Uncloaked: A Cybersecurity Podcast
Uncloaked: A Cybersecurity Podcast by BlackCloak takes you inside the world of Digital Executive Protection and personal cybersecurity.
In today's hyper-connected world, corporate leaders and high-net-worth individuals are prime targets for sophisticated cyber threats. But the weakest link isn't at the office—it's in their personal lives. And the line between digital and physical risk continues to blur.
Discover practical solutions, expert analysis, and behind-the-scenes stories on the unique and evolving security challenges faced by C-suite executives, board members, high-profile individuals, and their families.
Ep. 28 | How Cybercriminals Scout a Pro Athlete
Cybercriminals are running a sophisticated playbook against today’s professional athletes. From social media exposure to technical gaps in a home network, their digital footprints often remain soft targets for cyberattacks. Join former NFL Wide Receiver and current Network Security Engineer Deon Butler for an in-depth look at how attackers scout high-profile targets and what it takes to build a world-class digital defense.
If you're interested in learning more, you can request a demo with BlackCloak here, or visit the BlackCloak website.
SPEAKER_00: Welcome to Uncloaked, a podcast series brought to you by BlackCloak, the pioneer in digital executive protection and leader in personal concierge cybersecurity. I'm Dan Vasco, and today we're talking about how cyber criminals scout a professional athlete. Joining me for this discussion today is a special guest, Deon Butler, former NFL wide receiver and current network engineer and IT security leader. So, Deon, thank you so much for joining us here on Uncloaked.
SPEAKER_01: No, I'm glad to be here. Um, definitely just to share my story. And obviously, you know, what we'll get into today, I think, is very important as the world gets more digital and everything like that, right? So a lot of ease of access to things. So definitely like securing our devices and our footprints are something that, you know, I think the world should definitely be aware of.
SPEAKER_00: Yes, very true. Absolutely. And uh we're excited to have you here. You obviously have a unique and uh very compelling story as well from your journey as a walk-on all the way to the NFL and now in IT and cybersecurity. So a lot of great information to leverage here. And so looking forward to it. But, you know, before we dive in, obviously into the specifics of the pro athlete, their attack surface, all of that stuff, I would love to hear a little bit about yourself, uh, your career path uh from a walk-on in college to the NFL and now cybersecurity. You know, was this a passion of yours um outside of football before uh college, even? And uh yeah, just really interested in how that all progressed for you.
SPEAKER_01: Yeah, um, I mean, uh it started out basically, I could say, with uh Forensic Files shows, right? I was right, CSI: Miami was like the hot thing back then. So that got the whole introduction into kind of forensics, and that's when I really started really liking that crime scenes, putting things together. Obviously, there would be some digital devices there. So kind of just growing up, that was what I watched on TV. And I always remember filling out a college questionnaire when you're trying to pick your major, which was like, well, what do you watch on TV? And I was like, oh man, murder shows and crime shows all the time. So, you know, take that, and that's how I entered college doing a forensic science major, you know, fast forward on the school side of things to where when I was finishing my NFL career, I got my master's in cybersecurity because one of the things in college was when we would do our forensic crime scenes, which were really cool actually, like fake crime scenes, and you had to go back and put it back together. And then they would show you a video and whatever you know, group got the closest, got the best grade. But you would have cell phones, you would have laptops and all those things, and they would show you like the digital footprint of someone, like how much information you could get when they think they actually erased something. So you would use those vulnerability tools and to recover information, and that really got me to thinking about digital forensics. So then when cybersecurity came about with kind of the first Target point-of-sale breaches and things like that, I was like, oh, that's what I did just on the network side of things. So that led me to getting my cybersecurity master's. So that's always been a passion of mine to just kind of transition from physical evidence on a crime scene to a network.
SPEAKER_00: Gotcha. Yeah, that's that's fascinating. And um I I was a big Forensic Files fan myself. I always joke, like, um, you know, a lot of people will go to fall asleep to like white noise or like some sort of like rain app or something like that. I have Forensic Files playing in the background, the soothing voice thing. I'll soon go to sleep. But yeah, no, that's a it's a great point, too, about the level of information that can be accessed well after someone's deleted it, right? A lot of people, and and even still today, the the number of cases we know about, you would think more people recognize uh that just because you delete a photo or delete, you know, some sort of message, it's it's not deleted forever. And um that that obviously lends itself to the digital forensics across the board. So as an NFL player, you you walked on at Penn State, you get drafted, and you were there during a unique point because you were in playing in college and in the NFL in the late 2000s, early 2010s, which was really that time where social media completely uh you know blew up, uh, was taking off. Celebrity news is now amplified, it's more accessible than ever before. When you look back to that time, how much of an impact did that accessibility have on the daily life and the daily lives of you and your teammates? Just the fact that so much information of you was out there and um everyone seemed to be taking interest, right? You're a public, you know, figure at this point, and a lot of people know who you are, and they're all interested.
SPEAKER_01: Yeah, I mean, I think obviously with the boom of just like cell phone cameras and just everything connecting to the internet that fast, like everyone almost became a pseudo, you know, news reporter, right? Like right there on the spot where, you know, before you would tell a story, like unless you were there or one person that had the camera was actually there with you, they could show you what happened. But now at that point, it turned into, well, like, hey, I didn't need to be there, but so-and-so uploaded it to, you know, whatever Facebook at the time or whatever was going on. And it was like, now the news spread that quickly. And then to your point, it's like, you know, being a professional athlete, you are someone who's very recognizable. So people know where you are and people want to take pictures with you. People want to take a picture of you or just say that they saw you. So whether they just comment that, whether they actually take a picture of you unknowingly, or you actually take a picture with them, you know, that's another portion of like, okay, now my location is being known pretty much wherever I'm going and, you know, talking about being a target or things like that. And then the flip side to that is actually as part of your brand as an athlete, you don't want to come across as inaccessible or as someone who just thinks they're better than someone else. So, like, hey, I don't take photos, I don't do this. So you you want to interact with your fans that helps your brand, that helps like, oh, personable and like, oh, I just love them. And so it's kind of a you know, a thin line of like, hey, well, how do how do you balance that with you know protecting some of your digital footprint and the information um that is out there about you because you also do want to come across as a you know personable guy and and and someone who the fans can like relate to somewhat.
SPEAKER_00: Yeah, it's interesting that you bring up the you know fans taking pictures with you because one of our best practices that is often talked about when posting about your location is never post while you're on vacation and show people uh that you're away when you're away. But if you are in the public eye as a professional athlete or a celebrity, that doesn't take into account people taking pictures of you and giving you away your location. So yeah, I mean, was that was that a concern even early on during that process, or did it take a little while and like was it more of a a hindsight thing once we realized, you know, the level to which uh this information could get out there?
SPEAKER_01: Um it took a little bit of getting used to, right? And I would actually say it started at Penn State, right? Like Penn State in itself, where I went to college, right, is a huge football state, right? Like as far as Penn State football runs Pennsylvania, right? No disrespect to anybody that went to Pitt, but it you just hear about Penn State. So it's like one of those things, you you're almost like a bigger rock star on a campus than almost as much as I was in NFL. But it was to that point, it was like wherever you went, people could take photos of you and you wouldn't even know it. And then, or someone else would say, like, oh hey, I saw that you were at wherever. And it's just like, well, how did you even know? Um, so that information traveled so quickly, and then you started to get used to it, where like, okay, this is just a thing. Like, I can't control other people who take photos of me or things like that. So you've kind of got to move with, you know, some awareness about you, and that, you know, goes back into then as you start to think, like, okay, am I gonna be a person that has on a bunch of jewelry around when I go out? Like, maybe I do want to wear jewelry because I just like jewelry, but like I've got to make smart decisions now because other people are taking photos, and if there's someone who's interested in that, then now they know my location. Now they can, you know, be nefarious as they want to be and know where I'm at. So it's like one of those things you you can't change that people will take photos of you, just like you said, but you've just got to be able to adjust to it, especially in the NFL where money's involved, where now you have to be able to say, okay, look, how I move, I need to make sure I'm being aware of my surroundings, where I'm at, putting myself in good situations and not per se just like, hey, I'm gonna be out at 3 a.m. in a bad side of town by myself and kind of like hope for the best.
