Have you ever imagined that security is needed everywhere?

Security Everywhere

We call this the age of technology. But what is technology? When you say “technology”, people picture computers, websites, networks and programs. In fact, the word “technology” is more about the future. A computer performs enormous numbers of calculations as quickly as time passes. The website, used to search for information, can be seen as something scientists started for the sake of their own information exchange. Networking: to exchange information we of course need a better way to connect hops, devices and computers. A program can be understood as a “procedure”, designed in advance to define what follows an event: if the outcome of an event meets a specific declaration, one event follows, otherwise another event starts, and so on.
So we need to consider the technology itself. What were computers, networks, websites and programs created for, and why? We need to build and use better solutions as difficulties and necessities change from minute to minute, evolving with every blink of an eye.
Let’s consider the idea of a computer. A writer grandpa who still uses his old conquest typewriter asked his grandson Min Mg Mg, “Is there any difference between your computer, as you call it, and my typewriter? It apparently looks like it, and it even copied my conquest’s typing-map, doesn’t it?” So what would you say if you were the grandson? I don’t believe you would answer, “Oh, the difference is that my computer is a typewriter attached to a TV.” Right? Just a figure of speech. The grandson answered, “Computers come with computing programs. You will never need to calculate in your head or on paper, then write it down and keep the documents in folders and iron cabinets. And you don’t need to spend all day looking for the document you want among the saved ones. You can type and calculate at the same time and save the result on the computer, which means you don’t need any physical space to store the documents. And if you want to find something among your documents, even better, there are search engine programs. At the very least, grandpa, you don’t need to replace the carbon now and then. And you can easily set up a basic security process on your own, for instance copying data to other storage to cover lost data. We call it backup.” Now grandpa starts thinking about using a computer.
But grandpa had something to consider. “Did you say backup?” he asked his grandson. “Why backup? Is the computer, as you call it, not as safe as my iron cabinet?” Whew, Min Mg Mg was facing a hard time.
But he weathered the storm instantly: “Grandpa, that’s about security. Let’s consider the iron cabinet, as you call it. Even though you locked your manuscripts in your iron cabinet with a gigantic iron lock, what would you say if your competitor broke the lock and stole or destroyed your manuscripts just before your target date? At that moment, I dare say, you would be very glad to already have a copy of your manuscripts, instead of sitting helplessly and hopelessly by your iron cabinet.”
That is, the environment we face every day keeps evolving. Everything we want to protect, everything we don’t want to lose, everything we don’t want to start again from the beginning, everything whose invested time we have to value: all of these put the word “security” plainly in our thoughts.
If you believe that security is not necessary for you, or that no one wants to find the weaknesses of someone like you, consider this: why do you wear clothes every day? Why do you lock your desk drawers when you are out of the office? Why do you lock up your home when you are not there? Why do you wear shoes or slippers when you go outside? Why do you stand under an umbrella in the rain or the sun? Why do you wear sunblock and sunglasses, even at the beach? Why do you cover your nose and mouth when a passing car leaves black exhaust smoke behind?
Have you ever been curious about what your neighbor’s first thought is when he sees your broadcast Wi-Fi hotspot around him?

The Scamming IT Guy

scamIT

“Grandpa, let me tell you about my little presentation,” said Min Mg Mg, and he began his presentation.
Introduction: I am Min Mg Mg, and I am studying cyber security. I study by searching on “Google”, and my main source, where I learn the most, is Hacker High School (www.hackerhighschool.org). They are not a for-profit organization. They help teenagers learn hacking as a way of figuring out how things work, they are now working on starting the HHS academy, and video lessons will be available soon. They also provide free lessons for people like us who have difficulties. Let me briefly tell you one of their mottos and their view of hacking: “Hack everything but harm none,” and “Hacking is problem-solving and learning.” Before long, it will also be possible to study with video lessons at (S4H) www.schoolforhackers.org, which is being set up by the HHS project manager.
Topic: What I am going to tell you about is a greedy IT man who scammed the people at a company who trusted and relied on him because they did not understand technology.
Let’s get to work
When he heard about the cost from someone, the investigator’s eyes popped. “The point to point wireless connection cost three thousand dollars? What is the distance, and are there any buildings blocking the way in between? And what equipment was used?” the investigator went on to ask. “Well, the distance is 5.6 kilometers by road, but since there is a direct line of sight it measures a little over 3 kilometers. I don’t know yet exactly what equipment was used,” someone answered. Because it was the company where he had worked before, the investigator decided to investigate on behalf of company abc. Almost immediately he phoned the secretary of company abc, but because in this situation nobody could be trusted yet, even an acquaintance, he used social engineering.
Conversation
Investigator: Ms. Secretary, long time no see. Is everyone well?
Secretary: Yes, everyone is well. And you, what are you doing these days?
Investigator: Right now I need to set up a point to point wireless network, so I’m asking around among providers, but the phones won’t connect and I haven’t been able to find out anything at all. My boss is in a hurry for me to find out, too. Then I heard that one was connected at your place just recently, so I called to ask for help, in case you might know the estimated cost and the equipment used, so that I can report back to my boss. If it’s not too much trouble, please help me.
Secretary: That’s right, the installation was finished just recently. Sure, I can help, but I can’t tell you what the items are. There is the price list that the office’s IT Manager submitted; I’ll email it to you.
Investigator: Thank you so much.
Before long, an email arrived with the price sheet and the list of equipment used. The investigator opened the mail from secretary@abc.com with a pounding heart. “Huh, is this equipment really for point to point? And looking at the letterhead with the name of the shop it was bought from, something seems wrong too.”

Y Company
To: IT Manager (abc Company)
Subject: Cost of point to point wireless connection

| # | Item # | Description | Qty | per Item | Total |
|---|---|---|---|---|---|
| 1 | AM-5G20-90 | 4.9-5.9GHz airMAX Base Station, Cisco Air 20dBi, 90 deg w/ rocket kit | 1 | 850 | 850 |
| 2 | ROCKETM5 | 5GHz Rocket MIMO, airMAX | 1 | 350 | 350 |
| 3 | PBM5 | 5GHz PowerBridge MIMO, airMAX | 1 | 650 | 650 |
| 4 | TC-Carrier | TOUGH Cable, Level 2 | 1 | 100 | 100 |
| 6 | IL-SRV2 | Complete Setup Installation | 1 | 1000 | 1000 |
| | | TOTAL US$ | | | 2950 |

“Hmm, looking closely, the letterhead seems blurry; it looks like it was scanned and then edited. What is certain is that number 1, AM-5G20-90, is a Ubiquiti model, so what on earth is Cisco Air? And why is that much TC-Carrier needed?” The investigator decided to phone that company and try to find something out.
Investigation, or in other words, a bit of social engineering
Investigator: Hello, is this Y Company?
Y Company: Yes, how may I help you, sir?
Investigator: I am a technical consultant from company abc. Our company recently purchased a wifi service from you. Now the company’s audit department has asked for the receipt, to present at the expenses meeting. Our IT Manager is travelling upcountry, so we can’t reach him. I’d like to ask you, please, to email a copy of that receipt to our office’s management department. Could you help us, sir?
Y Company: We will confirm with our sales manager and get back to you.
Investigator: If possible, please let me hold the line. Our director is waiting for the company expenses meeting right now, so I’m in a difficult spot. Or else, could you just tell me now what the total cost was at that time, sir?
Y Company: We’ll inform him right now and transfer the call. Please wait a moment, sir.
Y Company Sales Manager: We can help you. The total cost at that time was 1601 dollars, but we can send the copy only to the management department’s email address, sir.
Investigator: Yes, thank you. Our management’s email address is secretary@abc.com, so please send it there. It goes directly to our director’s office.
The secretary of company abc phoned the investigator, who was sitting in front of his computer with a cup of coffee. “An email has just come in from Y Company. The To field has the name of abc company’s IT Manager, and the email subject says ‘as mr. investigator’s request’, so I called,” she said. The investigator answered, “Yes, that is the real list. I requested it from Y Company and had them send it to abc company’s secretary so that the list in it can be checked carefully.”
Mr. Scammer’s weakness was his attitude of wanting to deceive people who knew less than he did, without being skilled himself.
Let’s look at company Y’s original list:
Y Company
To: IT Manager (abc Company)
Subject: point to point wireless connection list

| # | Item # | Description | Qty | per Item | Total |
|---|---|---|---|---|---|
| 1 | AM-5G20-90 | 4.9-5.9GHz airMAX Base Station, 20dBi, 90 deg w/ rocket kit | 1 | 164 | 164 |
| 2 | ROCKETM5 | 5GHz Rocket MIMO, airMAX | 1 | 98 | 98 |
| 3 | PBM5 | 5GHz PowerBridge MIMO, airMAX | 1 | 297 | 297 |
| 4 | TC-Carrier | TOUGH Cable, Level 2 | 70 M | 0.6 | 42 |
| 6 | IL-SRV2 | Complete Setup Installation | 1 | 1000 | 1000 |
| | | TOTAL US$ | | | 1601 |

We constantly run into being scammed in fields we don’t understand. But we always think, “if only there were someone who would help.” Sometimes the very people we rely on can scam us. As a speech of General Aung San puts it, “seek out and fight the nearest enemy”, so consider yourself to be the nearest enemy: the first thing we must ask ourselves is, “Is this possible?” We should first drive out our own credulity. And then, the insider. In this scam, why did Mr. Scammer, an employee of the company, dare to go this far? Do our management, administration and staff lack awareness education, or are they themselves involved? A company working with many employees is like a house with many doors. Taking care to secure just one door cannot make the whole house secure.
Therefore, our businesses definitely need to have an ethical hacker and solid computer and network security policies.
“So social engineering, staging social scenarios, is lying?” Grandpa asked.
“Social engineering can be summed up as psychological manipulation of people. A legitimate lie, you could say, but don’t go shouting ‘Fire!’ in crowded places like a cinema. To explain social engineering in detail..”

How Not to Scam the IT Guy

scamIT

Introduction

My name is Min Mg Mg, and I’m studying cyber security. I’m studying by “googling”, and the main source of my studying is Hacker Highschool (www.hackerhighschool.org). They are a non-profit organization that helps teens learn hacking as a method to figure out how things work, and to keep from getting scammed online. And for people like us, who can’t afford to pay much to learn technologies, there are free lessons to learn from. Video trainings will be available soon and they are even starting ISECOM academy. Let me mention their motto and their definition of hacking: their motto is “Hack everything but harm none,” and their definition is “hacking is a method of problem-solving and learning.” And very soon, I’m going to study at the new org that’s being built by HHS’s project manager, called School for Hackers (www.schoolforhackers.org), where tutorials and videos are being developed as well.

One security vulnerability all organizations face is that they have to rely on IT consultants. They can gouge you, or give you a great deal, and it’s hard to know which. In this case, doing some investigation proved the consultant was ripping us off. Instead of a sneaky and exorbitant profit, he got nothing, and our company learned a valuable lesson.

Let’s get our hands dirty

The investigator was good, but his eyes popped when he heard the price quote. “What, a point to point wireless installation alone costs about US$3000?” he asked. Then, “What’s the distance, what devices did they use, and is there some blockage between the points?”

“The distance is 5.6 km by car, but it is only about 4 km as the crow flies. I don’t know exactly which devices were used,” someone answered. Our investigator decided to get his hands dirty, based on experience with his previous company. He made an immediate call to the secretary of the ABC company. (Obviously the names are changed.) She’s already a friend, which makes her a pore, or a place where trust is being given. Because she trusts our investigator, she’s not trustworthy to her employer when he uses social engineering.

Conversations

Investigator: Hello, Ms. Secretary, it has been so long. And is everyone good?

Secretary: Of course, everyone is doing well. And you, what are you doing there?

Investigator: I’m well too, and now I’m busy trying to find some providers to set up a point to point wireless connection, but the lines are busy and I can’t get this done. And my boss is breathing down my neck. I’ve heard that at your company the wireless connection was installed recently. Could you help me with some information on this? I need to get my boss some kind of numbers or I’m in trouble.

Secretary: Of course, I could give you a hand but don’t quote me. I’ll send you an email with the price list our IT Manager applied for approval.

Investigator: Oh thank goodness!

Very soon after the conversation, the price list and the device information were sent from secretary@abc.com. The investigator looked at them and seemed puzzled. “Umm, all of these devices are for a point to point connection?” And the letterhead seemed sketchy, less than professional.

Y Company
Att: IT Manager (ABC Company)
Subject: point to point wireless installation cost

| # | Item # | Description | Qty | per Item | Total |
|---|---|---|---|---|---|
| 1 | AM-5G20-90 | 4.9-5.9GHz airMAX Base Station, Cisco Air 20dBi, 90 deg w/ rocket kit | 1 | 850 | 850 |
| 2 | ROCKETM5 | 5GHz Rocket MIMO, airMAX | 1 | 350 | 350 |
| 3 | PBM5 | 5GHz PowerBridge MIMO, airMAX | 1 | 650 | 650 |
| 4 | TC-Carrier | TOUGH Cable, Level 2 | 1 | 100 | 100 |
| 6 | IL-SRV2 | Complete Setup Installation | 1 | 1000 | 1000 |
| | | TOTAL US$ | | | 2950 |

“This letter looks like a bad photocopy after someone modified the contents. And the number one, AM-5G20-90, at the top of the list is surely a Ubiquiti model, but what actually is a Cisco Air? And why is this size TC-Carrier being used? That’s so interesting.” And he decided to call the supplier company and try to learn something real.

Investigation followed by social engineering

Investigator: Hello, is this Y Company?

Y Company: Yes, May I help you?

Investigator: I’m the consultant at the IT section of the ABC Company. Recently our company purchased a wireless service from your company. Now, I have to ask a favor, could you email me a copy of the receipt for the point to point service? Send it to our manager’s mail and I’ll bring it up at our budget meeting with the director. I just asked the favor because our IT Manager is travelling and we couldn’t contact him yet. Would that be ok?

Y Company: We’ll contact you back after the confirmation with our sales manager, sir.

Investigator: If I may, I’ll hang on the line, because everyone including our director is waiting in the meeting room and I’m getting to a dead end. Or could you just tell me the total amount of the cost, please?

Y Company: Hang on a moment, I’ll inform him and put you through.

Sales Manager at Y Company: We can help you with this, sir. The total amount of the cost was US$1601. But I’ll only send the softcopy of it to the address of your management’s email.

Investigator: You are so kind. Our management’s email address is secretary@abc.com and it goes directly to the director’s office.

While the investigator was sitting at his computer with a cup of coffee, the secretary of ABC Company gave him a ring. “I’m calling you because I have just received an email from the Y Company. They sent it to us, but the subject says your name: per Mr. Investigator’s request,” she said.

“Yes, I asked them to send it to the secretary of ABC Company. That’s the real receipt of the real cost from Y Company so that you can confirm the price,” the investigator said.

The real weakness of Mr. Scammer was that his deception required victims who were less technologically aware than he was.

So, let’s take a look at the real price list of the Y Company:

Y Company
Att: IT Manager (abc company)
Subject: point to point wireless installation cost

| # | Item # | Description | Qty | per Item | Total |
|---|---|---|---|---|---|
| 1 | AM-5G20-90 | 4.9-5.9GHz airMAX Base Station, 20dBi, 90 deg w/ rocket kit | 1 | 164 | 164 |
| 2 | ROCKETM5 | 5GHz Rocket MIMO, airMAX | 1 | 98 | 98 |
| 3 | PBM5 | 5GHz PowerBridge MIMO, airMAX | 1 | 297 | 297 |
| 4 | TC-Carrier | TOUGH Cable, Level 2 | 70 M | 0.6 | 42 |
| 6 | IL-SRV2 | Complete Setup Installation | 1 | 1000 | 1000 |
| | | TOTAL US$ | | | 1601 |
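
The comparison that exposed the markup can be run as a routine reconciliation of the quote submitted for approval against the supplier's own copy. This is an added example, not part of the original story: the rows are copied from the two price lists on this page, while the function names (`total_ok`, `reconcile`) and the 10% tolerance are assumptions.

```python
from decimal import Decimal

# Rows copied from the two price lists on this page:
# (item #, description, qty, per item, line total)
SUBMITTED = [
    ("AM-5G20-90", "4.9-5.9GHz airMAX Base Station, Cisco Air 20dBi, 90 deg w/ rocket kit", "1", "850", "850"),
    ("ROCKETM5", "5GHz Rocket MIMO, airMAX", "1", "350", "350"),
    ("PBM5", "5GHz PowerBridge MIMO, airMAX", "1", "650", "650"),
    ("TC-Carrier", "TOUGH Cable, Level 2", "1", "100", "100"),
    ("IL-SRV2", "Complete Setup Installation", "1", "1000", "1000"),
]
SUPPLIER = [
    ("AM-5G20-90", "4.9-5.9GHz airMAX Base Station, 20dBi, 90 deg w/ rocket kit", "1", "164", "164"),
    ("ROCKETM5", "5GHz Rocket MIMO, airMAX", "1", "98", "98"),
    ("PBM5", "5GHz PowerBridge MIMO, airMAX", "1", "297", "297"),
    ("TC-Carrier", "TOUGH Cable, Level 2", "70 M", "0.6", "42"),
    ("IL-SRV2", "Complete Setup Installation", "1", "1000", "1000"),
]


def total_ok(rows, stated_total):
    """Check that the stated TOTAL equals the sum of the line totals."""
    return sum(Decimal(r[4]) for r in rows) == Decimal(stated_total)


def reconcile(submitted, supplier, tolerance=Decimal("0.10")):
    """Return (item, field, detail) findings where the submitted quote
    differs from the supplier's copy. The tolerance is an assumed policy value."""
    findings = []
    ref = {row[0]: row for row in supplier}
    for item, desc, qty, _unit, total in submitted:
        if item not in ref:
            findings.append((item, "item", "not on the supplier's copy"))
            continue
        _, r_desc, r_qty, _r_unit, r_total = ref[item]
        if desc != r_desc:
            # Words present only in the submitted description (e.g. an inserted brand)
            added = [w for w in desc.split() if w not in r_desc.split()]
            findings.append((item, "description", "added words: " + " ".join(added)))
        if qty != r_qty:
            findings.append((item, "qty", f"{r_qty} -> {qty}"))
        markup = (Decimal(total) - Decimal(r_total)) / Decimal(r_total)
        if abs(markup) > tolerance:
            findings.append((item, "line total", f"{r_total} -> {total} ({markup:+.0%})"))
    for item in sorted(ref.keys() - {row[0] for row in submitted}):
        findings.append((item, "item", "missing from the submitted quote"))
    return findings


if __name__ == "__main__":
    print("submitted total consistent:", total_ok(SUBMITTED, "2950"))
    print("supplier total consistent: ", total_ok(SUPPLIER, "1601"))
    for item, field, detail in reconcile(SUBMITTED, SUPPLIER):
        print(f"{item:12} {field:12} {detail}")
```

Both documents add up internally, so an arithmetic check alone would have passed the altered quote; only the comparison against the supplier's copy flags the inserted "Cisco Air", the changed cable quantity and the per-line markups.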

We will close a curtain on the scene that followed.

We have all been scammed in areas we don’t understand, both with and without our knowledge. But there will be someone who can help us, we frequently think. Sometimes even the very one we trust might scam us. Following one of the speeches of General Aung San, “get rid of the closest enemy,” let’s treat ourselves as our own closest enemy: the first question we should ask ourselves is “Is it possible?” And first we had better get rid of our credulousness. And think about an insider. In this case, even if he was a company’s IT staff, why was he bold enough to scam that amount? Does our management team need to be educated in technology-related issues, or were some of them partners of Mr. Scammer?

A company that’s using a lot of technology is like a house with many windows and entrances. Securing only some of the windows and doors doesn’t secure the house. That’s why we deeply need to engage an ethical hacker, and design tight computer and network security policies. Social engineering can be called psychological manipulation, in short, a legitimate lie, but yelling “Fire!” in a crowded movie theater is unlawful. The issues here are not simple, and some experience and training are mandatory. That means we need to bring up more young security professionals, which is exactly what we are working to do at Hacker Highschool and School for Hackers.

Written By

Htet Aung @ Starry Sky
Translator at Hacker Highschool
Security Professional and IT Officer

Hacking to Live

Gosper's Glider Gun

Hackers are clever techies.

The word “hacker” actually has nothing to do with crime: a brilliant engineer would hack out a smart solution to the problem at hand, and consider it a compliment to be called a hacker. There’s a whole culture built on this idea: see https://en.wikipedia.org/wiki/Hacker_culture.

We are a community dedicated to learning and teaching. We don’t think knowledge should be deep, dark and secret – far from it. Everyone with the interest should be free to pursue hacking. Sure, if you want to, you can learn Linux and bash and networking. But you don’t have to do all those things, or any of those things, to be a hacker.

Consider how we do higher education: you are expected to take out loans and spend years living in poverty to get a college degree that may not fit anything in the job market, or even worse, might be passed by while you’re getting it. Who makes money on this arrangement? Hint: It is not designed for your benefit. You can be a brilliant hacker by learning skills that give you power – power because you are in demand. Hack the whole system by getting someone else to pay for your education!

We don’t restrict our discussion of hacking to just Linux, programming and networking, though we do talk about those things a lot. Feel welcome to bring us food hacks, lifestyle hacks, hacks of any and every system. Because that’s what we do: hack it to learn it, and hack it to teach it.