Daily Archives: July 13, 2018

What Drives a Ransomware Criminal? CoinVault Developers Convicted in Dutch Court

How often do we get a chance to learn what goes on in the minds of cybercriminals? Two members of McAfee’s Advanced Threat Research team recently did, as they attended a court case against two cybercriminal brothers.

The brothers, Dennis and Melvin, faced a judge in Rotterdam, in the Netherlands. This case was one of the first in the world in which ransomware developers appeared in court and were convicted for creating and spreading ransomware.

They were responsible for creating the ransomware families CoinVault and BitCryptor. CoinVault, the better known of the two, made its appearance in late 2014. The technically skilled programmers had examined the source code of CryptoLocker, the notorious ransomware family that first struck in 2013. The brothers were not very impressed and agreed that they could do a better job. What might have started out as a fun technical challenge turned into a criminal business.

The CoinVault and BitCryptor campaigns were not as widespread as CTB-Locker, CryptoWall, or Locky ransomware campaigns. Nor did they profit as much from it, but this case is nevertheless uncommon. It is rare that the developers of ransomware are caught, let alone confess their crimes. This case gives us an opportunity to understand what drove them down a path to cybercrime.

The challenge

Why would someone write malicious code and infect thousands of people? The judge asked the brothers the same question. Their response was “Because it was a technical challenge.” “But didn’t you realize you were dealing with people?” the judge responded. Both brothers answered that they did not; they were dealing with computers and never met their victims face to face.

The judge and prosecutor did not accept their explanation. CoinVault had a built-in helpdesk function to directly communicate with their victims, thus registering their pleas. The brothers standard reaction was merciless: “Just pay the money; otherwise we won’t decrypt.” According to the prosecutor, they had plenty of opportunities to see the consequences of their actions but choose to ignore them for money.

At the trial they said they were sorry and tearfully regretted what they had done. But were these mere crocodile tears because they got caught? During CoinVault’s lifespan, several versions of the ransomware were released. Every new version was a reaction to blogs written by security researchers and takedowns performed by law enforcement. Instead of realizing that they were making a mistake and stopping, the brothers saw it as a challenge, a digital game of cat and mouse, and constantly improved their malicious code.

Their continuing to improve the ransomware shows a lack of empathy with their victims. Was there no one in their social surroundings who could straighten their moral compasses and talk sense into them?

The payment

A ransomware criminal must decide the amount of ransom to charge. Generally the more targeted a ransomware attack is, the higher the ransom demand will be. CoinVault’s infections were not targeted at one organization; they charged only US$250. The two brothers explained that they chose that price to be low enough for an average person to pay while still making a good profit. The prosecutor remarked ironically that they were “very noble [to keep] their ransom demand affordable.”

The infection

The two brothers did not directly infect their victims with ransomware; they took a multistep approach. Their distribution method was via newsgroup channels. They hooked a small piece of malicious code to known software or license-key generators before posting the software packages on the newsgroups. Once victims installed the package or ran the key generator, they would become part of a botnet through the software the brothers named Comhost, which can record keystrokes, search for credentials, and steal Bitcoin wallets. Comhost can also upload and execute binaries received from the control server they named Sonar. (We believe Sonar is modified a version of the popular Solar botnet software.)

The Sonar botnet panel.

Once they had accumulated enough bots, they simply pushed CoinVault to all their victims and locked thousands of computers at once. This method made it hard for victims to figure out how they were attacked, because weeks could pass between the initial infection and the encryption. By spreading their ransomware via newsgroups with pirated software, they discouraged victims from going to the police out of fear of prosecution and copyright-violation fines.

The CoinVault lock screen.

The arrest

In April 2015, The National High Tech Crime Unit of the Dutch Police seized the control servers for CoinVault. After the police investigated, the two brothers, aged 18 and 22 at the time, were arrested in Amersfoort, Netherlands, on September 14, 2015. Systems were infected not only in the Netherlands, but also in the United States, Germany, France, and the United Kingdom. Their mistakes? Using flawless Dutch in the ransom notes and one time they did not use a Tor connection to log in into their control server, instead using their home connection.

Flawless Dutch in the ransomware code.

Although they used an obfuscator tool (Confuser) for their code, in some of the samples the full name of one of the authors was present, because they did not clean up the debugging path.

