Search
Close this search box.
EPISODE 91
Mobile Device Security with Haseeb Awan

MOBILE DEVICE SECURITY WITH          HASEEB AWAN

About this episode

Haseeb Awan is the Founder & CEO at EFANI Secure Mobile. In this episode, we’ll hear about Haseeb’s cyber path, and we’ll explore some of the biggest mobile phone risks and what you can do about them.

In the beginning, Haseeb tells the story of how his phone number was compromised not once, not twice, but three times, with basically the same type of attack and how that forced him into cybersecurity.

Then, Kip and Haseeb go over some of the risks that mobile users can be a victim of and the ways your mobile number could be compromised from social engineering, bribery of account executives, to SIM swapping, and man-in-the-middle attacks.

In the end, Haseeb finishes off by discussing how cybersecurity is growing and that cyber risk is greater than ever and that more countries and organizations are building cyber armies.

What you’ll learn

  • How did Haseeb get into Cybersecurity?
  • What is SIM swapping?
  • What is an IMSI catcher?
  • What is location tracking?
  • Who should worry about their mobile security?

Relevant websites for this episode

Episode Transcript

 

Kip Boyle:                                      
Hi everyone. Welcome to Your Cyber Path. I’m Kip Boyle, and today I’m here without Jason Dion. He’s taking a well deserved vacation. Jason likes to go on cruises, and so I think right now he’s either getting on board a ship or getting ready to get on board a ship, but that guy goes on more cruises than anybody I’ve ever met. He really, really loves them, and I haven’t even been on one yet, so he’s trying to convince me to go on a cruise.

Well anyway, this episode, we’re going to focus on a couple of really cool things I think you’re really going to. We’re going to talk about mobile security and we have a guest that we’re going to do that with, but we’re also going to learn about our guest’s own cyber path, how he got into cybersecurity. And so I think these two topics are going to be really helpful.

And our guest, his name is Haseeb Awan, and Haseeb is the founder and CEO of a company called Efani Secure Mobile. And as you can guess why, he’s going to talk about some of the mobile security topics that we think would be helpful for you as a person who either wants to get into cybersecurity, or maybe you’re already in cybersecurity and you’d like to brush up on the latest risks with mobile devices. So Haseeb, thank you for being our guest. Welcome.

Haseeb:                       
Thank you Kip for having me on the show.

Kip Boyle:                                      
Yeah, absolutely. I think we should start with learning a little bit more about who you are and the work that you do, and then I would love to hear your story about how you got into cybersecurity. So what does it mean to be a founder and CEO of Efani Secure Mobile?

Haseeb:                            
So first of all, being a CEO of any security company is super stressful. And I’ll tell you the reason, because every day wake up, you hear about this company got breached, this company got breached. And it’s like you’re saying, okay, when is my number? When I’m next? And you know that everyone is trying right now, you will be sleeping and someone is trying to kill you, think about it. And you’ve built a fortress, think about it, you have built an external fortress around you and you are sleeping in the inside. But you’re sleeping and you don’t know what kind of attack are you getting, with the AI and everything, and who’s going attack you.

Like in a physical wall, you can say, okay, I live in San Juan, Puerto Rico, just to give an example, so what can you do for security? So you can say, okay, no one is coming in F16 or those planes that bomb me, but what can happen, there’ll be like some guy who want to get in, so you can protect against that. But otherwise in cybersecurity, it could be anywhere from anywhere in the world.

Kip Boyle:                                      
And I love your fortress example, like a castle or something like that. And what I tell people is that analogy is good, but we live in a day and age where people have drones, and so castles really aren’t that useful anymore, digital ones. So we’ve got to recognize that perimeter networks aren’t as useful as we thought they were.

But Haseeb, I think all CEOs, no matter what their industry, should have the same concern that you just described, because everybody who’s doing business on the internet is a target, whether they realize it or not and everybody’s digital assets are at risk to the attackers. So let’s talk a little bit about, because we’ll get to that as far as mobile goes because there’s so many mobile risks, but before we do, I would love to know about your journey to become somebody who’s working in cybersecurity. Would you tell us?

