Print 46 comment(s) - last by callmeroy.. on Jan 24 at 11:22 AM

George Bronk  (Source: The Sacramento Bee)

Email clients frequently offer personal security questions that users are asked to answer when they create the account. The questions allow anyone with the right answer to gain access to the account -- without remembering the password associated with the account.  (Source: Checking Email Live)
Man accused of exploiting security questions, forwarding nude pics to womens' "friends"

Do you send nude pictures of yourself or others via email?  Most of our readers are probably too savvy for such nonsense, but if you do, you might want to think twice about it.

George Bronk, a 23-year-old California native, has admitted to trolling Facebook personals looking for young women who posted their email addresses.  From there he began to monitor their wall posts and notes, in an effort to find answers to the security questions protecting their email accounts.  

Many email providers, including Hotmail and Gmail, offer these kinds of questions to help customers regain access if they've forgotten their password.  Most customers answer them truthfully, which can be exploited by malicious parties, as we pointed out in a recent blog.

In Mr. Bronk's case, once he gained access to the women's email accounts, he then typically scoured their email history looking for nude or seminude pics.  He then forwarded those pictures to all the women’s contacts.  He would also gain access to their Facebook accounts via the email-driven password reset feature.  He would then post nude pictures of them to their Facebook profiles.  

He would also post nude pictures of them on other sites.  And at least one woman he sent additional threats to, in order to obtain more explicit pictures.

Mr. Bronk, who resides in Citrus Heights, California, victimized dozens of women in the United States and Britain, according to the California attorney general's office.  He has plead guilty to seven felonies in state Superior Court, including computer intrusion, false impersonation and possession of child pornography.  

His defense attorney, Monica Lynch, is urging leniency pointing to Mr. Bronk's cooperativeness.  She says her client acted not out of malice, but out of immaturity, describing him in an Associate Press interview as a "23-year-old boy going on 15."  She argues, "He's accepted full responsibility. It's a tragic situation."

Prosecutors disagree.  They said that Mr. Bronk knew what he was doing and are seeking a six-year prison sentence on March 10 when the suspect returns to court for a sentencing evaluation.  At least one of the victims agrees.  In a statement to the Associated Press, she states that the incident felt like "virtual rape".

The suspect was caught after one of the victims contacted the Connecticut State Police.  Using computer records, they tracked the suspect to California.  From there the California Highway Patrol took over.  From there they obtained a search warrant and inspected Mr. Bronk's computer.  On it they found 172 e-mail files containing explicit photographs of women from 17 states, including Washington D.C. and Virginia, according to a court affidavit.  According to some reports, he may have exploited as many as 47 women.

Two of the women involved blame Mr. Bronk, but they also blame Facebook and unnamed email providers for failing to secure their privacy.  Mr. Bronk's attorney also blamed Facebook for not catching him in the act sooner.  Facebook and e-mail service providers have faced legal action stemming from victims of similar incidents in the past.  Facebook has been a favorite haunt for those looking to victimize others sexually.

Comments     Threshold

This article is over a month old, voting and posting comments is disabled

The main problem...
By aegisofrime on 1/17/2011 9:15:57 AM , Rating: 5
In my opinion the main problem is the choice of security questions that some sites offer. Things like "Where did you grow up" or "Your mother's maiden name" are easily guessed by anyone who knows you well. Sure, you can probably enter a false answer, but then you might forget it.

Then there's also questions for things that aren't constant, involving taste and opinion. "What's your favorite color?" Well, I have no favorite color, and if I do I imagine it might change from time to time.

The worst thing though is that these "security questions" are required by some sites; you can't sign up unless you fill them in. I find myself having to remember the false answer in addition to a unique password.

RE: The main problem...
By amanojaku on 1/17/11, Rating: -1
RE: The main problem...
By mcnabney on 1/17/2011 9:34:55 AM , Rating: 2
Although I haven't forgotten any passwords (I use several, depending on the purpose of the account), I would imagine even email passwords can be forgotten. With the advent of autofill and 'remembered' passwords, I haven't typed my email password for a couple years.

RE: The main problem...
By xsilver on 1/17/2011 9:39:49 AM , Rating: 2
you're only 1 stolen laptop/computer away from being either very sorry or very poor.

RE: The main problem...
By wiz220 on 1/17/2011 10:35:55 AM , Rating: 2
Eh, only if his machine auto logs on. Although Windows XP was exceedingly easy to get into or reset passwords on. Have they figured out how to crack/reset Win7 passwords with a boot CD yet?

RE: The main problem...
By bah12 on 1/17/2011 12:23:17 PM , Rating: 3
Have they figured out how to crack/reset Win7 passwords with a boot CD yet?
Using Dictionary attacks yes, but even a fairly cryptic password is enough to make those disks fail. Too bad most people still use formal words/names.

RE: The main problem...
By nafhan on 1/17/2011 1:40:16 PM , Rating: 5
Unless you've turned on some form of drive or file encryption, the login password doesn't offer much security against someone with physical access to the machine. A simple boot CD or just physically transferring the hard drive to another PC will give someone access to all the files on the drive.

RE: The main problem...
By Breathless on 1/18/2011 11:20:59 AM , Rating: 2
Hirens much? I'll get past your password in less than 5 mins

RE: The main problem...
By delphinus100 on 1/22/2011 8:35:39 PM , Rating: 2
I would imagine even email passwords can be forgotten. With the advent of autofill and 'remembered' passwords...

I know someone to whom exactly that happened. She had to create a whole new account.

RE: The main problem...
By aegisofrime on 1/17/2011 9:37:46 AM , Rating: 3
I know almost everyone uses the same password for every site. However, I actually make it a point to try to use unique ones for critical sites like my bank account, my email and my Facebook. I have one common password for throwaway sites like forums and such.

And you are right that one should not be able to forget his email password. The issue I'm pointing out is the existence of a facility to recover one's password, and the weakness in this facility.

I'm assuming the yous in your post is referring to me. If so, I agree with your points, but to reiterate, I'm pointing out the questionable practices that some email services use that compromises their users' security.

RE: The main problem...
By amanojaku on 1/17/2011 10:02:07 AM , Rating: 2
I didn't mean you, aegisofrime, I meant you, the reader of my post, and any Internet user. Sorry for the confusion.

I was trying to make the point that in the event of a lost site password a person could have an automatically generated email sent to his/her account. The email would include a link to reset the site password. This is how corporate sites work. Everyone I know logs into his/her email daily, so the probability of a forgotten email password is low. Unless you use auto-fill, in which case security isn't a big concern for you.

I've never trusted security questions for the same reason this article was posted. It's well known that the people who know you the most (ex-lovers, ex-friends, etc...) are the ones most likely to break into your accounts. This particular criminal is an exception in that he patiently researched his victims, who were stupid enough to supply vital details to the public.

I also advocate unique passwords, but I'm being realistic in assuming people reuse the same one. There are people who would use "12345" if it was allowed.

RE: The main problem...
By sviola on 1/17/2011 10:14:21 AM , Rating: 2
There are people who would use "12345" if it was allowed.

Yup, also, there are the "qwerty" and "qazzaq" password people.

Most people are just unaware to the damages implied in having their passwords compromised.

RE: The main problem...
By Solandri on 1/17/2011 2:16:19 PM , Rating: 3
Not just unaware, but oblivious and in denial. I ran into the same problem with physical keys. At a previous workplace we had electric carts for traveling around the (outdoor) premises. Many of the workers had the bad habit of just leaving their keys in the carts instead of taking 1 second to remove them when they left the vehicle.

As a manager, I felt it was my responsibility to expound on the security risk this presented. I talked about it to the employees over and over and stressed the importance of taking the keys with you. And still most people just left their keys in the carts. Eventually, one day, I ran across a cart with its key in it, so I simply took the key and let the guy run around for 20 minutes looking for it before I returned it to him.

I thought it would be a good lesson to him on the dangers of leaving keys in the carts. After all, I could have stolen the cart, not just taken the key. Instead, I was the one who was reprimanded. People's sense of risk assessment gets all screwed up when trying to compare a real loss (guy running around for 20 min unable to do his work) with a potential loss (danger of cart being stolen). (I was vindicated in the end though. A year after I quit working there, one of the carts was stolen when a thief simply drove it off the premises, key and all. $6000 gone just like that.)

RE: The main problem...
By vol7ron on 1/23/2011 3:44:07 AM , Rating: 2
Not to mention, large sites can be compromised. Remember Gawker:

I've mentioned this many times before, but the security questions are of themselves, insecure. Sites have increased their password securities by upping the criteria (8+ chars, must use numbers, must use special chars, must have at least one capital, cannot use part of name or username, etc), but then you get to the security question and it's like "What was your first dog's name?" - if answered honestly, not only is it less secure by not having to use a certain combination of alpha-numerics, but you can filter the possibilities down much easier (searching for common dog names).

I think Lifehacker put out some good password naming guidelines:

RE: The main problem...
By nafhan on 1/17/2011 9:44:50 AM , Rating: 2
It's certainly not as simple a problem as people commenting on technology sites make it sound. If this wasn't a real problem, then it wouldn't be an issue for so many people. A website forced to choose between being more secure for it's customers sake or losing a large number of customers will often choose less secure.

RE: The main problem...
By The Raven on 1/17/2011 10:00:18 AM , Rating: 2
Actually it is simple. You don't put info up that you don't want people to get. The reason that FB isn't as secure as a bank's site is that people aren't demanding the security. Personally I don't care if anyone gets access to any of my FB info (its really minimalistic). I don't trust FB enough and really don't find the need for it to be secure. The point of the thing is so I can see what is going on with friends and let people know stuff about me. Why would I want to keep stuff I want people to know about hidden?

If people are really worried about the risks involved and have no idea how to safeguard their info better, then I suggest they just get a simple blog that everyone can see and keep it all above the belt knowing that the public can access it at anytime. Relying on FB/Google/MS's privacy settings is folly.
It's certainly not as simple a problem as people commenting on technology sites make it sound. If this wasn't a real problem, then it wouldn't be an issue for so many people.

If so many people weren't so simple minded then this wouldn't be a real problem. It certainly isn't a problem for me and most people (from what I know) since I don't have naked pictures of myself in the cloud. I suggest that everyone have the same policy.

RE: The main problem...
By nafhan on 1/17/2011 1:22:23 PM , Rating: 2
You're correct, implementing common sense measures to protect online privacy is relatively simple. Now, I'd like you to convince millions of people that it's worth 5 minutes of their time to do so. That's apparently kind of difficult...

RE: The main problem...
By rudy on 1/17/2011 3:27:29 PM , Rating: 2
On top of that if you really want security you need to have a strong password 10+ chars and change it every 3 months. Some places force you to do this. Also different websites have different limits. I have 1 password that is often longer than allowed at various websites. So I cannot use that one. Then I have strong passwords that can not be used due to ilegal chars at other sites. Over the years my passwords have changed. I do keep separate passwords for sites depending on the security I need. I do not forget any passwords ever but I have enough that I some times cannot remember which password goes with a particular account. Since I have more than 5 I can get locked out of my sites trying. You do not have to be stupid to have an issue. On top of that some sites force you to use password recovery or some banks consider it part of authentication. So if you really want to be secure you need to make up Passwords for those questions.

So I now have around 20 passwords I need to keep up on plus security questions.

RE: The main problem...
By fic2 on 1/18/2011 7:46:30 PM , Rating: 2
The "illegal" char thing really pisses me off since they actually have to do work to filter these characters which are usually just the shifted number keys. Also why limit the length or at least make it something like 50 characters. It should just be hashed anyway the computer doesn't give a crap about the length.

RE: The main problem...
By Alexstarfire on 1/17/2011 9:49:32 AM , Rating: 2
I used to think the same thing.... then I started going to college and have since transferred to another college. I can tell you now that I try to use the same password for most of my sites. Not like people could guess it anyway since it's very complicated. However, there are several sites, including the two colleges, that require you to change your password every so often and you can never, I repeat, NEVER use a password you have previously used. After a couple passwords you start deviating off the base password quite a bit. Not imagine this for several sites on top of the likely dozens of other sites that require passwords as well many of which have different password requirement.