Example:

 c:\Users\**********\Desktop\Coinvault\coinvault-cleaned\obj\Debug\coinvault.pdb

From grabbing keys to No More Ransom

During the investigation the Dutch police obtained all the decryption keys for CoinVault and partnered with the private sector to build a decryption tool for CoinVault ransomware, successfully mitigating a large portion of the damage caused by CoinVault. This effort idea gave birth to No More Ransom, an online portal supported by the public and private sector with the largest repository on the planet of free ransomware decryption tools. No More Ransom now has decryptors for 85 ransomware versions. This global initiative has prevented millions of dollars from falling into the hands of cybercriminals. McAfee is proud to be one of the founding members of No More Ransom.

Nomoreransom.org

The next steps

Extorting people with ransomware is wrong, and perpetrators must be held accountable. It is sad to see two talented young people choose a pathway to cybercrime and waste their skills—skills sorely needed in the cybersecurity sector. We hope they will have learned a lesson as they endure the consequences of their actions. The sentencing will take place in about two weeks. Perhaps after they serve their time, they will find someone willing to give them a second chance.

The post What Drives a Ransomware Criminal? CoinVault Developers Convicted in Dutch Court appeared first on McAfee Blogs.

CVE-2013-0570 (network_operating_system)

The Fibre Channel over Ethernet (FCoE) feature in IBM System Networking and Blade Network Technology (BNT) switches running IBM Networking Operating System (aka NOS, formerly BLADE Operating System) floods data frames with unknown MAC addresses out on all interfaces on the same VLAN, which might allow remote attackers to obtain sensitive information in opportunistic circumstances by eavesdropping on the broadcast domain. IBM X-Force ID: 83166.

CVE-2017-13092 (-)

The P1735 IEEE standard describes flawed methods for encrypting electronic-design intellectual property (IP), as well as the management of access rights for such IP, including improperly specified HDL syntax allows use of an EDA tool as a decryption oracle. The methods are flawed and, in the most egregious cases, enable attack vectors that allow recovery of the entire underlying plaintext IP. Implementations of IEEE P1735 may be weak to cryptographic attacks that allow an attacker to obtain plaintext intellectual property without the key, among other impacts.

CVE-2017-13095 (-)

The P1735 IEEE standard describes flawed methods for encrypting electronic-design intellectual property (IP), as well as the management of access rights for such IP, including modification of a license-deny response to a license grant. The methods are flawed and, in the most egregious cases, enable attack vectors that allow recovery of the entire underlying plaintext IP. Implementations of IEEE P1735 may be weak to cryptographic attacks that allow an attacker to obtain plaintext intellectual property without the key, among other impacts.

CVE-2017-13094 (-)

The P1735 IEEE standard describes flawed methods for encrypting electronic-design intellectual property (IP), as well as the management of access rights for such IP, including modification of the encryption key and insertion of hardware trojans in any IP. The methods are flawed and, in the most egregious cases, enable attack vectors that allow recovery of the entire underlying plaintext IP. Implementations of IEEE P1735 may be weak to cryptographic attacks that allow an attacker to obtain plaintext intellectual property without the key, among other impacts.

CVE-2017-13096 (-)

The P1735 IEEE standard describes flawed methods for encrypting electronic-design intellectual property (IP), as well as the management of access rights for such IP, including modification of Rights Block to remove or relax access control. The methods are flawed and, in the most egregious cases, enable attack vectors that allow recovery of the entire underlying plaintext IP. Implementations of IEEE P1735 may be weak to cryptographic attacks that allow an attacker to obtain plaintext intellectual property without the key, among other impacts.

CVE-2017-13091 (-)

The P1735 IEEE standard describes flawed methods for encrypting electronic-design intellectual property (IP), as well as the management of access rights for such IP, including improperly specified padding in CBC mode allows use of an EDA tool as a decryption oracle. The methods are flawed and, in the most egregious cases, enable attack vectors that allow recovery of the entire underlying plaintext IP. Implementations of IEEE P1735 may be weak to cryptographic attacks that allow an attacker to obtain plaintext intellectual property without the key, among other impacts.

CVE-2017-13097 (-)

The P1735 IEEE standard describes flawed methods for encrypting electronic-design intellectual property (IP), as well as the management of access rights for such IP, including modification of Rights Block to remove or relax license requirement. The methods are flawed and, in the most egregious cases, enable attack vectors that allow recovery of the entire underlying plaintext IP. Implementations of IEEE P1735 may be weak to cryptographic attacks that allow an attacker to obtain plaintext intellectual property without the key, among other impacts.

CVE-2017-13093 (-)

The P1735 IEEE standard describes flawed methods for encrypting electronic-design intellectual property (IP), as well as the management of access rights for such IP, including modification of encrypted IP cyphertext to insert hardware trojans. The methods are flawed and, in the most egregious cases, enable attack vectors that allow recovery of the entire underlying plaintext IP. Implementations of IEEE P1735 may be weak to cryptographic attacks that allow an attacker to obtain plaintext intellectual property without the key, among other impacts.