Haseeb:                            
I got into that by force, so I’ll give you example of what force. Around 2019, around ’18/19, I decided I want to buy a bank. I know it looks pretty stupid, but I said, let me buy a bank.

Kip Boyle:                                      
Buy a bank, I don’t wake up with that thought. This is fascinating, keep going.

Haseeb:                             
So I said, okay, let me buy a bank. And the reason I want to buy my bank is because I worked in crypto industry since 2013, we built one of the largest Bitcoin ATM networks in the world. And for people, is like physical machines all across the world. You go to a machine, you buy a Bitcoin, and I said, there’s no crypto bank. We have a lot of crypto users, but there’s no bank linked to crypto. I like niche businesses. So we have exchanges, but banks are banks, there’s a need for that. Can we turn a regular ATM into a bank? So that’s a long story.

But long story short, one day I wake up and, I’m sorry, I’m working on my computer and I got an email that, sorry to let you go. Wait a minute, what do you mean let you go? So I knew about SIM swaps and everything, but what the hell happened? So for a few seconds I was in disbelief that it happened to me, because the challenge for cybersecurity, any incident is that you’ll say, oh man, it happened to someone, it doesn’t happen to me. People get hacked every day. During our podcast, thousands of people will be hacked and we don’t know. And we always think it’s not going to be me, it’ll be someone else, because I’m not important enough and I keep my low profile.

So anyway, I got hacked. I tried to call, and how do you call? My phone is hacked. I can’t make a phone call. So I said, okay, what do I do? I literally picked up my car and I went to a store and they said, sir, we have no idea because you don’t exist in our records anymore. You’re not a customer. So I’ll pick up a random name, which is not the case, so think about you’re a Verizon customer, your phone gets hacked, and you walk into a store and say, Kip, you’re not in our system anymore.

Kip Boyle:                                      
Do you mean the store of my mobile provider?

Haseeb:                             
Provider, yeah. I’m just picking up a Verizon name or T-Mobile name, I’m just picking up names just for people to understand. So I walk at T-Mobile store say, Kip, you are a customer but you’re not a customer anymore. Okay, so which company I’m customer of? I don’t know. What do you mean? I basically go into a store by store and find out whose store my number-

Kip Boyle:                                      
You’re holding your phone that used to work and doesn’t anymore.

Haseeb:                              
It doesn’t anymore. And they say, yeah, but someone just moved. You used to be a customer yesterday, now you’re not a customer. And who is the new customer? I don’t know. And I said, what kind of a stupid problem this is? I didn’t do anything. And so I called the fraud department and again, how do you call? You call from a cell phone which I don’t have it, and they will not help me out because-

Kip Boyle:                                      
You are not a customer anymore.

Haseeb:                             
… they’re not a customer anymore. And I said, man, like what kind of stupidity is this? So I called from a different line and they said, sir, I can’t see you because you’re not customer anymore. And I said, okay man, I’m not your customer, I did not become your customer, I didn’t do that. And they said, we don’t know, because you’re not a customer so we don’t have any information.

Kip Boyle:                                      
Oh gosh. And you want your phone number back.

Haseeb:                             
I want my phone number back. So long story short is that, I spoke to fraud department and I told them specifically what happened, and they said, oh okay, now we know what happened, but you’re not a customer anymore. So how can I help someone who’s not a customer? I said, but this is exactly the fraud, that I was your customer and I’m not a customer anymore.

So that’s a funny part that we got, so we spent some time and it took me almost a day or two to get my number back. And during that time, the guy is looking into my bank account, he’s calling my bank, he’s calling my friends. So Kip will call him, he’ll disconnect the call, say Kip, I’m in trouble right now. I can’t talk that, but can you send me some money? Or they will have a call, so what will happen is you’ll call, and I’m just texting, hey, I can’t talk right now, I’m in a hospital or something. Man, what is happening? He tried to go into online and he tried to get into my bank account, and try to get into my emails, because it’s very easy, simple. Once you have a telephone number, you can get into, because everyone has a Facebook account, have social media, so they’ll go on each and every account, Gmail, Hotmail, do a password reset.

So I got my number after two days, that was such a stressful time. So they said, okay, we’ll give you a new account number and now you can’t get hacked, and so I was placed on a very high risk. Guess what happened? After a couple of months, I got hacked again. And the same thing, you’re not a customer anymore. So I changed my provider, happened to me for a third time, And then for the fourth time. And I was kind of like, my life [inaudible], I’m only sitting here, I couldn’t function anymore, Kip. I thought that I’m very good in cybersecurity, I thought I’m those guys who can show off, do whatever you want to do, I’m protected. But if my fortress is getting breached every day, as you mentioned by a drone or something, I cannot do anything in my life because I’m always afraid about, oh someone’s going to hack my bank account.

An example I used to give to people, I said imagine you come to your bed, you’re at work and you come back and you want to sleep and there’s a note on your bed, I was here. That’s it.

Kip Boyle:                                      
That’s awesome, that’s such anxiety.

Haseeb:                              
And you can’t sleep anymore, what the hell is this? He would not do anything, but you know that someone has accessed the most private thing in your life, which is your cell phone.

Kip Boyle:                                      
Yeah, it’s traumatizing and you feel violated, and then you start looking over your shoulder all the time. I totally get what you’re saying. So now, do you think that you were being targeted for hacking? Do you think it was just random? Because you said you were working in Bitcoin, so I just wonder if that raised your profile as somebody to attack?

Haseeb:                             
It did, certainly it did. I was high profile, but I also realized that once you get hacked, the chance of it becomes higher and higher. Now with the AI stuff, it’s getting even crazier, because people can ask bots to build me a hacker. Find me a list of 100 vulnerable people in the world, just to give an example, and [inaudible] people to create something.

Kip Boyle:                                      
Yeah, it’s computer assisted now.

Haseeb:                             
So you can actually use those bots to take up, because a lot of people don’t know that, you can train AI models. You can just take it, train it and they can work for you.

Kip Boyle:                                      
Well, I’ve been playing around with ChatGPT, and so this is the first time that we’ve really had something available to the general public that’s AI/ML and that you can start to actually experiment with in the way that you’re talking about.

But I want to go back to a comment, you said okay Kip, I got into cybersecurity because I got hacked. One day I woke up and I wanted to buy a bank, that was a great way for you to start your story. So then you got hacked and you got hacked multiple times, so at what point did you say, I’m sick of this, I’m going to start working in cybersecurity? What was that moment like?

Haseeb:                             
So I didn’t think of cybersecurity, I just said how stupid this is that this cell phone, which is my life, anyone can come in and breach and go? How stupid? I can set up my VPN and I can set up my password manager, I can setup firewalls, I can do whatever, but if someone can [inaudible]. I was actually very, very surprised on what can we do around cell phone security, like how stupid is this?

So I asked my friends who are very [inaudible], I said, what do you do for cell phone? Say we have someone who goes to AT&T store on our behalf and they buy the number for us? I wondered that, how can we make it much cleaner?

Kip Boyle:                                      
So that’s a bribe, is that what you’re saying? Is that somebody actually-

Haseeb:                            
It’s a bribe and social engineering. I was in crypto so I went online, there is a lot of eBays for illegal stuff so you can buy drugs, you can buy stuff. And there are people who work in the store and they say, I’ll hack any number for you for $200, $300, give me money. And what they do is they will get hired in a store, and you’ll be surprised that getting hired in a store is similar to getting hired in McDonald’s. You walk in, you fill up an application, boom, you are [inaudible]. Now, anyone who’s there can now look into anyone’s account and make changes to the account.

And I said that, shoot man, our entire security comes down to this person. And then every customer company is now outsourced, so they have call centers outside who have access to everything. And the interesting part is, the people who work in the call centers, they’re not even employees of the main company. So now carriers basically have call centers, they will give a contract to a company, and then they’ll give it to us.

