Leaked Photos of Johansson Expose Cloud's Vulnerabilities to Social Engineering
(Updates with comment from Google)
When Christopher Chaney hacked into the e-mail accounts of Hollywood stars and revealed intimate photographs of celebrities, including Mila Kunis and Scarlett Johansson, he exposed something else: Some parts of the cloud can still be woefully vulnerable to social engineering.
Chaney was no computer prodigy. He didn't need to be one in order to pull a stunt that spanned 11 months and affected more than 50 people in the entertainment industry. In many instances, this type of attack could still be executed, said Woodrow Hartzog, a professor at Samford University in Birmingham, Alabama, who researches digital security and social media.
"It is still a significant issue," Hartzog said. "These kinds of attacks can ruin people immediately."
According to court documents and official testimony, he broke into online accounts at AOL, Apple, Google and Yahoo! beginning in 2010, using a fairly basic scheme for snooping and spoofing. The methods of his hacking spree, which eventually landed him in prison, highlight the security flaws in some cloud services.
Regardless of the system's technical sophistication, people can still be tricked into disclosing sensitive data. The Internet has long carried the risk of a "phishing" attack, by which disguised messages are sent to deceive someone into clicking a malicious link or responding with personal information. Even an executive at an international conglomerate such as Coca-Cola can get tricked by an e-mail with the unusual subject line, "Save power is save money! (from CEO)." (Hey, you never know. Even chief executive officers make typos.)
Apple referred a request for comment to its announcement last week, saying the company would begin offering so-called two-factor authentication to iCloud users. "Apple takes customer privacy very seriously," Natalie Kerris, a spokeswoman for the company, told Bloomberg News.
Google also offers two-step authentication, and "provides easy-to-use advice and tools for protecting user security and privacy," Jay Nancarrow, a company spokesman, wrote in an e-mail.
Kate Wesson, a spokeswoman for Yahoo, said the company encourages users to choose complex passwords and change them frequently, as well as to select security questions "that are less susceptible to social engineering." AOL didn't respond to a request for comment.
Jamon Hicks, a lawyer at the Cochran Firm, who represented Chaney in the case, didn't respond to a request for comment.
At home in Jacksonville, Florida, Chaney began his string of breaches by accessing an account of celebrity stylist Simone Harouche, according to court filings. To initiate his break-in of her Apple MobileMe account (the service later became iCloud), he needed little more than Harouche's e-mail address. With that, he went to the login page and clicked on "Forgot Your Password."
Apple's system, like many others, asks for the user's birth date, along with one or more security questions, which are used to verify the person's identity before resetting a password.
The service asks users, "Which of the cars you've owned has been your favorite?" or, "In which city did your mother and father meet?" For public figures -- or even for someone active on social networks -- you don't need to be Sherlock Holmes to find a birth date or a photograph of a celeb riding in her car. Google it. That's basically how Chaney got in.
"We're all at risk of attacks through this kind of social engineering," Hartzog said. "So much of our information is out there, it really underscores the significance of limiting who can access your personal information online."
Upon completing Apple's brief quiz, Chaney set his own password for Harouche's MobileMe account. He browsed her private e-mails and perused her contact list, looking for other targets. Harouche is well-connected within Hollywood, having styled starlets that include Miley Cyrus, Jennifer Lopez and Ashley Tisdale.
Even after Harouche retook control of her account with Apple's help, Chaney was able to continue to monitor her messages. He had changed a setting on her account so it would forward every new e-mail she received to an address for which only Chaney held the keys, firstname.lastname@example.org. Nick Chulbert was one of the many aliases he used during his nearly year-long escapade, along with trainreqsuckswhat, anonygrrl and jaxjaguars911, a reference to his hometown football team.
A few weeks after Chaney first broke into Harouche's account, he tried to bait a new victim: Christina Aguilera. After failing to break into her e-mail account, he hacked into Harouche's e-mail again and sent a message to the pop star. Posing as the stylist, Chaney asked the singer to send pictures of her wearing "very little clothing," according to the hacker's plea bargain. The strategy worked.
Chaney published Aguilera's pictures online, kicking off a string of similar nude-celebrity leaks he would orchestrate. On Dec. 14, 2010, Chaney hacked into Johansson's Yahoo e-mail account. Four days later, he infiltrated Kunis's Apple e-mail and set it to forward new messages to his dummy address. On or around New Year's Day 2011, Chaney logged into Johansson's e-mail again and sent a message to a friend of the "Avengers" actress who possessed the now-infamous pictures of her.
In addition to naughty photos and gossip fodder, Chaney obtained scanned copies of business contracts, unpublished movie scripts, driver's licenses and Social Security cards. As the plot became more serious, Chaney tried to cover his tracks by using a tool called Hide My IP. The fact that Chaney wasn't taking steps from the outset to obscure his Internet Protocol address -- a string of numbers that can be used to trace the source of attacks -- demonstrates that he was no expert computer criminal.
In December, Chaney, who pled guilty to hacking into multiple e-mail accounts, was sentenced to 10 years in prison.
To contact the reporter on this story: Mark Milian in San Francisco at email@example.com
To contact the editor responsible for this story: Marcus Chan in San Francisco at firstname.lastname@example.org