CHARLES WARZEL: Jeff Bezos' phone hack should terrify everyone
Saturday, Jan. 25, 2020 -- Those with the most to lose don't always safeguard their privacy very well. You can do better.
Posted — UpdatedIf the Saudi crown prince, Mohammed bin Salman, wants to chat on WhatsApp, politely decline.
Still, the story seems to have everything: from lighthearted, embarrassingly earnest texts, “divorced guy” memes and world leaders who awkwardly sign their text messages with their full names to the deeply problematic issue of revenge porn and stealing of private nude photos. Although it’s a gilded example of digital theft, there’s something troubling and relatable about it all. Billionaires, they’re just like us!
Turns out, there’s some. Yes, your personal privacy and security are constantly under threat. And yes, you should be trying to safeguard against malware, phishing and bulk data collection. But the Bezos attack is an example of extremely targeted surveillance, the potentially expensive and risky kind that is aimed at high-value targets like executives, government officials, celebrities and billionaires. And as it turns out, many of those with the most to lose are woefully inept at safeguarding their privacy.
Not long after the Bezos news broke this week, I spoke to Christopher Pierson, who founded BlackCloak, a cybersecurity company for high-net-worth and high-profile individuals — executives, celebrities and billionaires. According to Pierson, few people take their digital lives as seriously as they should.
“The majority of clients we onboard come on in some kind of hacked state,” he told me. “Their computers are compromised or their login credentials are available on dark web. Their home camera systems are accessible to people on internet or their entire home and appliances are vulnerable and viewable by persons remotely.” Pierson suggests that’s in part because high-value targets choose to focus on physical security over digital and invest in private bodyguards, camera systems and protections like kidnapping insurance.
How bad is it? “We see passwords in little black books on desks by the machines and in files on the computers. We see passwords that are the same everywhere. We absolutely do not see good use of dual-factor authentication on email, health care and financial accounts. I’d say we see less than 1% of high-net-worth individuals using dual factor.”
Pierson said BlackCloak has found more than 82% of its clients’ current passwords on the dark web when it ran an initial search. “In the case of high-net-worth individuals, the same compromised password is frequently used by 20 to 40 different accounts — some of those are personal, some are in the office.”
What Pierson describes is low-hanging fruit — the kind of security flaws that can quickly be fixed with a little knowledge and attention to detail. Even then, he said, it takes time for the true nature of clients’ vulnerability to sink in. “They’re shocked when we give them their password and tell them where we found it, but it doesn’t hit as hard as when we tell them their entire home automation system has been potentially online and viewable for three or five or eight years,” he said.
When it comes to a Bezos-style breach — potentially at the hands of a nation-state’s intelligence service — high-profile targets would most likely be even less prepared. As Bezos’ lengthy investigation into the 2018 attack shows, it’s difficult to get straight answers even when you have the money and resources to run full forensics.
For most of us, the attack against Bezos isn’t the death of privacy, but a reminder of the risks of living a connected life. It should be a moment to think as critically about what you do online as you might in the real world. Invest in a password manager. Turn on dual-factor authentication. Be skeptical of any communication that looks out of place.
The internet has long been thought of as a truly democratic tool, flattening and democratizing the ability to publish and communicate. It’s also the great privacy equalizer. Money can buy a lot of things. But on a dangerous internet full of exploits, flawed code, shady actors and absent-minded humans, total, foolproof security is not one of them.
Copyright 2024 New York Times News Service. All rights reserved.