How Companies Prey On Your Ignorance of Tech and Your Fear of Hackers

Originally posted on dev.to

"Everything Else Is Insecure"

Meet Nomx.
nomx
The "patent-pending nomx protocol provides secure, encrypted e-mail, messaging, audio and video communication services through a platform-agnostic protocol." This innovative protocol is delivered to you via a physical device that "allows users to transmit and receive secure communications using traditional email or messaging client."
Nomx: Everything else is insecure
shutupandtakemymoney

Would you buy this product? Think it over...I'll wait.

What if I told you that inside that Nomx box was a Raspberry Pi? Are you still impressed? Okay and then...what if I told you Nomx's special protocol was outdated versions of Postfix and Dovecot running on Raspbian?

Are you beginning to understand where I'm headed now? If you guessed "Nomx is full of sh**", you guessed correctly. Scott Helme, a UK-based security researcher was asked by BBC to examine the Nomx device because a lot of people were getting pretty excited about it. The company was claiming that they were the most secure because Google and Yahoo had already been hacked and they could guarantee that user's emails wouldn't be hacked. Scott Helme found that Nomx was largely underwhelming. I won't rehash it all here, but if you're interested check out his write up on his blog.

"SSL's that actually protect you are very expensive and have a long process"

Next up, shortly after the ISP legislation everyone began to seriously consider using VPNs for all of their browsing needs (except for Netflix). During that period of time, a company called MySafeVPN popped up to get in on the action. There were a few problems here. The first problem is that MySafeVPN presented itself as an affiliate of another company called Plex. Plex vehemently denied having any ties to MySafeVPN.

tweet

Crazy? It gets crazier, MySafeVPN's billing site (which oddly took you to myvpnhub.com) was not secure. A lack off HTTPS on a VPN site doesn't inspire confidence. The quote above was their response when asked about the missing SSL certificates. Well things went down hill from there. Turns out Plex had a data breach a few years ago that revealed email addresses, so that explains how Plex customers all received an email saying this new VPN service was associated with Plex. The whole ugly situation devolves into a twitter battle between security researchers and MySafeVPN, a racial slur, and a sketchy phone call.
tweet
You can read about it on Troy Hunt's blog. MySafeVPN's Twitter account is now suspended (probably because of the racial slur or the lying and using stolen email addresses to promote their business, it's hard to tell).

Nothing is 100% Secure

Companies, like Nomx and MySafeVPN, rely on the fact that you more than likely have no idea how encryption, networking, hacking, etc. works. They throw together a bunch of really technical terms that sound like they make sense and pray you can't tell the difference. ("Our billing site doesn't need SSL because we actually send that traffic back through our own VPN encrypted hyperloop tunnel" Did I do it right?). They feed on your fear that you can be hacked at any moment while telling you that you're powerless unless you buy their product.

Don't be fooled by their claims, there are things you can do to avoid being tricked into buying mediocre security services

  • Do your research on a product before you buy it. Chances are someone (probably a security researcher) has already reviewed it and written about it.
  • Don't trust any company that says it wrote its own encryption algorithm. Seriously. Just don't. Ever.
  • Be wary of any company claiming to be World's Most Secure thing. The truth is, 100% security is a myth and anyone who tells you otherwise is playing you like a violin.

We have this saying in security, "It's not a matter of 'if', but 'when'" when we talk about a hack or a data breach. It happens to everyone, both companies and individuals, on differing scales and differing degrees of impact. In your personal life and at work, you are your best defense against a breach. Taking the time to inform yourself of a risk before taking action is the best way to protect yourself.

Check out Matt Kiser's The Normal Person's Guide To Internet Security for tips.


Antoinette Stevens

Antoinette Stevens

Writing about tech and security.

comments powered by Disqus