So I start talking to people and I said, I need to fix this. I started a company for myself, I said, I can’t do anything unless I fix this problem, because it’s like my mental health is gone. I can’t think anymore. Because every time I’m looking up, I’ll wake up at 2 o’clock in the morning, and I’ll look at my phone if it’s hacked or not. I cannot go to a bank anymore.

Kip Boyle:                                      
So you’re like a lot of entrepreneurs, you felt some pain and then you decided that you wanted to do something about it. Now, a lot of people are feeling that pain as well, and so those people can become customers for you. Am I following your story?

Haseeb:                             
Correct, yeah. So I asked my friend, I said, hey man, I have found a service that will basically protect your phone and this is what they’ll charge. How many people will buy it? So I think I put up a Google Docs page, a Google forum on the weekend, we got three, four thing. And people are nice, they like it, they like the idea, but unless you get paid for something, like if I come to Kip, I’m working on making this chocolate, it’s the best chocolate in the world. Kip would say, man, this is the best chocolate in the world. But unless I say Kip, from now onward, I want you to pay for it, that’s where you understand if my product have merit or not, right?

Kip Boyle:                                      
Yes.

Haseeb:                              
So I went and I [inaudible] people paying for it, I think within a week we had 12 paying customers. And I said, man, I will not disclose the name of the company yet, but if you don’t like it, you can take your money back, but I want to have 100 people before I can decide they will like to take the customer. So we got to maybe two dozen customers, I said, okay man, that’s good enough that we are getting customers. So I set up a telecom company, I said, how do you set up a telecom company? So we went to Google, and so myself, I came from how to buy a bank to how I buy a carrier?

Kip Boyle:                                      
That’s great.

Haseeb:                            
So to figure it out, I spoke to some people and when there’s the will, there’s a way, so I figured how to start a telecom company in the US. And what I said is, we’ll do only one thing, no one can get access to your account. And obviously, Kip will say, okay, that’s fine, but why should I trust you over Verizon? If Verizon goes down, I can say Verizon screwed it up, but if you went down, I just talk to a random person who just decided to start a company. So I said, okay, I will buy you an insurance policy and if you get hacked, you get $5 million in damages. And here’s the policy, here’s my number you can verify, so if something goes wrong, I’ll pay you $5 million. And I paid the premium upfront.

Kip Boyle:                                      
Okay. So you’re up in the game, you’re telling people, this is not going to happen if you become my customer and these are the things that I’m going to do. And if somehow it does happen, don’t worry, you’re still covered, because Haseeb, you and I both know, nothing’s hack proof, right? Nothing is absolutely 100% secure all the time. So I think it’s really wise of you to do something with insurance to manage the risk that somehow somebody might find a way to mess with your customers.

This is a fascinating story that you’re telling right now. Could we now talk about risks to mobile security? So you’ve already put the first one on the table, which is that account representatives at major telecom providers can be compromised by bribery and social engineering. What about other risks like SIM swapping is a big one, right?

Haseeb:                              
SIM swapping is obviously the easiest one. We have IMSI catcher, you have a lot of stuff, but SIM swapping is something where literally someone in a store can screw your entire life. Obviously, other things require a lot of information about how to access them, malicious links are simple, they send you a link and you click on the link, or there could be scams where they call you and say they are my IRS agent or those things. But SIM swapping is such a simple thing and the most effective way to hack someone. I can say, oh, I never send someone money on the call, I can say everything, but SIM swapping is something that I don’t control, because it’s on a different carrier.

Kip Boyle:                                      
Right. And SIM swapping as I understand it, this isn’t where a mobile carrier account rep is being bribed, but they’re being tricked, that’s the social engineering. If I want Haseeb’s account, then I would call Verizon and I would say, hi, I’m a Haseeb and I have a new handset. Would you please port my number to my new handset? And then I trick them, maybe I have some confidential information of yours that I can use to impersonate you, and then if I’m successful, your service turns off and then I get your service on my handset with my SIM and now I can actually start hacking your life. Is that kind of how it works?

