Saturday, April 14, 2012

Google and gumption - Scarlett Johansson and 50 other celebs got HACKED

Hacking Scarlett Johansson—and 50 other celebs—using Google and gumption
On November 13, 2010, 34-year-old Jacksonville, Florida resident Christopher Chaney went hunting for unreleased nude photos of celebrities. According to court documents, he had the e-mail address for celebrity stylist and handbag designer Simone Harouche, but he didn't have Harouche's password. No matter; after connecting to Apple's e-mail servers, Chaney used the password reset feature. He answered the required security questions by supplying publicly available information gleaned from the Internet—and he was in. What to do next?

Account settings were a top priority. From there, Chaney could have a copy of all Harouche's incoming e-mail mirrored to nickchulbert@yahoo.com—an account created specially for this purpose. Even after Harouche regained control of her account, she was unlikely to start poking around immediately in her account settings, and Chaney might maintain his virtual view of her life for weeks or even months.

With the mirroring in place, a quick stroll through the actual contents of the account might be in order. For Hollywood celebrities, a search of all e-mails containing attachments could bring up everything from film scripts to scans of a driver's license to intimate photos. When he found these last items, Chaney saved them to separate folders on his computer. He then used three e-mail accounts with names like trainreqsuckswhat@yahoo.com—an I'm-better-than-you reference to a 2008 hacker named "trainreq" who had broken into Miley Cyrus's Gmail account—to distribute nude pictures to various Internet sites.

But such pictures weren't always sitting around, waiting to be downloaded; sometimes Chaney had to work for them.

Which led him to Harouche's contacts list. Thanks to electronic address books, the successful hack of a single well-connected individual like Harouche might turn up all sorts of private celebrity e-mail addresses, the raw material for future attacks on new accounts. In this case, Harouche knew singer Christina Aguilera. Chaney went off and tried to break into Aguilera's e-mail account, but with no success—so it was back to Harouche's account for one last dodge.

On December 2, three weeks after the first break-in, Chaney hacked his way back into Harouche's account. This time, he impersonated her, sending an e-mail to Aguilera in which he requested pictures of Aguilera wearing, as he would later admit to a federal judge, "very little clothing."
Amazingly, she appears to have complied; Chaney soon released photos of Aguilera obtained from Harouche's account onto the Internet. 

Chaney went on a spree, cracking more than 50 celebrity e-mail accounts, including those belonging to Mila Kunis and Scarlett Johansson. On January 1, 2011, Chaney celebrated the new year by logging into Johansson's Yahoo e-mail account once more and sending a message to a friend asking the friend to please send back copies of some private photographs. 

Chaney obtained several photos of Johansson in various stages of undress and released them online. Johansson commented on the photos to Vanity Fair last December:
She confessed she had taken them herself with her smartphone. “Those are old, from three years ago. They were sent to my husband,” she explained, referring to her now ex, Ryan Reynolds. “There’s nothing wrong with that. It’s not like I was shooting a porno—although there’s nothing wrong with that either.” Still, a dangerous habit, I thought, for a movie star. Worse than getting her phone hacked, she might make herself look bad: “You’re hardly a professional photographer.”
“I know my best angles,” she replied breezily. Cool, too, and smart was Johansson’s response after she found out she had been hacked: she copyrighted the pictures so that she could go after sites that displayed them.

As Chaney's victim count mounted, he finally realized he should be hiding his identity if he didn't want the FBI at his door. He began using a proxy service called "Hide My IP"—"By faking your IP you can often access many sites you were banned from," promises the site—but it was far too late for such a maneuver.

On February 10, 2011, the FBI executed a search warrant at his residence in Jacksonville. Agents hauled away a desktop computer with a black "Exblade" case, a Seagate hard drive, an 8GB USB memory stick, a cell phone, and 155 blank DVDs. When agents asked about the hacking, Chaney confessed it all.

But not even a visit from the feds could stop Chaney's habit, though he must have known the hammer was about to fall hard. He lasted until April 30 before hitting another (unnamed) target using a new computer. He cracked the security questions, logged in, and looked through the victim's e-mail account. On October 10, he broke in again and sent a message to one of the victim's friends, asking for photos.

