I imagine them following me everywhere during our vacation. They’ll know exactly when my family and I arrive at San Diego International Airport and when and where we pick up our rental car. They’ll take notes as I snap photos of my children playing in the sand on Mission Beach and as I buy them souvenirs at Legoland. And at night, after the kids are asleep and our La Jolla beach cottage is dark, save for the glow of my Amazon Kindle, surely they’ll be lurking just beyond me in the shadows, watching silently.
I’m not being paranoid. I know I am being stalked—because I asked to be.
The sleuths lurking around the not-so-dark corners of my life are the folks at Azorian Cyber Security, a Monument-based firm that specializes not just in high-paying corporate clients, like most cybersecurity firms, but also everyday people. “Consumers as a whole haven’t been able to combat cyberthreats,” Azorian CEO Charles Tendell told me a few days before I left on my vacation. “We saw the need to protect and develop programs for the general public.”
That may be an understatement: Since Tendell and his wife, Dee, founded Azorian in their home two years ago, the operation has grown to 10 employees and recently opened a second office in the Denver Tech Center. No one, really, should be surprised. As Tendell says, with a touch of pity, “Consumers love telling the world what they are doing, and they don’t realize how much of a bad idea that really is.”
Tendell and his employees talk like this, with a sort of geeky swagger. Tendell, 31, is an Iraq War veteran who’s worked on network security for missile defense systems and for Boeing, Lockheed Martin, and the National Security Agency. At Azorian, he introduces me to two members of his “Red Team,” the small crew of hackers tasked with compromising clients’ security systems to expose their flaws: 28-year-old Derrick Wrieden, whose resumé includes a stint with the U.S. arm of the international crime-fighting organization Interpol, and 19-year-old Jack Hooker, who caught Tendell’s eye at Def Con in Las Vegas when the 16-year-old kid made a presentation to the world’s largest hacker convention.
During one of my visits to Azorian, Wrieden and Hooker were busy tinkering with a custom-made “black hole,” an antennaed gizmo that automatically connects to and slurps online data from all nearby Wi-Fi-enabled devices—like my phone. “You call that a credit score?” one of their colleagues cracked as they scrutinized my recent Web browsing history from one of their laptops.
Know-how like this has helped Azorian, which charges anywhere from several hundred to tens of thousands of dollars for its various services, to accomplish all sorts of things—like removing all traces of a compromising online video. Or tracking down the biological parents of a client who’d been adopted, after other investigative attempts had failed. Or helping an aggrieved spouse locate her husband, who had vanished during their European vacation (they found him bombing around Italy in a new Porsche). Azorian refused to offer its services, however, when Leland Yee, a California state senator charged with arms trafficking earlier this year, asked the company to remove his name from incriminating online court documents.
To see just how vulnerable folks are to online snooping, I asked the company to try to figure out where I was going on vacation the following week and what exactly I was doing there. Tendell happily accepted the challenge.
I wasn’t sure how difficult it would be for them, but I wasn’t particularly optimistic about maintaining my privacy. Like most people, much of my life has gone digital. I’d purchased our plane tickets through kayak.com and booked our lodging through Airbnb. I use credit cards for nearly all my purchases, and I post to Twitter and Facebook frequently. I do most of my reading through a Wi-Fi-enabled Kindle, and all the photos I take with my phone are automatically uploaded into the cloud via the online storage service Dropbox. In the name of convenience and cost savings, I’ve left a cybertrail of breadcrumbs—like most everyone in America circa 2014. And if Jennifer Lawrence’s nude selfies can be hacked, where would that leave me?
As our vacation progressed, though, things happened that suggested maybe Azorian wasn’t as on to me as I originally imagined. I began receiving Facebook friend requests from strangers clearly dreamed up to access my information. (One listed his education as the Hogwarts School of Witchcraft and Wizardry.) And I received emails with subjects like “Web hosting suspended” and “You have been tagged in a Google+ image” that all came from the same suspicious address: firstname.lastname@example.org.
