How did the National Enquirer obtain the richest man in the world’s sexts?
While the truth remains a closely guarded secret, plenty of theories have been floated. Gavin de Becker, the sagacious security consultant granted carte blanche to investigate the situation by Jeff Bezos, the ultra-billionaire founder of Amazon, alleged adulterer, and target of the Enquirer’s prurient exposé, supposedly believes his boss was not hacked. That’s what Manuel Roig-Franzia, a feature writer with the Washington Post, a publication Bezos owns, says de Becker told him anyway, adding that de Becker believes the leak may have been “politically motivated.” In a recent interview on MSNBC, Roig-Franzia added that de Becker, with whom Roig-Franzia says he has chatted extensively about Bezos’ predicament, is entertaining the possibility “that a government entity might have gotten hold” of Bezos’ text messages and then, somehow, these texts found their way into said tabloid.
Considering for a moment that this might be true, which regime might have done so? Michael Sanchez, an avid Trump supporter and brother of Lauren Sanchez, Bezos’ mistress, has apparently discussed with de Becker the possibility that the president, an avowed Bezos opponent, enlisted allied intelligence services, such as those run by the UK and Israel, to dig up the dirt. It’s a fantastical scenario that stretches the imagination beyond all elasticity. Bezos, on the other hand, seemed to intimate in an essay on the blogging site Medium that the intrusion could have involved another state actor. Specifically, Bezos dwelled on connections between American Media Inc., the Enquirer’s parent, and Saudi Arabia. (The recent murder of Washington Post columnist Jamal Khashoggi by Saudi agents, and the kingdom’s reported penchant for mobile spyware, lend plausibility.)
To be clear: I have no privileged information about the entity behind this whodunnit caper; I will note, however, a worthwhile contribution toward the howdunnit. In all the speculation, a blog post by Rob Graham, CEO of Errata Security, a hacking shop, stood out. Using a cheap, online “people finder” service, he was able to discover possible contact information for Bezos’ ladylove, including email addresses, phone numbers, and the names of close relatives. Entering Sanchez’s email addresses into a database of compromised login credentials—the recent mega-leak dubbed “Collection #1”—turned up associated passwords. If Sanchez reused compromised passwords to secure Bezos’ love notes, this might explain the dallying duo’s undoing. If that’s true, then the methods behind this intrusion might not have involved super-sophisticated spy-craft so much as teenage hacker hi-jinx.
Again, I have no idea how these leaks were procured, or who did it, but Graham’s findings suggest at least one possible, simple explanation. If the security of both parties to a conversation is not up to snuff, everyone suffers. “If you send sexy messages and you are a celebrity, there are large parts of the hacker underground who specialize in trying to steal them,” Graham notes—a statement that is not an endorsement, but a reality. Through password reuse and phishing attacks, “getting celebrity nude pics is fairly simple.” He adds: “there is no reason to consider conspiracy theories at this time.”
People interested in protecting their own privacy might consider the following advice: Segment your information by using multiple email accounts dissociated from your real-life identity. Secure your digital accounts with strong and unique passwords—and use a tool like HaveIBeenPwned to make sure none of these has been compromised. Adopt two-factor authentication as an added layer of protection. And finally, instruct confidantes in the merits and methods of proper digital security. (Heck, you might even recommend they sign up for this newsletter.)
If a nation state goes after you, it’s likely game over. But there are steps you can take to make it harder for run-of-the-mill hackers to get their hands on your goodies.
Robert Hackett
@rhhackett
robert.hackett@fortune.com
Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. Fortune reporter Robert Hackett here. You may reach Robert Hackett via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.
THREATS
Diamonds are forever. Chinese phone-maker allegedly tried to steal diamond-coated glass technology from Akhan Semiconductor, a small U.S.-based technology firm, reported Bloomberg Businessweek. The story features scenes from an FBI sting operation targeting a Huawei executive at the Consumer Electronics Show in Las Vegas a month ago. It's unclear whether the saga will result in any legal actions. On a related note: President Donald Trump is expected to sign an executive order banning Huawei equipment from 5G networks in the U.S., according to Politico.
iWaymen. Indictments against two alleged serial SIM swappers, a form of phone fraud popular among cryptocurrency thieves, were unsealed in Northern California this week. The charges are the latest aimed at a tight circle of admitted and suspected culprits. Meanwhile, thieves are getting clever about how to break into iCloud-locked phones—by phishing, duping unwitting Apple Store employees, and reprogramming phone CPUs.
'X' marks the spot. Last month Motherboard exposed a blackmarket for location data by paying a bounty hunter to provide the coordinates of almost any cellphone in the U.S. based solely on its number. Apparently, the situation is far worse than that initial report made it seem: Hundreds of bounty hunters have had access to even more accurate GPS data than originally thought. "The news shows how widely available Americans’ sensitive location data was to bounty hunters," Motherboard writes.
The house always wins. A messy one: Atrient, a maker of so-called loyalty kiosks, where gamblers can register to earn rewards at casinos, sold vulnerability-ridden products that failed to secure people's personal information, cybersecurity blog Secjuice reported. When a couple of security researchers attempted to alert Atrient that it needed to patch its holes, the company is said to have given them the runaround for months. Later, when the pair approached an Atrient executive in person at a conference to express their concerns, the executive allegedly assaulted one of them. (After the incident, Atrient tweeted that the security researchers were no-good hackers engaging in foul play, but the company later deleted the statements...)
Tell me lies, tell me sweet little lies.
Share today's Cyber Saturday with a friend:
http://fortune.com/newsletter/cybersaturday/
Looking for previous Data Sheets? Click here
ACCESS GRANTED
Face(book) the music. The blunt manner of Alex Stamos, Facebook's outspoken former chief security officer, is said to have rubbed executives the wrong way during his brief stint at the media giant, writes Roger Parloff, a former Fortune colleague, in this juicy profile for Yahoo Finance. Reportedly, Stamos clashed with senior leaders, such as Sheryl Sandberg, Facebook's chief operating officer, as he dealt with Russian disinformation and election interference campaigns. Stamos, who Fortune named to its 2015 40 Under 40 list, is "a complex man we will be hearing about, and from, for years to come," Parloff says, noting that the cybersecurity guru is now spearheading a democracy-protecting research institute at Stanford University.
Here's a snippet about Stamos from the feature.
From his colleagues, a picture emerges of an inspiring, but polarizing figure. There’s a reason Facebook nudged Stamos toward the exit door. Some former colleagues—including many who still revere him—acknowledge that he is “impolitic,” “volatile,” “dogmatic,” “a self-promoter,” “exhausting,” “rough around the edges,” “not the greatest manager,” “short-tempered,” and, above all, “unfiltered.”
In fact, these are strengths, some claim, because they’re what give him the “cojones” to speak truth to power, as one puts it.
But they take their toll.
FORTUNE RECON
Trump Tipped to Ban Chinese Equipment from U.S. Mobile Networks by David Meyer
Apple iOS Update Fixes Group FaceTime Privacy Bug. Reward Goes to Teen Who Discovered the Glitch by Alyssa Newcomb
Android Bug Lets Hackers Attack a Phone Using Only an Image File by Alyssa Newcomb
Why Are Security Cameras Getting Hacked? Your Sloppy Password Management, Nest Says by John Patrick Pullen
WhatsApp Bans 2 Million Fake or Abusive Accounts Each Month by Don Reisinger
You Can Finally Unsend Texts in Facebook Messenger by Chris Morris
Google's New Feature Will Make It Harder for Hacks to Spread by Natasha Bach
Zcash Discloses Vulnerability That Could Have Allowed 'Infinite Counterfeit' Cryptocurrency by Robert Hackett
Instagram Chief Admits the Company Needs to Do Much More to Protect Users From Harmful Content by Kevin Kelleher
ONE MORE THING
From the horse's mouth. Risky Business, a delightful information security podcast, featured Rob Joyce, a National Security Agency veteran and former top cybersecurity advisor to President Donald Trump, on the latest episode of its show. Joyce weighs in on a range of topics: indictments of foreign hackers, controversy over 5G telecom infrastructure, and the shifting strategies of America's spies. If you're interested in getting up to speed on the state of global cybersecurity from arguably the world's foremost expert, this interview is well worth a listen.