Chaney didn't know it, but the 11-month investigation (dubbed "Operation Hackerazzi" by the FBI) of his activities had just wrapped up 3,000 miles away. On October 11, a California grand jury returned a lengthy indictment against him; on October 12, he was arrested in Jacksonville without incident. 

He spoke to CNN affiliate WAWS-TV in Jacksonville shortly afterwards. "I deeply apologize," he said. "I know what I did was probably one of the worst invasions of privacy someone could experience. And these people don't have privacy to begin with. And I was in that little sliver of privacy they do have."

Chaney's motivations remain opaque; he didn't sell any of the information he obtained for money and claims that he was just driven by "curiosity," which morphed into addiction. He told the TV station that he felt "almost relieved months ago" after the February raid, because finally someone had put a (temporary) stop to his activities.

The "dark underworld"

Despite the on-air confession, he pled not guilty. Court documents show that Chaney's bail required him to put up $10,000, with his mother coming up with $100,000 more. The government gave him an electronic tracker and ordered him not to leave the Jacksonville region while awaiting trial in Los Angeles. He was to reside at "mom's address," his bail document shows, and consume alcohol only in moderation. "Stay away from celebrities," someone wrote in pen next to the clause ordering him to avoid his victims. 

Chaney's Los Angeles trial was scheduled for December 27, 2011, then pushed back to April 2012 when it looked like a plea deal might be forthcoming. That deal materialized this week; Chaney pled guilty to nine counts of "aggravated identity theft," "wiretapping," and other crimes. 

The government notes that the maximum total sentence he could still face is 60 years in prison and a fine of $2.25 million, though the actual numbers will likely be far lower. Chaney has also committed to pay restitution to his victims—now believed to top $100,000. 

On March 19, Chaney faxed in his signature page from a downtown Jacksonville print shop—the header line reads "Kinkos Downtown Jax"—with the government signing the deal on March 21.
On Monday, March 26, federal judge James Otero signed off on the plea. At the hearing, Otero commented, "I don't understand why any person who is rational would continue in that kind of behavior."

US Attorney André Birotte Jr, whose office in Los Angeles brought the case, laid the "dark underworld" rhetoric on pretty thick after the hearing.
"Today's guilty pleas shine a bright light on the dark underworld of computer hacking," he said in a statement. "This case demonstrates that everyone, even public figures, should take precautions to shield their personal information from the hackers that inhabit that dark underworld."

But Chaney lived in sunny Jacksonville, and the case actually serves as a reminder of just how little need some modern hackers have of a "dark underworld" at all. Reaching from a Florida computer into the most private documents of Hollywood celebrities took no organized blackmail ring, no special tools, and no special software. It required merely a search engine, an Internet connection, and the willingness to be deeply creepy.

Plenty of these people exist; thanks to the Internet, any of them can be your "neighbor." Just ask the many victims of Luis Mijangos, a 32-year-old California man who from his wheelchair managed to go much further than Chaney. Mijangos actually seeded malware on P2P networks, used it to break into computers of young women, then spied on their instant messages and e-mail, even turning on their webcams and microphones to watch them undress or to eavesdrop on their conversations.

Like Chaney, he would interact with his victims, e-mailing them, impersonating friends, and demanding provocative photos or video. The women weren't celebrities, and Mijangos's invasions of privacy were so extreme that, when the FBI went to interview a college student, agents reported that she was "visibly upset and shaking during parts of the interview and had to stop at points to control her emotions and stop herself from crying." So terrified was the woman that she didn't leave her dorm room for a week.

Mijangos did need more tools, and had more technical savvy, than Chaney. His "sextortion" relied on commonly available remote access software and various bits of operating system exploit code, and in that sense he used a "dark underworld" to help him. But Mijangos was a freelancer when it came to online stalking, and he managed to cause serious mayhem for many women without so much as a partner in crime. 

The tools are so widely available, and now require so little effort to run—whole forums exist in which people share pictures of the women whose computers they have infiltrated with automated remote access tools—that basic "hacking" is no longer even self-limited by the requirement that the hackers have real technical skills.

There's one upside of "hacks" being easier for non-hackers to implement, however—people like Chaney don't cover their tracks well. That may provide little comfort to those whose privacy was invaded, but at least it helped end one more sorry chapter in the Internet's long history of privacy problems.

Chaney will be sentenced on July 23. 
