By Robert Kang
Everyone has emails that they consider to be no one’s business except their own. Our emails contain everything from tax returns to intimate photos meant only for someone special. Imagine the horror if a hacker infiltrated an email account belonging to someone you knew and made those emails public. Imagine the horror if it happened to you.
For many people, no imagination is needed, because it did happen to them. This type of hacking is a crime and many hackers have been brought to justice. But that doesn’t change the horror of being victimized. This article walks through some of the country’s most prominent personal privacy hacks and shares tips for responding to similar attacks. Learning what happened may help protect you and your loved ones from the same techniques used by these hackers.
Protecting yourself from 2010’s “Hollywood Hacker”
(Password Challenge Questions)
Renee Olstead is an actress and singer. Olstead started acting when she was five years old, and has appeared in shows like “Touched by an Angel” and “The Secret Life of the American Teenager.” She works hard and has a bright future. Renee is also a survivor of sex-based computer hacking.
In 2010, a then-unknown hacker hacked into Olstead’s personal email accounts. Her private photos, including nude photos, appeared on the internet, where they spread like wildfire. It was a gross violation of her privacy. Olstead even attempted suicide, though fortunately wasn’t successful. She was only 21 at the time.
Olstead shared her story with a court in 2012 as follows. “About two years ago, I received a phone call from (FBI) Agent (Josh) Sadowski informing me that my personal information had been compromised. And basically that it was a matter of time before these images hit the internet . . . I was humiliated.”
Olstead wasn’t alone. Between November 2010 and October 2011, the FBI tied over 50 female victims to Olstead’s hacker. The list reflected a “who’s who” of Hollywood: Scarlett Johansson, Mila Kunis and Christina Aguilera, among others. The widespread sharing of their intimate photos online created one of the most graphic events in American cyber history. This mysterious assailant became known as the “Hollywood Hacker.”
The case ends with Olstead and Johansson learning their hacker’s identity, and even delivering some payback. In 2012, the FBI tracked down and arrested Christopher Chaney, a then-35-year-old man living in Jacksonville, Florida. One technique law enforcement uses to find hackers involves tracking their Internet Protocol (IP) address.
Think of an IP address as the internet version of a calling card which is left behind when one computer talks with another. Chaney had evaded capture using a service called “Hide My IP,” which masked his IP address. However, the FBI was watching, and the one time Chaney slipped, the FBI found him. On February 10, 2011, armed with a warrant, the FBI raided Chaney’s home and arrested him. The trial court sentenced Chaney to ten years, and his sentence was affirmed on February 22, 2016, by the United States Court of Appeals for the Ninth Circuit. Barring the unexpected, Chaney will remain a guest of the penal system for many years.
The sentencing phase of Chaney’s prosecution is where Olstead and Johansson came in. Survivors are often reluctant to speak in court, which requires them to share intimate pain in a very public setting. But victim impact statements are invaluable to putting criminals behind bars. Olstead recounted her experiences in court. “I realized that suddenly I wasn’t the girl who works full time, is a full-time student still manages to make the Dean’s List,” she told the judge. “Instead, I was the girl who was naked on the internet. And this is something that has followed me . . . it was the scariest moment of my life.” Johansson also shared her story in court, via a recorded video statement. “I have been truly humiliated and embarrassed,” she said. “I find Christopher Chaney’s actions to be perverted and reprehensible. As long as he has access to a computer, Christopher Chaney continues to be a threat to women who believe email communications are personal and confidential.”
These statements impacted the judge, who referenced them, and other victim statements, in sentencing Chaney. Chaney’s ten-year sentence was nearly twice the length proposed by prosecutors.
How did Chaney hack into his victims’ online accounts? Was he a computer genius? An inveterate hacker who played electronic hide-and-seek with the NSA in his spare time in a basement?
The answer might surprise you.
Chaney was not a professional hacker. But he was a social engineer of sorts, and clever enough to figure out how people answer the “challenge questions” used by many online service providers to help users reset a lost or forgotten password. We’ve all seen them: “What is your pet’s name?” Or “What is the make of your first car?” Most of us don’t think twice about answering those questions honestly. Neither did Chaney’s victims. That inclination to honesty gave Chaney his chance.
Like a detective, Chaney studied his targets: famous women. He read magazines and news articles about them; he subscribed to online sources and databases like Intelius that compiled celebrity dossiers. This careful research enabled Chaney to figure out the answers to many of the celebrities’ email password reset challenge questions. For example, in one instance, Chaney successfully hacked into one celebrity’s account using the name of her pet. After gaining access to the victim’s account, Chaney set it to automatically forward the victim’s emails to other accounts controlled by Chaney. When the victim found herself locked out of an account, she assumed it was an electronic glitch and simply reset it. But, like many of us, the victim didn’t think to check whether the account had been altered to forward emails automatically to someone else’s account.
Chaney’s work opened him up to a treasure trove of personal emails. He learned about Scarlett Johansson’s separation from Ryan Reynolds before the news became public, for example. Before being arrested, Chaney also harvested intimate celebrity photos, many of which he shared with others. The rest is internet history.
Part 1 Tips:
1. Be strategic when providing answers to password reset challenge questions. Don’t use your actual mother’s maiden name, for example, but rather a word that only you would know. Some services give you a range of questions. Changing this personal habit is a good way to protect your online privacy.
2. Be suspicious if you can’t open an email account. If your password doesn’t work, don’t assume it’s a glitch. Instead, treat it as a potential hack. Inform your service provider. And check that your account settings haven’t been tampered with to forward emails automatically to a different email account.
3. Want to learn more about challenge questions? See “Security Questions Don’t Protect You: Here’s Why.”
Protecting Yourself from 2014’s “Celebgate” hacker
Crime never stops. Two years after Chaney’s capture came “Celebgate” – the name of a hacking spree that, again, resulted in the viral posting of intimate photos belonging to famous celebrities like Jennifer Lawrence and Kate Upton. The event came to be known as “Celebgate” and “the Fappening.”
But while the attacks continued, so did the government’s commitment to capturing the guilty. On March 15, 2016, the FBI and United States Attorney’s Office announced that a then-36-year-old Pennsylvania man, Ryan Collins, signed a plea agreement, requiring him to plead guilty to two cyber crimes – felony violation of the Computer Fraud and Abuse Act and violation of the unauthorized access to a protected computer system laws. (Related – Hacker Admits to Stealing Celebrity Nude Photos, Takes Plea Deal). He is one of several criminals caught in connection with the Fappening, all of whom used similar techniques to gain unlawful access to their victims’ personal information.
In order to gain access to his victims’ accounts, Collins, and others like him, engaged in “phishing” – a hacking technique that involves creating fake email accounts that look trustworthy. For example, Collins created email accounts with names like “email@example.com” and “firstname.lastname@example.org.” Using these fake accounts, Collins sent emails to celebrities, asking them (or asking the people managing those accounts) for account and password information. If he was successful, Collins downloaded the contents of a victim’s email or cloud storage account.
As part of the plea deal, prosecutors recommended an 18-month prison sentence, though the trial judge may choose to impose a different one. Collins was sentenced on October 26, 2016, in a federal courthouse in Harrisburg, Pennsylvania. The United States Attorney’s Office noted that investigators have not uncovered evidence linking Collins to the actual leaks comprising the Fappening, or that he shared or uploaded the information that he obtained. The hunt continues.
Part 2 Tips:
4. Phishing emails are everywhere; don’t take the bait. View emails asking for your password or other account information with suspicion. Phishing emails often ask for account information, in order to “verify” security. But even if you decide to change a password, don’t click on any links within the email. Instead, go to the account website and change the password directly.
5. Use two-factor authentication where available. Many online services allow users to add an additional step before logging into an account, such as the use of a unique code sent to the user’s phone at the time of login. It’s a minor inconvenience that is worth the effort.
6. Use long, strong passwords that include a mix of numbers, letters and special characters. Need tips? See “Microsoft – Tips for creating a strong password.”
7. Want to learn more about phishing? See “NCSC’s Know the Risk – Raise your Shield: Spear Phishing.”
Protecting yourself from other hacking methods
(working with law enforcement)
Starting this article with celebrity hacks may give the impression that the criminal justice system only moves for the rich and famous. Not true: celebrity hacks gain major media attention, but they represent only a fraction of successfully prosecuted sex-based cyber crimes.
Assistant United States Attorney Lisa Feldman explains. A career cyber prosecutor with the United States Attorney’s Office for the Central District of California, Feldman and her colleagues are at the forefront of catching and prosecuting cyber criminals.
“We’re talking about the Chaney (celebrity) hacking case,” notes Feldman during an interview. “But most of the victims we work with aren’t celebrities. They’re regular people. And we put the same effort into prosecuting those cases as we do the celebrity cases.” These aren’t empty words. Especially in recent years, police and prosecutors have racked up wins against sex-based cyber criminals across the nation from California to Florida.