Haseeb:                             
Exactly that’s how it works. So SIM swapping is right now, you can go online, you can buy data on anyone. There are companies who have billion [inaudible] just because they sell people that. So yeah, that’s what happens, you can get someone’s social security number, you can find someone’s driving license number, and everything that’s required to do.

So other person on the call, he doesn’t know you personally.

Kip Boyle:                                      
Right, never heard my voice before.

Haseeb:                                
Yeah, he’s just looking at your name and as soon as it check marks, they say, okay man, I’m doing it. And he’s like a robot, he just identifies what needs to happen. And the carriers actually, so they have laws around it where carriers have to act on a number swap very fast, it’s within hours. If you don’t swap within hours-

Kip Boyle:                                      
Because that’s supposed to be a consumer-friendly law, right?

Haseeb:                              
Correct, yes. It was basically the carriers, so carriers know that, if they stop someone, they can get sued.

Kip Boyle:                                      
So how do I protect myself against SIM swapping? What do I do?

Haseeb:                            
Easiest and the most effective way is obviously us, which I’m obviously biased. That’s the easiest way, you go to our service, the Efani service, and you do it. Otherwise, you can just call your carrier and say, don’t port my number. Now, they don’t work, but still it’s something that is like a scale of zero to one, if you’re a zero to take you to one or two at least. So just tell them to put a lock on my number. But that’s a real risk, because that’s the weakest lin.

Kip Boyle:                                      
Okay. Now what about, there’s some other mobile risks that we need to be aware of, like IMSI catchers, I’ve heard of that before, but I don’t think I could tell you how it works in the way that I kind of knew how SIM swapping works. Would you mind just telling us what is an IMSI catcher and why do we need to be concerned about that?

Haseeb:                              
Yeah, IMSI catcher, international mobile subscriber identity, which is every SIM card have an identity. So the way it works is we have public number which is our SIM card, which is our number, but actually it’s translated into a different identity that is only listed by carrier. So I’ll give you very simple example, if you don’t get a coverage in your house, you set up a booster sometime, a cell phone booster. That booster could be legitimate, but that could be a rogue one as well. So I can give you a rogue booster, which basically sends one to signal and one to the rogue thing, so that would happen.

So what happens normally in these catchers is that people build those and they will give it to people or they’ll install in locations where all the carriers, so the cell phone will think this is actually the closest tower. Normally what happen is that if you have multiple towers, it’ll connect to the strongest one which is the closest one, generally the closest one. So it connect to that and you are talking to someone, so you can be making a call to 911 and the tower can actually redirect you to a different person. So if you’re talking about extreme example, what can happen is you call 911 and the call gets directed to a random center and the person says, help is on the way, but it’s not help, basically the guy is trying to kill you.

Kip Boyle:                                      
Okay. And now you said IMSI is how you pronounce I-M-S-I, right?

Haseeb:                              
That’s right, yeah.

Kip Boyle:                                      
So an IMSI catcher is like a man in the middle attack, it’s a fake-

Haseeb:                              
It’s a fake tower.

Kip Boyle:                                      
… it’s a fake tower, okay. Now, I’m aware that police sometimes use this, or intelligence agencies sometimes use this. Okay, thank you. All right, now that actually makes a lot of sense. Now, what can I do to detect whether my mobile device is talking to an IMSI catcher, is that something I can even know?

Haseeb:                            
Not for consumers it’s critical. We have built protections against it, but frankly we don’t even give it to our customers. Because it’s so complicated, it’s not convenient for people because sometimes you have false positive, and secondly, no one needs this stuff and costs a lot of money to us, so we don’t even give it to customer. But we do have give it to high-profile clients and some agencies, because there’s laws around it. Sometime interception is done lawfully, so you don’t want criminals to know that they’re being intercepted.

Kip Boyle:                                      
Exactly.

