What would you do if your Facebook wall was suddenly filled with x-rated pictures and videos of you? Yeah, you. That happened to at least 20 women after a California hacker broke into more than 3,000 webmail accounts belonging to women. There are two lessons here. First is the basic flaw in the “secret question/answer” system for password recovery (ask Sarah Palin about that one). Most of the questions are pretty basic, and often we (eventually) share that kind of information online at some point: stuff like your high school mascot, or your first pet, or your first concert. It’s a lot more secure, but certainly not perfect, to make up your own question, because we’re all pretty lame about the kinds of questions we’d come up with. So this recent example is just like what happened to Sarah Palin during the presidential election:
Computer security experts have known for years that the password security questions that Bronk is alleged to have guessed are a weak link in online security. In 2008, a college student named David Kernell guessed the answer to some of these questions using information he’d found on the Internet and was able to break into the Yahoo Mail account of Alaska Governor Sarah Palin. Kernell is set to be sentenced for that crime on Nov. 12.
Kernell found a lot of his information on Wikipedia, which has a detailed entry on Sarah Palin. But with Facebook, some of this data can be dug up on non-celebrities too.
“Sometimes individuals out there put too much personal information that is accessible to the public,” Dixon said. “People should protect their security password questions as vigorously as they protect their passwords.”
In this recent example the hacker trolled through thousands of Facebook profiles picking his victims, then just started trying to find and guess the answers to the women’s security questions. No serious security breach there, just basic social engineering. The hacker was found guilty and will go to jail, but honestly, the problem is still there.
We’re (collectively) pretty bad about choosing passwords and “secret questions/answers”.
Now for the second lesson: the victims had the explicit photos and videos sitting in their own email accounts. Look, it doesn’t matter what you want to do with your time, but if you’re emailing that kind of sensitive stuff around… at least trash the sent item! Not that we’d encourage you to send that kind of thing unencrypted in the first place.
Of course if you did want to send naughty pictures to your true love on Valentine’s Day … eCrypt.me would be the way to do it.
The last thing to remember is this: we’re all human, and it doesn’t matter how awesome our encryption is or how strong our password is if you give the password to someone. Kinda like this from xkcd: