“Excellence by cert” | WOWRACK – false advertising & shady certs

I recently had a brute force attempt come from a company named WOWRACK. Mind you that our infrastructure probably gets attacked like this about a dozen times per day (but I bet yours is far more!). I casually spoke to a small regional network operator that manages fiber networks in multiple states over lunch once about “cyber security”. They commented that one of their gateway routers is attacked 30,000 times per hour. Company’s all over the Internet tolerate this kind of behavior and of course…we don’t know why as it is 100% unacceptable and why we only might see a dozen attacks if that per day…we prevent them. Our attacker, WOWRACK is your typical hum drum so dumb virtual server infrastructure company. The problem here is that they falsely advertise how secure their network is and are shady in practice requiring you to sign an NDA (Nondisclosure Agreement) to find out if they are actually certified in what they claim to be certified in. This is why WOWRACK is worthy of my time to blog about and to reveal this shady industry practice (there are so many). The practice of making broad or even specific claims on competency by leveraging certifications and yet; when asked to show me the money all I get are fake checks or IOU’s. It reminds me of Wimpy from Popey how he’d say…”I’ll gladly pay you next Tuesday for a hamburger today” and the guy never shows up on Tuesdays! If you didn’t already know, we live in a world of bogus certifications, false accreditation’s, fake accreditation body’s, shady individuals and company’s touting their “excellence by cert” (a small list, there are more). Beware of anyone claiming competency via certification or accreditation. If the certifying body is legitimate it’s often an attempt to steal credibility from the governing body and apply it to themselves but certifications don’t mean competency in nothing more than passing a test or an audit. Furthermore, many of the certifications are procedural like HIPAA, it doesn’t tall you the “how” of doing something only that you must do something. Many certifications like PCI compliance you simply answer a questionnaire and check boxes off without any verification or very little verification. We’ve discussed this tactic before in other blog posts where less competent company’s gain perceived competency in the marketplace by name dropping their partner relationships (“We’re a Cisco Partner” or we got “Partner of the Year”). IT firms often like to boost their own non-existent credibility by stealing another company’s perceived credibility in the marketplace. CISCO or Microsoft seems credible in the public eye and perhaps competent regardless of how much we may complain about their junkware. Company’s trying to gain credibility then grab a certification and apply that perceived credibility to themselves. We’ll reiterate, having attained a certification does not make you as an individual or as a company, credible. The reseller VAR (Value Added Reseller) or MSP (Managed Service Provider) borrows or steals credibility from another company with more notoriety or trust in the marketplace and act as “middle men” that add very little value. This is nothing more than theft. Frequently you’ll find gross incompetence in certified company’s having made promises to make a sale or falsely promote competency by certification like WOWRACK does.

WOWRACK claims certifications in:

  • FIPS
  • FISMA
  • GLBA
  • SSAE 16
  • HIPAA
  • HIPAA HITECH
  • PCI
  • …probably whatever else they can spout off to try and impress you. Watch out! They are just blowing smoke up your skirt until they can actually post their certifications online, show me the beef!

I’m quite surprised they aren’t saying something about “blockchain” and how great their security tech is with blockchain (Shaking My Head). I love how company’s tout their vast intellectual prowess and expertise by using the latest IT buzzwords like “AI” and “blockchain”, the word “cloud” was like this several years ago. We’ve also written a piece about “cloud” and how company’s selling it don’t even understand it, what they’re selling is “hosting” not cloud. Many applications weren’t built for cloud use. Until legitimately proven their claims are bogus. If you’re suggesting you are certified show me the proof (Show me the money!) because seeing is believing! It isn’t hard! It’s like a background check. They are the one’s making the claim, they need to show proof. Their claim is that in doing so (if they did) it reveals super secret things about their infrastructure. That defense is again; shady as hell since tech is tech…IP addressing schemes, networking protocol’s, etc are ALL STANDARD STUFF. I can guarantee you they are using switches, routers, IP addresses, subnets, virtualization, SANs, operating systems like Linux, firewalls, blah blah blah blah blah, etc, etc, etc. There is no secret here and no certificate is going to reveal any of their secret sauce. It’s not like they have come up with something new (see my “typical hum drum so dumb…” comment). They are actually a commodity service broker. We’ve recently spoken on this issue in a paper article in Womens Lifestyle Magazine, also posted online detailing how IT company’s over value their service, how they all peddle the same thing and most economists as a result would suggest this drives prices downward but for some ungodly reason (we know why…it’s marketing) prices keep climbing! Don’t believe the hype!

On January 7th I received and email “Excessive Number of Failed Login Attempts from 208.115.113.52“. I then looked it up and sure enough, there’s our WOWRACK derps (they also have a history from this specific IP among others in their infrastructure). Apparently they also had another instance with me in 2016 that was similar, I submitted the abuse report and it went nowhere back then. I submitted this report in 2019 and guess what? The same thing…it went nowhere! I then followed up with sales asking if I could see their certification proof after visiting their website and learning how secure it’s supposed to be. Because they touted it so heavily on their website it caused me to inquire and follow up with this blog post! Braggers who can’t back it up! That’s when their sales person wanted me to sign an NDA. No thanks! That’s when I disclosed I was writing up a blog post about derpy losers who claim they have awesome security and certifications to no end but in reality let the hackers leverage their systems to cause harm and damage online, then vanish. The sales person then kicked me over to support after I explained they are a do nothing company helping the hacker community brute force and abuse the rest of us online.

Their support “engineer” <– a horrible term, said this:

Rolf,

Sorry for the inconvenience that happen.
Do you still experience any abuse from 208.115.113.52 till now?
if so, please forward new log entries after 10 January, 2019 because our customer has terminated VPS that using IP Address 208.115.113.52.
Thank you


Regards,
Taufik Hidayat
Support Engineer
US: +1.206.522.4402
E: support@wowrack.com
W: www.wowrack.com

Email from WowRack’s support desk softwar

Notice what the support person says…”…because our customer has terminated VPS“. This means the customer stood up a Virtual Private Server, started their hacking business trying to brute force the world and when the abuse reports started pouring in they blew it away and they terminated their account. The hacker likely moved their server to another WOWRACK like derp company like Amazon, RackSpace, GoDaddy, Google, Microsoft or a small player like a WOWRACK who doesn’t pay attention to security on their infrastructure.

The thing to look for in competence isn’t certifications, it’s industry credibility of their own earned over time. It takes time to build credibility and it isn’t earned with a certification. It’s showing people your credentials if they ask without signing an NDA, it’s posting your credentials online for all to see if you’re so proud of them. In three years I had two instances of abuse from WOWRACK which might be higher had I not been blocking half their network already. Who knows how often they abuse their own network let alone the Internet at large. Regardless of certification their security is poor, whom they allow to rent space on their infrastructure is poor, their accountability is poor and they certainly didn’t follow up with law enforcement to criminalize the abusers they supported and gave a platform to nor did they ban the user for life according to my knowledge.

If you need credibility, competency, security, reliability…look to EITS and our team of experts for technical expertise. We’ve been protecting networks and implementing your technical vision since 2002.

800-864-9497

Comments or questions are welcome.

* indicates required field