Because it's sure, you know, you're putting yourself in a bad situation.
SPEAKER_00: Yeah, and that makes perfect sense. And you know, I noticed you you got your master's degree in homeland security as well. And you know, obviously that it's talked about a lot, the the concept of a soft target. Can you explain why a pro athlete, I mean, this is almost like interesting that they are the among the strongest people on earth many times, and yet they can often be considered some of the most soft digital targets. Can you explain a little bit uh why that is the case?
SPEAKER_01: I think we touched on one is that right, you can't help who else takes photos of you, right? Um, I mean, it's just that easy where other people take videos, photos, so you can't really hide your location in that part, right? And then another part of it too is just you usually do have a team around you, right? And it's almost like with any corporation and things, like you really understand that a lot of times it's not even that corporation exactly or that person exactly that gets compromised. It's a third-party vendor that they integrate with, or if it's people, it's his financial advisor and the system they use, then they got through that person to get to him. So it's like not only do you have to think about protecting yourself, but then you have to think about the people that you put around you. And do you always think about that realistically? No. Right? Like I can't control if you're my marketing manager and someone sends you a, you know, a bad link talking about a marketing opportunity for your client, which would be me. Now, if you click that and then it gets back to me somehow and to my accounts or whatever I have going, it wasn't me, it was you. But, you know, so like that as well as trying to now protect people around you or make sure that they have the safeguards in place and are moving with the same amount of awareness as you, I think makes it a tough thing. And I think one of the last top things is that, you know, your salary is public information, right? Like, that's one of the funny things I think about of when I came in the corporate world and it was kind of like I remember I was starting to like, all right, well, what should I be making getting my first job? And I think I like asked one other person, like, what range should I be thinking? And it was like taboo, right? Like you don't ask people what they make, but I was coming from a world was like, your contract is online. As soon as you sign it, people know. There's no hiding that.
So then you talk about being a soft target. That's another thing. Like, if I easily know the amount of money you're making, I don't have to guess, right? So though those things I think are some of the top reasons where you'll have athletes that become soft targets because of the circle around them, because they can't control the other factors of people and like locations, and then because they're usually their salary is public knowledge.
SPEAKER_00: Yeah, and and their schedules, people on the road for two-week stretches. We've seen the the home burglaries, right? Of these pro athletes. Um, when they're on the road, they know that hey, it's a Monday night game and they're across country.
SPEAKER_01: So I feel like that's almost became like a like its own niche, like field of like, hey, there's this group of burglars, right? And we target athletes when they're away. Yeah. Right? Because to your point, like it's it's risen definitely within the last couple of years to the fact that, right, there's ESPN articles and all of these things. So like they're doing their research, they're they're and they're realizing like, hey, this is uh an actual thing where we could, you know, come away with whatever money or jewelry or you know, items that they can turn around and sell. But to your point, they know the location. We know that person's not here, so what's the likelihood then of someone else being there? We can just do a little recon and figure that out, but we know they won't be there.
SPEAKER_00: Yeah, yeah. And they and they can sit there for a while, right? I mean, I I think um some of the the average times that uh dwell time that a cyber criminal could spend in some of your accounts could be almost an entire year. I think it was like 200 days or something like that. So the you know, they're in it for the long play, and just when the moment's right to strike, they are prepared at that point. I mean, you mentioned the personal teams, which uh brings me to this next question because it's super important. I mean, they are surrounding themselves with a lot of trusted advisors, um, some may even have family offices, all of that stuff, uh, managing a lot of their sensitive information and and key accounts. Is this a case where cyber criminals often will almost target the weakest links within the inner circle to gain the backdoor access to the athletes themselves? Because like we hear talk about digital executive protection, because you know, executives are routinely being targeted, not necessarily for what the executive has, although of course that that plays a factor, but as a gateway into the enterprise or the organizations for with which they work. And in the athlete's case, it could be that family office or that wealth manager uh to get access to the athlete.
SPEAKER_01: No, absolutely. And I mean, these people are smart, right? Like anybody that's been in this field knows like the bad actors are smart, they're just using it for you know bad reasons, but they are very smart. They're not gonna just walk up to the front door, they're not just gonna go after the main person, they're gonna find that weakness, to your point. They're gonna recon in some accounts and sit there passively and wait until it's the right time or anything like that. But it's like, yeah, they could compromise your marketing manager's account and you know, within the first couple months, but like they're not doing anything yet. So I'm gonna just wait there. But I do know I have access when I want to. And, you know, and then start to build a profile and things like that. So I definitely believe that that's the things that we even see within our, you know, network security, our, you know, I'm in the telecom space, but just cybersecurity in general. The recon that these bad actors do is amazing, right? And they find different ways. Um, obviously AI is a new wave, and that is helping to really, you know, get granular with specific messages when you talk about phishing and things like that. But definitely as far as just going out to the weakest link to get in, is because all you need is a foot in. And then once you get in, you usually start to get access to the other members of that team because they're all usually integrating at some point in time. So once you're in, you just kind of, you know, we say you just start moving east and west and seeing how many other people I can get into and kind of now I've got all of these people in place that are around him, and then I can go after, you know, the main target that I'm I'm looking to get to.
SPEAKER_00: Yeah, I mean, you even just think about you know how many of those people are all connected to that same home network, for instance, right? Um you're used to watching game film, of course, to scout opposing defenses to find a weakness within the defensive back you're gonna be facing one-on-one that week. Similarly, obviously, cyber criminals uh scout their targets. Um, can you explain a little bit? I I we and we've touched on this throughout this conversation, but how they leverage OSINT or open source intelligence to create a scouting report of their own on an athlete before they even do uh initiate an attack.
SPEAKER_01: Oh, absolutely. I mean, it's just, you know, and I think that's one of the big things too, people don't take into account is just building a profile, right? When I say a bad actor builds a profile, right? Like, I can just steal your phone number from your Publix account, I can get maybe your address from your Uber account. I can, and I mean, but it's just like I'm slowly gonna build this digital like, you know, profile of you to then, you know, use it to, you know, then try to do a password reset of something. But now I know the school you went to, so if the question is, what's the mascot of your high school? Ding ding, I already got that. You know, and if I'm in your email, then I can reset, send everything there. And so it's just like you, they're definitely really good on building that profile and taking information. And we we touched on it earlier. We send so much information out, right? Like, who really, when they're downloading an app, scrolls through and says, hey, this app needs access to, hey, look, because if I don't say okay, I'm not getting the app. Obviously, I want the app, so okay. But you don't look and say, like, well, my camera needs access to my cash app. So now if the camera gets compromised, I would have never thought, well, actually, it has access to your cash app. Oh, I didn't know that. Well, it was in this in the fine print. You know, so that I mean, there's different ways like that, and the access that all of these apps have, and then that information that we're putting out, whether it's social media pictures with locations or our credit card information stored in different applications. But I mean, and it's another thing you touched on, like these bad actors, they'll take their time. They're not gonna just, hey, I only got one week to try to grab all of this. I've got a year, I got a year and a half. I'm just waiting for a slip-up. Boom, I got that one piece of information. I'll wait for another one.
Oh, okay, now that piece of, and I'm gonna slowly take my time to build that. And being that you're, you know, an athlete, you're in the public light a lot. So a lot of your whereabouts are known. A lot of things as far as your social media accounts and things like that are known. And if you don't, like we said, also make sure the team that's close around you is moving with that same security awareness, um, they can be easily compromised as well. And then, you know, that means you are as well.
