I am often talking about different zones in the network and how you can create them. There is now a demo kit available for you to download and "play" with: Server and Domain Isolation Demo
Roger
I asked for feedback from you and got quite a lot, some privately and some publicly – thank you to all who took the time to answer. One thing I heard more than once was that you are interested in my view on the region and the security there. So, what I will try to do is to give you some insights into the trips I take to more "exotic" places (so I will most probably not cover my trips to Brussels and London next week).
So, I just came back today from Nairobi, Kenya. Let me share my impressions and my program. We mainly did three things
So, there are two main areas to share with you; let's start with KenCall. KenCall is a classical outsourcer for call center services. The interesting things were the regulatory hurdles they had to overcome. As an example: in order to use Voice over IP, they need a certification. However, the government did not allow them to use VoIP, as it would see that as competition to its telecom providers. What they could get, however, is a certification to do video over the Internet, even if they do not use pictures :-). Another story: they are outsourcing the call center for a company in Tanzania. As both governments do not allow data to cross the border between them, a call coming in to the company is routed to the US, from there via satellite to Norway and then to Kenya :-).
The more impressive part, however, was our visit to the slums of Nairobi. We visited different training centers in the slums. You have to realize that 52% of the 36 million people in Kenya are living on less than $1 a month! So, there are organizations that do PC trainings with the people there. We are supporting them with our Unlimited Potential program. We met a carpenter there who went through the training. He decided to buy a PC (which costs him about half a monthly salary) before he buys any machines. The reason, he told us, is that he has to earn trust first and make a difference. Then he will get "access" to people ready to pay higher prices, which would allow him to buy the machines. He showed a sense for business you hardly see in small and medium businesses in Western Europe. These people are smart! We had to answer the question from one of them: what is the strategy of Microsoft if the applications move more and more to the web?
So, they are smart and they get trained. What is hindering them? Three things in my opinion:
So, they have a hell of a lot of challenges, but seeing the potential there, I am more and more convinced that we have a very interesting market (and competitor) right in our neighborhood. My job is similar to the one in Nigeria: make sure that they take off in a secure and safe way (e.g. include Children's Online Safety in their curriculums).
BTW, we had to drive by the largest slum in Africa, called Kibera, where approx. 1.2 million people are living on 2.5 km2, which makes a density of 300'000/km2… It was depressing…
Roger
We all know that there are scammers telling you that you have won the lottery. A lot of security people think that the victims are naïve and dumb. We just started to run a story on lottery scams, and part of it was an interview with a victim.
The victim – let's call him "Mr. Ericson" to protect his privacy – was a former bank manager and is definitely an intelligent and, up to a certain point, vigilant person. However, over the course of the whole lottery scam he lost all his retirement savings and had to go back to work in order to survive. This is a very, very sad story and shows how ruthless these people are. The interesting thing was how they actually tricked him into losing about € 61'000. I saw the raw interview and it really makes you think. So, a friend of mine summarized the way they tricked him (read through it – it is worth it!):
'Mr. Ericson' – Victim of Advance Fee Fraud
On 23rd October 2006, Mr. Ericson received a personally addressed email telling him that he had won a prize of £500,000 in a lottery draw. It was the first time Mr. Ericson had seen a mail of this type and as it referenced a well-known company brand, and was addressed to him personally, he did not question its authenticity.
The email gave Mr. Ericson instructions to contact his designated fiduciary agent, to whom he was to provide his details, including full name and phone number. He replied as instructed and on 25th October, 2006 he received a reply in which he was told that he needed to pay an administration fee of £541.10 to start the process of claiming his prize, and that this would go towards couriering the prize money to his address. He was told that this payment was reimbursable. He was also asked to pay £1,620 in non-resident tax, which he did on 28th October 2006. Mr. Ericson was instructed to make these and all future payments through Western Union.
On 1st November, 2006 Mr. Ericson was contacted by a man posing as an official from a UN anti-terrorist unit in Bangkok, who told Mr. Ericson that he would also have to pay a security deposit of US$14,600 to claim his prize money. The bogus UN official also told Mr. Ericson that he would be contacted by a Mr. MacRoberts, a legal attorney in London, to discuss 'attorney fees' once this payment was made. Mr. Ericson paid the supposed security deposit on 2nd November 2006.
