The news has been a little slow this holiday season, so I am going to take the opportunity to go on a mini rant of sorts, explaining just how clueless business executives and “professionals” can be when it comes to their online or data security. I got motivated to write this after reading an article in Information Security Magazine discussing how passwordless authentication is going to become the next “Big Thing” of the future.
However, that article was a literal :facepalm: for me to read, because a PIN, which passwordless authentication relies on, is exponentially easier to crack than a password. Put another way, it is far easier to run a brute-force attack against a short string of digits, such as a PIN, than against a string of numbers, letters and symbols, such as a password: a four-digit PIN has only 10,000 possible values, while an eight-character password drawn from the 95 printable ASCII characters has about 6.6 × 10^15. Why anyone working in the field of information security would write an article advocating passwordless authentication as a good thing for the industry is completely beyond my understanding.
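To put numbers on the brute-force comparison above, here is an added example (not code from the original post or from the magazine article it discusses) that computes the keyspace of a few PIN and password policies and the worst-case time to exhaust each at an assumed guess rate. The guess rates and the 5-tries-per-30-seconds lockout policy are hypothetical illustration values, not measurements.

```python
"""Keyspace and exhaustive-search estimates for PINs versus passwords.

Added example for this post, not code from the original article or from
any product it mentions. The guess rates and lockout policy below are
assumptions for illustration, not measured figures.
"""
import string

# Assumed attacker throughput (hypothetical values, not measurements).
OFFLINE_GUESSES_PER_SEC = 1e10  # cracking a leaked fast hash on GPU hardware
ONLINE_GUESSES_PER_SEC = 10.0   # hammering a login form that never locks out

# Character sets a policy might draw from.
ALPHABETS = {
    "digits": string.digits,                                      # 10 symbols
    "lowercase": string.ascii_lowercase,                          # 26 symbols
    "alnum": string.ascii_letters + string.digits,                # 62 symbols
    # All 95 printable ASCII characters, space included.
    "printable": string.digits + string.ascii_letters + string.punctuation + " ",
}

# (label, alphabet, length): the policies compared in the post, plus a longer one.
DEFAULT_POLICIES = [
    ("4-digit PIN", ALPHABETS["digits"], 4),
    ("6-digit PIN", ALPHABETS["digits"], 6),
    ("8-char lowercase", ALPHABETS["lowercase"], 8),
    ("8-char printable", ALPHABETS["printable"], 8),
    ("12-char printable", ALPHABETS["printable"], 12),
]


def keyspace(alphabet: str, length: int) -> int:
    """Number of distinct secrets of exactly `length` symbols from `alphabet`."""
    return len(alphabet) ** length


def seconds_to_exhaust(space: int, guesses_per_sec: float) -> float:
    """Worst-case time to try every value at a fixed guess rate."""
    return space / guesses_per_sec


def effective_rate_under_lockout(attempts: int, window_seconds: float) -> float:
    """Guesses per second an online attacker gets when the target allows only
    `attempts` tries per `window_seconds` before locking (or throttling)."""
    return attempts / window_seconds


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that fits, e.g. '1.5 minutes'."""
    units = [("years", 365 * 24 * 3600), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"


def compare(policies, guesses_per_sec: float):
    """Return (label, keyspace, seconds_to_exhaust) for each policy."""
    return [(label, keyspace(alphabet, length),
             seconds_to_exhaust(keyspace(alphabet, length), guesses_per_sec))
            for label, alphabet, length in policies]


if __name__ == "__main__":
    for title, rate in (("offline", OFFLINE_GUESSES_PER_SEC),
                        ("online, no lockout", ONLINE_GUESSES_PER_SEC),
                        ("online, 5 tries per 30 s", effective_rate_under_lockout(5, 30))):
        print(f"\n{title} ({rate:g} guesses/s)")
        for label, space, secs in compare(DEFAULT_POLICIES, rate):
            print(f"  {label:<18} {space:>26,d}  {humanize(secs)}")
```

Run it and the gap is stark: a four-digit PIN falls in a fraction of a millisecond offline and in under twenty minutes online, while the eight-character printable password takes years even at ten billion guesses a second. The lockout row is the check a practitioner would add: it shows how much of that gap depends on whether the attacker gets to guess at full speed.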
With that established, here’s a look at a few other examples which also have me shaking my head in disbelief.
The other week I featured an article discussing two emerging businesses, Starlink internet service and Space Belt data storage. In fact, executives at Space Belt were so impressed with my coverage that they sent me an email explaining that the company had just raised another $100 million, asking me to write a press release about it in the future.
While I told their Chief Commercial Officer I would be happy to cover an update for them, I also used the opportunity to point out some serious flaws in their website's security. For example, the site does not even have a valid Secure Sockets Layer (SSL, today TLS) certificate, something that costs little or nothing to obtain (Let's Encrypt issues them free). I explained to him that without one, any hacker or interested third party on the network path can read or tamper with the information visitors input on spacebelt.com. I also explained that it is not a good look for a company trying to sell itself as a world-class security specialist to have the words “Not Secure” in the address bar of its website, the first thing any customer or visitor sees. I also run an online business website, and I wouldn't be caught dead trying to sell security with an unsecured website. Get it?
Well, apparently Space Belt executives didn't like my email or constructive criticism very much, because not only did they not thank me for bringing this to their attention, they have now stopped replying to my emails and still haven't fixed the issue. Below is a screenshot of the very problem I am talking about.
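To verify the problem described above rather than trusting what an address bar happens to show, here is an added example (not code from the original post or from Space Belt) that performs a validated TLS handshake against a host and, separately, checks whether its plain-HTTP front door redirects visitors to HTTPS. It uses only the Python standard library; the default hostname is the one the post names, the HSTS threshold is an assumption, and the sample responses are constructed so the parsing can be exercised offline.

```python
"""Check whether a website actually serves HTTPS and sends plain-HTTP
visitors to it.

Added example for this post, not code from the original article or from
Space Belt. Standard library only. The hostname default is the one the post
names; the HSTS threshold and the sample responses are assumptions.
"""
import socket
import ssl

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def fetch_tls_certificate(host: str, port: int = 443, timeout: float = 5.0):
    """Perform a real TLS handshake with certificate and hostname validation.

    Returns the peer's leaf certificate as a dict on success, or None when
    nothing answers on the port, the certificate is untrusted or expired, or
    it does not match `host`: all the cases a browser would flag "Not Secure".
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert()
    except (OSError, ssl.SSLError):
        return None


def fetch_http_head(host: str, port: int = 80, timeout: float = 5.0) -> bytes:
    """Send a minimal plaintext HEAD request and return the raw response head."""
    request = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while b"\r\n\r\n" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return buf


def parse_http_response_head(raw: bytes):
    """Split an HTTP/1.x response head into (status_code, {lowercased header: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def http_redirects_to_https(status: int, headers: dict, host: str) -> bool:
    """True when a plain-HTTP response bounces the visitor to https:// on the same host."""
    location = headers.get("location", "").lower()
    return status in REDIRECT_STATUSES and location.startswith(f"https://{host.lower()}")


def has_hsts(headers: dict, min_max_age: int = 15_552_000) -> bool:
    """True when Strict-Transport-Security is present with max-age of at least
    180 days (an assumed threshold). Browsers only honour HSTS when it arrives
    over HTTPS, so apply this to the HTTPS response's headers."""
    value = headers.get("strict-transport-security")
    if not value:
        return False
    for directive in value.split(";"):
        key, sep, num = directive.strip().lower().partition("=")
        if key == "max-age" and sep:
            return num.isdigit() and int(num) >= min_max_age
    return False


def audit(host: str) -> dict:
    """Combine the live checks into one report; network errors count as failures."""
    report = {"tls_ok": False, "cert_not_after": None, "http_redirects_to_https": False}
    cert = fetch_tls_certificate(host)
    if cert:
        report["tls_ok"] = True
        report["cert_not_after"] = cert.get("notAfter")
    try:
        status, headers = parse_http_response_head(fetch_http_head(host))
        report["http_redirects_to_https"] = http_redirects_to_https(status, headers, host)
    except (OSError, ValueError, IndexError):
        pass
    return report


# Constructed sample responses so the parsing logic can be exercised offline.
SAMPLE_REDIRECT = (b"HTTP/1.1 301 Moved Permanently\r\n"
                   b"Location: https://example.com/\r\n"
                   b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
                   b"Connection: close\r\n\r\n")
SAMPLE_PLAIN = (b"HTTP/1.1 200 OK\r\n"
                b"Content-Type: text/html\r\n"
                b"Connection: close\r\n\r\n")

if __name__ == "__main__":
    import sys
    print(audit(sys.argv[1] if len(sys.argv) > 1 else "spacebelt.com"))
```

`fetch_tls_certificate` deliberately uses `ssl.create_default_context()`, so an expired, self-signed or mismatched certificate fails the same way a missing one does; a site only passes if a browser would also show the padlock. A site that answers on 443 but leaves port 80 serving content without a redirect still exposes every visitor who types the bare domain, which is why the plaintext check is reported separately.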
Askar Refugee Camp
It is a generally known fact that the international cyber espionage/hacking capital of the world is Israel, which has been granted immunity for this sort of activity over the decades. Not only this, but last month I featured a report explaining how 22% of Palestinian women have given up and stopped using the internet entirely after regularly coming under cyber attack and facing sexual harassment online. I also personally got a hacking group known as “PinkiHacks” banned from Twitter entirely after they announced #OpIslam and #OpGaza, an online hacking campaign aimed at Arabic educational institutions and anyone living in the disputed territories around Israel.
It should go without saying, but perhaps no one in the world is more vulnerable in 2018/2019 than Palestinians, both online and off. For this very reason I reached out to Amjad Rfaie, Director of Askar Refugee Camp, offering to install online security for his website and host his email servers privately. In fact, I was willing to pay money out of my own pocket just to do this. However, for reasons unknown, perhaps because I am an American, he has declined.
I was afraid for him because he runs a completely unsecured website lacking even basic security measures, and runs all camp email through an outdated Yahoo account. For those of you unaware, literally every Yahoo account that has ever been created has already been hacked, and Yahoo remains perhaps the most insecure email hosting platform in the world. Given the tensions in the region and the important role he serves in his community, I feared that Amjad could one day soon become an easy target for Israeli hackers, if he hasn't been compromised already. Once again, however, he seems utterly disinterested in allowing me to help him and, for reasons I simply do not understand, doesn't even respond to my emails or texts anymore.
New York City Public Library
Here’s another interesting experience I’ve had while trying to launch my online security startup, this time involving the New York City Public Library (NYPL) system. One day I noticed all the free public classes the library offers, and given my knowledge of cyber security and the tutorials I have already prepared, I figured it would be a good opportunity to share my knowledge with the world and get my name out there. However, shortly after handing in my application at the front desk, I could hear people in the back talking about how “we have to sabotage this application,” explaining that they couldn’t let me work or teach there because the week before I had used the library’s printer to print out a visa application for Russia. To this day I have not heard one word back from the library, and I suspect they threw out my application the moment I handed it in.
Not only this, but one day I also reported a bug affecting their laptops. The NYPL claims that every time a session expires, all data from the previous user is automatically deleted so it cannot be read by the next user, something I found to be untrue. Not only did I personally find multiple résumés left on a computer by previous users, I also tested the system myself: I purposely left my résumé open in a Word document and let the session expire. I then went to the front desk and had them open the laptop with a new account where, surprise, my résumé was right there on screen, a serious data security bug built into their systems. Instead of thanking me for pointing this out, the person behind the desk grabbed the laptop out of my hands and threatened to “tear up” my library card. While their supervisor overruled them, it serves as yet another reminder of how belligerent people get when you try to teach them something about security, even when you are trying to help.
Every Job I Have Ever Applied for
There is a reason I am attempting to create my own news and security company: my work in these fields has made me completely and utterly unemployable for the better part of the last 4 years. Rogue Media Labs is my 5th website, after closing my previous 4 domains. Despite small changes here and there, over this time I have always covered hacking events and cyber security developments, much as I do today. However, despite my unique skills and knowledge, everyone seems to be scared off by what, or how much, I know.
Look no further than the “Hacking News” section of this very website, which seems to scare the living daylights out of everyone for some reason. I say this because over the course of the last 3+ years I have applied for well over 300 positions around the country and the world, and have received only 2 callbacks, one interview and 0 hires. As a result, I currently live and work out of a homeless shelter, where I have lived for the better part of the last 9 months, with no one in the world willing to let me work or even volunteer for them. I literally can’t even pay money out of my own pocket to help secure someone; just ask Amjad about that. Because of the very news I write about, literally no one in the world wants anything to do with me.
My Side of The Story
I’ve tried explaining to people that there is a reason why I can interview hackers, cover data breaches and publish leaks without the same hacks or hackers affecting me: we both know how hard I am to hack. Some of the world’s most powerful hackers have personally demonstrated to me that it is easier to take down ProtonMail than my own website. I keep trying to tell people that if you had hired me in the first place, your website wouldn’t have been hacked and your data would still be safe. There is a reason I am trying to start an online security company: I know what I am doing, even if you don’t.
Still, people see me reporting on hacking and think I must be the most underground secret criminal in the world, or that I can’t possibly be trusted to handle any sort of data, never mind do legitimate business with. It is almost as if employers or executives give no thought whatsoever to the fact that in order to learn how hacks are pulled off and how to mitigate them, you have to study hacking. It doesn’t occur to anyone that you can only learn how to prevent hacks by learning how others are being exploited. The only way I’ve ever learned anything about securing myself was by being targeted by world-class hackers and cyber attacks, experience which cannot be taught or replaced. There is a reason no one can hack my website today: I’ve put in the dirty work and research to learn the trade secrets. Still, it doesn’t seem to matter.
But then again, maybe I should be thankful? With the corporate world’s refusal to learn how to secure itself, I should have no shortage of hacks and leaks to keep writing and reporting about in the future. So don’t tell me there isn’t a silver lining to every story.
Categories: Hacking News