Celebrity cybersecurity consultants protect stars from hackers
The celebrity entourage has a new member.
Now joining the ranks of hairdressers, nannies, brand managers and personal chefs are computer security experts, entrusted by the rich and the famous to stave off threats to social media accounts, smartphones and home networks.
Cybersecurity consultants to the stars are paid to spare their clients the type of trauma experienced by actress Jennifer Lawrence when hackers stole her nude photos or then-Sony Pictures Entertainment co-chair Amy Pascal after her emails were made public.
The job isn’t easy, as all Internet users run the risk of being targeted by hackers looking to make a buck – or a statement. But boutique security firms, which now count cybersecurity work for millionaires as their fastest-growing offering, say their clients’ wealth and prominence make them particularly appealing to hackers. And their large entourages offer criminals more digital doors to pry open.
Potential consequences of poor security go beyond embarrassment, embezzlement or identity theft. Many celebrities and executives fear stalkers and ransom-seeking kidnappers could access schedules or other personal details.
These concerns mean it’s no longer enough for security firms such as K2 Intelligence, Hillard Heintze and Guidepost Solutions to outfit homes and offices with cameras and alarms or serve as old-school private investigators. They must now offer robust cybersecurity services for high-profile clients.
Computer security vendors that generally serve corporate clients, such as Synack, and wealth managers including T3 Risk Management have also jumped in with digital tools for the rich.
It was the dissemination of private photos that led one actress to sign up with K2 Intelligence, according to Jordan Arnold, the firm’s senior managing director. The star had been among the 100 celebrities caught up two years ago in the so-called Celebgate – a widespread intrusion into email and Apple iCloud accounts that resulted in the leak of libraries of private photos.
Soon after the attack, the actress, a family member and several personal assistants took seats in her living room. Each clasped a smartphone, while external hard drives, tablets and laptops covered furniture. Arnold and a colleague walked the group through settings menus across devices and apps, erecting new barriers for intruders.
“You’re helping them feel secure again,” said Arnold, whose firm recently opened an office in downtown Los Angeles because of Hollywood demand. “It was really an effort to bring a level of comfort and confidence at a very fraught time.”
Over the past two years, such cyberhygiene lessons have been held at the homes of hundreds of celebrities, athletes and current and former executives worldwide, according to security experts.
High-profile data breaches have brought a flurry of calls to security firms. The News of the World phone hacking scandal in Britain rattled European nerves. The release of names of users of extramarital dating website Ashley Madison and the emails of Sony Pictures Entertainment employees sparked interest in the U.S.
Because authorities said Sony’s distribution of the controversial movie “The Interview” prompted the cyberattack, its directors Seth Rogen and Evan Goldberg worked with the firm Kroll to tighten their digital security, according to a person familiar with the matter who was not authorized to speak publicly about the consultation.
Such services are not cheap.
Around-the-clock advice and monitoring can run thousands of dollars per month, with a single Cyber HouseCall – as K2 Intelligence dubs it – priced at $3,600.
Consider it a cost of fame: The wealthy must be extra cautious because they are more likely to face the most sophisticated attacks.
Someone could steal data from ritzy homes in Bel-Air by driving around and looking for unsecured Wi-Fi networks.
Phishing attacks – in which opening a document emailed by a hacker creates a door for thieves – can be frighteningly personalized because details of celebrities’ lives are well publicized.
This also makes it easy for thieves to trail public figures on a night out in hopes of snatching their smartphones. Hillard Heintze shows clients how it can unlock their phones by analyzing the location of finger grease on the screens – reminding them to choose stronger pass codes, adjust them often or invest in a cleaning wipe.
Consultants try to guard against these vulnerabilities. K2 Intelligence starts with a visual sweep of a client’s home, said Joseph Lawlor, associate managing director for computer-related incidents. One by one, all electronic devices get tested for vulnerabilities.
At the Celebgate victim’s house, specialists created a guest Wi-Fi network to make it harder for a nosy visitor to snoop around. At another house, a personal assistant had installed a wireless extender to improve coverage without securing it with a password.
