What the AshleyMadison Hack Can Teach Everyone About Opsec

Today around 37 million people may be trying to think of a seriously good alibi. Hackers have reportedly published a sample of user account information from the hook up site AshleyMadison, and have threatened to release data on all of its users.

That cache allegedly includes the real names, addresses, credit card information and even sexual fantasies of the site's customers. It also exposes the fact that individuals were signed up to a site explicitly geared towards helping them find a partner for an extramarital affair, even if they had registered on the site with no intention of cheating anyway.

Either way, the site's users are certainly sweating. Especially if they neglected to use good OpSec.

OpSec, or operational security, is the practice of keeping certain pieces of information or activities secret from adversaries. That might include covering the real identity of an intelligence agent; burying the finances generated from a cybercrime scheme; or, yes, hiding the existence of a extramarital affair from a partner.

Ultimately, operational security is not about things like technology or encryption, but relies on ideas of how to handle information. In this case, its about preventing a site from collecting data that could then be released by hackers and traced back to your real identity.

Naturally, it all starts with your name. It's perfectly possible to sign up to AshleyMadison with fake details, as I found out when I made a dummy account earlier today. It's also worth not using your professional email, which may in turn expose where you work. This is what happened to some victims of the AdultFriendFinder breach in May: the hacker Andrew Aurenheimer, aka weev, decided to name public officials whose details were found in the database.

Obviously, identifying photos are a no-no. AshleyMadison cunningly allows its users to alter their photos in small ways, even if that just includes tacky click-and-drag masks to paste on top of their mug shots.

Next is the method of payment. AshleyMadison users can initially sign up to the site for free, but are then encouraged to pay money to boost their profile in the site's listings. Paying for this with a credit card is a bad idea, as your real identity is obviously linked to your bank account or card.

One possibility is to pay for the site's services with a gift card, available from many high street stores such as Best Buy. These can be bought in person, with cash, or from another website, and then exchanged later for plenty of things online.

In fact, AshleyMadison offers this exact form of payment: when asked to pay for a service, site users can select "Trade a Major Brand Gift Card" instead of the usual credit card options. Here, they simply enter the code on the back of the physical gift card, be that from Starbucks, Target, Best Buy or dozens of others, and this sends AshleyMadison the appropriate amount. However, it is unclear how many people took advantage of this method.

Screengrab:

AshleyMadison.com

In sum, the aim is to keep all activities related to your affair separated from your everyday identity, a concept called compartmentation.

Of course, it would have been smart for many people who used AshleyMadison would have taken these precautions. The reason that many don't, the information security expert known as thegrugq told Motherboard over encrypted chat, is "complacency."

"The problem with all opsec failures in general is that the penalty for getting it wrong is very far removed from the mistake itself," he added.

"So you make a mistake, such as signing up with your personal email address, and nothing happens and then a year later suddenly it turns out to have been a fatal error."

For the best chance of remaining undetected, thegrugq suggested creating a fuller persona, complete with a dedicated phone and cover name. That's because there are other threats to your secret affair too—your spouse could find out about it from your offline activities. For example, a phone bill may indicate calls to a unknown number, or your liaison ringing your phone while you have dinner with your significant other may cause alarm bells.

These ideas aren't exclusive to keeping an affair hidden, but extend to operational security generally. Keeping identities and information separated is where plenty of intelligence agents, criminals, and cheaters have all tripped up on, and no doubt will continue to do so.

With a new hack being reported pretty much every week, and with targets including banks, stores, and more miscellaneous services, maybe it's about time that everyone starts thinking about what information is being stored about them, and what they would do if that information was to leak online.

Ultimately, those who didn't take any additional steps to protect or obfuscate the data stored with AshleyMadison fully entrusted the site to keep their affairs a secret. Now they might be regretting not thinking the whole process through more carefully.