COVID-19 Scams Spread Like Their Own Virus

It’s a sad fact of life that within moments of any tragedy there is a scammer scheming to turn a profit on it. These sick fucks are the bridge between sociopaths and homeopaths, willing to sell their own sick grandmothers distilled water on their deathbeds with a sick smile on their faces. Or, as in the case of Unichem Royal Oak Pharmacy in Auckland, New Zealand, they’ll sell you a cardboard card on a lanyard and tell you you’re safe from COVID-19.

To the rest of the world, New Zealand is a beacon of hope. As a country, we used science to guide the response to COVID-19 and have beaten it back like no other country. But while the rest of the world looks on in wonder at our success, there is still an undercurrent of fear and ignorance that scammers can latch on to. As an example, this sponsored post popped up in my Facebook feed yesterday:

It is a link to a YouTube video promoting the virtues of a card you can wear on a lanyard that creates a ‘one-meter protection zone’ against viruses and bacteria. This is, of course, absolute bullshit. Really, if I have to explain this to you, how are you even functional in the modern world?

I filed a complaint about this video on YouTube, but I don’t expect it to be taken down. This isn’t your standard user-submitted video. This is a paid-to-be-hosted video on YouTube. Want to know what gives it away? No matter how many times you watch it, there’s never an ad. When’s the last time you saw that on one of your videos?

As you can see above, I felt compelled to comment. That comment has been deleted, and I’ve been blocked from commenting on any of Unichem Royal Oak Pharmacy’s posts.

So, I made a post instructing people on how to file a scam complaint. You can do it too, if you’d like to participate in the exercise. First visit their post, and then follow these steps:

It will be interesting to see what happens if a lot of people report it for the scam that it is. Sad to say, I won’t be surprised if Facebook leaves it up. They have a surprising amount of tolerance for hosting scams when the poster is a paying customer. Here’s the response I received:

As you can see, Facebook’s acceptable community standards include selling people quack ‘virus shields’.

Making sense of the Kiwiburn map. :)

Having never been there, and having no frame of reference, you wouldn’t believe how much time we all spent trying to figure out how the town map fit against what we saw in Google Maps. It didn’t help that the Town Plan map was rotated 90 degrees, and that Google Maps shows the address on Cooks Road fairly far away from where it really is. Now it all makes sense. 🙂

Nebula: The Zero Trust Networking Tool You Didn’t Know You Needed

I first became aware of Nebula a few days ago, thanks to two excellent write-ups at Ars Technica (here and here). It’s an open source product freely given to the world by the folks at Slack (best known for making billions putting a fresh skin on IRC). While those two write-ups at Ars Technica do a decent job at introducing Nebula, I feel like there’s a use case for Nebula that hasn’t been fully explained.

Nebula isn’t like the VPNs for which you are constantly bombarded with ads. It isn’t designed for you to hide your torrent traffic, or to mask your IP address. It is designed to secure communications between systems you control, and makes for an excellent building block in a Zero Trust implementation.

First off, what’s “Zero Trust”? It’s the idea that you can’t trust any of your infrastructure, any more than you could trust the Internet. It’s the logical evolution of the old adage “never trust the client”. If you can’t trust the client, you can’t trust the network they are connected to either. Assume at all times:

  • There’s a compromised device on your network sniffing traffic.
  • All of those ‘Smart Appliances’ you got for Christmas are remotely hackable, if they weren’t flat out designed to attack your network from the inside.
  • Any machine can have zero-day malware that isn’t detectable yet.
  • The NSA has a tap on your AWS VPC (Virtual Private Cloud).
  • Any of the Five Eyes countries have taps on the switches/routers at your ISP.
  • The ‘free WiFi’ at the cafe is sniffing traffic to insert ads, or worse.
  • Your ISP is sniffing traffic for * reason.
  • Your SuperMicro server has the Magick Chip that sends data to China.
  • Your network gear has Huawei components.
  • One of your sysadmins didn’t get enough of a raise and has sold access to your network for fun and profit.
  • There are a thousand other risk factors not on this list.

The old paradigm was built around a division of realms: the trusted home/office/datacenter network and the wild west of the Internet, with firewalls in between. That paradigm is shifting with the acceptance of the reality that devices inside your trusted network are going to be compromised. By accepting that, and making design decisions with that in mind, the impact of your future compromise(s) just might be reduced.

Now that you are starting to embrace the appropriate level of paranoia, how does Nebula VPN help? Nebula lets you create a mesh VPN between the hosts in your network, whether or not they are on the same subnet or in the same VPC. It allows you to secure traffic that was otherwise difficult to secure, or that you wouldn’t normally consider securing because it takes place in a ‘trusted’ layer of your network. With Nebula it becomes trivial to encrypt MySQL, MongoDB, Redis, Memcache, etc. traffic, restricting access to hosts with the appropriate certificates installed while also limiting exposure if another instance in your infrastructure becomes compromised.
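As an added illustration (not from the original post or from the Nebula project's documentation), here is roughly what that restriction looks like in a database host's Nebula config. The overlay subnet, hostnames, file paths and group names are assumptions made up for the example.

```yaml
# /etc/nebula/config.yml on the database host (constructed example).
# Assumed overlay: 192.168.100.0/24, lighthouse at 192.168.100.1.
# Groups are baked into each host certificate when it is signed, e.g.:
#   nebula-cert sign -name "db1"  -ip "192.168.100.10/24" -groups "db"
#   nebula-cert sign -name "web1" -ip "192.168.100.20/24" -groups "web"
pki:
  ca: /etc/nebula/ca.crt
  cert: /etc/nebula/db1.crt
  key: /etc/nebula/db1.key

static_host_map:
  "192.168.100.1": ["lighthouse.example.com:4242"]

lighthouse:
  am_lighthouse: false
  hosts:
    - "192.168.100.1"

listen:
  host: 0.0.0.0
  port: 4242

punchy:
  punch: true

tun:
  dev: nebula1

firewall:
  # Inbound is default-deny: anything not matched below is dropped.
  outbound:
    - port: any
      proto: any
      host: any
  inbound:
    # Ping from any host holding a certificate signed by this CA
    - port: any
      proto: icmp
      host: any
    # MySQL only from hosts whose certificate carries the "web" group
    - port: 3306
      proto: tcp
      group: web
    # SSH only from hosts in the (assumed) "admin" group
    - port: 22
      proto: tcp
      group: admin
```

These rules only govern traffic arriving over the Nebula interface, so MySQL itself should be bound to the host's Nebula address (192.168.100.10 here); otherwise the port stays reachable, unencrypted, on the underlying network.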

Unlike traditional hub and spoke VPNs, Nebula functions as something closer to a mesh. In a traditional VPN, two clients who want to talk to each other would have to route their traffic to the server and back. With Nebula, clients negotiate the best way to talk to each other, using the shortest route possible. This is a far more efficient use of bandwidth.

I spent a couple of hours adding a new column on my IP/subnet spreadsheet, creating certificates, and writing a Puppet module to deploy Nebula in my quirky infrastructure. I now have a virtual VPN subnet that spans systems across two continents, where I can now use the Nebula IP for a host to automagically encrypt traffic.

I haven’t used Nebula long enough to run into any gotchas, which means I’m still a novice. Despite that, I do feel secure in saying that it makes for a powerful tool in your Security toolbox.

If you want to give it a try, this write-up at Ars Technica will have you up and running in ten minutes or so.