Feldman notes the sobering reality that many crimes go unreported, however. She cites the arrest and conviction of Luis Mijangos as an example. At the time of his arrest, Mijangos was a 32-year-old man living in Santa Ana, California. Mijangos used many of the same techniques used by other hackers, such as phishing, to gain access to his victims’ computers and accounts. But where Chaney and Collins primarily collected intimate photos, Mijangos engaged in “sextortion” – a malign, interactive type of cyber crime. For example, in addition to harvesting intimate photos, Mijangos, a more skillful hacker than Chaney and Collins, would control the webcams built into his victims’ computers and use them to photograph women in their private moments. Mijangos would then contact the women to blackmail them into sending him even more nude photos. “I never knew if it was someone that I knew or if it was a complete stranger (who attacked me,)” recounted one victim during the sentencing portion of Mijangos’ eventual prosecution. “It would be in the back of my mind no matter where I went or who I went with. It was always there.”
Mijangos came to law enforcement’s attention after one of his victims reported his crime. The FBI caught Mijangos after backtracking through some of the emails he sent to that victim to domains registered in his name. But the horror is that Mijangos’ computers showed he had victimized over 200 people, including over 30 underage girls. None of the underage victims reported the crime to law enforcement. Why?
“They were young,” says Feldman, as she recounts the reasons people hesitate to report such crimes. “They are often afraid their parents will find out. They might also be scared to tell people they’ve been victimized. They may blame themselves. And criminals like Mijangos know how to exploit that fear and threaten their victims into keeping quiet. It’s really scary for them. But we hope they tell us, so we (law enforcement) can help them.”
Feldman understands the difficulty that victims and survivors face in reporting sex-based crimes and tries to help members of the public understand their options before disaster strikes. In addition to comforting individual victims, Feldman teaches safe cybersecurity habits in her spare time to the public. It’s a form of community outreach intended to build trust between the public and law enforcement. Her audiences include schoolchildren and their parents. Nor is she alone. Many of her colleagues – including her high ranking supervisors – similarly volunteer their time. Tracy Wilkison, the Chief of the Cyber and Intellectual Property Crimes Section in Feldman’s office, shared her motivations for volunteering: “Because cybercrimes can happen to anyone, it’s important for us not only to vigorously investigate and prosecute the crime after it has happened, but to also reach out and teach prevention as widely as possible,” said Wilkison. “We are providing tips to better protect oneself, as well as spreading the word that law enforcement can be trusted to support and aid victims of cybercrimes. We understand how horrifically violated the victim can feel, and we work very hard to help.”
Working with law enforcement requires courage on the part of a cyber crime survivor. But, as with the Chaney prosecution, the results of such cooperation can be powerful. In the Mijangos case, one of his victims, identified as “JM,” explained why she overcame a clear fear of her attacker to work with law enforcement. “He was threatening to ruin my work, to talk to my employers and send them pictures that he had personally grabbed also from my personal computer,” she explained during a court hearing. “I would log onto work, he would somehow just pop up on my computer and call me a bi*ch . . . I started throwing up. I got a rash, developed a rash on my face, and I just couldn’t go to work.” But JM found it important to stop Mijangos. “Prior to being a victim of this man, I was a victim of domestic violence,” she told the judge, “and I would tell you that there is no difference (between the two.) And being so that I had just been a victim of (domestic violence) is why I decided to stand up to him.”
JM’s message came through loud and clear. In 2011, the judge sentenced Mijangos to six years in prison.
Part 3 Tips:
8. Contact law enforcement if you believe you were the victim of a crime. Encourage your friends and loved ones, who may have been victimized, to do the same. Anyone can be a victim, even celebrities who may be someone’s personal hero. Stars like Olstead and Johansson found the courage to share their stories publicly, and their courage contributed to the long sentence that shackles Chaney. Mijangos was convicted after one survivor found the strength to report the crime and work together with law enforcement.
9. Cover your computer’s built-in webcam when not in use. Sophisticated hackers like Mijangos can use it to take photos, even when the camera looks like it’s off.
10. Learn more about protecting personal privacy. This article only touches the surface of available defenses. The Department of Homeland Security, in particular, has created cybersecurity guides geared towards protecting people from all walks of life, from children to undergraduate students to elder Americans. (DHS Guides).
Our online accounts represent a treasure trove of intimate information. Law enforcement has scored big victories in capturing and prosecuting offenders. But the first line of defense rests with each of us. Completely protecting oneself from cyber criminals is a full-time job. But it is possible to reduce the risk of being low hanging fruit by learning how to protect yourself against the methods employed by hackers like Chaney, Collins and Mijangos. And share the courage shown by survivors such as JM, Renee Olstead and Scarlett Johansson, with others. Their courage may inspire other survivors of cybercrime to contact law enforcement.