A former NASA contractor has been arrested for allegedly sextorting nude photos out of women.
The US Department of Justice (DOJ) said on Wednesday that Richard Gregory Bauer, 28, a former contractor at NASA Armstrong Flight Research Center who used aliases including “Steve Smith,” “John Smith,” and “Garret,” was arrested by special agents with NASA’s Office of Inspector General.
A 14-count indictment claims that Bauer targeted seven women with online threats to publish nude photos unless the victims provided him with additional explicit pictures. Bauer is charged with stalking, unauthorized access to a protected computer, and aggravated identity theft.
According to the indictment, over the past several years, Bauer harassed his victims on Facebook and via email, sending nude photos to six of the seven victims, and threatening to post the images online unless the women sent him additional photos of them undressed.
How did he get the photos?
Using his real name, Bauer is said to have reached out to his victims on Facebook, asking them questions that were purportedly for a project he was working on for a “human societies class”.
Some of those questions were the same type of thing you’d use to reset your passwords, such as: What’s the name of your first pet? In what city did your parents first meet?
As Google researchers have shown, the kinds of questions that are easy to remember are often insecure because answers are common or distributed unevenly across the user population.
Likely the best a memory-challenged human can do, in order to avoid common, easy-to-guess or poorly chosen answers, is to generate a random string of letters, numbers and special characters for each security question and store it in a password manager alongside the account's password.
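The two ideas in the preceding paragraphs, that popular answers are cheap to guess and that random answers are not, can be made concrete in a few lines. The following is an added illustration, not code from the article, the DOJ or NASA; the pet-name answer counts are constructed for the example rather than taken from any survey, and the 94-character alphabet is simply Python's printable ASCII letters, digits and punctuation.

```python
import math
import secrets
import string
from collections import Counter

# Constructed sample of how a user population might answer
# "What was the name of your first pet?". Counts are made up for
# illustration; they only model the skewed shape described in the text.
SAMPLE_PET_ANSWERS = (
    ["Max"] * 30 + ["bella"] * 25 + ["Buddy"] * 20 + ["charlie"] * 15
    + ["Lucy"] * 10 + [f"rare{i}" for i in range(100)]
)

# Character set for generated answers: 52 letters + 10 digits + 32 punctuation = 94.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def top_k_hit_rate(answers, k):
    """Fraction of users whose answer is among the k most common answers.

    This is the success probability of an attacker who knows the population
    distribution and tries only the k most popular guesses (answers are
    compared case-insensitively, as most reset forms do).
    """
    counts = Counter(a.strip().lower() for a in answers)
    total = sum(counts.values())
    covered = sum(c for _, c in counts.most_common(k))
    return covered / total


def random_answer(length=20):
    """Generate a security-question answer with a CSPRNG.

    The result is meant to be pasted into the password manager entry for the
    site, not memorised; it has no relation to the question asked.
    """
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_answer_bits(length=20):
    """Entropy in bits of a random answer drawn uniformly from ALPHABET."""
    return length * math.log2(len(ALPHABET))


def random_top_k_hit_rate(length, k):
    """Success probability of k guesses against a uniform random answer."""
    return min(1.0, k / (len(ALPHABET) ** length))


if __name__ == "__main__":
    for k in (1, 5):
        print(f"top-{k} guesses hit {top_k_hit_rate(SAMPLE_PET_ANSWERS, k):.0%} "
              f"of users with real pet names")
        print(f"top-{k} guesses hit {random_top_k_hit_rate(20, k):.3g} "
              f"of users with 20-char random answers")
    print(f"random 20-char answer: {random_answer()} "
          f"({random_answer_bits():.0f} bits)")
```

With the constructed distribution, five guesses cover half the population, whereas five guesses against a 20-character random answer succeed with probability on the order of 10^-39; the generated string is only useful if it is stored, which is why it belongs in the password manager next to the credential it protects.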
With answers in hand for password resets, Bauer would have been able to take over the accounts.
Beyond that phishing approach, malware can get a crook what he’s after, and the indictment claims that Bauer used that path as well: it charges him with convincing victims to install malware, claiming that he needed their help in testing software he said he’d written, and using the malware to capture their passwords.
If convicted of the 14 charges in the indictment, Bauer would face a statutory maximum sentence of 64 years in federal prison, though maximum sentences are rarely handed out.