A former NASA contractor has been arrested for allegedly sextorting nude photos out of women.
The US Department of Justice (DOJ) said on Wednesday that Richard Gregory Bauer, 28, a former contractor at NASA Armstrong Flight Research Center who used aliases including “Steve Smith,” “John Smith,” and “Garret,” was arrested by special agents with NASA’s Office of Inspector General.
Bauer allegedly targeted seven women with online threats to publish nude photos unless the victims provided him with additional explicit pictures. A 14-count indictment charges Bauer with stalking, unauthorized access to a protected computer, and aggravated identity theft.
According to the indictment, over the past several years, Bauer harassed his victims on Facebook and via email. Masking his identity, he told the women that he had nude photos of them… photos that he did, in fact, allegedly have for six of the seven victims. Bauer allegedly sent the women their nude photos, claimed to have more, and threatened to post the images online unless the women sent him additional photos of them undressed.
How did he get the photos? By allegedly hacking passwords for social media accounts. Using his real name, Bauer is said to have reached out to his victims on Facebook, asking them questions that were purportedly for a project he was working on for a “human societies class.”
Some of those questions were the same type of thing you’d use to reset your passwords, such as: What’s the name of your first pet? In what city did your parents first meet?
Well, that was probably overkill. Unfortunately, humans are so terrible at password recovery questions that sextortionists and other online crooks don’t have to go to nearly as much trouble as Bauer allegedly did to trick the answers out of us.
As Google researchers have shown, the kinds of questions that are easy to remember are often insecure because answers are common or distributed unevenly across the user population.
From Google’s 2015 paper:
Statistical attacks against secret questions are a real risk because there are common answers shared among many users. For example using a single guess an attacker would have a 19.7% success rate at guessing English-speaking users’ answers for the question “Favorite food?”.
Besides, many of the answers to password recovery options are easily found online, according to research by Ariel Rabkin:
…16% of questions had answers routinely listed publicly in online social networking profiles… Other questions can be found in publicly available records. For example, at least 30% of Texas residents’ mothers’ maiden names can be deduced from birth and marriage records.
Then again, humans, including the women who were targeted in Bauer’s alleged extortion scheme, are pretty easy-going when it comes to simply handing over whatever “secret” is protecting their accounts. Another researcher, Chris Karlof, was able to use email phishing to extract answers from 92% of his targets.
Likely the best a memory-challenged human can do, in order to avoid using common, easy-to-guess or poorly chosen answers, is to generate a random string of letters, numbers and special characters for each question, and then store those strings in a password manager.
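As an added illustration of that advice (example code, not from the article or any of the cited papers), the script below generates a random answer per recovery question with Python’s `secrets` module and reports how a single guess fares against it; the question list and the accepted-character alphabet are constructed assumptions.

```python
import math
import secrets
import string

# Letters, digits and a handful of punctuation characters.
# Assumption: the site's recovery-question form accepts all of these.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"

# Constructed list of questions of the kind described in the article.
QUESTIONS = [
    "What's the name of your first pet?",
    "In what city did your parents first meet?",
    "Favorite food?",
]


def random_answer(length: int = 20) -> str:
    """Return a cryptographically random answer for one recovery question."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy in a uniformly random string of the given length."""
    return length * math.log2(alphabet_size)


def single_guess_success(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Probability that one guess hits a uniformly random answer of this length."""
    return 1.0 / (alphabet_size ** length)


def generate_answers(questions, length: int = 20) -> dict:
    """Map each question to a fresh random answer, ready to paste into a password manager."""
    return {q: random_answer(length) for q in questions}


if __name__ == "__main__":
    for question, answer in generate_answers(QUESTIONS).items():
        print(f"{question} -> {answer}")
    print(f"Entropy per answer: {entropy_bits(20):.1f} bits")
    print(f"Single-guess success: {single_guess_success(20):.3g} "
          "(the article cites 19.7% for a common 'Favorite food?' answer)")
```

Because the answers are meaningless strings, they are immune to the public-record and social-profile lookups described above, which is why they must live in the password manager rather than in memory.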
But back to Bauer: with answers in hand for password resets, he would have been able to hijack his alleged victims’ accounts. Beyond that phishing approach, malware can get a crook what he’s after, and the indictment alleges that Bauer used that path as well: it charges him with allegedly convincing victims to install malware by claiming that he needed the victims’ help in testing software he claimed to have written.
The malware allegedly gave him the ability to capture victims’ passwords. At least twice, he’s alleged to have used logins and passwords belonging to victims to log on to their Facebook and Google email accounts.
If convicted of the 14 charges in the indictment, Bauer would face a statutory maximum sentence of 64 years in federal prison, though maximum sentences are rarely handed out.