Haseeb:                             
So without talking into that, yes, you can protect against that, but it’s slightly complicated.

Kip Boyle:                                      
Probably not a great subject for the podcast here, but maybe I could put something in the show notes to send people to a webpage where they could read about it.

Haseeb:                            
Yeah, but again, we don’t sell it to consumers. Even if they come to our website, we can’t give it to them.

Kip Boyle:                                     
Got it, okay. Well let’s move on then, what about location tracking just in general?

Haseeb:                              
So location tracking, you may be sitting somewhere and you get a signal, like an amber alert, there’s a flooding happening or this is happening, so those things happen by location. Any subscriber in the world, you can actually find their location just by having the telephone number. It’s a ping thing, think about a ping, so you can ping someone, and normally carriers do that.

But what happens is, I’ll give you a simple example, it’s like confirming someone’s bank information. Banks have a way to figure out if this bank account is valid or invalid.

Kip Boyle:                                       
So they ping the account.

Haseeb:                             
They ping the account. So if I have a Russian career, I can put someone and I can find their location to confirm, and I can exactly find where they are right now. So that is used mostly for, you may have heard about that someone just got killed in a bomb blast and the person was very important person, he was traveling in XYZ place. That’s what happened, the carrier will basically find out where the person is and just ping the response and find that person.

Kip Boyle:                                       
And I’ve heard that you can also do location tracking by mobile tower triangulation, there’s other ways to do it.

Haseeb:                              
Yeah, that that’s the way to do it. So mobile triangulation is how you do it, but you need your telephone number and you just ping the phone and it gives you a location.

Kip Boyle:                                       
Okay. Now, I’m a little bit aware of this because I have helped political activists who are working in repressive countries and they’re trying to organize citizens to protest against the policies of oppressive governments. And so I’ve actually been involved in trainings where we talk about this location tracking and that sort of thing, and how very careful they have to be. I even tell them, if you cannot carry a mobile phone if you’re going to go to a protest, that’s really your best bet. But that’s difficult, because people need to get text messages and they need to communicate.

Haseeb:                             
Yeah, [inaudible]. A lot of times our work is very, very difficult because you don’t want to over share because anything that a person can use in a positive way can also be used in negative way. So it’s like a sword, you don’t want to teach guns to everyone.

Kip Boyle:                                     
Yeah, absolutely.

Haseeb:                              
So a lot of times, that’s why the service I told you, we don’t publicly tell how it works, so we just say, come to us, we’ll see if you qualify and we can help you out. And frankly, things are getting better now, there are a lot of tools out there that he can use to protect.

Kip Boyle:                                       
Could we talk about something that’s been very high profile in the news lately, which is the kind of cell phone surveillance that’s enabled by the NSO Group or organizations like them? It seems very insidious, but what’s your take?

Haseeb:                             
Certainly, so I’ll come back to zero-day exploits. zero-day exploit basically is something that has not be fixed. zero-days effectively, we mean zero-day is today, no one knows that. And NSO group is, they have a marketplace online, and that’s another way how people make their career in cybersecurity. They’ll find a bug and they will sell it online on forum and say, I know how to get into someone’s Microsoft account, and then people will bid on them and they’ll sell it. NSO Group is the one that buys a lot of exploits, NSO is one of the thousands of groups. And they buy exploits and then they sell it to different nations, and they have contracts that okay, I want to monitor social media just to give an example, and they will say how to get into Facebook. So once they find the bug, they will go to different countries and find out.

So with the NSO bug, the details on a lot of this is not public because we can guesstimate about how things work out, but technically it’s just location tracking, where people can find location and that’s how they were able to [inaudible]. But even as of today, a lot of people in the world are being surveilled because it’s legal in most of the countries.

Kip Boyle:                                       
Yeah. Well, I know that zero-day exploits and remote zero click exploits and that sort of thing, is how the technology works. It used to be that they would have to send you a text message and you’d have to click on the link, and now they’ve evolved their technology to where they just have to send something and you don’t have to take any action, and then your phone becomes silently compromised and they can conduct remote surveillance. And there’s been a lot of high profile investigative journalism on this, and I’m just curious to know, is this something that you in the service that you provide through Efani, is this something that you have to deal with?

