
I want to see the picture evidence... ummmmm you know, so I can, ummm decide his guilt for myself!
(Trundling off to usenet and darkweb, in search of Powell's hidden booty!)
Jonathan C. Powell, who hacked into over 1,000 email accounts in search of sexually explicit images and videos of college-aged women, was jailed for six months for computer fraud, the US Department of Justice said on Thursday. Arrested in November, 2016, Powell, a resident of Phoenix, Arizona, pleaded guilty last August in a …
I thought I did. But it's that Reg functionality flaw, where if you're not logged in, it invites you to do so, but then creates your reply as a new post.
One day, the Reg will fix that. And provide a direct link back to the article from the "Reply to" screen. But it is not that day! An hour of trolls and shattered web interfaces when the age of Men comes crashing down! But it is not this day! This day we type! By all that you hold dear on this good Earth, I bid you stand! Commentards of ElReg!
I know what you mean. I never use the real answers to these common security questions. The downside is that I need to keep encrypted files for each organisation I deal with listing all my different mother's maiden names, pet's names, schools attended etc. I guess most people don't give a second thought nowadays to liberally sharing personal information all over the net, facebook etc. Can't say as I keep any nude photos online either, not that anyone would be interested in seeing the naughty bits of a sixty year old bloke.
"[...] not that anyone would be interested in seeing the naughty bits of a sixty year old bloke."
My 90 year old neighbour would have considered you a cute toy boy. IIRC nowadays she would be called a "cougar". The internet has surely taught us that YMMV has a universal application to every human taste, aesthetic, or experience.
> Can't say as I keep any nude photos online either, not that anyone would be interested in seeing the naughty bits of a sixty year old bloke.
You mean those young attractive women on the internet who tell me they like older umm larger men are lying to me? I'm in shock.
Some security questions are terrible.
On the phone, HSBC ask for your sort code and account number first off. Then as one of the security questions, they ask you to confirm which branch the account is held in. You know, that publicly-searchable sort code lookup information?
The Co-Op bank ring you up and ask you to answer one of your security questions, then give two digits of your telephone banking PIN. I emailed them to explain how easily exploitable this is (Scammer: "Sorry, that didn't get accepted, we'll have to try again. Can you tell me your first school, please, and this time the second and third digits of your PIN?") but they seemed to think it was wholly secure. So I started reporting every call from them to their own fraud hotline. I understand that they still make these calls, but I don't get them any more ...
Curious aside: Their old internet banking system used to ask me for my first school (out of five security questions) about 80% of the time.
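The partial-PIN exchange described in the post above, as an added simulation that is not part of the original comment and not the bank's real call script. It assumes a 4-digit telephone-banking PIN and two digits requested per call; it also goes a step beyond the post by showing that even if each call's positions were chosen at random rather than by the caller, a few repeated calls still collect every digit.

```python
"""Added example: how a partial-PIN check over the phone leaks the whole PIN.

Constructed scenario, not the bank's real script: a caller asks for
DIGITS_PER_CALL digits of a PIN_LENGTH-digit telephone-banking PIN on each call.
"""
import math
import random
from typing import Dict, Iterable, List, Optional, Sequence

PIN_LENGTH = 4        # assumption: 4-digit telephone-banking PIN
DIGITS_PER_CALL = 2   # the post describes "two digits of your telephone banking PIN"


def calls_needed(pin_length: int = PIN_LENGTH, per_call: int = DIGITS_PER_CALL) -> int:
    """Minimum calls for a caller who chooses the positions (complementary sets)."""
    return math.ceil(pin_length / per_call)


def attacker_position_plan(pin_length: int = PIN_LENGTH,
                           per_call: int = DIGITS_PER_CALL) -> List[List[int]]:
    """Positions a scammer who runs the call asks for, call by call, never overlapping."""
    positions = list(range(pin_length))
    return [positions[i:i + per_call] for i in range(0, pin_length, per_call)]


def reconstruct(pin: str, calls: Iterable[Sequence[int]]) -> Optional[str]:
    """Rebuild the PIN from the digits the victim read back on each call.

    `pin` stands in for the victim's memory: the function only looks at the
    positions that were requested, exactly as the victim would answer.
    Returns None if some position was never asked for.
    """
    known: Dict[int, str] = {}
    for positions in calls:
        for p in positions:
            known[p] = pin[p]
    if len(known) < len(pin):
        return None
    return "".join(known[i] for i in range(len(pin)))


def attacker_chooses(pin: str) -> tuple:
    """The post's scenario: 'that didn't get accepted, try the second and third digits'."""
    plan = attacker_position_plan(len(pin), DIGITS_PER_CALL)
    return reconstruct(pin, plan), len(plan)


def bank_chooses(pin: str, seed: int = 1) -> tuple:
    """Generalisation: even if each call's positions were picked at random rather
    than by the caller, repeated calls still cover every digit. Seeded so the
    run is reproducible; returns (recovered PIN, number of calls it took)."""
    rng = random.Random(seed)
    known: Dict[int, str] = {}
    calls = 0
    while len(known) < len(pin):
        positions = rng.sample(range(len(pin)), DIGITS_PER_CALL)
        calls += 1
        for p in positions:
            known[p] = pin[p]
    return "".join(known[i] for i in range(len(pin))), calls


if __name__ == "__main__":
    victim_pin = "7391"   # constructed sample PIN
    print("attacker picks positions:", attacker_chooses(victim_pin))
    print("positions picked at random:", bank_chooses(victim_pin))
```

The point of the simulation is that a partial-secret challenge only protects the secret against a listener who hears one call; a caller who can place several calls, and who sets the story ("that didn't get accepted"), gets the whole PIN in ceil(n/k) calls.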
What really annoys me with regards to mothers maiden name and other such related security questions is when a work application asks for them. Understandably I never give the correct answer and usually use an expletive so if anyone with control over said database ever accesses it then my feeling will be rather clear.
a) Most big companies are rubbish at security
b) Why expect ordinary people to be better? In about 30 years of PCs in schools, almost nothing is taught about creating and managing passwords. Telling people to have up to date AV software is not security training.
c) "… obtaining private sexually explicit photos, which people apparently store in their email accounts without much thought about security. It's not immediately clear why the large number of such images on the internet did not suffice*." Why do people take sexually explicit photos (of themselves)? They did it in film days too. Yes, labs made extra prints. Why then store them on so called "Cloud"?
d) Well, no matter about the level of stupid of a-c above, he does deserve suitable punishment.
[* For the miscreant breaking in or the people taking and storing the photos?]
Ay, there's the rub.
These questions are a stupid "solution" to a practical problem - Passwords, and their (often moronic) implementation.
Case in point: My reasonably computer-literate parents already struggle with the idea of keeping separate complex passwords for every account they use - and they use far fewer than I do. Remembering said passwords is a lost cause.
I'm trying to get them used to the idea of a password manager, but they are more likely to use pen and paper, so the complexity of the password is going to suffer.
Want to bet how many people don't really have anyone with at least rudimentary understanding of computer security they could ask for advice?
"These questions are a stupid "solution" to a practical problem - Passwords, and their (often moronic) implementation."
The problem is that there's really no way around this, no matter how you try to implement things. No matter what method you use for authentication, it will always be possible for it to be lost, damaged, forgotten, or otherwise compromised in some way. When that happens, you need a backup method of authentication in order to fix or replace the original. That provides an additional attack surface, and there's simply no way to avoid that. Bad password policies and weak security questions certainly don't help matters, but there's almost always going to be someone with legitimate access to whatever information you want to use, which makes it almost impossible to protect against a malicious insider or simply another big hack releasing it all into the wild.
Well, only the non-financial passwords should be in the password manager, which should NEVER be on the cloud.
ALL passwords should be in an indexed address notebook, with user name, website, what it's for, email used, security questions / PIN etc if applicable, password. And NEVER EVER kept in same jacket / handbag as phone if it is used for main internet (DON'T use it for anything important and then you don't need password book for it.) Never keep with Laptop/Tablet.
Then too, if you get knocked down, struck by lightning, heart attack, assassinated etc, the survivors can access your computer/laptop/phone and the internet accounts etc.
If you have a really important domain, consider creating a trust to manage it and hosting. Will should give Executor location of password book, main pass for main gadget and its browser password manager etc.
@Mage
You are almost there, but I downvoted ... because sensitive accounts (HMRC, banks) should be kept in two separate physical locations if they need be recorded somewhere else than one's brain.
Also, the jacket phone thing .... women will keep phone and diary in their handbag ... then again, handbag snatchers are usually after money and ID, so they grab ID/Passport/Driver's license, any cash and the credit/debit card(s), search for papers stored in same location as cards for PINs ... I doubt they would go through the diary for online account passwords ... not their business model, yet ...
but they are more likely to use pen and paper, so the complexity of the password is going to suffer.
Not really, if you explain a little ...
E.g. https://xkcd.com/936/
Simple passwords, almost impossible to guess, straight forward to write down.
Written-down passwords are safer than software password managers, try and hack their diary/appointment book ...
Password strength test https://www.my1login.com/resources/password-strength-test/
Random data generator https://www.random.org/ - I favour a string of 20 capital letters.
Both to take with a pinch of salt. I either shuffle the random letters before use, or devise a novel way of reading them into a password e.g. every 3rd letter skipping any that don't fit.
Alternatively I pick letters from a page of the bible, again not just a straight reading.
As to "fit": I've seen passwords rejected by assorted rules including "includes actual word" (reasonable-ish, but the risk is up to me) and "uses the same letter twice" (what the actual foolishness). So I pick:
Consonants only.
The first capital, the rest lower case.
No repeats.
6 letters then 2 numerals, also no repeat. The random generator includes a timestamp that can provide numbers, or, convert from letters.
If a site insists on a non-alphanumeric symbols then I add !
So for instance: Nsytrh35!
On the other hand, I suspect that at least one system that I use doesn't recognise the ! symbol. Fortunately it doesn't also require it.
Nsytrh35! is rated "Strong", which is a bit of a worry since that formula usually provides "Very Strong".
Incidentally... I am finding these harder to remember now. It could be Oldtimer's Disease.
For public use I set and hand out a password in format of ABCD-EFGH-IJKL-MNOP-QRST which is the 20 letters with places to stop for a rest. After jumbling it first.
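The consonants-then-numerals formula from the post above, implemented literally as an added example (not the commenter's code), together with a count of how many passwords the formula can actually produce. The alphabet, the "y is a consonant" choice and the comparison against a freely chosen 9-character password are my assumptions; the strength-meter rating quoted in the post is not modelled.

```python
"""Added example: the password formula described in the post above, implemented
literally, with the size of the space it actually produces."""
import math
import secrets
import string

# 21 letters; y is treated as a consonant here (an assumption).
CONSONANTS = "".join(c for c in string.ascii_lowercase if c not in "aeiou")
LETTERS = 6      # "6 letters then 2 numerals"
NUMERALS = 2
SUFFIX = "!"     # added when a site insists on a symbol
PRINTABLE = string.ascii_letters + string.digits + string.punctuation   # 94 symbols, for comparison


def make_password(rng=None) -> str:
    """Consonants only, first capital, no repeated letters, two distinct digits, then '!'."""
    rng = rng or secrets.SystemRandom()
    letters = rng.sample(CONSONANTS, LETTERS)      # sample() never repeats an element
    digits = rng.sample(string.digits, NUMERALS)
    return letters[0].upper() + "".join(letters[1:]) + "".join(digits) + SUFFIX


def matches_formula(pw: str) -> bool:
    """True if pw could have been produced by make_password()."""
    if len(pw) != LETTERS + NUMERALS + len(SUFFIX):
        return False
    word = pw[:LETTERS]
    digits = pw[LETTERS:LETTERS + NUMERALS]
    suffix = pw[LETTERS + NUMERALS:]
    return (word[0].isupper() and word[1:].islower()
            and all(c.lower() in CONSONANTS for c in word)
            and len(set(word.lower())) == LETTERS
            and digits.isdigit() and len(set(digits)) == NUMERALS
            and suffix == SUFFIX)


def formula_keyspace() -> int:
    """Number of distinct passwords the formula can produce (ordered letters, no repeats)."""
    return math.perm(len(CONSONANTS), LETTERS) * math.perm(10, NUMERALS)


def uniform_keyspace(length: int, alphabet: str = PRINTABLE) -> int:
    """Keyspace of a password of the same length with every character chosen freely."""
    return len(alphabet) ** length


def bits(keyspace: int) -> float:
    """Keyspace expressed as bits of entropy (log2)."""
    return math.log2(keyspace)


def seconds_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst case for an attacker who knows the formula and tries every candidate.
    guesses_per_second is supplied by the caller (an assumption about the attack)."""
    return keyspace / guesses_per_second
```

The caveat a practitioner would want: the fixed structure (capital only in position one, consonants only, no repeats, "!" always last) shrinks the space to 21·20·19·18·17·16 × 10·9 = 3,516,307,200 candidates, about 2^31.7, whereas nine freely chosen printable characters give about 2^59. Against an online login with rate limiting that is still a lot of guesses; against an offline attack on a leaked fast hash, `seconds_to_exhaust(formula_keyspace(), 1e9)` is a few seconds once the attacker has seen enough of your passwords to infer the pattern.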
"I get all twitchy like Inspector Dreyfus's left eye."
I had a phone call with O2 the other day, I was asked to give an answer to a security question not too dissimilar to "mothers maiden name", for all of these I just use random letters and numbers stored in a password tool.
The woman on the phone seemed genuinely impressed that I could remember all of those random numbers and letters..........
Also, all the calls are recorded so these "security questions" are all bollocks.
Security experts recommend that the name of your first dog should contain at least 8 characters, with a mixture of upper case, lower case, and numbers. Also, it should contain no common characters or subsets of your own name....
My password hint is "There is no hint."
That saves thinking of something cute, although it's a little tempting to put something like "Underwear row - Sun skewers old soldier (6, 4)". This is from the crossword puzzle in Private Eye 1461 which I haven't done any of, but the answer almost certainly isn't my password. A possible catch is that a hacker gets encouraged and then frustrated and insists on actually finding out what my password is in order to get closure, and eventually they would. But I think most of them prefer low-hanging fruit.
The answer seems to be due to be printed in Private Eye 1462 anyway (20 down and 23 down), now on sale.
...apparently the puzzle answer is "string vest" but I have no idea why except that a "string vest" is underwear... wait: maybe "row" = "string", "old soldier" = "vet" (veteran), and "Sun skewers" means somehow "insert letter S in the middle of the word", thus, "vest".
I would not have got that, and there is a prize but you wouldn't make a living from this.
Humans are an animal with curiosity. Forbidden fruits are always considered more tempting - an idea that recurs in the stories of our ancestors.
As D.H. Lawrence wrote in his poem about figs: the leaves are not a covering of shame - but an adornment to pique curiosity. Salome's dance may not have used the seven veils of Victorian literary imagination - but the suggestion is similar.
Your pet's name? Your city of birth? Your grandmother's middle name? All of this is great security. Until you or anyone connected to you puts it up on Facebook. How do people who know anything about what social media is still insist on relying on this kind of security by obscurity authentications? Oh, right, administrators and managers.
Easiest solution:
Use your password manager (e.g. Keepass) to generate 'passwords' for these fields and store the questions and answers in the notes box attached to username and password.
e.g.
Where were you born? e)\I7l}$=c&T@Pin+{m]
What is your mother's maiden name? Zg%N7al:Y2#R+fmwnc)C
etc, etc
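The practice in the post above (and in the earlier O2 anecdote of reading random letters and numbers down the phone), as an added example that is not the commenter's code and not KeePass's format or API: generate a random answer per question from an alphabet that is easy to read aloud, keep it next to the login, and read it back from the notes. The question pool, entry layout and notes format are constructed for the example.

```python
"""Added example: random, phone-readable answers for 'security questions',
stored alongside the login the way the post above keeps them in a password
manager's notes field. Question text and the entry fields are constructed here;
this is not KeePass's own format or API."""
import math
import secrets
import string
from typing import Dict

# Upper-case letters and digits minus the pairs that get confused when read out
# on a call (0/O, 1/I): 32 symbols, so each character carries exactly 5 bits.
PHONE_ALPHABET = "".join(c for c in string.ascii_uppercase + string.digits if c not in "01IO")
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation

QUESTIONS = [                       # constructed sample question pool
    "Where were you born?",
    "What is your mother's maiden name?",
    "What was the name of your first pet?",
]


def random_string(length: int, alphabet: str) -> str:
    """CSPRNG-backed string; secrets.choice is uniform over the alphabet."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_answer(length: int = 12, group: int = 4) -> str:
    """Random answer grouped for reading aloud, shaped like 'K7QF-3MXR-9HTW'."""
    raw = random_string(length, PHONE_ALPHABET)
    return "-".join(raw[i:i + group] for i in range(0, len(raw), group))


def answer_entropy_bits(length: int = 12) -> float:
    """Entropy of one generated answer: 12 characters over 32 symbols is 60 bits."""
    return length * math.log2(len(PHONE_ALPHABET))


def build_entry(title: str, username: str, questions=QUESTIONS) -> Dict:
    """One password-manager entry: login credentials plus a fresh random answer per question."""
    return {
        "title": title,
        "username": username,
        "password": random_string(20, FULL_ALPHABET),
        "answers": {q: generate_answer() for q in questions},
    }


def notes_text(entry: Dict) -> str:
    """The text you would paste into the entry's notes box."""
    return "\n".join(f"Q: {q}\nA: {a}" for q, a in entry["answers"].items())


def parse_notes(text: str) -> Dict[str, str]:
    """Read the notes back into question -> answer, so the answer can be looked up on a call."""
    answers: Dict[str, str] = {}
    question = None
    for line in text.splitlines():
        if line.startswith("Q: "):
            question = line[3:]
        elif line.startswith("A: ") and question is not None:
            answers[question] = line[3:]
            question = None
    return answers
```

Each answer here carries 60 bits, whereas a real surname or home town is drawn from a list of a few thousand likely values (roughly 12 bits at best, and often zero once the fact is on a social-media profile). Grouping into blocks of four and dropping 0/O and 1/I is only there to survive being read out to a call-centre agent; it does not reduce the entropy, since the hyphens are fixed positions.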
Use your password manager (e.g. Keepass) to generate 'passwords' for these fields and store the questions and answers in the notes box attached to username and password.
You are ignoring the people using Meltdown to access your password manager. This is not a good plan. Use Post-it notes. The old ways are the best!
I have been thinking about this for a while. I think it is time for me to make up some fake biographical information for these types of questions. E.g.:
Mother maiden name: Stalin
City of birth: Hiroshima
Pet's name: Cujo
Elementary school: Goebbels Elementary
You get the idea. Obviously I would need to store these in my password manager.
Makes me think of my English SSID, the password is a succession of German words ... why German ? Nouns in German take a capital letter, so you automatically get case right ... of course, who in France would think an English SSID would have German words in its password ...
I store all my passwords on a piece of paper, but I go one better by typing this list up on my computer so that the caps and special numbers are legible. I don't have any illusions about how secure this is, but I see no alternative; tried a password manager once but after using a laptop with NO caps lock indicator, the pain became unbearable, printed list on paper for me + 2FA + no facebook ....
Some time ago I set up an account (I don't remember which) that requested my mother's maiden name. So in disgust at being asked to provide such irrelevant personal information, I typed 'bollocks', not realising I would be asked for this information by the girl on customer support. Fortunately she had a good sense of humour. She also thought I was born in 1999 and my first name is 'po'.
I now have to keep this sort of false information written down, ever since it took two attempts at false mother's maiden name before one support agent would deal with my query.
For starters, at the very least, you use different answers to what the questions are asking.
e.g. Mother's maiden name? Main Street (i.e. street where you first lived)
Favourite Author? Spot (name of first pet)
Favourite sports team? Victoria's Secret (where you work).
Anyone who answers the questions with the correct values for the question itself is stupid and shouldn't be allowed unsupervised on the internet.
Better than mixing up the answers would be to use either totally random words or treat each of them like a password field:
Mothers maiden name? Trombone (random word)
Mothers maiden name? jnk0dS@t(es (just like another password).
Just come up with set of strong passwords and use them as the answers.
It is a moronic way of doing things, just as moronic as the banks that send out "Your Statement is ready to view" emails with a masked link button to your account login page.
At one job they set a self service password recovery system up using this three question system and one of our guys demonstrated how to socially engineer the answers out of people and change passwords.
Then the company attempted to discipline him until we brought them to their senses.
Dude, pornhub is free.
2nd fail: if only the question pool, across most institutions, wasn't limited to a dozen or so. Some of which can probably be researched or guessed. Ranks right up there with mom's maiden name.
Good idea the 1st time someone thought of it. Stupid by the time the 2nd person copied it.
Whenever I'm presented with one of these I find two things.
First, inevitably three-quarters of the questions could be answered by anyone with access to my Facebook account (assuming I actually gave FB the info) or even LinkedIn or a dozen other common sites.
Second, I invariably find that the sites with the most boneheaded "Security" questions are also the ones with the most boneheaded password rules, and are often the sites that wind up being hacked.
I seriously doubt that any authentication scheme like this is at all secure. Anything that relies on publicly available information is by definition insecure. And these days almost everything is publicly available if you know where to look, especially because so many sites insist that you log in using Facebook, Google, or other shared log ins.
@Barry Rueger - "the questions could be answered by anyone with access to my Facebook account (assuming I actually gave FB the info)"
It's worse than that, you don't even need a FB account if your maternal grandparents post that you visited them on their FB account. These questions are inherently leaky.
because so many sites insist that you log in using Facebook, Google, or other shared log ins
Perhaps you and I browse a different set of resources but whilst many sites offer such common login platforms I can't think of any off the top of my head that require their use. I never use them so I would have noticed.
Powell's interest in all this was obtaining private sexually explicit photos, which people apparently store in their email accounts without much thought about security. It's not immediately clear why the large number of such images on the internet did not suffice.
Wouldn't an obvious possible reason be yet-to-emerge coercion/blackmail?
College students aren't the wealthiest of people. There'd also be a good chance in that environment that any woman threatened with coercion would have a couple of large friends overflowing with testosterone who were willing to go along to any proposed meeting and resolve the issue.
"There'd also be a good chance in that environment that any woman threatened with coercion would have a couple of large friends overflowing with testosterone who were willing to go along to any proposed meeting and resolve the issue."
This being America, it's likely that someone involved has a gun, probably the blackmailer, so I'm sure that will end well.
In my opinion, any site holding personal data would be required to use multi-factor security. These hacks are becoming too frequent, and it's fairly obvious that a significant % of users do not understand how insecure their data is, if they don't take adequate precautions.
"Click that downvote button then scuttle away before anyone can ask you why!!!"
It is possible to switch between up/down votes later - but not to cancel both completely. To my mind a second click on the same option should toggle it to a neutral state.
People who have down voted a posting may wish to change their minds later when they realise they misread or in some way misunderstood. However they may feel that they still don't want to actually approve the posting.
On the other hand people who vote possibly don't always revisit the thread later to see if any replies cast a new light on the original posting.
Down votes can be an expression of "me too" to align with the content of a later reply posting. However for what appear to be factual subjects then one would expect at least one of them to post a reply expounding their objection for the benefit of everyone.
I do wonder at the posters who attract large numbers of down votes based largely on their previous controversial stances. It can become mob rule if people are trying to browbeat anyone into silence. If you are tired of a particular poster's attitude - if you aren't going to contest their view then just ignore them. If you approve of someone else's considered reply then up vote them.