SPEAKER_00: Yeah, and given that they'll they'll wait so long to attack, it's because I mean we think of the payoff, right? It it's worth it to them. They're like, hey, if I'm gonna be getting millions, not just we're not talking a thousand here or something like that, we're talking millions, uh, it's worth it to them to to take their time and and make sure that the moment's right um when they can strike. So yeah, that that brings up the vigilance aspect of it because it it really is just one moment that that can lead to having it all unravel. Um when it comes to I I know that you work in in telecoms and obviously uh the corporate security side of things, but when it comes to looking at a high profile individual like an athlete's entire home network, and our homes are now becoming more and more interconnected than ever before, what would you say is the most you know common technical vulnerability that would make a network engineer like yourself cringe a little bit?
SPEAKER_01: You know, that's a really good question because it's funny because once you start, right? I'm in a corporate network, um, but you start to think about your own network as its own little mini office network or something, right? Right, remote office network. So you talk about that, and like one of the things that cringes for me is just like people that don't change their default router password, right? You get your router. What people do is they change the Wi-Fi password, right? So they're like, oh, I get the Wi-Fi password, I changed that, like I'm good. And it's like, no, but like still that default password or the default that you can usually Google for like, hey, if it's this vendor, if you don't change that, people can log into your router and from there they can control, you can block you from the internet, lock other people. I mean, they can do so much damage from in there, but it's something that even like because I write the guy that comes in and usually installs the first thing they talk about is like, all right, here's your your Wi-Fi password, you can change that. They don't really walk you to like, hey, but you may also want to change your router password. Like, obviously, it would take someone kind of technical to even know about that. However, there are technical people enough to know like the router default IP address or your IP address because I can see it on the router on the sticker. Then therefore, if you don't change that password, I know what the default is, I can take it long shot. And if you haven't changed it, which you usually don't think to do, because you think you've done that at the Wi-Fi level, you think you've changed everything. Then once again, like I can get into there, I can block your whole internet to the house, and you're wondering why I can't do this.
So that that is one of the things that that I cringe at, and then just other devices that are connected to your home network that don't use multi-factor authentication, right? Because literally what we just touched on, right? Like, oh, well, who cares if my printer's on here? Like, that's an easy way people will try to get in is through something that you don't care about, or my refrigerator, or oh my Alexa app, like whatever it is, there's other devices that you don't give much security thought to. But just like we talked about, they integrate with your home network, which is then okay, if I'm on your home network and then you're at home going to your Bank of America, well, now maybe I'm sniffing traffic and trying to see, okay, I know you got a Bank of America account that can send me in that direction to try to see if I can see you, you know, passwords. If I catch a password in plain text from somewhere else, maybe I'll take a guess and see if that's your password that you use in there. But it's it's just so many things like that. Once they're on that home network and start seeing all your traffic to all the personal things that you go to, that profile building gets really strong.
SPEAKER_00: Yeah, then they can send you some targeted emails and say, Hey, uh, you you purchased this, remember? Like we're you and and now you can trust us because we we are we you we know that you purchased this.
SPEAKER_01: Right. So that means this is legit. I'm clicking on that link. Right. Right. So it's just like, and now you've clicked the link. I didn't look at the link, but now that's being redirected, and I mean so. Just all of that thing as far as just thinking about that safety and those little measures of two-factor and those things of like, okay, well, what is connected to my network? And I think it would probably shock people if they were like, okay, let me log into my router and see what devices it shows are connected. I guarantee they'll probably be like, there's a couple on here that I don't know. Like whether it's an old device or something that you just didn't even know had internet connectivity. Like, I didn't even realize my toaster connected to the internet. Like, okay, wow. Um, so yeah, things like that are definitely just when you start to think in the security mindset, the little things.
SPEAKER_00: Exactly. Yeah, a single port, a single vulnerability. It's all it takes. It's all it takes. Uh, really appreciate your time here, Deon. Before we go, um, I could say I saved the best for last because this is uh an exciting one with the NFL draft uh coming up next week. Let's go with a hypothetical example here. You're the chief information security officer for a top NFL draft pick. What are the first pieces of advice that you would give them regarding their digital footprint? I know that's a it's a wide-ranging one. There's probably a million bits, but um, yeah, what would be some of those top key pieces of advice?
SPEAKER_01: Right. I think just what we talked about as far as right, multi-factor authentication, get some type of two-factor for your important things, whether it's your bank account, whether it's you know, investment accounts that you have or different things like that, like definitely lock those down your email for sure, right? Because that's almost like a home base for everything, right? So make sure that's secure. If we need to change the password, let's change the password on the email just to kind of refresh, you know, some things like that. And then definitely as far as like the digital footprint, understanding, like, hey, there will be people that take pictures of you. So I want you to adjust on how you go out, where you're going out, what you want to do. It's not always gonna be perfect. However, move with that in mind, right? Obviously, we touched on the home network and the router, and like, hey, let's lock that down, make sure we're changing that. But things like that, I think, will be some of the top things that I would say. And then definitely to hey, your inner circle, let's see who it is. You define that to me, whoever that is, and we're gonna put the same parameters on them. And they have to understand that as far as because they're gonna be protecting you, you protect them, but it's it's a whole thing around you. If it's that team, they're also a vulnerability where people will be looking for and kind of just honestly having a conversation with them, like right. Like I said, that inner circle, just having a conversation, like, hey, you know, let's be aware of phishing, right? Because everybody's gonna be, oh, well, we're so-and-so company looking to do a deal with. Well, hey, there should be a like, hey, you reach out to his brand manager or something. Like, you're not coming through me. So why am I clicking a link to talk about a brand deal? And I'm just the cousin, right? Like, doesn't make sense. So just kind of some awareness around that.
I think that would be some of the top things that I would initially talk about.
SPEAKER_00: That's great. Yeah, and you also think, you know, in in corporate environments, you know, yearly people have to do certain trainings to catch up on some of the latest phishing attacks and things like that. But if you're working for an athlete or a celebrity or whatever it may be, you're not necessarily subjected to that kind of like training on a yearly basis. So yeah, to your point, it's important to have those conversations, which may be uncomfortable for some, but extremely important to have those talks because at the end of the day, it is your information and it's your money that's at stake.
SPEAKER_01: Absolutely. And I think just like you know, corporations have processes in place, right? So, once again, like I said, with just the example, if you're the brand manager and you're getting something talking about financials and an investment deal, hey, that's not my lane. I I push that email to so-and-so. They know who they're dealing with, or you know, if they, oh yeah, I talked to so-and-so already, they said it's fine. Fine, you still gotta go talk to them, right? And just having those processes in place, even if it's the athlete, hey, that they approach you, you send them to me, right? Like, but just having those swim lanes and those processes in place that help mitigate and help, you know, make that attack surface smaller. Because to you, like you mentioned earlier, they will try to find a weak link of someone who just clicks on stuff, right? So it's just like, you know, if you have that kind of conversation, and maybe like you're saying it's yearly and it can be quick, but it's just like, hey, all so-and-so stuff goes this way, all so-and-so stuff goes that way. Let's let's not try to get out of our bubble, right?
SPEAKER_00: Yep. Keeping things organized and uh making sure that all of those layers of protection are in place. It's that's great stuff. Deon Butler, thank you so much for joining us here on Uncloaked. This has been a very insightful discussion and really appreciate your time.
SPEAKER_01: No, thanks for having me. Appreciate it.
SPEAKER_00: You can listen to all episodes of Uncloaked at blackcloak.io slash podcasts or on your platform of choice. And if you're interested in becoming a member or want to learn more about how to protect your digital life, visit us at blackcloak.io. Thank you for tuning in, and we'll see you next time on Uncloaked.