Haseeb:                             
Yes, certainly. Absolutely. We do work like, these are services that we don’t advertise, so we have to look at a person we sell to. It’s like a gun, who do you sell the gun to? And then the challenge is because we have to go with specific laws too.

But yeah, it does become a challenge. It’s a real concern because a lot of those bugs are left intentionally, so governments can also tap into those people too. But again, there are people who work in government, they pass on the secrets and then people in the [inaudible]-

Kip Boyle:                                       
Or those secrets just get lost or stolen, like NotPetya and WannaCry were both enabled by a cyber weapon called EternalBlue that the US government had stockpiled, and then it had been stolen or somehow had gotten loose, and then it was used to actually launch those attacks.

And there’s a really great book by the way about zero-day exploits that I listened to recently, I like to listen to audiobooks, and they talked in that book a lot about how the market for zero-day exploits actually developed, and how the NSO Group and other organizations have weaponized and how governments have weaponized this in order to enable digital surveillance.

But tell me if I’m wrong, it seems to me like ordinary citizens don’t really have to worry about the NSO Group or somebody like them hacking their phone. Is that right?

Haseeb:                            
No, no. You can get a lot of people hacked, those are expensive attacks because you can only conduct them specific over time. It’s not like you can go after everyone. If someone finds my location, what can they do? But if someone can get into my bank account, that’s more interesting to them. Sometime it’s like money part, sometime it’s other stuff. So ordinary people do not have [inaudible]. Why spend so much money where you can just pay $100 and get into someone’s account and steal all their money?

Kip Boyle:                                       
Right, yeah, because it’s expensive, this stuff’s really expensive. And so an ordinary citizen is probably not going to become a target for this kind of technology, but it really is fascinating I think and to know that it happens. And if you’re a cybersecurity professional and you’re working in a company with high profile executives, then they might be targeted with this kind of technology. Is that fair to say?

Haseeb:                             
Again, a lot of times those people who get targeted, they’re either working with government stuff, they’re working with some high profile secrets.

Kip Boyle:                                       
Or journalists.

Haseeb:                             
Yeah, journalists. But journalist is also, it’s one of the things too, but I would say that unless [inaudible], it becomes very expensive. A simple example, some client called me, he says, I’m being targeted. And we just give him a ballpark, I said, how much did you spend for a cell phone? She said, I spent $30. I said, what if you have spent $200 for a cell phone per month? He said, I can’t afford it. I said, don’t worry, no one’s coming after you. If you can’t spend $200 per month, no one’s spending half a million dollars to hack you.

Kip Boyle:                                       
I like that, I like the way you talked about that. That’s great.

Haseeb:                             
So we just say, hey man, I’ll give a simple example. A lot of time when people get divorced, they think, well, the spouse is working on them and as per them, everyone have access to those tools. No man, these tools are really expensive. So a ballpark figure would be, an attack may cost $100,000. So are you that important that someone needs to spend $100,000 on just finding your location? Yes, in some cases it is, but in some cases, it’s not. But otherwise, someone can [inaudible] $200, if they have to steal your money. These motivations are beyond money and in that case, they’re not looking into your bank account, they’re looking into you.

Kip Boyle:                                       
Okay, got it. So we’re coming to the end of our time together. I want to tell people that the book that I’m talking about is called, This is How They Tell Me The World Ends, The Cyber Weapons Arm Race, and it’s by Nicole Perlroth, I believe is how you say her name. It’s well worth your time if you’re interested in zero-day exploits, how the market in zero-day exploits has evolved, and then what’s the intersection of that in mobile security, which of course is our topic today.

So Haseeb, thank you so much for being here, and as we wrap up the episode, I just wanted to ask, is there anything else that you wanted to share with the audience? Or maybe if somebody wanted to connect with you, how would they do that?

Haseeb:                           
I’m pretty easy to find, you can Google my name and you can find out I’m CEO of Secure Mobile, and I’m sure you will have a link too. But I think I want to clear one thing about cybersecurity which is, cybersecurity is actually growing right now because it’s an industry that’s, now we have some jobs working from the basement, it’s not like that, countries have cyber armies now. Why would you send a bomb to someone when you can just destroy their communication? That will become an army, so every country will have their army, so that can be one thing.

Another part is, I think it’s one of the easiest careers to get into, but it’s also one of the most difficult careers to get into too. The difficulty is, if you walk into someone, hey, I have a cybersecurity degree from this university, I don’t know if still the thing that they have learned in the degree is relevant anymore. And every day attacks, like zero-day, zero-day is important, but we don’t know what zero-day is today. And the other part is, but if you get into bounties, you can go into a lot of bounty forums and you can actually start hacking stuff, you can make good money. You can make $20,000, $30,000 per day if you are actually good at it, by just hacking stuff. It’s illegal, it’s a career, and you can get hired, you can be a freelancer.

We have a [inaudible] program, someone comes to our account, we just pay them. So we just say, hey man, this is our problem, fix it and we’ll pay you.

Kip Boyle:                                       
Listen, I want to echo what you said, Jason Dion and I also feel the same way that if you want to get into cybersecurity, it’s not really about what credentials you have or whether you have a degree or not. It’s really about can you solve the problems that need to be solved, and however you acquired that capability is okay with us. You still have to be ethical, so if you’re somebody who black hacks all the time and then you think, oh, I’m going to get a legit job for the day, that’s probably an issue. But short of that, go out there and if you want to get into cybersecurity and get your hands dirty, go out there and do a bug bounty program or do hack the box, I mean there’s just so much.

And Jason and I have published a lot of episodes that you can go back to on Your Cyber Path and you can learn about different ways that you can get some hands-on experience. But I absolutely agree with you Haseeb, that is really the way that I think people should go, is just get your hands dirty.

Well, thank you Haseeb for being on our podcast today, for being in this episode. And listen everybody, as with every episode that we published, you should check for the episode notes and I’m going to add some notes for this one as well. All you have to do is go to YourCyberPath.com/ and then you put the episode number that you want to know more about and it’ll bring up a page that’s dedicated just to that episode, so just use your favorite web browser.

And while you’re there, I think you should consider signing up for something that I send every other week, it’s called Mentor Notes. And what I do is I teach you how to get into cybersecurity, and if you’re already in cybersecurity, I teach you how to succeed. And my Mentor Notes are practical and short. They’re only about 500 words, so it’s very easy and quick for you to read. But this is my best thinking for you for free, how you could be successful. And it’s easy to unsubscribe, if you want to give it a try and you don’t like it, no problem, just unsubscribe. We’re not going to pester you or make it hard to unsubscribe. It’s actually very easy. But I just want you to know that this is a free resource that’s available, YourCyberPath.com. Go check it out, sign up, see what you think.

But listen, whether you do that or not, I hope you have a great week and I hope we’ll see you again next time on Your Cyber Path. See you later.

Headshot of Kip BoyleYOUR HOST:

    Kip Boyle
      Cyber Risk Opportunities

Kip Boyle serves as virtual chief information security officer for many customers, including a professional sports team and fast-growing FinTech and AdTech companies. Over the years, Kip has built teams by interviewing hundreds of cybersecurity professionals. And now, he’s sharing his insider’s perspective with you!

Headshot of Jason DionYOUR CO-HOST:

    Jason Dion
      Dion Training Solutions

Jason Dion is the lead instructor at Dion Training Solutions. Jason has been the Director of a Network and Security Operations Center and an Information Systems Officer for large organizations around the globe. He is an experienced hiring manager in the government and defense sectors.

Wait,

before you go…

Don’t forget to sign up for our weekly Mentor Notes so you can break into the cybersecurity industry faster!