Nigerian email scams

Nigerian email scams have become nearly as commonplace as the Internet itself. But one Australian woman wound up in jail after turning the tables–to the tune of $30,000–on a group of con artists.
The Courier-Mail reports that Sarah Jane Cochrane-Ramsey, 23, was employed as an “agent” in March 2010 by the Nigerians, but didn’t know they were scam artists. Her “job” was to provide access to an Australian bank account opened in her name where the Nigerians could then transfer money they had received from a phony car sales website. Cochrane-Ramsey was told she could keep eight percent of the transfers.
But, then she decided to steal from the thieves themselves. According to the Courier-Mail, she received two payments, totaling $33,350, but spent most of it on herself.
If you’re not familiar with the so-called Nigerian Scam, also known as the (419) scam, or Advanced Fee Fraud, here’s a brief explainer: the fraud works by convincing an individual to give money and/or bank account access to a third-party in exchange for future financial rewards.
Most commonly, the scam artist will claim to be a wealthy Nigerian individual looking to move his vast financial resources to another country. He then promises the fraud victim a hefty payment in exchange for a temporary loan or bank account access in order to facilitate the move. Of course, the fraud victim never receives the promised payout and instead usually ends up losing thousands of dollars in the process. According to Scam Busters, the Advance Fee Fraud scams often target small businesses and charities. And while the scam has been around for years, the U.S. Financial Crimes Division of the Secret Service still receives a reported 100 calls a day from people claiming to be victims of a (419) crime.
But, back to the Cochrane-Ramsey case. The real victims who thought they were buying cars online reported the scam to the police, who traced the account back to Cochrane-Ramsey. She was ordered to appear in Brisbane District Court and plead guilty to one count of aggravated fraud.

For now, the court judge is allowing Cochrane-Ramsey time to come up with the money to pay off the fraud victims while she awaits sentencing in March.
Interestingly, Cochrane-Ramsey is not the first person to turn the tables on Nigerian scammers. In 2008, the radio program This American Life ran a story on some anonymous pranksters who sent a Nigerian scam artist on a wild goose chase that spanned 1,400-miles into war-torn Chad for a promised cash payout at a local Western Union branch.
And they convinced him to do this while carrying an anti-Muslim/pro-George W. Bush note, which stated his intention to rob the Western Union. Their entire plan was spelled out on this website, dedicated to turning the tables on Internet con artists (Warning: contains Not Safe for Work language).
You can listen to the episode of This American Life here.

costing plans by mobile networks

Analysis firm Ovum studied global use of popular services like Whatsapp, Blackberry Messenger and Facebook chat.

It concluded that mobile operators must “work together to face the challenge from major internet players”.

Industry experts say operators can offset any losses through effective costing plans by mobile networks.

The report gathered usage statistics from the leading social messaging applications typically used on smartphones across the world.

As well as well-known names from popular social networks in the Western world, the study also included apps such as MXit – a massively popular program used mainly in South Africa.

Social messaging apps make use of a smartphone’s internet connection to send messages rather than the usually far costlier SMS – short message service – system.

ASP.Net Security

tecnologias ASP.NetMake sure you are very familiar with the following terms:

  • Authentication. Positively identifying the clients of your application; clients might include end-users, services, processes or computers.
  • Authorization. Defining what authenticated clients are allowed to see and do within the application.
  • Secure Communications. Ensuring that messages remain private and unaltered as they cross networks.
  • Impersonation. This is the technique used by a server application to access resources on behalf of a client. The client’s security context is used for access checks performed by the server.
  • Delegation. An extended form of impersonation that allows a server process that is performing work on behalf of a client, to access resources on a remote computer. This capability is natively provided by Kerberos on Microsoft® Windows® 2000 and later operating systems. Conventional impersonation (for example, that provided by NTLM) allows only a single network hop. When NTLM impersonation is used, the one hop is used between the client and server computers, restricting the server to local resource access while impersonating.
  • Security Context. Security context is a generic term used to refer to the collection of security settings that affect the security-related behavior of a process or thread. The attributes from a process’ logon session and access token combine to form the security context of the process.
  • Identity. Identity refers to a characteristic of a user or service that can uniquely identify it. For example, this is often a display name, which often takes the form authority/user name.

Principles

There are a number of overarching principles that apply to the guidance. The following summarizes these principles:

  • Adopt the principle of least privilege. Processes that run script or execute code should run under a least privileged account to limit the potential damage that can be done if the process is compromised. If a malicious user manages to inject code into a server process, the privileges granted to that process determine to a large degree the types of operations the user is able to perform. Code that requires additional trust (and raised privileges) should be isolated within separate processes.The ASP.NET team made a conscious decision to run the ASP.NET account with least privileges.
  • Use defense in depth. Place check points within each of the layers and subsystems within your application. The check points are the gatekeepers that ensure that only authenticated and authorized users are able to access the next downstream layer.
  • Don’t trust user input. Applications should thoroughly validate all user input before performing operations with that input. The validation may include filtering out special characters. This preventive measure protects the application against accidental misuse or deliberate attacks by people who are attempting to inject malicious commands into the system. Common examples include SQL injection attacks, cross-site scripting attacks, and buffer overflow.
  • Use secure defaults. A common practice among developers is to use reduced security settings, simply to make an application work. If your application demands features that force you to reduce or change default security settings, test the effects and understand the implications before making the change.
  • Don’t rely on security by obscurity. Trying to hide secrets by using misleading variable names or storing them in odd file locations does not provide security. In a game of hide-and-seek, it’s better to use platform features or proven techniques for securing your data.
  • Check at the gate. You don’t always need to flow a user’s security context to the back end for authorization checks. Often, in a distributed system, this is not the best choice. Checking the client at the gate refers to authorizing the user at the first point of authentication (for example, within the Web application on the Web server), and determining which resources and operations (potentially provided by downstream services) the user should be allowed to access.If you design solid authentication and authorization strategies at the gate, you can circumvent the need to delegate the original caller’s security context all the way through to your application’s data tier.
  • Assume external systems are insecure. If you don’t own it, don’t assume security is taken care of for you.
  • Reduce surface area. Avoid exposing information that is not required. By doing so, you are potentially opening doors that can lead to additional vulnerabilities. Also, handle errors gracefully; don’t expose any more information than is required when returning an error message to the end user.
  • Fail to a secure mode. If your application fails, make sure it does not leave sensitive data unprotected. Also, do not provide too much detail in error messages; meaning don’t include details that could help an attacker exploit a vulnerability in your application. Write detailed error information to the Windows event log.
  • Remember you are only as secure as your weakest link. Security is a concern across all of your application tiers.
  • If you don’t use it, disable it. You can remove potential points of attack by disabling modules and components that your application does not require. For example, if your application doesn’t use output caching, then you should disable the ASP.NET output cache module. If a future security vulnerability is found in the module, your application is not threatened.

The following steps identify a process that will help you develop an authentication and authorization strategy for your application:

  1. Identify resources
  2. Choose an authorization strategy
  3. Choose the identities used for resource access
  4. Consider identity flow
  5. Choose an authentication approach
  6. Decide how to flow identity

Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication