Friday, February 08, 2019

How Bezos's dick pics might've been exposed

In the news, the National Enquirer has extorted Amazon CEO Jeff Bezos by threatening to publish the sext-messages/dick-pics he sent to his mistress. How did the National Enquirer get them? There are rumors that maybe Trump's government agents or the "deep state" were involved in this sordid mess. The more likely explanation is that it was a simple hack. Teenage hackers regularly do such hacks -- they aren't hard.

This post is a description of how such hacks might've been done.

To start with, from which end were they stolen? As a billionaire, I'm guessing Bezos himself has pretty good security, so I'm going to assume it was the recipient, his girlfriend, who was hacked.

The hack starts by finding the email address she uses. People use the same email address for both public and private purposes. There are lots of "people finder" services on the Internet that you can use to track this information down. These services are partly scams, using "dark patterns" to get you to spend tons of money on them without realizing it, so be careful.

Using one of these sites, I quickly found a couple of email accounts she's used, one at HotMail, another at GMail. I've blocked out her address. I want to describe how easy the process is; I'm not trying to doxx her.

Next, I enter those email addresses into the website to see if hackers have ever stolen her account password. When hackers break into websites, they steal the account passwords, and then exchange them on the dark web with other hackers. The above website tracks this, helping you discover if one of your accounts has been so compromised. You should take this opportunity to enter your email address in this site to see if it's been so "pwned".

I find that her email addresses have been included in that recent dump of 770 million accounts called "Collection#1".

They won't disclose the passwords, only the fact that they've been pwned. However, I have a copy of that huge Collection#1 dump, so I can search it myself to get her password. As this output shows, I get a few hits, all with the same password.

At this point, I have a password, but not necessarily the password to access any useful accounts. For all I know, this was the password she chose for, which wouldn't be terribly useful to me.

But most people choose the same password across all their websites. Therefore, chances are good this password is the one she uses for email, for her Apple iPhone, for Facebook, and for Twitter.

I can't know this, because even testing this password on those sites (though without accessing the information in her accounts) may be a violation of the law. I say "may be" because nobody knows, and I'm not willing to be the first test case to go to trial and find out.

But the National Enquirer is (evidently) a bunch of sleazeballs, so I'm assuming they grabbed a copy of Collection#1 and researched all the accounts of people that interest them to find out precisely this sort of information, and extort them with it. It's real easy, as this post demonstrates. Or, if they didn't do it themselves, they are widely known in the United States as one of the few media outlets who would pay for such information if an independent hacker were to obtain it.

So which accounts did the sexting images come from? Were they SMS/iMessage messages? Were they sent via Twitter/Facebook private messages, like in the Anthony Weiner scandal? Were they sent via email? Or was some encrypted app like Signal used?

If it's Twitter or Facebook, then knowing the email address and password is enough. A hacker knowing this information can simply log in and view the old messages without the owner of the account knowing.

They do offer something called "two-factor authentication", such as sending a numeric code to your phone that must be entered along with the password, but most people haven't enabled this. Furthermore, using the phone as a second factor has its own hacks that skilled hackers can bypass. Phone numbers that belong to her are also on that "people finder" report I paid for.

If the sexy images were sent via email, then likewise simply knowing her email password would grant somebody access to them. GMail makes it really easy to access old emails that you don't care about anymore. You can likewise enable "two-factor authentication" to protect your email account, with a better factor than just text messages to your phone.

If she has an iPhone, and the pics were sent as normal text messages, then hacking her Apple account might reveal them. By default, iPhones back these up to the cloud ("iCloud"). But not so fast. Apple has strong-armed their customers into enabling "two-factor authentication", so the hacker would need to intercept the message.

But Apple text messages don't always go across the phone system. When it's two iPhones involved, or Apple-to-iPhone, such messages go across their end-to-end encrypted iMessage service, which even state actors like the NSA and FBI have trouble penetrating. Apple does a better job than anybody protecting their phones, such that even if I knew the password to your account, I'm not sure I could steal your sexting images.

Lastly, maybe an encrypted messaging service like Signal was used. This is generally pretty secure, though they have a number of holes. For example, when receiving a sexting message, the user can simply take a screenshot. At that point, we are back in the "cloud backup" situation we were in before.

Maybe it wasn't her phone/accounts that were hacked. Maybe she shared them with her siblings, friends, or agent. Diligent hackers go after those accounts as well. Famous celebrity hackers often get nude pics via this route, rather than hacking the celebrity directly. That "people finder" report includes a list of her close relatives, and enough information that I can track down her other associates.

So here's how you can avoid getting into the same situation:

  • Set up different email accounts: ones you use for personal reasons that can easily be discovered, and ones you use in other situations that cannot be tied to your name.
  • Don't reuse passwords, as was done in this case, where all the accounts I found have the same password. At least one site where you've used that password will get hacked and have that password shared in the underground. Use a unique password for each major site. Knowing your GMail password should not give me access to your iPhone account, because that's a different password. Write these passwords down on paper and store them in a safe place. For unimportant accounts you don't care about, sure, go ahead and use the same password, or a common password pattern, for all of them. They'll get hacked but you don't care.
  • Check to see how many of your accounts have been pwned in hacker attacks against websites. Obviously, the passwords you used for those websites should never be used again.
  • If you send sexy messages and you are a celebrity, there are large parts of the hacker underground who specialize in trying to steal them.
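
The "check whether your password has been pwned" step above, as an added example that is not from the original post: it uses the k-anonymity scheme of the Pwned Passwords range API, where only the first five hex characters of the password's SHA-1 are sent and the rest of the match is done locally, so the password itself never leaves your machine. `SAMPLE_RANGE_BODY` is a constructed response (made-up counts) so the check runs offline; `fetch_range_http` is the optional live lookup.

```python
import hashlib
from typing import Callable, Dict, Tuple
from urllib.request import Request, urlopen

# Constructed sample of a range response for SHA-1 prefix 5BAA6 (the prefix of
# sha1("password")). Format is "SUFFIX:COUNT" per line; counts here are made up.
SAMPLE_RANGE_BODY = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
    "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
    "012C192B2F16F82EA0EB9EF18D9D539B0DD:1\r\n"
)


def sha1_split(password: str) -> Tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the upper-case SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; tolerates CRLF and blank lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and suffix:
            counts[suffix.upper()] = int(count)
    return counts


def fetch_range_http(prefix: str) -> str:
    """Live lookup: only the 5-character prefix is sent to the API."""
    req = Request(f"https://api.pwnedpasswords.com/range/{prefix}",
                  headers={"User-Agent": "pwned-range-check-example"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str,
                fetch: Callable[[str], str] = fetch_range_http) -> int:
    """How many times the password appears in the breach corpus (0 = unseen)."""
    prefix, suffix = sha1_split(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    # Offline demo against the constructed sample; swap in fetch_range_http to go live.
    n = pwned_count("password", lambda _prefix: SAMPLE_RANGE_BODY)
    print(f"'password' seen {n} times; any count above 0 means: never reuse it")
```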
This post describes one path to hack the accounts: password reuse. Another vector for teenage hackers is phishing, such as in the DNC hack. This leaves traces behind, so presumably if this were the vector, they would've discovered it by now. The point is that there's little reason to assume nation-state actors or corrupt law enforcement officials in the pay of Donald Trump.

To summarize this post:

  • No, I didn't hack her accounts. However, her email addresses and some passwords are public on the Internet for hackers who look for them.
  • Some passwords are public. That doesn't mean the important passwords that would gain access to real accounts are public. I didn't try them to find out.
  • Even though I didn't fully test this, people get their sensitive information (like nude pics) stolen this way all the time.
  • Getting celebrity nude pics is fairly simple, such as through password reuse and phishing, so there is no reason to consider conspiracy theories at this time.


Unknown said...

Hey Rob,

This came up on my RSS - just wanted to say I really appreciated it. First, because some people are jumping to conclusions for their own reasons, and it's great to "speak truth" to that eagerness. But also second, this is a really good, easy walkthrough of credential duplication, and I've been able to send it to a couple non-infosec people in my personal life that I've been trying to get to adopt password managers & other hygiene practices.

Chris said...

Even if using a private email address, wouldn’t one be able to find it out from your username anyway, by digging into those database dumps?

Erin said...

It means we have to be very careful while using the people finder and similar platforms, as you are compromising on your personal data. Also I found this password generator strong random password generator very strong and random