Anatomy of a Cyber Murder

Picture this scene, and if you are a Major Crimes or Law & Order fan, or lucky enough to remember Columbo, then it should be easy.

The year is 2017 and two detectives arrive at a house after an earlier emergency services call – the regular house cleaner has found a body lying in a small pool of blood, no signs of a struggle, and a mobile phone on the bench.

Detectives are trained to take a holistic view of the scene that confronts them and not to jump to conclusions. In the world of criminal forensic analysis, there are a multitude of tools of the trade to assist the detective – fingerprint analysis, metadata of communications, DNA analysis of the victim and any foreign material, real-time video capture cameras – and in 2017 no doubt all of this capability is deployed as on-site sensors, drones and terabytes of cloud information and smart apps available 24×7.

There are not too many causes of death – the primary challenge is to determine WHAT, HOW, WHY and WHO.

The Columbo-type detective has a minimum of 15 years’ experience and learning, not just about the scene that confronts them, but about how to use tools and methods and then how to interpret the results. Their most important ability is to think like a murderer.

Back to the scene. The injury to the body which apparently killed the person is a knock to the head from the edge of the kitchen bench. But how was this injury sustained? Further investigation of the corpse indicates that the victim has a “PumpIn” automated insulin pump attached to their body. [Google informed me that the term “PumpIn” is available – use it if you would like to].

Could a malfunction of this pump have caused the victim to pass out, or die from an overdose? Could the overdose be intentional or accidental?

“An excess of insulin in the bloodstream causes cells in your body to absorb more sugar (glucose) from your blood. The liver also produces less glucose. These two things work together to create dangerously low glucose levels in your blood. This condition is also called hypoglycemia.” “More severe symptoms of hypoglycemia, sometimes referred to as diabetic shock or insulin shock, include: concentration problems, seizures, unconsciousness, death”

What do the detectives do now? What further evidence can be gleaned, and what tools do they use to test their hypotheses?

Another clue is a smartphone on the kitchen bench. One of the detectives activates the phone, luckily with no password, and reviews the APPS that are open. The PumpIn App is not in the foreground, but a quick view via Setup indicates it is “running”. The Bluetooth connection is open and a quick check shows the paired device “PumpIn – v2” is a known device.

Later that day, one of the detectives is working through the operation of the APP, careful to take screenshots of existing profiles and recent activities. At the same time, an autopsy is being performed by the medical forensic pathologist and confirms that the level of insulin in the body is at a detrimental level and quite possibly could have caused the victim to become unconscious, hence sustaining the physical injury.

So, now the detectives are certain about WHAT the cause of death is. Now to the HOW, WHY and WHO.

What tools do the detectives now need to work through these questions? Fortunately, in 2017, one of the attending detectives has been trained in IT and Cyber Security and she comes to the fore. Could the APP have malfunctioned and instructed the pump to “keep pumping”? Was the pump itself malfunctioning?

The forensic pathologist has removed the PumpIn and the “IT Detective” now has the smart phone and PumpIn in the lab. The other detective is establishing the background of the victim – who was he, where did he work, was it possible that someone wanted him dead – standard detective work. They now focus on using their respective skills to solve the death – or murder!

The PumpIn company has been requested to supply an identical insulin pump and the PumpIn device source code to the IT Detective so that both the victim’s pump and the supplied pump can be tested. Both perform exactly the same – delivering the correct dose based on the smartphone calculations. A quick check of the smartphone APP showed that it was updated to the latest version. Could the victim have accidentally mishandled the APP? The PumpIn company says “no – it is impossible – it has been trialed extensively in the lab”.

So, is this a dead-end, dry creek, for the detective? Not yet.

The IT detective, with many years of software development, a keen understanding of the development life cycle, management oversight of IT budgets, and deadlines to bring products to market (at this time, reader, suspend your disbelief that such a person could exist!) now moves to a most interesting aspect of the investigation. Having seen that the system of APP and Device works the way it should, could it be possible to set it up to work in a completely different or random way?

Being a well-resourced and competent IT forensics specialist, in 2017, she uses software integrity test tools that allow her to think and act like a criminal mind. Firstly, she sets up both the APP and Device to be tested by a protocol fuzzing tool – such a tool quickly determines where a network connected device or app will fail when a protocol is subtly altered – and fail they both do, spectacularly, with the PumpIn emptying its insulin supply. The APP and Device connect at the Bluetooth level and she is aware that vulnerabilities exist which allow unauthorized disclosure of information, allow unauthorized modification, and allow disruption of service – and the particular version of Android on the victim’s phone is susceptible to these. The tests do not surprise our expert as she is aware of the very poor track record, generally, of application developers in regard to cyber security – even in 2017!
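What a protocol fuzzer checks for, as an added example that is not part of the original post and not any real pump vendor’s code: a constructed four-byte “pump command” frame, a trusting parser and a validating parser for it, and a small mutation fuzzer that feeds both parsers subtly altered frames and counts crashes and safety-ceiling violations. The frame layout, both parsers and the 30-unit ceiling are inventions for this demonstration.

```python
"""
Added example (not from the original post): a tiny mutation fuzzer run
against a constructed "pump command" frame parser.  The frame layout,
both parsers and the 30-unit safety ceiling are inventions for the demo.
Frame layout: [0x01 command][dose hi][dose lo][xor checksum],
dose expressed in tenths of a unit.
"""
import random

MAX_DOSE_TENTHS = 300   # constructed safety ceiling: 30.0 units


def build_frame(dose_tenths: int) -> bytes:
    """Build a well-formed frame for a given dose."""
    body = bytes([0x01, (dose_tenths >> 8) & 0xFF, dose_tenths & 0xFF])
    chk = 0
    for b in body:
        chk ^= b
    return body + bytes([chk])


def parse_naive(frame: bytes) -> int:
    """Trusting parser: no length check, no checksum check, no dose bound."""
    return (frame[1] << 8) | frame[2]


def parse_hardened(frame: bytes) -> int:
    """Validating parser: a malformed frame or an out-of-range dose raises
    ValueError, which the caller treats as 'take no action'."""
    if len(frame) != 4:
        raise ValueError("bad length")
    chk = 0
    for b in frame[:3]:
        chk ^= b
    if chk != frame[3] or frame[0] != 0x01:
        raise ValueError("bad checksum or command")
    dose = (frame[1] << 8) | frame[2]
    if dose > MAX_DOSE_TENTHS:
        raise ValueError("dose above ceiling")
    return dose


def mutate(frame: bytes, rng: random.Random) -> bytes:
    """Apply one of three common protocol mutations: bit flip, truncation,
    or appending junk bytes."""
    kind = rng.choice(("flip", "truncate", "extend"))
    data = bytearray(frame)
    if kind == "flip" and data:
        i = rng.randrange(len(data))
        data[i] ^= 1 << rng.randrange(8)
    elif kind == "truncate" and data:
        del data[rng.randrange(len(data)):]
    else:
        data += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 4)))
    return bytes(data)


def fuzz(parser, iterations: int = 2000, seed: int = 7) -> dict:
    """Run mutated frames through a parser and count outcomes.
    'crashes' are unexpected exceptions; 'overdoses' are accepted frames
    whose dose exceeds the ceiling.  ValueError is a clean rejection."""
    rng = random.Random(seed)
    seed_frame = build_frame(120)   # 12.0 units, a valid starting frame
    stats = {"crashes": 0, "overdoses": 0, "rejected": 0, "accepted": 0}
    for _ in range(iterations):
        frame = mutate(seed_frame, rng)
        try:
            dose = parser(frame)
        except ValueError:
            stats["rejected"] += 1
        except Exception:
            stats["crashes"] += 1
        else:
            stats["accepted"] += 1
            if dose > MAX_DOSE_TENTHS:
                stats["overdoses"] += 1
    return stats


if __name__ == "__main__":
    print("naive:   ", fuzz(parse_naive))
    print("hardened:", fuzz(parse_hardened))
```

The naive parser both crashes on truncated frames and accepts over-ceiling doses when a bit flips in the high byte; the hardened parser, under the same seed and mutations, records neither. A real fuzzer differs in scale and in how it mutates, not in what it is looking for: inputs that make the target crash or act outside its specification.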

The next test she performs is on the device firmware – a binary code composition analysis. The PumpIn company did not wish to provide the source code of the PumpIn device, as requested – and a release warrant would take weeks to execute. The binary code, the executable or firmware, is the next best thing. The firmware was downloaded from the PumpIn website and matched that of the PumpIn device. The analysis provides a listing of all the known open-source and licensed components, embedded URLs, the licensing structure and, most importantly, the status of the open-source code components and a full listing of CVEs that relate to those components. CVE stands for Common Vulnerabilities and Exposures, and a full listing (getting fuller every day) is freely available from NIST (nist.gov).

On doing the analysis of the PumpIn firmware, our detective discovers hundreds of vulnerabilities with a glaringly obvious starting point – a 2012 version of the Linux kernel with known vulnerabilities from 2010 – and at least one of the CVEs stands out to her: CVE-2010-2521.

I.e., multiple buffer overflows in fs/nfsd/nfs4xdr.c in the XDR implementation in the NFS server in the Linux kernel before 2.6.34-rc6 allow remote attackers to cause a denial of service (panic) or possibly execute arbitrary code via a crafted NFSv4 compound WRITE request, related to the read_buf and nfsd4_decode_compound functions.
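How a composition analysis turns a component inventory into a CVE listing, as an added example that is not part of the original post and not any real tool’s code: a minimal matcher that compares each inventoried component version against CVE records of the “affected before version X” form used by the CVE-2010-2521 entry above. The kernel record carries the real CVE-2010-2521 fixed-version boundary (2.6.34-rc6); the firmware inventory and the second record are constructed for the demonstration.

```python
"""
Added example (not from the original post): a minimal software composition
analysis (SCA) matcher.  It takes a component inventory of the kind a
binary analysis tool emits for a firmware image and a list of CVE records
in "affected before version X" form, and reports every component that
falls inside an affected range.  The inventory and the second record are
constructed; the kernel record reflects the real CVE-2010-2521 boundary.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    component: str
    fixed_in: str      # first version that is NOT affected
    summary: str


def parse_version(v: str) -> tuple:
    """Turn '2.6.34-rc6' into a comparable tuple.  Numeric fields compare
    numerically and are padded to four places; a release candidate sorts
    below the final release of the same number, so 2.6.34-rc6 < 2.6.34."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-rc(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums = nums + (0,) * (4 - len(nums))
    rc = m.group(2)
    # rc versions carry (0, n); final releases carry (1, 0)
    return nums + ((0, int(rc)) if rc is not None else (1, 0))


def is_affected(version: str, rec: CveRecord) -> bool:
    """A component is affected when its version predates the fix."""
    return parse_version(version) < parse_version(rec.fixed_in)


def match_inventory(inventory: dict, cves: list) -> list:
    """Return (component, version, cve_id) for every affected pair."""
    hits = []
    for rec in cves:
        ver = inventory.get(rec.component)
        if ver is not None and is_affected(ver, rec):
            hits.append((rec.component, ver, rec.cve_id))
    return hits


CVE_DB = [
    CveRecord("CVE-2010-2521", "linux-kernel", "2.6.34-rc6",
              "buffer overflows in fs/nfsd/nfs4xdr.c via NFSv4 compound WRITE"),
    # constructed record for a hypothetical library; not a real CVE
    CveRecord("CONSTRUCTED-0001", "examplelib", "1.4.0",
              "constructed placeholder record"),
]

# constructed inventory, as an SCA tool might list it for a firmware image
FIRMWARE_INVENTORY = {
    "linux-kernel": "2.6.32",   # constructed version inside the affected range
    "examplelib": "1.4.2",      # constructed, already past the fix
    "busybox": "1.20.0",        # constructed, no record in this tiny database
}


def report(inventory=FIRMWARE_INVENTORY, cves=CVE_DB) -> list:
    """Print and return the affected (component, version, cve_id) triples."""
    hits = match_inventory(inventory, cves)
    for comp, ver, cve in hits:
        print(f"{comp} {ver}: affected by {cve}")
    return hits


if __name__ == "__main__":
    report()
```

The version comparison is the part that most often goes wrong in home-grown matchers: treating “2.6.34-rc6” as a plain string would sort it after “2.6.34” and silently drop the very boundary the CVE text specifies.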

The common theme of the known vulnerabilities found in this device is the ability for remote attackers to effectively take control of the software. And, she also knows that the longer that firmware continues to retain this level of operating code, the more vulnerable it becomes over time. And this version is not even licensed correctly! She shakes her head but not in disbelief, just in exasperation.

To complete this line of investigation, our IT forensic detective accesses the PumpIn registered user website – in a couple of minutes she has easily navigated to a page that contains names, addresses and individual IDs of PumpIn devices for each user. Another shake of the head.

The two detectives come together to discuss the case – the facts:

– the victim died either as a direct result of insulin overdose and/or the blow to the head causing excessive bleeding leading to death

– the victim was a registered diabetic and a registered user of PumpIn – v2

– the tests of the PumpIn device showed that it performed according to the specification and the APP history showed no signs of apparent mis-use.

– the software analysis showed that the device had over 400 known vulnerabilities that could be exploited to make the device unstable and operate outside of its specifications and the application of the fuzzing tool proved that to be the case.

– the victim was a wealthy Bank Manager, overseeing the massive reduction of staff, being recently paid an excessive $20M bonus even after being found to have corruptly manipulated profit and earnings figures. He is also a known philanderer and child porn and PCP drug distributor.

It is pretty obvious as to the Motive – WHY he was murdered, beyond a reasonable doubt as to the Means – HOW he was murdered, but the question of WHO had the Opportunity to be the cyber murderer may remain a cold case for many years.

.. more to come ..


Sales and Business Development Mentoring is not a luxury or “tick the box” item for SMEs

Large companies selling products and/or services have a certain luxury when it comes to customers – usually, they have developed a name, a product preference and a large reference list that have customers coming to them. They have dedicated Sales and Marketing teams that ensure the customers will make a decision for them! SMEs on the other hand, especially services SMEs, do not have that specific luxury. They do, however, have a more special bond with their customers, based around trust and service and doing that bit extra because it counts. And customers who are happy with that service are usually very sticky and remain loyal, sometimes in spite of possibly better offerings in the marketplace.

This IS the SME story.

SMEs spend a lot of time keeping that loyal customer base happy. Because of their size, once they feel that there is enough business to sustain them, or feel that taking on more business is too difficult, new business development is a 2nd or 3rd priority at the weekly management meeting. The nature of small business is reflected, mostly, in the nature of the principals of the business. That is, they created the business because they were very good and used their network to create the value chain.

In good times, the SME will flourish with their customers in a healthy ecosystem – in challenging times, they all share the same pain. It is curious, and perhaps part of the SME DNA, that the SME management team mostly accept that fate – or at least have done so in the past.

Here’s a simple fact – in challenging times, the SME Services company without a focus on sales and the process of business creation as one of the top 2 daily priorities will fail.

Here’s some more interesting observed behaviour – SMEs rarely want to invest in a dedicated Sales or BD Manager because “they’ll probably leave us once they’ve generated sales” or “they wasted our time and money”. Well, the first problem is a great problem to have. The second problem most likely could have been avoided.

And yet another observation – “We gave Bob, our lead engineer, the Sales job part time, because customers like him and he’s generated a lot of follow-on business in ACME Mining”. Most likely, Bob was really liked because he delivered, was personable and knows a lot about the customer’s business. Was he “selling”? – yes! Was he creating business? – yes! Was he creating NEW business? No!

So, how do you harness what you’ve got and align a sales and business development process to that? How do you generate new business in a challenging market? How do you exploit a speciality to create a new business line? A myriad of Management and Sales 101 books will provide great guidance and tips and secrets and “10 steps” and “7 behaviours” but, without practice and game time, those books will remain dust collectors and tax deductions. Get help, get focused, just do it.

Customer Care – Self Care

For the majority of, if not all, telcos / CSPs, the function of Customer Care is a cost centre where management are in continual turmoil balancing operations cost against customer service. The CFO has incredible influence on Customer Care outcomes. The Customer Care director does the best within the budget and usually employs the begging bowl after Q1.

There are many KPIs that govern the day to day, month to month operation of customer care across the organization but, without any denial, the number 1 KPI is cost – cost per agent, cost per call, cost per transaction. Somewhere in the top 10 KPIs is a customer satisfaction index.

The emerging buzz terms for the customer care organizations are “net promoter score” and “self care” (sometimes referred to as “call avoidance” depending where you sit within the corporation’s balance sheet).

Net Promoter Score has been developed to be a company wide philosophy that rates interactions and processes against a scale (1-10) which links all those processes to customer awareness, feedback etc.

Self Care or Call Avoidance is about 2 things only – reduce cost at the call centre coal-face (end game = no calls hence no need for call centre agents) and empowering customers to resolve their issues on-line or on-device and submit “trouble-tickets” on-line. This initiative has truly significant impacts on the bottom line but, with that, comes the risk of mishandling and confusing the customer – with predictable negative outcomes!

Engaging on a self-care initiative is not a quick-fix approach. It needs to be part of a closed-loop initiative, company wide, and part of an NPS initiative if there is one.

However, even if the organizations within the CSP are all aligned behind the strategy, how can it be realized at a reasonable cost that a CFO will sign-off on?

Most CSPs are now putting activation and billing processes on-line and on-device for iOS and Android. Some CSPs are engaging social media (Gen Y world) to alert on issues and respond to problems, where the twitterverse will then start to produce proxy Q&As across all CSPs and telcos. Gen X’ers may even dabble in a bit of on-line troubleshooting but will expect a voice at the other end when the on-line experience is not what they expect (or they cannot navigate it).

On-device self-help is an obvious approach to support the overall strategy of Self Care and Call avoidance.

Most “problem” issues for mobile broadband users (of dongles) are :

  • Cannot connect (usually an installation or APN problem)
  • Poor performance (usually coverage)
  • Incompatibility (drivers and platforms)
  • Bill shock

with other issues well down in the small percentages. 

Most “problem” issues for mobile PDA users are :

  • coverage
  • poor performance (mostly latency)
  • bill shock 

On-device tools are the cheapest and most effective way to provide immediate triage of the 80% of problems.

For 3G/4G dongles, a smart App that oversees the installation process, reports on the configuration of the system, provides feedback on performance of the service AT THE CUSTOMER END – the last metre –  is a first step towards empowering the customer AND at the same time, informing the CSP of the “satisfaction” level of a customer.

PDA users are passionate about how they use it, the “cool” things it does for them and its role in supporting their business or social lives. When it doesn’t work to expectation, it’s a personal affront and an issue that has to be resolved immediately. Waiting in a call centre queue, being asked your name and identifying yourself, maybe 3 or more times in the one call, does not qualify as “immediate” and is mostly a negative issue.

A smart App that takes on the work of the customer contact centre AND records that for the CSP satisfies 2 key processes:

  1. The customer takes an immediate action and should get a result, some actionable/useful feedback.
  2. The CSP is aware of that action having been taken and has a record of it on which it can take a decision to act – to close the loop.

Network tools and network and operations engineers are not geared to understand customers’ issues and to provide immediate feedback and actions to resolve them. However, in many cases, the CSP/telco management expect them to be the fountain of knowledge, the source of truth.

A sensible combination of the myriad of systems and data that supports the operation of the “machine”, the network or networks, AND an on-device capability that acts as the “proxy” for the customer enables a strategy of Call Avoidance and Self-Care to be executed.

Closed Loop Telco Customer Care

Closing The Loop – realisable actions to address customer issues to build and maintain brand loyalty

An emerging (and obvious) need for Communications Services Providers (CSPs) is to close the loop as far as customer experience and network operations is concerned.

As an example, recent discussions with an Australian CSP indicate there is still a yawning gap between taking “corrective” actions in the Radio Access Network and then verifying the action in terms of Customer Experience. That is, there is usually some form of aggregated complaint which is analysed from an engineering perspective, with action taken to address that complaint. However, there are no formalised or systemised actions to check if those underlying complaints have been resolved. As a proxy for the customer, some CSPs use network probing to be the “voice” of the customer. The cost of probing the 3G and LTE networks at the RAN edge is prohibitively expensive. RNCs and eNodeBs do not have the capability to provide a customer-perspective “report” out of the billions of transactions that they need to focus on and report on.

There are many aspects of Closed Loop customer experience, and the RAN aspect is just one use case that can be addressed by an on-device APP. Of course, there are other processes that need to be developed or refined to complete a 360-degree sweep for care. Most CSPs are organised in efficient pillars of operations – Networks build and deliver networks, Operations operate them, Product groups own the resultant combination of networks and selling processes, and Customer Care organisations struggle with the complexities of triaging incoming calls. But most CSPs are not organised to effectively close the loop with the customer. Smart CSPs are now addressing this through cross-pillar advocacy groups, but there is a long way to go before the management lethargy is overcome and these become effective day-to-day processes.

On-device APPs are the customer proxy as far as their user experience is concerned and they provide a missing information vector to help close the loop – BUT – the CSP must willingly want to close the loop and be prepared to disrupt the organisation to align towards the customer. The business case stacks up very neatly but in many cases the momentum of business-as-usual and apathy are powerful negative forces preventing the initiative.

It’s an exciting era in competitive communications, and telcos who do not actively address the “closing the loop” challenge are opening up opportunities for customers to churn away from them – a creeping poison that has a very costly antidote if not treated early.

“It’s about Customer retention”