That said, I don't use auto-fill forms and such, for obvious reasons, and still have managed to remember all my passwords that I set (or at least the variations of it that I use), but it's very easy to see how people can forget them.

Only passwords I forget are the randomly generated ones. I have 2-3 sites that use randomly generated passwords that you can't change. I'm sorry, but I'm never going to remember that password since I don't use the site all that much.

BTW, your "easier" method wouldn't have helped with the way this guy was doing things. He already had access to the email account. If you mean in place of security questions to reset a password then I whole-heartedly agree. Nearly all security questions I've come across are useless for one reason or another.

RE: The main problem...
By AntiM on 1/17/2011 9:41:40 AM , Rating: 2
I think the main problem in this case is that these women simply posted too much personal information. The email providers are required to strike a balance between security, and providing users access their email and helping them when they forget their password.
People should also know that they shouldn't send anything in an email that they wouldn't put on a post card.
So, what's the main problem? Is it that online services aren't secure enough, or is it that people are too careless?

RE: The main problem...
By mindless1 on 1/17/2011 2:39:06 PM , Rating: 2
The main problem is stupid people screw up in many areas of life - including this. You can't fix stupid, and in trying to you just ruin things for everyone else who had enough sense to avoid these types of problems.

RE: The main problem...
By VahnTitrio on 1/17/2011 10:53:02 AM , Rating: 2
Pick a favorite TV character and then answer all the security questions as if you were them. Then all you have to do is remember which character you used, google can handle the rest.

RE: The main problem...
By AlexWade on 1/17/2011 12:43:24 PM , Rating: 2
I fill in bogus answers to the security questions. For example, you could answer "your mother's maiden name" with "mr. smith".

RE: The main problem...
By Solandri on 1/17/2011 2:22:26 PM , Rating: 2
At that point, it ceases being a security question and just becomes a backup password. Backup passwords are just as difficult to remember (and just as easy to forget) as the primary password.

The better sites let you create a custom security question and answer. These tend to work a lot better as you can tailor the question to jog a memory only you would remember.

RE: The main problem...
By mindless1 on 1/17/2011 2:46:13 PM , Rating: 1
You do not need a custom security question, just a standard answer that you will remember but that isn't an intuitive answer someone could troll on and glean info about because it is nonsensical. For example,

"Your mother's maiden name" = "I like plastic"

"Your favorite color" = "I like plastic"

"Your high school" = "I like plastic"

RE: The main problem...
By rs2 on 1/18/2011 7:13:06 AM , Rating: 2
Actually I think the main problem is the degenerate meaning of the words "hack" and "hacker" as used in the popular media. These words used to imply using some degree of cleverness and intellect to solve or bypass a problem that is generally considered to be unsolvable (or not solvable in any trivial way).

But now apparently anyone who gets someone's e-mail password through brute-force-like methods such as stalking them online and sifting through public postings that they make until they carelessly let a clue slip is some sort of master hacker.

The term "hacker" used to imply a degree of intellect and sophistication. To call someone a hacker was not to just say that they might get into places they're not supposed to go, but that they are also a good deal more intelligent than the average person on the street, and that their digital trespasses are just as likely to stem from a desire to be challenged as from any sort of sinister intent. Not so anymore, however, and that's a real shame. I think it's time to take the word back.

The guy in this article is not a hacker. He's just some poor lonely sob who realized that if he spent enough time digitally stalking enough women, eventually some of them would let enough personal information slip for him to reason out their password. That's not a clever or intelligent approach, it's just a predator picking off the weakest targets. A real hacker wouldn't need to wait around for a random victim to expose itself. A real hacker would choose his target, and then the rest would be over quickly.

RE: The main problem...
By redeem4god on 1/24/2011 1:42:00 AM , Rating: 2
Agreed but I'd like to further expand that as not necessarily the choices that are available but rather the lack of choices available. I think the option should always be given to make up your own security questions thereby lending a level of uniqueness to an individual, like our fingerprints

Facebook has always been IMO to be just as flawed as Myspace and to think he got in the California Hall of Fame. He can't even control something, again IMO, which he at the very least partially stole. He isn't that great as all he did was expand on what Myspace was already doing. Facebook, is a hobby, game nothing more. If you want solid, serious Networking I would go with LinkedIn.

