Cyber Security Advice From A Hacker

Bryan Seely, pictured, is a former marine and ICT expert who raises awareness about cyber threats through his hacking activities (Photo © Bryan Seely)

As the number of cyber attacks increases, hackers don’t normally get the red carpet treatment at tech events. But Bryan Seely isn’t just any old hacker.

It’s an airless morning. One of the stations for scanning tickets at the entrance to ICT Spring is malfunctioning. I have less than five minutes to get to the other side of Luxexpo The Box where Bryan Seely’s cybersecurity talk is due to begin. And I’ve not yet had a coffee.

Fortunately, Seely’s keynote speeches are accessible, even for brains that have yet to receive a caffeine fix. I arrive to hear his opening gambit: “I don’t like morning meetings.” Well, that makes two of us.

Seely had his fair share of early starts in the US Marines where he served two years in the Middle East as a linguist. Two years ago, he founded the Blackhat conference in Riyadh, delivering ethical hacking training to the Middle East. But what he is best known for is identifying a bug with Google Maps and getting the tech giant’s attention in the most provocative way possible. “Anybody could place anything, anywhere without any scrutiny. So I made a funny joke about Edward Snowden’s super secret hiding place and located it at the White House,” he says.

Tapping US Secret Service Phone Calls

When that didn’t work, he created a fake Secret Service location and an FBI location. Then he added a phone number and flagged the original location as spam, making his locations the default. Using a phone tracking service, he was able to listen to all the calls made to the Secret Service, an activity which he now recognises is “super illegal”.

When he realised the extent of his error and tried to contact the FBI, they gave him the brush-off, believing he was just a crackpot, until he walked into their offices and demonstrated what he had done. “Because I didn’t have any criminal intent […] And they knew that I knew walking in there was a really dumb idea, they said: ‘obviously you’re an idiot, but you’re an honest idiot so you can leave.’ And that was the beginning,” he says.

After that introduction, Seely began spotting vulnerabilities everywhere. One of the highlights he recalls was getting to report a bug directly to Steve Wozniak, of Apple. 

A year after the Google Maps incident, the problem still hadn’t been fixed. “So I put a snowboarding shop in the White House called Edwards Snow Den and that’s my favourite joke of all time,” he laughs.

After the talk, Seely tells me that he always wanted to become a standup comedian. “I got famous for this, and I can make this interesting and fun. Instead of trying to pack in statistics and really complicated words and not say anything interesting,” he explains. He has a point. About a third of the way into his talk, the audience leans in and this is when he delivers the kicker: “The problem is they’re not targeting you at work. They’re targeting you at home.”

Bryan Seely is pictured speaking at ICT Spring on 30 June (Photo: © ICT Spring)

Home Targets

Most data breaches show an IP address of where the user was affiliated, often a home network. A blackhat hacker need only look up that IP address and find all the emails connected to that home network and all the passwords to all those emails. Seely says: “They’re trying to go through your wife, your kids. I know this because celebrities pay for this service.”

Equipped with this information, hackers can then gather intelligence in all manner of ways about a CEO, from what car they drive to when they are not at home. Don’t think you’ll get off lightly because you’ve got nothing worth stealing, says Seely. Everyone has value for a hacker. As an example, he cites old passwords traded on the dark web, which help hackers establish patterns in these passwords. Sometimes just by adding a year or an exclamation mark to these old versions, they can access the latest passwords.

“Yes, it meets the policy criteria but it’s not compliant and it’s not secure, which is why password managers never pick a password, ever,” says Seely. To illustrate how easy it is, he recalls meeting a famous comedian waiting for a flight a few years ago and using his hacker skills to crack his passwords. “Within an hour, I had all of his passwords,” the hacker says, adding: “I contacted his agent and they gave me backstage passes to his next show! It blew my mind that that password was still being used ten years on.”

Seely wasn’t seeking a reward, unlike blackhat hackers, who often ask for tens of millions in ransom for stolen data. 

Seely reckons that everything is hackable, especially if you have IoT devices. He cites as an example a casino in Las Vegas that was hacked through its smart aquarium system. “The main reason you haven’t been hacked is there are not enough hackers,” he concludes.

Bryan Seely’s cyber security tips

Use a password manager to select a password: Don’t select your own password, because you’re using a brain that’s tired of doing that job and you’re not going to do your best work. Use a password manager.

Activate multi-factor authentication when accessing platforms and devices. Multi-factor authentication means a user is only granted access to a website or application after successfully presenting two or more pieces of evidence to an authentication mechanism.

Dehashed.com is a data breach search engine allowing users to check if their information appears on hacked lists online.

Have I been pwned? shows websites you may have signed up for which have suffered a data breach.

Privacy.com masks credit card details, allowing buyers to shop without providing their actual credit card number.

MySudo allows people to send private messages, manage multiple phone numbers and email addresses and create custom personal identities that last as long as you need them.

ProtonVPN is a high-speed VPN with hundreds of servers all over the world that can be used to safeguard your privacy.

KrebsOnSecurity.com offers cyber security news.

Spiceworks.com provides answers to your cyber security questions.
