Tips to Stay Safe Online from the Guy who Wiretapped the Secret Service
Cybersecurity experts see security flaws and safety risks online every day. Since their job is to help people and companies stay safe online, they want to tell people about those flaws and help them avoid or fix them. But what are they supposed to do when no one will believe a particular security risk is actually a problem? For a few, the solution is to take drastic action.
See What Not to Do when Wiretapping the Government with Bryan Seely for a complete transcript of the Easy Prey podcast episode.
Bryan Seely is a cybersecurity expert, ethical hacker, and former US Marine. He also does a lot of public speaking, including keynote speaking. His goal is to educate consumers and companies on the dangers out there so that they can stay safe online. He also wrote a book on “map hacking,” or how people manipulate Google Maps, Bing Maps, and Yelp for nefarious purposes. It’s both the best and the worst book on the subject because so far, it’s the only one. However, Bryan is most famous for wiretapping the US Secret Service and the FBI without permission. And before he goes any further, he wants to point out that it was a spectacularly bad idea.
It All Started with a Security Risk in Google Maps
As a cybersecurity expert, Bryan was trying to help people stay safe online. He found a huge security risk in online maps like Google Maps. People could change publicly available listings to anything they wanted, true or not, and there wasn’t a good process to catch fakes and malicious changes. And anyone could create a new listing, enabling impostors or scammers to gain legitimacy. When Bryan reported the huge danger to Google, they brushed him off.
So Bryan tried different tactics to show them how serious the problem was. He changed a Google Maps listing for a concentration camp in North Korea. He renamed the Church of Scientology, the Mormon Temple, and a variety of Christian churches as comedy clubs. The Russian Embassy in the UK became a gay bar, and he listed Edward Snowden’s secret hiding place on the White House Lawn. While live on the air with a local news station, he changed the Library of Congress to the Zoolander School of Kids Who Can’t Read Good.
While it was funny, it didn’t get Google’s attention. Bryan thought they really should be taking this risk seriously. So he decided to take his attention-getting strategy a step further.
Escalating to Wiretapping the Government
What are the motivating factors in crime? It’s almost always power or money. Power comes through control or something like blackmail. Bryan wondered if he could get information on something using the same techniques he was warning Google about.
The train of thought quickly spiraled into very poor judgment. If he was going to prove to Google that they need to do more to help people stay safe online and do something about these risks, he wanted to do something big. So, he thought, why not use the security issue in Google Maps to wiretap the FBI and the US Secret Service?
Bryan set up phone numbers that would forward to the Secret Service office in Washington, DC and the FBI office in San Francisco. But even though the person calling would get connected to the Secret Service or the FBI, since the call was made to his number and not the real number, he could record the whole thing. Then he submitted changes to the Google listings for both offices, saying that the listed phone number was wrong and his was correct. It worked.
Exposing His Own Illegal Activity
Bryan was not caught wiretapping the FBI or the Secret Service. It would have been very difficult to catch him in the first place. Businesses have been putting their information on Google for a long time, and most people trust that the information we find on Google Maps is accurate. And since the phone numbers did work, likely nobody would have thought to check if the number on Google was correct.
Since his goal was to help people stay safe online, not record classified government calls, Bryan eventually tried to turn himself in. At first, it didn’t work. The FBI hung up on him. Finally, he walked into his local Secret Service office and said, “I wiretapped you. I know it’s a bad idea, but I did it, and I want to explain how it happened so you can keep it from happening again.” Just like Google, they were dismissive. They told him they would look into it, and asked him to leave.
Proving the Risk
Bryan asked for five minutes – if he couldn’t prove it to them in five minutes, then he would leave without fuss. They agreed. He asked one of the three agents there to call the Washington, DC office of the Secret Service. Bryan knew what would happen. Likely, the agent would search Google Maps or just Google for “Secret Service Washington DC” or any combination of those words. The top result was Bryan’s fake number. Then the agent would push the “Call” button, because the results often didn’t even show the number.
The agent did. He called, someone answered, and they had a brief conversation before hanging up. Then Bryan got a notification on his phone. He asked, “Do you want to listen to your new call recording for the Secret Service?” He put it on speakerphone. Bryan and the agents could hear the phone ringing and now hear both sides of the brief conversation.
At that point, the agents lost their sense of humor and Bryan got to spend a few hours in a small room with no windows.
Consequences for Wiretapping the Government
Bryan was never handcuffed and never put under arrest or detained officially. But he did get to explain how he did it and demonstrate it over and over again. Looking back, Bryan can’t believe the consequences weren’t worse. In the end, he recorded about forty calls. Even though he only listened to two of them – he didn’t want to hear anything he couldn’t un-hear – each call was worth five years in prison. He could have also been charged for recording without permission. People have gone to jail on the three strikes rule with combined crimes less serious than what he did.
There were some mitigating factors, though. Bryan didn’t get caught and didn’t try to tell anyone else or share the recordings. He went directly to the Secret Service and turned himself in. And he was only trying to help people stay safe online and had no criminal intent. It’s much harder to prosecute someone when there’s no criminal intent. It might have also been because he had top secret clearance in the Marines, or maybe even white privilege. Whatever the reason, it was very stupid, and the government effectively let him go after telling him not to do it again. He knows he’s most likely being watched now. But he was treated very fairly and has nothing to complain about.
Risks that are Difficult to Detect
One of the big challenges to people trying to stay safe online is that some risks are nearly impossible to detect. When Bryan wiretapped the government, he didn’t hack into Google or insert a virus into Google Maps. Anyone else would be able to do the exact same thing he did. And that’s not the only danger of online maps. A CISO for a Fortune 500 company once told Bryan that he’d found Google Maps locations for people pretending to be the company. Those Google Maps listings give legitimacy to a domain or a phone number so people look them up and get tricked.
“It was a logic flaw and using a system that was designed a certain way, but there were loopholes on how you could get Google Maps businesses online.” – Bryan Seely
Despite everything Bryan went through wiretapping the government, these issues are still there. Google hasn’t done anything about them. It’s trickier because there’s nothing technically wrong. There are no problems with the code that are letting hackers in. It’s just implemented in a way that’s easy to exploit.
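A defender-side check for the listing problem described above, as an added example that is not from the podcast or from Bryan Seely: it compares a snapshot of public map listings against contact details the organization controls, flagging a changed phone number on a known office and an unrecognized listing that uses the brand name. All names, phone numbers, domains and the snapshot format are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Authoritative contact data the organization controls (constructed sample values).
CANONICAL = {
    "Example Corp - Seattle": {"phone": "+1 206-555-0100", "domain": "example.com"},
    "Example Corp - Austin": {"phone": "+1 512-555-0101", "domain": "example.com"},
}
BRAND = "example corp"

# Snapshot of public map listings, gathered by hand or from an export (constructed).
LISTINGS = [
    {"name": "Example Corp - Seattle", "phone": "(206) 555-0100", "url": "https://www.example.com/seattle"},
    {"name": "Example Corp - Austin", "phone": "512-555-0199", "url": "https://example.com/austin"},
    {"name": "Example Corp Support Center", "phone": "+1 (800) 555-0142", "url": "http://example-corp-help.example.net"},
]

def norm_phone(raw, default_cc="1"):
    """Reduce a number to digits with country code so different formats compare equal."""
    digits = re.sub(r"\D", "", raw)
    return digits if len(digits) > 10 else default_cc + digits

def norm_domain(url):
    """Lower-case host with a leading 'www.' removed; other subdomains are kept as-is."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def audit(listings, canonical, brand):
    """Return (listing name, finding) pairs for listings that disagree with the record."""
    findings = []
    known_phones = {norm_phone(c["phone"]) for c in canonical.values()}
    known_domains = {c["domain"] for c in canonical.values()}
    for item in listings:
        phone, domain = norm_phone(item["phone"]), norm_domain(item["url"])
        record = canonical.get(item["name"])
        if record:  # a known office: every contact field must match the record
            if phone != norm_phone(record["phone"]):
                findings.append((item["name"], "phone differs from record"))
            if domain != record["domain"]:
                findings.append((item["name"], "website differs from record"))
        elif brand in item["name"].lower():  # unknown listing using the brand name
            if phone not in known_phones or domain not in known_domains:
                findings.append((item["name"], "unrecognized listing using brand name"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(LISTINGS, CANONICAL, BRAND):
        print(f"{name}: {finding}")
```

A number that still connects to the right office passes a "does it work" test, which is why the comparison is against the organization's own record rather than against whether the call goes through.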
In the end, it comes down to penetration testing (pentesting) and cybersecurity in general. Some companies want to help themselves and their customers stay safe online. They actively pentest, identify problems, and fix them. The faster the cycle, the more secure the company will be. Some companies think that’s not for them and assume they won’t get breached. But data breaches happen if you’re on the internet. Bryan thinks we’re going to start seeing more people prosecuted for cover-ups and negligence with data breaches.
Stay Safe Online by Knowing What Info You’re Exposing
If you want to stay safe online, it’s important to be aware of what exposes your information. We actually broadcast a lot about our security measures – more than most of us realize. If you have a security system, you probably have a sign outside your door or in your yard saying your house is protected. It increases your physical security by deterring burglars. But it also makes it easy for clever criminals to call you and say, “Hey, this is so-and-so with X security company. There’s a fault in your system and you need to let us in so we can fix it.”
“Geoguessing,” short for “geographical guessing,” is another risk most people don’t think about. Geoguessing is the process of figuring out where a photo was taken from a little bit of stuff in the background. Bumper stickers can give a lot away, too. When you put identifying things on your bumper, anyone can learn info like how many kids you have, where you like to travel, what school your kids go to, and more.
“There are lots of things that … give indicators away if you’re paying attention.” – Bryan Seely
When he travels internationally, Bryan sticks out like a sore thumb. He’s six-foot-four barefoot, and so white he could get a sunburn from opening the fridge. From his tattoos, someone could pretty easily figure out he’s from either the US, the UK, or Canada. The way he dresses and talks gives away more. You have to be okay with some of them, because there’s no way you’re going to hide every piece of information about you. The key is knowing what’s okay to disclose and what should be private.
Be Careful with How Your Phone Connects
As an additional step to stay safe online and in real life, Bryan recommends turning off Bluetooth and wifi on your phone. If your phone automatically connects to known public wifi networks, there are techniques people can use to steal your data from the network. People can also create lookalikes to trick your phone into connecting and then harvest your data. Bryan has a friend who exploits this for presentations. He creates a fake wifi network, collects the people connecting to it, and shows all the data he can get during his presentation.
Cell towers can be risky too. Bryan has heard of nation-states creating their own cell towers. Your phone connects, and you’re happy you have service. But the tower is controlled by someone else and collecting your data. Worse, you have no way to know because it looks correct.
“How many enemies do you have? Because if you’ve got a bunch of them, maybe yeah, be more vigilant … but if you’re just caught up in a big net because they’re being lazy and they’re sending email to everybody, you have less to worry about.” – Bryan Seely
Teach Your Kids to Stay Safe Online
We have to teach our kids how to stay safe online, too. We’ve accepted that when we buy a car, the responsibility is on us. It’s not Ford’s job to tell you when to change your oil. It’s traditional to teach kids how to change a tire or change the oil on their car. We should also teach them tools to use the internet safely.
Show your kids how to set up two-factor authentication or multi-factor authentication and explain why it’s important. Tell them about the dangers of data collection, health misinformation, face-swapping apps, and social media quizzes. If you don’t teach your kids about online privacy or scams, they’re going to find out the hard, painful way.
“An eight-year-old’s knowledge of the internet versus a fifteen- or sixteen-year-old’s should be different. You should be helping them along with that as best you can.” – Bryan Seely
Why Bryan Likes Helping People Stay Safe Online
Sometimes, cybersecurity can be really boring. But Bryan likes educating people and making it funny. If he can make it funny, people will pay more attention, and then they may learn more about how to stay safe online. Bryan can tell the story of a really stupid thing he did to get people interested. Saying “I wiretapped the Secret Service” often gets people’s attention. Once they are interested and want to hear what he has to say, he can talk about other things they can do to stay safe online.
In this line of work, Bryan has been able to meet a lot of amazing people. He received a football from Steve Young, he got to be on John McAfee’s board, and he got an endorsement from Mark Cuban in an article by Brian Krebs. He’s been able to work with a lot of really cool people doing really cool things to help people stay safe online. Most of all, he just wants to be able to help as well.