I use to think the level of security for my Credit Unions online banking was obnoxious but Social sites could stand to learn a lot of their level of security

RE: The main problem...
By redeem4god on 1/24/2011 1:51:55 AM , Rating: 2
I also would like to point out that the title is a little misleading. This idiot is no hacker. snooping around to discover a users password with no talent or computer forensics capability doesn't make him a hacker. The guy didn't do any kind of brute force attack or packet sniffing of any kind, which shows just how easy Facebook is.

I also have to pointout that...yah each user has the ability to keep their email private. I only give it out when asked and NOT through facebook. If he was a real hacker, a GOOD hacker he would have properly "spoofed" his IP address via VPN/SSH tuneling.

BTW it's scary that this hits home because I live not far from where the perp lived and work for the very Court House he will be tried.

RE: The main problem...
By callmeroy on 1/24/2011 11:22:36 AM , Rating: 2
I hate that myself -- the forced security questions that is.

I not only get annoyed by that but in a strange way I also am a bit humored...

I mean its a social networking site not my bank account. I control how much detail about me is on the site right? So isn't it my own stupid fault if I give so much information people can steal my ID or do whatever?

On my FB account you'll get my real name...that's about it. Other info like birthday and all is left blank if it can be or its filled in with bogus info.

By Camikazi on 1/17/2011 9:19:33 AM , Rating: 3
Wait, these victims choose to show their e-mail addresses on facebook (something you can choose to hide), then they make wall posts that gives clues to their secret questions yet it's Facebooks and E-mail providers fault they got their e-mail broken into? That is just stupid, I understand Facebooks privacy security is not great but they cannot protect you from your own stupidity.

RE: Blame
By jwdR1 on 1/17/2011 9:34:23 AM , Rating: 2
They could at least make the open privacy settings opt-in vs. opt-out. If someone creates a new account it should default to the most private and secure then let the user open it up to the world.

I've long since deleted my account due to their privacy policies but at the time finding where turning off some of these features was not intuitive.

RE: Blame
By Camikazi on 1/17/2011 3:30:27 PM , Rating: 2
That won't happen since (I really don't like saying this) the average social network users are idiots. If you defaulted everything to off the company would get HUGE amounts of emails about their information like email and stuff not showing up and how to turn it back on. They are on by default cause it is a social network and the reason it exists is to share yourself with others you know.

It's not Facebooks fault they add every random person who sends a friend request and end up having people like this guy on their friends list and end up becoming victims of their own stupidity. If people would use social networks how they were meant to be used and not just a huge pool to expand their farm this wouldn't happen as much.

RE: Blame
By The Raven on 1/17/2011 9:46:59 AM , Rating: 2
It is true that the blame should be on the dolts who let these pics get out. If you want take a naked picture of yourself and then put it in the cloud, you need to first assume that the public will get access to the pics, and then do your best to not let that happen.
Actually, you should first ask if it is necessary to put the pic out there to begin with!

Like Zuckerberg told Leslie Stahl -
"It's against all of our policies for an app to ever share information. We shut them down if they do... Do we get it right all the time? No. But it's something we take seriously and every day we come to work and try to do a good job on this... It's an important thing for everyone to think about - privacy and making sure we have control of our information is one of the fundamental things on the internet."
You lose that control when you put it somewhere that you don't control. And most of the users on FB/Webmail clients don't control the servers that they have their information on. And there is nothing in FB's record that would lead anyone with half a brain to expect watertight security from them.

RE: Blame
By nafhan on 1/17/2011 9:53:24 AM , Rating: 2
Sites like FB (and most webmail providers) get to choose between:
-Convenience* for users and making extra advertising money

Guess which one they'll pick every time? It'll continue that way until people realize that online privacy is important.

*Convenience = not having to spend time immediately messing with stuff. Long term, convenience and privacy would be the same thing.

By dsx724 on 1/17/2011 8:59:07 AM , Rating: 1
OP is probably a /b/tard. Those women deserved it for their lack of common sense.

RE: Fail
By xsilver on 1/17/2011 9:43:08 AM , Rating: 2
sorry to straight away misuse one of the above posts but isnt that like a rapist claiming "she was naked and the window was open" ?

