Date: 2020-01-31

More than a bit of "I'm smarter than you" politics creates the divide between hacking headlines and what we actually need to worry about. On one side, researchers present findings at conferences hoping someone will raise the alarm and practical things will get done before things get worse. On the other, we have Jeff Bezos and his iPhone.

In case you missed it, on January 22 the Guardian reported: "Amazon billionaire Jeff Bezos had his mobile phone 'hacked' in 2018 after receiving a WhatsApp message that had apparently been sent from the personal account of the crown prince of Saudi Arabia."

According to the now-contested report by FTI Consulting cited by the Guardian, that was in April. I was curious enough to notice that the "hey boi r u up" texts between Crown Prince Mohammed bin Salman and Jeff Bezos were exchanged before Jamal Khashoggi was murdered in October of that same year.

Questions, we have them. But Khashoggi's name is hard to find in the wider reporting about Bezos's iPhone — which has been a mess from the start. Instead, a former-Facebook security pundit and at least one actual researcher snatched the spotlight to say FTI's report was lacking in facts.

The self-appointed infosec "adults in the room" weren't wrong. But it was a pedantic and selfish distraction from anything that mattered about the whole affair.

Normal people read about the maybe-hacking of Jeff Bezos's phone and just shrugged. He can afford the best security on the planet. Saudi Arabia's Prince Klaus von Bonesaw is a monster. Everyone's getting hacked, especially us peasants. These are all things we know.

What we also know is that the supposed phone hack came via an attachment. And, if the hack happened, an attachment was clicked. It's the same way the City of Baltimore's computers and emergency systems at Hollywood Presbyterian Hospital were infected and locked with ransomware. And it's how consumers are losing identities and accounts from malware, learning how to send Bitcoin to grubby teenage boys in latitudes and longitudes unknown because of ransomware. Click a link. Look at an attachment. Download a file. That's it. An attacker went phishing and now you're on the hook.

All that is from phishing, though what we hear about most are the breaches. Attackers grabbing usernames and passwords from breach dumps, then using tools with cutesy names like SNIPR or STORM to automatically try them out on all your accounts to see what works. Which they do because Equifax used default passwords on sensitive information, Facebook was so busy lying to everyone it left the barn doors open, and the City of New Orleans refused to believe cybersecurity is critical infrastructure.

So much for "the adults in the room."

I attended a recent hacking conference in San Francisco called Disclosure expecting a lot of the same fresh hells. The "I'm smarter than you" guys competing for attention while alarmed researchers in the background are trying to tell us something's on fire.

I was not disappointed.

Apropos of what was happening (or not) to Jeff Bezos at that very moment, I saw the talk "Initial Public Ownage: Trends in Phishing Techniques Across Sophisticated Threat Actors." Sounds boring, right? Nope.

According to jaw-dropping data presented by Proofpoint's Ryan Kalember, phishing is now the #1 attack of choice for cybercriminals. "Phishing is attractive for different reasons for the attackers that do have technical skills, because it scales really well," Kalember told Engadget via email. "The bigger groups, like the threat actor behind Emotet, have built the automation to do social engineering at the scale of millions of messages a day, and are very good at getting their relatively simple attacks (often documents with macros sent via already phished cloud email accounts) through security controls."
