Hacking isn’t always high-tech

I was reading on Yahoo News today that the hacker who broke into various celebrities’ email accounts like Scarlett Johansson, Mila Kunis and Christina Aguilera was ordered to appear in an LA courtroom in November.

The defendant, Christopher Chaney, hacked into their email accounts and posted several sensitive photos of them online.

I don’t know about you, but when I hear the word “hacked” I think of something really high tech: a computer user applying skills that I don’t possess in order to get into someone’s machine, like exploiting a Unix server’s core dumps, or running encryption-breaking software, or something similar.

Yet Chaney’s methods were not particularly complex.  All he did was the following:

  • He guessed the answers to the celebrities’ security questions. Why would that help? He went to the account in question (e.g., mkunis @ yahoo.com or something similar), claimed to have forgotten the password, and then used the password-reset flow, which asks those questions.

    Password reset questions are notoriously weak. They frequently rely on information that is easily discoverable, such as “Where did you go to high school?” or “In what city were you born?” or “What is your mother’s maiden name?” For most people, that information is not obvious when someone else is trying to guess it (I don’t even know where my wife was born; it’s somewhere in Taiwan). But if the target is a celebrity, a trip to Wikipedia can get you the answers half the time.

    Incidentally, this is the same way that former governor of Alaska Sarah Palin’s Yahoo account was hacked.

  • Anyhow, once Chaney got access to the account by guessing the correct answers to the security questions, he communicated with other people in the celebrity’s contact list. He pretended to be the celebrity, sent mail directly from the compromised account, and struck up conversations.

  • Finally, to ensure that he retained access even after the password was changed back, he set up a forwarding rule that sent a copy of all mail arriving in the account to one of his own accounts.
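As an added example (not from the original post), here is a small Python audit of the kind a mail administrator would run after such an incident: it scans a mailbox’s auto-forward rules and flags the pattern from the last step, a rule that silently sends every incoming message to an address the owner never declared as their own. The rule records, addresses and field names are constructed sample data, not any provider’s real API.

```python
from dataclasses import dataclass, field

@dataclass
class ForwardRule:
    owner: str                                       # mailbox the rule was created in
    forward_to: str                                  # where matching mail is sent
    conditions: dict = field(default_factory=dict)   # {} means "every message"
    keep_copy: bool = True                           # False: original deleted after forwarding

def forwards_externally(rule, known_addresses):
    """True if the destination is not one of the owner's declared addresses."""
    return rule.forward_to.lower() not in {a.lower() for a in known_addresses}

def audit_rule(rule, known_addresses):
    """Return the reasons a rule looks like attacker persistence (empty if benign)."""
    findings = []
    if forwards_externally(rule, known_addresses):
        findings.append("forwards to unrecognised address " + rule.forward_to)
    if not rule.conditions:
        findings.append("applies to every incoming message")
    if not rule.keep_copy:
        findings.append("deletes the original, hiding the forwarding from the owner")
    return findings

def suspicious_rules(rules, known_addresses):
    """Rules whose destination the owner never declared, with all findings attached.
    Unconditional or no-copy rules to a declared address are noted but not flagged."""
    return [(r, audit_rule(r, known_addresses))
            for r in rules if forwards_externally(r, known_addresses)]

# Constructed sample data for one mailbox (hypothetical addresses).
SAMPLE_KNOWN = {"mkunis@example.com", "mila.work@example.org"}
SAMPLE_RULES = [
    # benign: owner forwards invoices to their own work address
    ForwardRule("mkunis@example.com", "mila.work@example.org",
                conditions={"subject_contains": "invoice"}),
    # the persistence pattern: everything, silently, to an unknown address
    ForwardRule("mkunis@example.com", "dropbox7781@example.net",
                conditions={}, keep_copy=False),
]

if __name__ == "__main__":
    for rule, why in suspicious_rules(SAMPLE_RULES, SAMPLE_KNOWN):
        print(rule.owner, "->", rule.forward_to, ":", "; ".join(why))
```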

Looking through these techniques, none of them is particularly complex. Any of us reading this blog post could do it. You don’t need any hard-core hacking skills to pull it off; you just need to guess someone’s email address and then spend a little bit of time searching the Internet for the answers.

The weak point here is the security questions. Some websites offer a fixed list of questions whose answers are too easy to guess. In reality, the best method is to allow users to define their own security questions, with answers that are truly secret (such as “Who was the kid that sat next to you in 3rd grade math?”).

It’d be nice if more websites allowed that.  Almost none of them do.