Unveiling the mind of a world-famous hacker: an exclusive interview with Bryan Seely
You are known for becoming the only person to ever wiretap the United States Secret Service and FBI. How did you come up with such a plan, and how did you succeed in realizing it?
A few years prior, I was doing data entry for a guy who worked in lead generation, and after quite a long time working for him, I realized that everything we were creating was fictional. Completely fictitious business listings. This was mainly for a few different industries, but the scope and scale were staggering. I eventually quit to find a job that was more in line with what I wanted to do (systems engineering, Microsoft engineering, etc.).
Some years later, I was sitting at home and decided to start looking around at Google Maps, Yelp, Bing Maps and other mapping/business directories, and thought that maybe things would be getting better, but this was not the case. Google was doing a pretty killer job on the worst categories like locksmiths. But overall, business-to-business and business-to-consumer categories were rampantly overrun by spam.
So to summarize the thought process, I thought it would be funny to use what I knew about manipulating Google Maps to make funny business listings to see if that would gather enough attention. It got some mentions on blogs, but really did not accomplish the goal of getting someone to take things seriously.
Then I did a news story with KOMO News in Seattle in which I demonstrated some of the funny business listings, along with some other ones with more serious implications. This got some local media attention, but within the next day or two I thought, why not take things up a notch, and my stupid brain thought, “why not the Secret Service in Washington DC?” You know, the type of people that are super serious, secretive and protect the President, I am sure that they will have a good hard laugh about all of this… Oh, I should also throw in the FBI in San Francisco for good measure.
So I set up listings, with different phone numbers in the exact same places, using “tricks” to get verified listings in places that I should not be able to. This resulted in two identical listings for each agency. Then I flagged the correct agency listings as spam a few times, which triggered their removal, and my Secret Service and FBI listings remained active. The phone numbers I put on the business listings were in fact forwarding numbers that sent users right to the switchboard of the Secret Service and the FBI, but the only problem was that I could record and play back those calls, which makes this a VERY serious issue, and a VERY poor idea on my part. In theory, no one would do anything to verify what I was saying was true if the plan was just on paper; in reality, this is a very serious crime. Once the listings were active, calls started coming in right away and my brain paused and realized, “I need to call someone immediately.”
So I ended up calling some friends to make sure I had a good plan, and then I called the FBI office in San Francisco which ended up with them hanging up on me, and the next day I went to the Secret Service in Seattle and told them what I did.
When planning an attack, what happens in a hacker’s mind? Basically, what are the main steps to follow or, at least, the common ones?
You can easily imagine the steps to most hacking operations. It is very similar to the movies where you see the main characters robbing a bank. You might not have fancy names for all the steps, but here they are:
1. Target Selection
2. Gather information (Reconnaissance)
3. Probe for weak spots, using the information you got in the first level of surveillance
4. Develop Plan
5. Execute
Typically you will not go for the hardest possible route. And with hackers, you can be sure they are really good at managing their time and resources and go after the lowest-hanging fruit possible. They are scanning the Internet – either in whole or in part – or using a variety of online tools to identify potential/easy targets.
Such as Windows servers with unsecured or unpatched Remote Desktop servers connected right to the Internet. Or Citrix / Terminal Services of some kind that is not fully patched and is therefore vulnerable to a known issue. When a vulnerability gets identified in a major piece of software like Microsoft Windows or Citrix or VMware, you can believe that there is a patch or system update available VERY soon afterwards. This is commonly seen in “Patch Tuesday” updates from Microsoft. The more serious issues (ones that approach 8.0-10.0 on the severity scale) gain a lot of buzz and regularly hit major news networks due to how serious or widespread the issue is.
Think of it like this:
a) A major recall on ALL TIRES sold with new cars from Volvo from 1990-2022 that causes the car to explode without warning and also simultaneously causes your car to text your boss's cell phone number and tell him that you hate him, you want to quit, and to donate your paycheck and 401k to charity.
VERSUS
b) An automotive advisory notice that all beige Volvos made in the last week of 2022 have a bad batch of tires that cause the tires to make a funny sound but pose no risk to the operation of the vehicle.
One of these will make it on the news, the other will not. Find the industries that make mistakes and do not follow the industry best practices.
You wrote a book entitled “Cyber Fraud: The Web of Lies” to tell your story and raise awareness among private people and businesses. We too often think that cybersecurity is a business matter but it is also a personal one for every individual. What is the best strategy so as to prevent cyber attacks?
Continually update and read about “best practices” related to software and hardware that you use on a daily basis. You should know how to configure, and then actually configure, MFA (two-factor authentication) on every online service that you use. You should use a password manager, never saving passwords in your browser. LastPass is for instance a good choice; there are many others.
Never use the same password on multiple websites, which is why a password manager is so helpful, because you cannot remember hundreds of different passwords. If you are really brave, configure and use a YubiKey or, to use the generic term, a FIDO token/key. These are hardware keys that look like thumb drives, and currently even the best hackers in the world use them to secure their own stuff because they cannot figure out how to break them. That is good enough for me.
Another good piece of advice: go on the internet with a purpose, finding what you need; but don't go down rabbit holes or expect to find free stuff or get-rich-quick schemes that are real. They are not. Advertising is designed to trick you into clicking on something, and so many times it can be hijacked for deploying malware, and most people do not have the time to keep up with all the various new issues that could pop up.
If you get an email saying there is some URGENT problem, like your iCloud was hacked, or Amex was hacked, don’t immediately click on the link. Go to your service provider directly, because oftentimes you will get emails like that from people who are just playing a numbers game with phishing emails.
It can say: “your __ was possibly hacked, please contact __ or click here.” No one wants to call, or the number is busy, so they resort to clicking. And the link goes to a website that looks real, but it is not. That is how they get your credentials, and you willingly gave them the credentials.
Here are some Google search terms you can search for to give you an idea: Windows 10 security best practices; iPhone security checklist; privacy best practices; family online safety best practices; OS X / Windows cybersecurity best practices…
When it comes to digital transformation, and hence to building cyber resilience, the Zero Trust Model is most often considered and applied. Could you explain what this model encompasses, and why it is important?
Zero trust is very much like it sounds. Old networks were static, and people did not bring their professional desktops home with them. Most people did not have to deal with all the stuff we do now, and network security was mainly to protect corporate networks and all the stuff inside. If you were/are on the inside of the firewall, connected to Wi-Fi or Ethernet, you are trusted. Which is a really poor way to conduct your cybersecurity operations.
Zero trust is a methodology for saying that each machine needs to identify itself, and that traffic, users and data all need to be verified as being from where they say they are from. It is the difference between default-allow and default-deny firewall rules. NO more implicit trust just because you say you are safe. This can prevent a lot of headaches, as attackers love to break one level of security and then find very low levels or no levels of resistance once inside.
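Editor's note: the default-allow versus default-deny contrast above is easiest to see in an actual firewall ruleset. The following nftables fragment is an added example for this article, not configuration from Bryan Seely or from any product he mentions. The host, the 10.0.5.0/24 management subnet and the ports are assumptions chosen for illustration. The first chain is the "trusted because you are inside" posture: everything not explicitly dropped gets through, including services nobody remembered were listening. The second chain inverts the policy: nothing reaches the host unless a rule says so, and the rule that does say so is scoped to a specific source and port rather than to "anyone on the LAN".

```nftables
# Added example: two ways to write the same input chain.
# Assumed environment: a Linux host whose management network is 10.0.5.0/24.

# Posture 1: default allow. Unlisted ports (RDP-style admin services, a
# forgotten debug listener, SMB) are reachable by anything that can route here.
table inet filter_default_allow {
    chain input {
        type filter hook input priority 0; policy accept;
        # Only known-bad traffic is blocked; everything else is implicitly trusted.
        tcp dport 23 drop          # telnet
    }
}

# Posture 2: default deny. The same host, but every allowed flow is named,
# and administrative access is tied to a specific source range and port.
table inet filter_default_deny {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept   # replies to traffic we initiated
        ct state invalid drop
        iif "lo" accept                       # loopback
        tcp dport 22 ip saddr 10.0.5.0/24 accept   # SSH only from the management subnet
        tcp dport 443 accept                  # the one public service this host offers
        # Anything not matched above, including "inside" sources, falls to policy drop.
    }
}
```

Load one table or the other with `nft -f`, then compare `nft list ruleset` against what `ss -ltn` shows listening: under the first posture every listener is exposed; under the second, the list of reachable services is exactly the list of accept rules, which is the property zero trust asks for at the network layer.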
As we keep evolving in a fast-paced cyber environment, are current legal frameworks adequate to regulate cybersecurity requirements and, mostly, to penalize hackers?
Typically no, as meeting most compliance standards exactly at the level that would pass a compliance audit is not enough to keep your company from being hacked. Some of them are better than others, with more rigid audits, but even then you have to be constantly improving, testing, scanning and training users. You cannot just buy a product or set up some magic piece of software and then all your problems are gone for good.
Considering the emergence of new technologies, notably Web3 or the Metaverse, which cyber challenges and threats should we – as businesses and as individuals – anticipate?
More people figuring out ways of scamming others is not trending downwards anytime soon. Sure, some attack vectors might be way more difficult, but you will still have people pretending to be someone they are not, or coming up with ways of making giant Ponzi schemes, or doing romance fraud on dating sites. The ease and multitude of ways to send and receive money, with so many possible scenarios that sound plausible, make it that much harder to identify who is being sincere and who is not.
If someone wants money from you, for whatever reason, and they cannot FaceTime or video chat to prove who they are, especially if you have never met them in person, do not send them money. Period.
_____
Bryan Seely will start the ball rolling on the ICT Spring’s cybersecurity stage next June 29.
Get more information on the international Tech conference ICT Spring and get your ticket here.