I have been working in the field of cybersecurity for 5+ years. I first started in research and development, but expanded into investigative journalism. From running a very successful infosecurity site, CyberWarNews, I have gained a great wealth of knowledge. I've also continued to teach myself, and have even started part-time formal study towards some certifications in infosecurity. But one thing that only comes with experience and time are the skills to deal with hackers, leakers, and cybercriminals in general. And by now, I have gained a lot of insight into how the public can be misled by media reporting on security incidents.
Based on my experience, I have compiled a few tips for anyone who is considering writing anything about infosecurity, hacking, or those general subjects.
Dealing With Sources
I am frequently asked, "How do you get sources?" The answer is simple:
NEVER be afraid to message a hacker, leaker or source. If they have a public contact method, then they clearly expect to be contacted by someone at some stage. And as your work gets better known, you will also find them reaching out to you with tips or leads.
Treat all your sources with respect. They may be engaging in criminal conduct, but you are there not to judge them but to understand and report on the information they are providing. If a hacker is making claims about what they've done, do not hesitate to politely request some proof, such as screenshots or a sample of data, so that you can verify those claims. Simply repeating a hacker's claims without verifying them will lead to inaccurate reporting and mud on your face.
That said, never beg or get pushy with hackers/leakers and sources. They will most likely cut you off - or worse, make you a victim.
Be clear with your source about your ability to protect their anonymity if they request anonymity. Also be upfront about whether you are treating your communications with them as "on the record" and reportable. Hackers may frequently ask you after they've divulged something whether you can keep it off the record.
Not Everything is Hacked!
A lot of media reports headline all types of security incidents as "hacks." There are lots of different types of security incidents, and not all involve hacking. If the data was found on an insecure database, it's not hacked, but "exposed" or "leaked" data. If the data is being sold on the Deep Web, it's not "leaked," but it's "for sale." While "HACKED!" may seem like a sexier headline, you have a responsibility to report accurately.
Quote the Original Source, Give Link Love!
There is nothing worse than spending hours, if not days, on a piece of research or an article, only for it to be ripped off, used as a source, or mentioned in others' articles without credit to the original source. This is not OK. Always cite the original source and link to their article.
Take the time to analyze data in a data dump. Your report should mention the types of information included in a data dump or paste, but it should also give some sense of how much data there was. Avoid an all-too-common mistake of confusing the number of records in a data dump with the number of unique individuals whose data have been involved.
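The records-versus-individuals distinction above, as an added example that is not part of the original article: a short Python summary of a dump that reports the field types present, the raw record count, and the number of distinct people. The sample rows are constructed, and treating a normalized email address as the identifier for one individual is an assumption; the function names are hypothetical.

```python
import csv
import io
from collections import Counter

# Constructed sample dump (not real data): six records, three distinct emails.
SAMPLE_DUMP = """email,username,password_hash
alice@example.com,alice,hash1
Alice@Example.com ,alice_old,hash2
bob@example.org,bob,hash3
bob@example.org,bob,hash3
carol@example.net,carol,hash4
,orphan,hash5
"""


def normalize_email(raw):
    """Trim and lower-case so trivially different spellings compare equal."""
    return raw.strip().lower()


def summarize_dump(text, key_field="email"):
    """Count records, exact duplicate rows, and unique individuals.

    Assumption: one normalized value of key_field stands for one person.
    """
    reader = csv.DictReader(io.StringIO(text))
    total = 0
    exact_rows = set()       # rows seen, compared field by field
    per_person = Counter()   # records per normalized identifier
    missing_key = 0          # records that cannot be tied to anyone
    for row in reader:
        total += 1
        exact_rows.add(tuple((row[f] or "").strip() for f in reader.fieldnames))
        key = normalize_email(row.get(key_field) or "")
        if key:
            per_person[key] += 1
        else:
            missing_key += 1
    return {
        "fields": list(reader.fieldnames),
        "total_records": total,
        "exact_duplicate_rows": total - len(exact_rows),
        "unique_individuals": len(per_person),
        "records_without_key": missing_key,
        "repeat_individuals": sum(1 for n in per_person.values() if n > 1),
    }
```

On the constructed sample, a headline based on the row count would say six people were affected, while only three distinct addresses appear and one record cannot be attributed at all.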
If you have any suggested additions to my Tips list,