as Thadeus Zu, along with an unnamed man posing in front of a tattoo store with popular Australian (and very inked) model/nightclub DJ Ruby Rose.

    That photo is no longer listed in Rose’s Facebook profile, but a cached version of it is available here: https://www.facebook.com/OfficialRubyRose/posts/10151908682186074+&cd=4&hl=en&ct=clnk&gl=us

    Rose’s tour schedule indicates that she was in New York City when that photo was taken, or at least posted, on Feb. 6, 2014. Zu is tagged in another Ruby Rose Facebook post five days later on Valentine’s Day. (Update, 2:56 p.m.: As several readers have pointed out, the two people beside Rose in that cached photo appear to be Franz Dremah and Kick Gurry, co-stars in the movie Edge of Tomorrow).

    Other clues in his tweet stream and social media accounts put Zu in Australia. Zu has a Twitter account under the Twitter nick @ThadeusZu, which has a whopping 11 tweets, but seems rather to have been used as a news feed. In that account Zu is following some 35 Twitter accounts,
    and the majority of them are various Australian news organizations.

    That account also is following several Australian lawmakers that govern
    states in south Australia.

    Then again, Twitter auto-suggests popular accounts for new users to
    follow, and usually does so in part based on the Internet address of the
    user. As such, @ThadeusZu may have only been using an Australian Web
    proxy or a Tor node
    in Australia when he set up that account (several of his self-published
    screen shots indicate that he regularly uses Tor to obfuscate his
    Internet address).

    Even so, many of Zu’s tweets going back several years place him in
    Australia as well, although this may also be intentional misdirection.
    He continuously references his “Oz girl,” (“Oz” is another word for Australia) uses the greeting “cheers” quite a bit, and even talks about people visiting him in Oz.

    Interestingly, for someone apparently so caught up in exposing
    hypocrisy and so close to the Ashley Madison hack, Zu appears to have
    himself courted a married woman — at least according to his own tweets.
    On January 5, 2014, Zu tweeted:

    “Everything is cool. Getting married this year. I am just waiting for my girl to divorce her husband. #seachange”



    A month later, on Feb. 7, 2014, Zu offered this tidbit of info:

    “My ex. We were supposed to get married 8 years ago but she was taken
    away from me. Cancer. Hence, my downward spiral into mayhem.”



    To say that Zu tweets to others is a bit of a misstatement. I have
    never seen anyone tweet the way Zu does; he sends hundreds of tweets
    each day, and while most of them appear to be directed at nobody, it
    does seem that they are in response to (if not in “reply” to) tweets
    that others have sent him or made about his work. Consequently, his
    tweet stream appears to the casual observer to be nothing more than an
    endless soliloquy.

    But there may be something else going on here. It is possible that Zu’s
    approach to tweeting — that is, responding to or addressing other
    Twitter users without invoking the intended recipient’s Twitter handle —
    is something of a security precaution. After all, he had to know and
    even expect that security researchers would try to reconstruct his
    conversations after the fact. But this is far more difficult to do when
    the Twitter user in question never actually participates in threaded
    conversations.

    People who engage in this way of tweeting also do not
    readily reveal the Twitter identities of the people with whom they chat
    most.

    Thadeus Zu — whoever and wherever he is in real life — may not have
    been directly involved in the Ashley Madison hack; he claims in several
    tweets that he was not part of the hack, but then in countless tweets he
    uses the royal “We” when discussing the actions and motivations of the
    Impact Team. I attempted to engage Zu in private conversations without
    success; he has yet to respond to my invitations.

    It is possible that Zu is instead a white hat security researcher or
    confidential informant who has infiltrated the Impact Team and is merely
    riding on their coattails or acting as their mouthpiece. But one thing
    is clear: If Zu wasn’t involved in the hack, he almost certainly knows
    who was.

    KrebsOnSecurity is grateful to several researchers, including Nick Weaver,
    for their assistance and time spent indexing, mining and making sense
    of tweets and social media accounts mentioned in this post. Others who
    helped have asked to remain anonymous. Weaver has published some
    additional thoughts on this post over at Medium.


  4. #14
    Join Date
    May 2004
    Location
    Philadelphia, PA
    Posts
    7,558

    Analysis Reveals Almost No Real Women On Ashley Madison

    Posted by timothy

    gurps_npc writes:

    Ashley Madison claimed to have about 31 million men and 5.5 million women enrolled. Those odds are not good for the men, 6:1.

    But unfortunately, most of those 'women' were fake.

    This researcher analyzed the data and found only 12,000 actual, real women using Ashley Madison. That means for every 7,750 men, there were 3 women.

    There are reports that Ashley Madison paid people to create fake female profiles. Their website admits that 'some of the users may be there for "entertainment purposes."'

    The article itself is well written, including a description of the analysis. A charitable person would say that Ashley Madison was selling a fantasy, not reality. But a realist would say Ashley Madison is just a thief stealing money from lonely, unhappy men.


  5. #15
    Join Date
    Jul 2002
    Posts
    2,598


    That stuff about Thadeus is interesting. You pick good news stories to post.

  7. #16
    Join Date
    May 2004
    Location
    Philadelphia, PA
    Posts
    7,558

  8. #17
    Join Date
    May 2004
    Location
    Philadelphia, PA
    Posts
    7,558

    Lawyers score big in settlement for Ashley Madison cheating site data breach

    Members who paid $19 for their data to be deleted (it wasn't) might get a refund.

    https://arstechnica.com/tech-policy/...on-settlement/


  9. #18
    Join Date
    Jul 2002
    Posts
    2,598


    Geez, they didn't even delete it eh?