“It wasn’t malicious, but it’s a problem,” Lawlor said.
His team helps clients enable two-factor authentication, so no one can log into Gmail or Twitter accounts without also entering a unique code that gets sent to their smartphone. They’ll set up a password management app, so clients can employ more complex log-ins without needing to memorize them.
K2 Intelligence installs tracking software on devices to automatically detect abnormal behavior. It’s the online equivalent of a security camera, sending an alert to K2 Intelligence’s monitoring center when, for instance, a device is communicating with someone from China for the first time.
Other firms provide monitoring by attaching a firewall device to home routers or setting up a proprietary online locker for families to store sensitive files.
Consultants urge some clients to buy new phones every few months – even for their maids and butlers. Making sure that the household has insurance coverage for cyberattacks is another suggestion.
The experts steer people away from apps known for security flaws and toward services like virtual private networks, or apps including Signal, that make data unreadable to most hackers. People who handle the client’s private affairs, including lawyers and financial planners, get the same advice.
Children, whose views on privacy and security may be more liberal than their parents’, can pose a problem. But K2 Intelligence hopes a new, one-day Family Security Summit education program will send the message through cautionary tales.
“They need to hear what happens, the narratives, for the security risks to really resonate,” Lawlor said.
K2 Intelligence shares details about attacks with law enforcement when clients allow, Arnold said. He declined to comment about specific cases.
It’s hard to measure whether it’s worth the potential six-figure cost of bringing to the home security practices that are becoming the norm at corporations. Consultants say they primarily provide peace of mind, which usually is good enough. But they also note that criminals are quick to move on when they meet any kind of resistance since so many people have close to zero defense.
“Just by putting a wall up as high as we do, it deflects just about everything,” said Tom Anderson, chief executive of Private Client Cyber Security.
Though breaches could sometimes cost 10 times more than protection, K2 Intelligence said that, more often than not, it first hears from prospective clients after something goes wrong. The firm recently stepped in to resolve several ransomware incidents, in which hackers lock data on a computer until clients pay a ransom.
Frances Dewing, chief operating officer for security company Concentric Advisors, relayed the story of a wealthy East Coast businessman who only sought counsel months after an executive assistant had been duped into transferring money to a hacker.
Dewing’s team, which charges $500 to $3,000 a month for cybersecurity support, improved his passwords and provided ongoing intrusion detection.
In other cases, paranoia brings clients. A retired executive who sits on the board of a publicly traded company thought someone was breaking into his Yahoo email account to view undisclosed financial results, according to an account provided by Maryland firm Private Client Cyber Security. The consultancy said it helped him switch to an encrypted email service and get cybersecurity software for his homes.
Publicists for several celebrities, including Rogen, Goldberg and Celebgate headliner Lawrence, didn’t make them available to speak about security measures.
But one group has been forthcoming. Filmmaker Oliver Stone, actor Joseph Gordon-Levitt, actress Shailene Woodley and others involved in the production of upcoming thriller “Snowden” opted to use a secure chat-and-file-sharing program developed by Hollywood-focused cybersecurity company RED-E Digital.
Hackers are eager for an early glance of the biopic about Edward Snowden, who leaked bombshell documents detailing secretive National Security Agency surveillance programs.
RED-E’s Ralph Echemendia, a technical advisor for the film, had people touching the script or video buttress defenses on personal devices and systems to augment his company’s software. “They are keeping up with it too,” he said. “A great majority of the crew is more secure because of ‘Snowden.’ ”
But cybersecurity consultants’ influence only goes so far. “Snowden” DVDs have been sitting unsecured in mailboxes across Los Angeles after distributor Open Road Films sent them to guild and academy members for review, Echemendia said. Sometimes, physical locks and keys still do the trick.
FOR THE RECORD
June 6, 9:54 a.m.: This article states that Open Road Films had mailed some copies of “Snowden” for review. They have not yet been sent, according to RED-E’s Ralph Echemendia.