



IT Security: Citrus Heights hacker leaves bitter taste in California

California's new Attorney General, Kamala D. Harris, has warned of the risk of widespread identity fraud (unfortunately, she uses the buzzword "identity theft" even though it's patently a rubbish description of the activity). Equally important is the fact that the hacker got the information he needed to hack his victims' mailboxes simply from reading their accounts with Facebook.Com.



 

George Samuel Bronk, 23, of Citrus Heights, faces six years in state prison after entering guilty pleas in Sacramento Superior Court to seven felonies including computer intrusion, false impersonation (that's what so-called "identity theft" is properly called) and possession of child pornography. Bronk will have to register as a sex offender. He will return to court on 10 March for further proceedings relating to his sentence.

From December 2009 until the end of September 2010, Bronk accessed e-mail accounts and Facebook pages of people in 17 states, as well as residents of England.

He essentially found answers to the women’s e-mail security questions in information they had posted on their Facebook sites.

Bronk targeted his victims by scanning Facebook for women who also posted their e-mail addresses there.

He then contacted the woman’s e-mail service, pretending he was the legitimate customer, and claimed to have forgotten the password. Bronk was able to correctly answer security questions posed by the e-mail service by finding the answers on victims’ Facebook pages.

Some of the security questions posed by e-mail providers included, “What is your high school mascot?” “What is your father’s middle name?” “What is your favourite food?” and “What is your favourite colour?”

Once Bronk gained access to the e-mail account, he changed the password and the victim was locked out.

Bronk searched the victim’s “sent mail” folder for nude or semi-nude photographs and videos, which he often sent to the victim’s entire e-mail address book. He also gained access to some victims’ Facebook accounts by clicking the “Forgot Your Password?” link and asking for a new password to be sent to the victim’s e-mail account, which he now controlled. In many cases, he posted the photographs to victims’ Facebook pages and to other Internet sites and made comments on the Facebook sites of friends.

Bronk messaged one victim that he had taken over her e-mail account “because it was funny.” In an on-line chat session with another victim using the name “xogreeneyesx3,” Bronk demanded the victim send him more explicit photographs or he would post the photographs he already had more widely. The victim complied.

The investigation began after one victim contacted the Connecticut State Police, and the agency then contacted the California Highway Patrol because the suspect appeared to be operating here. The CHP requested the Attorney General’s assistance.

On the hard drive of Bronk’s desktop computer, which was confiscated from his Citrus Heights home during a search in September, investigators found more than 170 files containing explicit photographs of women, including a film actress, whose e-mail accounts he had commandeered. Finding victims, however, proved a challenge. CHP and Attorney General agents were able to use location tagging information embedded in the photographs on Bronk’s hard drive to assist in identifying victims, and e-mailed 3,200 questionnaires to potential victims asking them to come forward.

Some 46 victims did, including one who described Bronk’s actions as “virtual rape.”

Bronk was arrested in October and has been held since then on USD500,000 bail.

Attorney General Harris reminded users of e-mail and social networking sites that security questions and answers need to be as secure as passwords. There are steps people can take to avoid being victimized by “security question” hacks. These steps include:

• Pick security questions and answers that do not involve any personal information that is available from social networking sites or any other sites.

• Try to switch the security questions you choose for password protection on e-mail services and social networks.

• Add numbers or special characters to your security answers. For example, the question "What was the name of your High School?" could be answered “Middle02High@School.”
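As an added illustration (it is not part of the Attorney General's advice or of the original article), the Python below shows how a proposed security answer could be checked against what its owner has already posted publicly, which is exactly where Bronk found his answers. The function names, the sample profile, the list of common answers and the minimum length of 8 are all constructed assumptions.

```python
import re
import secrets
import unicodedata

# Constructed examples of answers guessable with no research at all.
COMMON_ANSWERS = {"pizza", "blue", "red", "pink", "chocolate", "pasta"}
MIN_LENGTH = 8  # assumed policy value, not taken from the article

def tokens(text):
    """Lower-case, strip accents, and split into alphanumeric words."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(c for c in text if not unicodedata.combining(c))
    return re.findall(r"[a-z0-9]+", text.lower())

def audit_answer(answer, public_profile):
    """Return the reasons an answer is weak; an empty list means it passed.

    public_profile maps a field name to text the user has posted publicly.
    """
    reasons = []
    words = tokens(answer)
    if sum(len(w) for w in words) < MIN_LENGTH:
        reasons.append("too short")
    if " ".join(words) in COMMON_ANSWERS:
        reasons.append("common answer")
    # Every word of the answer can be read straight off the public profile.
    posted = {w for value in public_profile.values() for w in tokens(value)}
    if words and set(words) <= posted:
        reasons.append("found in public profile")
    return reasons

def random_answer():
    """An answer unrelated to the question, to be kept in a password manager."""
    return secrets.token_hex(8)

# Constructed sample profile, for illustration only.
PROFILE = {
    "about": "Go Jefferson Wildcats! Class of 2005",
    "wall": "Happy birthday to my dad, Robert Alan Smith",
    "likes": "Sushi, hiking, old films",
}

if __name__ == "__main__":
    for candidate in ("Wildcats", "Alan", "blue", random_answer()):
        print(repr(candidate), audit_answer(candidate, PROFILE) or "ok")
```

The mascot and the father's middle name are both flagged because they can be read off the profile, while the random answer passes only because it has nothing to do with the question.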