CVE-2016-9493 (php_formmail_generator)

The code generated by PHP FormMail Generator prior to 17 December 2016 is vulnerable to stored cross-site scripting. In the generated form.lib.php file, upload file types are checked against a hard-coded list of dangerous extensions. This list does not include all variations of PHP files, which may lead to execution of the contained PHP code if the attacker can guess the uploaded filename. The form by default appends a short random string to the end of the filename.

CVE-2016-6563 (dir-818l(w)_firmware, dir-822_firmware, dir-823_firmware, dir-850l_firmware, dir-868l_firmware, dir-880l_firmware, dir-885l_firmware, dir-890l_firmware, dir-895l_firmware)

Processing malformed SOAP messages when performing the HNAP Login action causes a buffer overflow in the stack in some D-Link DIR routers. The vulnerable XML fields within the SOAP body are: Action, Username, LoginPassword, and Captcha. The following products are affected: DIR-823, DIR-822, DIR-818L(W), DIR-895L, DIR-890L, DIR-885L, DIR-880L, DIR-868L, and DIR-850L.

CVE-2016-9492 (php_formmail_generator)

The code generated by PHP FormMail Generator prior to 17 December 2016 is vulnerable to unrestricted upload of dangerous file types. In the generated form.lib.php file, upload file types are checked against a hard-coded list of dangerous extensions. This list does not include all variations of PHP files, which may lead to execution of the contained PHP code if the attacker can guess the uploaded filename. The form by default appends a short random string to the end of the filename.

CVE-2016-9491 (manageengine_applications_manager)

ManageEngine Applications Manager 12 and 13 before build 13690 allows an authenticated user, who is able to access /register.do page (most likely limited to administrator), to browse the filesystem and read the system files, including Applications Manager configuration, stored private keys, etc. By default Application Manager is running with administrative privileges, therefore it is possible to access every directory on the underlying operating system.

CVE-2016-6567 (resident_download_manager)

SHDesigns' Resident Download Manager provides firmware update capabilities for Rabbit 2000/3000 CPU boards, which according to the reporter may be used in some industrial control and embedded applications. The Resident Download Manager does not verify that the firmware is authentic before executing code and deploying the firmware to devices. A remote attacker with the ability to send UDP traffic to the device may be able to execute arbitrary code on the device. According to SHDesigns' website, the Resident Download Manager and other Rabbit Tools have been discontinued since June 2011.

CVE-2016-9498 (manageengine_applications_manager)

ManageEngine Applications Manager 12 and 13 before build 13200, allows unserialization of unsafe Java objects. The vulnerability can be exploited by remote user without authentication and it allows to execute remote code compromising the application as well as the operating system. As Application Manager's RMI registry is running with privileges of system administrator, by exploiting this vulnerability an attacker gains highest privileges on the underlying operating system.

CVE-2016-9485 (secureconnector)

On Windows endpoints, the SecureConnector agent must run under the local SYSTEM account or another administrator account in order to enable full functionality of the agent. The typical configuration is for the agent to run as a Windows service under the local SYSTEM account. The SecureConnector agent runs various plugin scripts and executables on the endpoint in order to gather and report information about the host to the CounterACT management appliance. The SecureConnector agent downloads these scripts and executables as needed from the CounterACT management appliance and runs them on the endpoint. The SecureConnector agent fails to set any permissions on downloaded file objects. This allows a malicious user to take ownership of any of these files and make modifications to it, regardless of where the files are saved. These files are then executed under SYSTEM privileges. A malicious unprivileged user can overwrite these executable files with malicious code before the SecureConnector agent executes them, causing the malicious code to be run under the SYSTEM account.

CVE-2016-9486 (secureconnector)

On Windows endpoints, the SecureConnector agent must run under the local SYSTEM account or another administrator account in order to enable full functionality of the agent. The typical configuration is for the agent to run as a Windows service under the local SYSTEM account. The SecureConnector agent runs various plugin scripts and executables on the endpoint in order to gather and report information about the host to the CounterACT management appliance. The SecureConnector agent downloads these scripts and executables as needed from the CounterACT management appliance and runs them on the endpoint. By default, these executable files are downloaded to and run from the %TEMP% directory of the currently logged on user, despite the fact that the SecureConnector agent is running as SYSTEM. Aside from the downloaded scripts, the SecureConnector agent runs a batch file with SYSTEM privileges from the temp directory of the currently logged on user. If the naming convention of this script can be derived, which is made possible by placing it in a directory to which the user has read access, it may be possible overwrite the legitimate batch file with a malicious one before SecureConnector executes it. It is possible to change this directory by setting the the configuration property config.script_run_folder.value in the local.properties configuration file on the CounterACT management appliance, however the batch file which is run does not follow this property.

CVE-2016-9497 (dw7000_firmware, hn7000s_firmware, hn7000sm_firmware, hn7740s_firmware)

Hughes high-performance broadband satellite modems, models HN7740S DW7000 HN7000S/SM, is vulnerable to an authentication bypass using an alternate path or channel. By default, port 1953 is accessible via telnet and does not require authentication. An unauthenticated remote user can access many administrative commands via this interface, including rebooting the modem.

CVE-2016-6566 (etrakit3)

The valueAsString parameter inside the JSON payload contained by the ucLogin_txtLoginId_ClientStat POST parameter of the Sungard eTRAKiT3 software version 3.2.1.17 is not properly validated. An unauthenticated remote attacker may be able to modify the POST request and insert a SQL query which may then be executed by the backend server. eTRAKiT 3.2.1.17 was tested, but other versions may also be vulnerable.

CVE-2016-6564 (alfa_6_firmware, colorful_k45i_firmware, cube_5.0_firmware, hot_2_x510_firmware, hot_x507_firmware, lead_2s_firmware, lead_3i_firmware, lead_5_firmware, lead_6_firmware, pro_2_firmware, studio_6.0_hd_firmware, studio_c_hd_firmware, studio_g_firmware, studio_g_plus_firmware, studio_x_firmware, studio_x_plus_firmware, voyager_2_dg310i_firmware, zero_2_x509_firmware, zero_x506_firmware)

Android devices with code from Ragentek contain a privileged binary that performs over-the-air (OTA) update checks. Additionally, there are multiple techniques used to hide the execution of this binary. This behavior could be described as a rootkit. This binary, which resides as /system/bin/debugs, runs with root privileges and does not communicate over an encrypted channel. The binary has been shown to communicate with three hosts via HTTP: oyag[.]lhzbdvm[.]com oyag[.]prugskh[.]net oyag[.]prugskh[.]com Server responses to requests sent by the debugs binary include functionalities to execute arbitrary commands as root, install applications, or update configurations. Examples of a request sent by the client binary: POST /pagt/agent?data={"name":"c_regist","details":{...}} HTTP/1. 1 Host: 114.80.68.223 Connection: Close An example response from the server could be: HTTP/1.1 200 OK {"code": "01", "name": "push_commands", "details": {"server_id": "1" , "title": "Test Command", "comments": "Test", "commands": "touch /tmp/test"}} This binary is reported to be present in the following devices: BLU Studio G BLU Studio G Plus BLU Studio 6.0 HD BLU Studio X BLU Studio X Plus BLU Studio C HD Infinix Hot X507 Infinix Hot 2 X510 Infinix Zero X506 Infinix Zero 2 X509 DOOGEE Voyager 2 DG310 LEAGOO Lead 5 LEAGOO Lead 6 LEAGOO Lead 3i LEAGOO Lead 2S LEAGOO Alfa 6 IKU Colorful K45i Beeline Pro 2 XOLO Cube 5.0

CVE-2016-6562 (shortel_mobility_client)

On iOS and Android devices, the ShoreTel Mobility Client app version 9.1.3.109 fails to properly validate SSL certificates provided by HTTPS connections, which means that an attacker in the position to perform MITM attacks may be able to obtain sensitive account information such as login credentials.

CVE-2016-6559 (freebsd)

Improper bounds checking of the obuf variable in the link_ntoa() function in linkaddr.c of the BSD libc library may allow an attacker to read or write from memory. The full impact and severity depends on the method of exploit and how the library is used by applications. According to analysis by FreeBSD developers, it is very unlikely that applications exist that utilize link_ntoa() in an exploitable manner, and the CERT/CC is not aware of any proof of concept. A blog post describes the functionality of link_ntoa() and points out that none of the base utilities use this function in an exploitable manner. For more information, please see FreeBSD Security Advisory SA-16:37.

CVE-2016-6545 (itrackeasy)

Session cookies are not used for maintaining valid sessions in iTrack Easy. The user's password is passed as a POST parameter over HTTPS using a base64 encoded passwd field on every request. In this implementation, sessions can only be terminated when the user changes the associated password.

CVE-2016-6557 (ea-n66_firmware, rp-ac52_firmware, rp-ac56_firmware, rp-n12_firmware, rp-n14_firmware, rp-n53_firmware, wmp-n12_firmware)

In ASUS RP-AC52 access points with firmware version 1.0.1.1s and possibly earlier, the web interface, the web interface does not sufficiently verify whether a valid request was intentionally provided by the user. An attacker can perform actions with the same permissions as a victim user, provided the victim has an active session and is induced to trigger the malicious request.

