F.A.K.E. Security – Exposing The Snake-oil Salesmen

We recently posted an article about RSA and vendors making promises about their products. In some cases these promises are not technically possible, or the vendors  are overstating what they can really do.

The RSA booth from F.A.K.E Security was epic! There is no other way to describe it. When we posted the original article we weren’t immediately sure, who was behind it or their motives, but it seemed like an amazing troll.

This lead us and other readers to want to better understand attribution. Why? So we understand more? Why they did this? So we can thank them? So we can just know? Because we’re curious people and need answers?

Shortly after posting, even before we could start our own research, we were contacted by Tina Velez with our first tip:

One of their social media posts included “Silo Saloon” in the photo. Authentic8, though they’ve denied it.  Trolly magnificent and provoking gimmick, regardless. Left with the Nation State Salve, sprinkled it all over AWS.

We replied asking a few more questions and got another reply:

I started poking around immediately. The social media accounts were all fairly new, and their “website” wasn’t HTTPS. I was on a mission to figure out what was going on. Still not 100%, but think it’s likely 🙂

It seemed like we quickly had our answer, but not fully satisfied, we decided to dig a bit more.

We started out with a few assumptions:

  • The responsible party(ies) have money available for such a stunt
    • A 10×10 booth at RSAC went for $13,000, and that’s just the space. We don’t have pricing available for the General Store, but believe that there must have been some additional dollars spent to bottle all that snake oil, obtain the ukuleles, and keep those mustaches so perfectly groomed.
  • The responsible party(ies)’ game plan and overall strategy was not immediately clear.
    • Would they keep their identity a secret? A challenge to solve?
    • Was this spectacle intended to provide nothing other than criticism of the overall state of the industry and the common themes on the vendor floor?
    • Would they be using this as a setup for a future vendor announcement or launch?

If we wanted to further validate that it was Authentic8, or someone else, why not start with their website and social media?

Clues From The Website:

In looking at the website, we didn’t find a whole lot. It was clear that the owner intended to ensure that this for the most part was anonymous.

From their website they have now stated:

Francis and his team of cybersecurity heroes are constantly moving from town to town, but you can stay in touch by subscribing to his newsletter here.

The footer of the website has:

©2018 F.A.K.E. SECURITY. All rights reserved. Site by A Daisy if you Do Design Corp.

Page Source:

<title>F.A.K.E. Security | The finest cybersecurity solutions</title>

<meta name=”description” content=”Francis Archibald Keyes, Esq. comes from a long line of cybersecurity busters, dedicated to saving the good people of the world wide web from cyber outlaws, APT bandits, virtual pirates, malware hoodlums, and the sort.” />

<meta name=”keywords” content=”Fake Security” />

<meta property=”og:locale” content=”en_US” />

<meta property=”og:type” content=”article” />

<meta property=”og:title” content=”F.A.K.E. Security | The finest cybersecurity solutions” />

<meta property=”og:description” content=”Francis Archibald Keyes, Esq. comes from a long line of cybersecurity busters, dedicated to saving the good people of the world wide web from cyber outlaws, APT bandits, virtual pirates, malware hoodlums, and the sort.” />

<meta property=”og:site_name” content=”F.A.K.E. Security | The finest cybersecurity solutions” />

<meta property=”og:url” content=”http://www.fakesecurity.com/” />

 

Domain Information

Before GDPR takes away Whois, we decided to see if there were any clues:

https://whois.icann.org/en/lookup?name=fakesecurity.com  (they used a proxy registration)

Registrant Contact
Name: Registration Private
Organization: Domains By Proxy, LLC
Mailing Address:DomainsByProxy.com, Scottsdale Arizona 85260 US
Phone: +1.4806242599
Ext:
Fax: +1.4806242598
Fax Ext:
Email:[email protected]

Image Recognition Search:

Could we do some searches say using Google Image search to track down some of the people that were clearly working the booth? Do we have pictures that are reasonable or do those pesky mustaches screw this all up?

What about finding who the people are in the YouTube Video posted on their website?