On 7th November, 2006 the scammer posing as a legal attorney contacted Mr. Ericson and asked for a further £3,102 in attorney fees, with the promise that this payment would also be reimbursable. This payment was made the day after, only for the scammer to make contact again the following day to ask for £1,522 in processing fees. At this stage the scammers were contacting Mr. Ericson via telephone, thanking him for his payments, enthusing about his win and good fortune, and informing him about the next steps. The people that Mr. Ericson was in contact with were always very polite. Despite the English-sounding names, all but one of the scammers spoke English with distinct foreign accents.
Chronology and detail of payments

| Date | Amount | Purpose |
|---|---|---|
| 27-10-06 | £541.10 | Administrative Charges |
| 28-10-06 | £1,620 | Non-resident Tax |
| 02-11-06 | US$ 14,600 | Security Deposit |
| 08-11-06 | £3,102 | Attorney Fees |
| 10-11-06 | £1,522 | Processing Fees |
In addition to payment requests covering legal fees, administration charges etc., the scammers also asked Mr. Ericson for a series of 'Guarantee Payments' between 17th November and 12th December, 2006, to guarantee that the prize money would be paid out. Mr. Ericson felt reassured as a result of the conversations he had had with 'attorneys' and other 'officials'. He paid the following amounts:
| Date | Amount | Purpose |
|---|---|---|
| 17-11-06 | £3,000 | Guarantee Payment |
| 23-11-06 | £3,826.30 | Guarantee Payment |
| 24-11-06 | £3,826.30 | Guarantee Payment |
| 25-11-06 | £1,500 | Guarantee Payment |
| 01-12-06 | £3,000 | Guarantee Payment |
| 02-12-06 | £3,000 | Guarantee Payment |
| 11-12-06 | £2,500 | Guarantee Payment |
| 12-12-06 | £2,500 | Guarantee Payment |
Finally suspecting that something was wrong, Mr. Ericson went to his local police on 6th December, 2006. The police told Mr. Ericson that he was being deceived and told him to stop making payments. They said that, as the payments had been made abroad, there was not much they could do to help.
By this time, Mr. Ericson was hooked and had become emotionally reliant on the scammers and on the idea that they could make all his dreams come true. Despite going to the police, he still felt deep down that the scammers were authentic. However, after the last payment of £2,500 on 12th December, 2006, Mr. Ericson's life savings had gone. He told the scammers he had no more available funds and that he would not be able to continue the payments. He was then told that if he made one final payment of £4,600 the prize money would be released. Mr. Ericson did not make this payment.
On 11th April 2007, Mr. Ericson received a cheque from 'attorney' Mr. MacRoberts for £7,700, followed by another a few days later for £9,200. Mr. Ericson was told that these cheques were to help him make a final payment of £24,000 for 'insurance cover'. Mr. Ericson paid the cheques into his account and from his own funds sent £16,900 to the scammers to cover the insurance fees. Three weeks later he was informed by his bank that the two cheques he had been sent had bounced.
Mr. Ericson confronted the scammers over the phone, one of whom admitted that 'he felt ashamed' and that he would repay him. Needless to say, Mr. Ericson has not received any of his money back and has not heard from the scammers since. He and his wife are working towards putting the experience behind them. He lost a total of almost £46,000 (€61,000, US$90,000).
He was asked during the interview whether he ever got suspicious, and there were two remarkable statements he made:
So, we made a two-minute podcast on the whole story, which you can watch here. Even though we were talking to the EFCC in Nigeria (again :-)), I would like to make it very, very clear that this is not a Nigeria-only problem. Most of the scams are coming from other countries – not Nigeria.
Roger
Well, only partly. I have commented several times already on WabiSabiLabi. I especially like their statement "closer to zero risk". At the moment there is an SAP vulnerability at stake. It is initially priced at €4'000. If you read their blog post, Focus on: SAP MaxDB remote code execution, it seems clear that this vulnerability is a very high risk. So in order to get "closer to zero risk" they sell it to whoever is ready to spend enough money (e.g. organized crime) – I still question their view of the world…
Roger
Remember this post OEMs: Join in to "Secure by Default"? I wrote it in June…
Now, HP just confirmed a vulnerability in their software delivered on 82 laptop models on all the different Windows versions: HP Quick Launch Buttons Critical Security Update
What about the Security Development Lifecycle for third-party applications? There is a reason why I always flatten OEM PCs and install just what I need…
Roger