Official celebrity hacker

Is it just me, or do the rest of you feel a twinge of disappointment each year when you don’t make Time magazine’s “100 Most Influential People” list?

To add insult to injury, Christopher Chaney of Jacksonville, Florida was just arrested for hacking into computer accounts belonging to more than 50 people, primarily celebrities like Scarlett Johansson, Christina Aguilera, Mila Kunis, Simone Harouche and Renee Olstead. Once again, this time as a hacker, I was overlooked.

Chaney, who will someday be labeled as the “Official Hacker of the Stars,” was taken down by FBI agents in Los Angeles as part of the yearlong “Operation Hackerazzi” (I kid you not) investigation.

According to a press release from U.S. Attorney Andre Birotte Jr, “Mr. Chaney was able to access nude photos of some of the celebrities and some of them were uploaded on the Internet.” This got me thinking: maybe my key to making one of these lists of influential people is racy photos … I’ll talk to the family and see what price we are willing to pay.

Unofficial reports say that 35-year-old Chaney, who hacked for the thrill, may get up to 121 years if convicted on all charges. Wait, 121 years? The serial killer on SVU last night only got 20 years, with parole eligibility in 12—only in America.

OK, I’ll concede that Chaney might be a bit weird, but by no means was he dumb. His hack into 50 Google, Apple and Yahoo email accounts was a classic in social engineering.

Piecing Together Passwords with Social Engineering

You probably know that the login name for most accounts is the email address of the account (e.g., itsme@google.com). That’s the easy part. Guessing the password is the harder part, but it is also where a clever hacker gets help from the fact that many email users tend to be a little dumb when it comes to picking passwords.

Most people create a password that they can remember and easily type. These passwords are often a favorite name or place with a few numbers added, and they are usually meaningful to the owner. People are working under the assumption that no one is ever going to put the two together.

They are about as secret as the key under the flower pot on the front porch or the cash in the freezer. For example, who’s going to guess the password aimei90? Nobody, unless of course you’ve met my daughter Ai-Mei and know she was born in 1990. The same goes for aidan91 (other daughter), ginger03 (dog), or sallyyoung (wife and maiden name).

All a clever social engineer has to do is stalk his target, gather up meaningful password tidbits and set a password guesser in motion. Because the list is built from the victim’s own names and dates, it is a few hundred candidates rather than billions, so the attacker never has to brute-force anything. It might still take a few weeks of trying against a login page, but if the victim has gone the tried-and-true (and dumb) route of putting meaningful pieces together, their password will be broken.
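Here is an added worked example of that targeted guessing, written for this page rather than taken from the post or from the Chaney case. It builds the candidate list from the tidbits the post uses (the names Ai-Mei, Aidan, Ginger, Sally and Young, and the years 1990, 1991 and 2003), runs it against hashed passwords, and also shows the defensive version: rejecting a password the list would find. The tidbits and the “victims” are constructed, and SHA-256 is an assumed stand-in hash for the demonstration; real webmail logins are tried online, so what matters is how short the list is, not how fast it hashes.

```python
import hashlib
import itertools

# Constructed sample: the kind of "password tidbits" a stalker could pull from
# public profiles. The names and years are the examples used in the post above.
TIDBITS = {
    "names": ["Ai-Mei", "Aidan", "Ginger", "Sally", "Young"],
    "years": [1990, 1991, 2003],
}


def normalize(word):
    """Lower-case a tidbit and drop spaces/punctuation (Ai-Mei -> aimei)."""
    return "".join(ch for ch in word.lower() if ch.isalnum())


def candidate_passwords(tidbits):
    """Yield guesses in rough order of likelihood.

    First every name alone and with a year or common suffix (aimei, aimei90,
    aimei1990, Aimei90, ...), then every ordered pair of names with the same
    suffixes (sallyyoung, sallyyoung90, ...). For the tidbits above this is
    300 guesses in total, not billions, which is the point of a targeted list.
    """
    words = list(dict.fromkeys(normalize(w) for w in tidbits["names"]))
    years = tidbits["years"]
    suffixes = ([""] + [f"{y % 100:02d}" for y in years]   # 90, 91, 03
                + [str(y) for y in years]                   # 1990, 1991, 2003
                + ["1", "123", "!"])                        # lazy "complexity"
    for word in words:
        for suffix in suffixes:
            yield word + suffix
            yield word.capitalize() + suffix
    for first, second in itertools.permutations(words, 2):
        for suffix in suffixes:
            yield first + second + suffix


def sha256_hex(password):
    """Stand-in hash for the demo (assumption; not what any webmail provider uses)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack(target_hashes, tidbits, limit=100_000):
    """Run the targeted list against a set of hashes.

    Returns {hash: (password, guess_number)} for every hash recovered within
    `limit` guesses; guess_number shows how few tries the attacker needed.
    """
    found = {}
    for n, candidate in enumerate(candidate_passwords(tidbits), start=1):
        digest = sha256_hex(candidate)
        if digest in target_hashes and digest not in found:
            found[digest] = (candidate, n)
            if len(found) == len(target_hashes):
                break
        if n >= limit:
            break
    return found


def derived_from_tidbits(password, tidbits):
    """Defensive check: reject a password that the targeted list would find."""
    pw = password.lower()
    return any(candidate.lower() == pw for candidate in candidate_passwords(tidbits))


if __name__ == "__main__":
    # Constructed victims using exactly the "meaningful pieces" passwords from the post.
    victims = {sha256_hex(p): p for p in ["aimei90", "aidan91", "ginger03", "sallyyoung"]}
    for digest, (password, n) in crack(set(victims), TIDBITS).items():
        print(f"guess #{n}: {password}")
    print(derived_from_tidbits("ginger03", TIDBITS))  # same pieces, same result
```

Every one of the four example passwords falls inside the first 300 guesses, with aimei90 at guess number 3. The `derived_from_tidbits` check is the cheap mirror image: if you know which names and dates are public about you, any password the script would generate is one to avoid.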

It seems Chaney spent a lot of time wandering celebrity gossip sites, where password tidbits are a way of life.

Finally, in the spirit of a true stalker, once Chaney broke into a celebrity’s email account he set up a forward so that all new emails went to his own private email account. A question for you: when did you last check to see if your emails were being secretly forwarded, maybe to that ex-girlfriend or the weird guy in the coffee shop? Look in your account’s forwarding and filter (or rules) settings, not just your inbox, and remember that a forwarding rule survives a password change, so changing the password alone doesn’t evict the intruder.

Alan Wlasuk is a managing partner of 403 Web Security, a full service, secure Web application development company. A Bell Labs Fellow award-winner with 18+ years of experience building secure web applications, Alan is an expert in Web security - from evaluation to Web development and remediation.