In looking at Authentic8’s management team there are few things that stand out right away.

In this tweet, the man standing with them in the picture is Scott Petry, Authentic8’s co-founder and CEO. Furthermore, one of the snake-oil salesmen looks a lot like Authentic8’s Head of Marketing, Drew Paik. The other could be Les Dunston, Head of Operations, though it was less clear. In the YouTube video with an interview, the resemblance the snake-oil salesman has with Drew Paik is even clearer without his glasses.

Phone Number:

The have a phone number on their website:

+1 (413) 367-7226

When you call the number, it rings five times then goes to a voicemail. The message is from a very smarmy male voice and says:

“Hi, This is Francis Archibald Keys, Esq. If you would like to purchase some FAKE security solutions, please leave a message. If you’re a bill collector, go away.”

Newsletter:

They do have a newsletter you can sign up for on their website.  And if you do, this is what is returned:

From: “Francis Archibald Keyes, Esq.” <[email protected]>
Mime-Version: 1.0
To:
Message-ID: <[email protected]>
Subject: We received your email. Thank you.
X-Drip-SendingAccount: 1123814
X-SG-EID: 3PlYPeTafYspdZQhAsCxlOFZITk92/SsXdl2NW0C1kGU6YgJSwd5kke1pHn8p2WN+2JKB6WrTaiLvf hYb6Yxf/RrEzDQB2krOBmduXGnxNqO/3lwjkDilky8IM2w1oijBhFbe1blM7D43Cs0XlTuNX3ndH45 x9YZt24mIN9cQX2/i01m4hXiZnC4cdQXj8qVjrdtTZMy8UUwBt+jclUHj0L/nuyqF9v8gZobK5bJSK BkLyHwnMke754XUr7T36m7
X-SG-ID: 6l1ICXxVk1U2NQBE+KPgxy+2kzw4JSm9ghS+NmEC4xbfce0/cQhZGyKZonCYKo4nwOR/Eg/vaS9AG3 MKZmd0xxzBExTeiBhc/H3vtRPhzcI4zTm5MIww+LCIUnTeF/QBKMVE/pA8BJgi3q1qspEwGEPFFib/ ReB1OJJtqRbVa3cBnjcfHi/MkMO7bHezIGr+rsSvZBDN2wW6HK6Z9HDPEyFH1rDofHW+LLrPaFRDH9 9x48Jvri9xPe60Bh7SlKDT

–cc19b5d9674a421b5c4629239601ca7be203fcda11aaffaac9b458087ad1
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset=UTF-8
Mime-Version: 1.0

Thank you.

We received your email address and you’ve been added to our
F.A.K.E. Security mailings.

Francis Archibald Keyes, Esq.

The Social Media

Social media links on fakesecurity.com led to the following:

  • Twitter – @FAKE_security: created in February, 2018. First post on April 1st, 2018. What a coincidence.
  • Instagram – @fakesecurity: created in late December, 2017. The first post then was of partial Authentic8 styling – one word: security.
    • Just like the Twitter account, true posting began on April 1st, 2018.
    • @authentic8 also “liked” one of the posts
    • More importantly, one of the posts included the “Silo Saloon” and with the power of NCIS style zoom enhance, Authentic8 can be seen on the sign.  

Authentic8’s own Facebook page confirmed they had “invited Francis Archibald” to speak truth to power on April 17th.

As mentioned earlier, the name of the booth was “Silo Saloon”. Authentic8 has a product named “Silo”. Additionally, the open lock on top of the F.A.K.E. Security cart in the booth is in the same style as Authentic8’s logo.

We had some comments on our LinkedIn post that confirmed that is was Authentic8 as well.

Responsible Party?

Unlike the majority of attribution cases, we are pretty darn confident in our conclusion. All roads lead to Authentic8 from the beginning, and as we looked we found more and more. Nothing technical was involved in our investigation, just some poking around on the websites and social media.

Thanks for the laughs, Authentic8. Or Russia.

Shout out to Tina Velez for working on this post with us!