One of these emails actually tripped me up; I clicked on a link in a legal warning that accused me of using content on one of my websites that violates copyright laws, and the URL took me to a nonexistent Web page. But since the fishy emails kept coming, I figured my slipup didn’t provide Azorian everything they were after. Sure enough, on the last day of our vacation, I was deluged with dubious emails and text messages (“Use promo code LUBE10 for 10% off next order on edenfantasys.com! TO STOP VISIT bit.ly/FetLifeSTOP”), and I eventually clicked on one of the links to throw my stalkers a bone.
When I stopped by Azorian a few days after returning from our trip, I learned that I’d mostly outwitted the hackers. The two email links I’d clicked on had provided Azorian with IP address information that suggested I was in La Jolla, California—or in Santa Monica, 125 miles away.
Because I avoid social media when I’m on vacation, Tendell’s Red Team didn’t find any clues to my whereabouts on Twitter or Facebook. And since I’d ignored their friend requests, they couldn’t send me messages from fake Facebook accounts encouraging me to download apps that could have accessed my private messages and IP address logs, not to mention added and deleted posts on my Facebook page.
I hadn’t fallen for most of the Red Team’s email trickery, since to me they seemed like obvious phishing attempts. But maybe that was because I knew I was being stalked. “Usually, that’s all it takes,” Tendell says of such phishing scams. “The average consumer is going to click that link in an email. Everybody is a social-media whore. If I send you an email that someone tagged you in a post, you are going to click on that.
“People should be more like you,” he adds. “They should have a heightened sense of attention.”
Azorian says it could have gone further: “It comes down to our drive to get something,” Tendell told me. They could have filed a legal claim to find the names of the people registered to the La Jolla and Santa Monica IP addresses they’d collected. Or they could have arranged so that when I clicked on their phishing links, programs could have been downloaded that would have given them full control of my laptop and/or phone. I’m neither rich nor powerful enough, however, to warrant that sort of time and effort.
“It’s good to be a little paranoid,” says Tendell, when I ask him what consumers should do to protect themselves online (see Azorian’s top five tips below). I was a bit paranoid, and that may be why I won this round with the cyberstalkers. (I was also extremely cautious while I was on vacation—something a quick look at anyone’s Facebook feed will confirm is not the norm.) My gizmos aren’t the digital bullhorns I’d imagined them to be, indiscriminately spewing telltale data into the ether. Indeed, there is still something standing between my personal information and would-be cybersnoops: me. I have control over whom I friend and follow on social media, control over which emails I read, control over whether I leave Wi-Fi and Bluetooth running on my phone and computer when I’m out and about.
Yes, it’s good to be suspicious when we’re online. But just as we don’t hide in our homes due to fear of getting in a car crash, that paranoia should be tempered by reality. Online, as in life, a little common sense goes a long way. Watch what you click, and you should be OK. And remember: If you decide to befriend a Hogwarts alum on Facebook, you’re asking for trouble.
Keep Yourself Cyber Safe
Azorian Cyber Security’s top five tips for how to keep your digital life secure.
1. Watch what you post
Do you really want to tweet about that bad day at the office or post that cute photo of your preteen kids on Facebook? Such oversharing is ill-advised, for anyone. As Azorian CEO Charles Tendell says, “Remember, the Internet doesn’t forget.”
2. Avoid fishy links
Even if it’s coming from a seemingly trusted source, think twice about clicking unusual links you receive via email or text. If it’s an email update from a social media site, log on to the site from your browser. If the email is from a friend, ask him, “Did you mean to send this to me?”
3. Limit GPS use
Lots of apps want access to your phone’s GPS data, which means they could be tracking you wherever you go. Turn off location services for all apps except for when you really need them, like for driving directions.
4. Google yourself
This isn’t about ego. By typing your name into Google as well as databases like pipl.com and dirtsearch.org, you’ll get a sense of what people can easily find out about you online.
5. Reign in your friends
Even if you’re being cautious about your online presence, that doesn’t mean your friends and family are too. Let them know what is and isn’t OK for them to post about you. A good rule? “Think ‘What happens in Vegas stays in Vegas’—for everything,” Tendell says.