RE: Fail
By Alexstarfire on 1/17/2011 9:54:18 AM , Rating: 2
It's also like saying the keys were in the ignition and the car was unlocked. Just because it's there doesn't give you the right to take/do it. Of course, the victims also lose their right to be angry since it was their fault it happened to begin with.

And no, that last sentence doesn't apply to everything/everyone.

RE: Fail
By dsx724 on 1/17/2011 10:03:11 AM , Rating: 3
I didn't say the guy doesn't deserve to go to jail. I said the women were at fault too in this situation. Ignorance is not a justification. It's just dumb. Just like if you were to go to sleep naked and leave the window open on the first floor of some motel.

RE: Fail
By mindless1 on 1/17/2011 2:54:50 PM , Rating: 1
It's like laying a t-bone steak in front of a hungry dog. You didn't tell the dog it could eat that steak, but you have to assume that one thing leads to another...

Regardless of what you feel about...
By amanojaku on 1/17/2011 9:19:05 AM , Rating: 2
Facebook, privacy and human stupidity, the nail was hammered into the coffin.
He has plead guilty to seven felonies in state Superior Court, including computer intrusion, false impersonation and possession of child pornography.
Bury him.

By mcnabney on 1/17/2011 9:37:46 AM , Rating: 3
All that means is that one of the email accounts he got into belonged to a minor.

A minor who also possessed that CP, of herself.

Should the victim also be charged? Technically, she was most likely even the CREATOR of the CP.

the blond hair isn't fooling anyone
By ipay on 1/17/2011 12:22:18 PM , Rating: 4
I wasn't expecting that from you, Jason Bourne.

Virtual Rape
By Ristogod on 1/17/2011 9:10:46 AM , Rating: 1
I can just see it now. They are going to coin that term and use it in every single prosecuting opportunity they can think of. Next we'll see an abundance of women claiming "virtual rape" for just about anything, much like we see in the real world.

RE: Virtual Rape
By Solandri on 1/17/2011 2:01:45 PM , Rating: 2
That's not really a problem. Just send the perpetrators to virtual prison.

All joking aside, despite the potential for abuse, it is a real problem. Our real-life personas intermingle with our virtual personas to varying degrees. The more you mingle the two, the greater the possibility of suffering real emotional, reputational, and even financial harm from what goes on in the virtual world. The first time I saw the problem really identified was in 1993 - even when using completely anonymous personas in a virtual world, the social interactions and a person's identification with that persona are most certainly real.

And like back then, there still aren't any clear answers on what's the best way to handle it. In the above case, the crime was committed in virtual space, as was the punishment (virtual execution - deletion of the wrongdoer's account). But the ramifications of the incident touched real people's lives and psyches.

Another potential land mine this could trigger is that of privacy. If it's bad for an individual to collect and use your personal info without your consent, then certainly it must also be bad for a corporation to do the same. But a large part of the modern WWW's financial structure has been built upon doing just that - harvesting people's personal info for marketing purposes.

All of these are difficult questions without simple answers which we're going to have to address in the coming decades.

Never use'em
By ZachDontScare on 1/17/2011 2:49:57 PM , Rating: 2
This is why I *never* to use these 'backup questions'. There have been far too many instances of people breaking into accounts using them. For sites who require them, I enter random characters and numbers.

If you want to keep track of your passwords write them down and keep them someplace safe, or use an encrypted file to store them.

"Mac OS X is like living in a farmhouse in the country with no locks, and Windows is living in a house with bars on the windows in the bad part of town." -- Charlie Miller

Most Popular ArticlesSmartphone Screen Protectors – What To Look For
September 21, 2016, 9:33 AM
UN Meeting to Tackle Antimicrobial Resistance
September 21, 2016, 9:52 AM
Walmart may get "Robot Shopping Carts?"
September 17, 2016, 6:01 AM
5 Cases for iPhone 7 and 7 iPhone Plus
September 18, 2016, 10:08 AM
Update: Problem-Free Galaxy Note7s CPSC Approved
September 22, 2016, 5:30 AM

Copyright 2016 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki