Forgot your password?
typodupeerror
Crime The Courts Facebook Privacy Security Social Networks IT

Man Mines Facebook For Security Questions, Nabs Nude Photos From Email 257

Posted by timothy
from the oh-it's-that-easy-eh dept.
itwbennett writes "George Bronk, 23, has pleaded guilty to charges that he broke into the e-mail accounts of thousands of women, scouring them for nude photos that he then posted to the Internet. How he did it: He searched his victims' Facebook pages for answers to common security questions and then logged in to their e-mail accounts. In one case he persuaded a victim to send him even more explicit photographs by threatening to post the ones he'd stolen if she didn't. Bronk faces 6 years in prison on felony hacking, child pornography and identity theft charges."
This discussion has been archived. No new comments can be posted.

Man Mines Facebook For Security Questions, Nabs Nude Photos From Email

Comments Filter:
  • Obligatory (Score:5, Funny)

    by Anonymous Coward on Sunday January 16, 2011 @08:05AM (#34895960)

    Pics or it didn't happen

  • All I can say is (Score:2, Insightful)

    by drinkypoo (153816)

    Torrent?

    (ObDisclaimer: No, I don't want to receive child porn.)

  • by Anonymous Coward on Sunday January 16, 2011 @08:08AM (#34895970)

    Well, I sure hope all of the girls who took pictures of themselves got child pornography charges against them too.

  • by Anonymous Coward on Sunday January 16, 2011 @08:18AM (#34895992)

    That's why my answer to those security questions is always 30-50 randomly selected characters.

    What's your mother's maiden name? - kashiqewnchkdhsflakjshflvkdsvhpexiojnasdjlna

    • by Haedrian (1676506) on Sunday January 16, 2011 @08:36AM (#34896058)

      "What's your mother's maiden name? - kashiqewnchkdhsflakjshflvkdsvhpexiojnasdjlna"

      But everyone calls her bob.

      Joking aside, I did that once for my steam account. Then I forgot the password, when I came to reset it it demanded my secret answer. Couldn't remember it. :(

    • by Lalakis (308990) on Sunday January 16, 2011 @09:34AM (#34896308) Homepage

      I can't believe that no one blames the online services for requiring and using security questions as a security measure(!). This is such an insecure practice that I'm just baffled from the so much widespread use of it!
        Theoretically, security questions could be used as an ADDED security measure and be marginally effective at that, but in most times you can't know exactly how your answer will be used, so the sane response would be something like kashiqewnchkdhsflakjshflvkdsvhpexiojnasdjlna.

      • by Chelloveck (14643)

        Theoretically, security questions could be used as an ADDED security measure and be marginally effective at that, but in most times you can't know exactly how your answer will be used, so the sane response would be something like kashiqewnchkdhsflakjshflvkdsvhpexiojnasdjlna.

        Hey! How did you know my response?!

        Seriously, when I'm required to give an answer to one of these I just use my regular password generator to create another password for the site, then use that. "What was your first pet's name?" "w8ZRjky

  • by Grimbleton (1034446) on Sunday January 16, 2011 @08:24AM (#34896014)

    To a blogspot blog.

    • by mountaineer76 (941902) on Sunday January 16, 2011 @08:29AM (#34896026)
      yeh, I got that too, re-directs immediately to a blog about some insurance company. Here's the printable link which doesn't redirect: http://www.itworld.com/print/133630 [itworld.com]
    • by CrashandDie (1114135) on Sunday January 16, 2011 @08:41AM (#34896078)

      Indeed. It would appear ITWorld is vulnerable to a simple XSS comment post.

          <div id="comments">
              <div class="header">Comments</div>
              <div class="comment_links">
                  <span class="num_comments"><a href="/comments/133630">1 comment</a></span>
                  <span class="add_comment"><a href="/comment/reply/133630#comment-form">Add a comment</a></span>
              </div>
              <div class="comment content_item">
                  <h3>(No subject)</h3>
                  <META http-equiv="refresh" content="2;URL=http://swift-cars-insurance.blogspot.com/">
              </div>
          </div>

      Mountaineer76 provides us [slashdot.org] with a print version of the article [itworld.com] which isn't affected, though.

      PS: WTF is it with Slashdot's broken support for paste? Trying to recreate the goodness of iOS 1?

      • by hrieke (126185)

        Just report the blog as a violation of TOS.

      • by CastrTroy (595695)
        They probably don't check for meta tags in your post. Probably just script tags. Personally, I don't think comments should allow posting of any HTML whatsoever (make everything escaped, so tags show up as regular text), simply because there's too many ways to make things happen on a browser, even without javascript enabled. As this example clearly illustrates. Just imagine if it had been and image tag of one of the images from the article. Or if the the redirected page contained the content. We'd all ha
    • by macraig (621737)

      Ditto here. The redirect is inside a comment! ITWorld apparently allows too much HTML inside comments, and some comment-spammer figured that out and embedded a meta-refresh tag in a comment. It very effectively hijacks the ITWorld page from inside the comment.

      NoScript blocks the redirect if you have itworld.com blacklisted (I didn't initially).

      • by Dunbal (464142) *

        some comment-spammer figured that out

              Anyone who owns a website which allows comments knows that web spammers have "figured this one out" a long time ago. It's bots that do it nowadays. Which is why I don't allow HTML posts.

        • by macraig (621737)

          I've used a blog CMS called Pivot that allowed limited HTML but was VERY effective - like 100% effective - at stopping comment spam. Why the techniques it used aren't an industry standard might spark a lively discussion somewhere.

      • by drinkypoo (153816)

        NoScript blocks the redirect if you have itworld.com blacklisted (I didn't initially).

        Not here.

        • by macraig (621737)

          There's an Advanced NoScript option that apparently dictates whether it happens or not.

    • by Pharmboy (216950)

      Need to mod this up, then change to a better link without the spam redirect. The one time people are trying to actually read the article on slashdot, and they all get redirected instead...irony.

    • It'll eventually cycle away from the insurance blog to a NY Times Ad, and the Times itself (if you've registered in the past), and in all cases removes Back button functionality. Just and FYI if you're inclined to test NoScript against it (FAIL).

  • by PolygamousRanchKid (1290638) on Sunday January 16, 2011 @08:24AM (#34896016)

    Hobbies?

    • felony hacking
    • child pornography
    • identity theft

    Hell, yeah, you're hired!

  • by Gaygirlie (1657131) <gaygirlie AT hotmail DOT com> on Sunday January 16, 2011 @08:36AM (#34896060) Homepage

    This is exactly why usually the "security question" in most places is such a poorly-thought idea: usually they only allow you to select from a limited set of questions, and usually all the questions are such that it's easy to either guess the answer, check on the user's facebook/IM/etc, or just try from a list.

    It's much better when you can specify the question yourself. And even better: big, bold letters explaining to the user NOT to fucking choose a question/answer pair that is easily guessable or obtainable from their online profiles!

    • by francium de neobie (590783) on Sunday January 16, 2011 @08:55AM (#34896134)
      You can always put non-sensical answers to those security questions. Like, saying your birth place is an Intel 8088.
      • My favorite: "What is your favorite color?" Answer: "Red, no blue!" (booooinnng! omitted)

      • by hitmark (640295)

        Don't know about birthplace, but i grew up with a A500.

      • by Carewolf (581105)

        The problem with most non-sensical answers as they are still vulnerable to dictionary attacks. In fact almost any security question has this critical flaw. There is just no way of making it safe, except by instructing users to never answer the asked question and instead insert a secondary strong password.

      • intel 8088?

        wow.

        was that union or confederacy?

    • by xiox (66483)

      Facebook is guilty as well - I have a choice of 4 questions - name of 1st grade teacher - can't remember - city or town mother was born in - too obvious - last 5 characters of driver's license - okay question probably - street you lived on when you were 8 - not appropriate for me. Why can't I choose something better than this?

      • Facebook is guilty as well - I have a choice of 4 questions - name of 1st grade teacher - can't remember - city or town mother was born in - too obvious - last 5 characters of driver's license - okay question probably - street you lived on when you were 8 - not appropriate for me. Why can't I choose something better than this?

        Why can't you just put something largely arbitrary as the answer to any of those questions that you don't have good answers for? "Who's your first grade teacher? ..."

      • by HJED (1304957)
        you know Facebook doesn't make you set a security question right? Its optional, I however find it ironic how it says a security question makes your account more secure.
        more access methods == less security
        • For facebook, account security == not losing access to your account.
          Thats why it asks me to add multiple cell phone numbers,etc.. so that I can recover my password.
          They would prefer that someone gets access to my account, and then I am able to recover my access to it, rather than I forget my password, and my FB account goes inactive/disabled
    • by Peeteriz (821290)

      The whole concept of 'security questions' is completely flawed for things such as email or facebook, even if you can choose the question and the information isn't posted on the net.

      Private questions to which you would know such an answer would also be most likely known by your relatives - for example, your mother definitely knows her maiden name, but that doesn't mean that she should have an easy time reading your email. Funny details about your childhood would be known by your spouse, but if you're undergo

      • by Znork (31774) on Sunday January 16, 2011 @10:15AM (#34896504)

        The whole concept of 'security questions' is completely flawed

        The whole concept of answering such questions correctly is flawed. Once you're born in Hobbiton and your mothers maiden name is Goose they become quite a bit harder to guess. Such constructed 'alter egos' make the security questions much less dangerous while still maintaining some recovery capacity.

        • by Peeteriz (821290) on Sunday January 16, 2011 @10:58AM (#34896794)

          In that case, why not call it what it is, forget about the whole concept of security questions, and call it 'backup password', 'secondary password' or something like that?

        • by metacell (523607)

          Making up facts makes the security questions pointless, since you have to remember your made-up facts. The "security questions" become merely a second, alternate password which has to be remembered.

          So the security questions are either horribly insecure (if we answer them truthfully), or completely pointless (if we answer them with made-up facts). I'd call that a flawed concept.

    • Nothing requires the "real" answer.

      Use an MD5 or SHA1. If you're afraid a hacker is going to do that, salt it with your favorite food.

      $ echo -n Pasta Kennedy | md5sum
      d579c75318c3f0635c5b897a86eedad4 -

      Use that as your mother's maiden name.

  • Blackmail is blackmail, its an offense offline or online. The issue here is helping educate people to be more secure in their online transactions.

    • The issue here is helping educate people to be more secure in their online transactions.

      Doubtful; if that were the case, people would be talking about PGP and S/MIME. If the victims in this case had encrypted the messages with the pictures, there would have never been any problem.

      Of course, that would be slightly less convenient, so it will never happen.

  • by dpilot (134227) on Sunday January 16, 2011 @09:43AM (#34896358) Homepage Journal

    Evidently child pornography, blackmail, and breaking into thousands of women's email accounts merits punishment 6 times more severe than breaking into 1 woman's (Sarah Palin's) email account.

  • I have a single word that I always use for security question answers. It has nothing to do with any of the questions, so in that respect should be more secure because even someone who knows me well couldn't guess answers and gain access. I don't have to surrender additional personal info on myself or others (mother's maiden name, father's birth year, etc). And I always know the answer, no forgetting.

    And someone like the guy from TFA couldn't get any nude pics of me, not that he wouldn't stop at the first

    • I have a single word that I always use for security question answers.

      Shibboleth?

  • I'm confused as to how this works. On most sites, answering the secret questions correctly allows you to reset the password, which is then mailed to the e-mail address on file. How does this help in obtaining the password to an e-mail system? Is there an e-mail system out there that is so brain-dead that it allows you to re-specify a password as a reward for merely answering the secret questions correctly? If so, which e-mail system?
  • Every time I come across a page that requires me to use a passphrase that's at least 8 characters long, contains numbers, special characters and preferably something that could only be typed on some obscure keyboard layout 10 people on this planet use, I feel kinda good.

    That feeling instantly vanishes as soon as they also want some "security verification" in case I forget my password. And then you get to read things like:

    Mom's maiden name
    Your first address
    Brand of your first car
    Pet's name

    And so on, all thin

  • So, it would seem that people do have an expectation of privacy when it comes to their email. Well, glad to know there won't be any warrantless surveillance now.
  • Dumbass (Score:4, Interesting)

    by flyingfsck (986395) on Sunday January 16, 2011 @11:25AM (#34896954)
    Why go to all that trouble to find nude pics when you can get all the nude pics and live webcams you want on the net without any hacking required?
  • by couchslug (175151) on Sunday January 16, 2011 @11:27AM (#34896972)

    ...working out for ya? (runs)

  • by IGnatius T Foobar (4328) on Sunday January 16, 2011 @12:03PM (#34897176) Homepage Journal
    It wouldn't be difficult for Facebook to automatically reject (or at least warn you about) status updates that contain strings which match either your password or the answers to any of your security questions. At least force the user to think about it.

My idea of roughing it turning the air conditioner too low.

Working...