CVE-2016-6558 (ea-n66_firmware, rp-ac52_firmware, rp-ac56_firmware, rp-n12_firmware, rp-n14_firmware, rp-n53_firmware, wmp-n12_firmware)

A command injection vulnerability exists in apply.cgi on the ASUS RP-AC52 access point, firmware version 1.0.1.1s and possibly earlier, web interface specifically in the action_script parameter. The action_script parameter specifies a script to be executed if the action_mode parameter does not contain a valid state. If the input provided by action_script does not match one of the hard coded options, then it will be executed as the argument of either a system() or an eval() call allowing arbitrary commands to be executed.

CVE-2018-10631 (n’vision_8840_firmware, n’vision_8870_firmware)

Medtronic N'Vision Clinician Programmer 8840 N'Vision Clinician Programmer, all versions, and 8870 N'Vision removable Application Card, all versions. The 8840 Clinician Programmer executes the application program from the 8870 Application Card. An attacker with physical access to an 8870 Application Card and sufficient technical capability can modify the contents of this card, including the binary executables. If modified to bypass protection mechanisms, this malicious code will be run when the card is inserted into an 8840 Clinician Programmer.

CVE-2018-1000207 (modx_revolution)

MODX Revolution version <=2.6.4 contains a Incorrect Access Control vulnerability in Filtering user parameters before passing them into phpthumb class that can result in Creating file with custom a filename and content. This attack appear to be exploitable via Web request. This vulnerability appears to have been fixed in commit 06bc94257408f6a575de20ddb955aca505ef6e68.

CVE-2018-1000210 (yamldotnet)

YamlDotNet version 4.3.2 and earlier contains a Insecure Direct Object Reference vulnerability in The default behavior of Deserializer.Deserialize() will deserialize user-controlled types in the line "currentType = Type.GetType(nodeEvent.Tag.Substring(1), throwOnError: false);" and blindly instantiates them. that can result in Code execution in the context of the running process. This attack appear to be exploitable via Victim must parse a specially-crafted YAML file. This vulnerability appears to have been fixed in 5.0.0.

CVE-2018-1000209 (sensu_core)

Sensu, Inc. Sensu Core version Before version 1.4.2-3 contains a Insecure Permissions vulnerability in Sensu Core on Windows platforms that can result in Unprivileged users may execute code in context of Sensu service account. This attack appear to be exploitable via Unprivileged user may place an arbitrary DLL in the c:\opt\sensu\embedded\bin directory in order to exploit standard Windows DLL load order behavior. This vulnerability appears to have been fixed in 1.4.2-3 and later.

CVE-2018-1245 (rsa_identity_governance_and_lifecycle)

RSA Identity Lifecycle and Governance versions 7.0.1, 7.0.2 and 7.1.0 contains an authorization bypass vulnerability within the workflow architect component (ACM). A remote authenticated malicious user with non-admin privileges could potentially bypass the Java Security Policies. Once bypassed, a malicious user could potentially run arbitrary system commands at the OS level with application owner privileges on the affected system.

CVE-2018-7535 (totalav)

An issue was discovered in TotalAV v4.1.7. An unprivileged user could modify or overwrite all of the product's files because of weak permissions (Everyone:F) under %PROGRAMFILES%, which allows local users to gain privileges or obtain maximum control over the product.

How to Get Paid for Proposals

Proposals are one of the most expensive things you will spend your time on in a small business (or a large business, for that matter). You not only spend tons of time discovering and understanding what the client needs, but you also spend countless hours (often late at night) putting the proposal together, polishing it, tweaking the numbers and creating a whiz-bang presentation to accompany the proposal.

All of that for free, and often for nothing.

I’m very much against charging by the hour, but in this case calculating your effective hourly rate is a good exercise:

Let’s say that you recently landed a project and you’re going to make $10,000 from it. You’re going to spend 50 hours delivering the project so you’re earning $200 per hour (this is your billable rate). Easy calculation. But when you figure in the time that you spent on putting the proposal together – lets say another 20 hours – you’re only generating around $142 per hour, or a 25% drop in your effective hourly rate. Add in the other non-billable time you spent with the client and you’re easily pushing your effective hourly rate – for that project – down below 50% of your billable rate.

Pushing your effective hourly rate down is of course not the only bad thing that happens.

It breaks my heart

You put your heart and soul into understanding what the client really needs, give them the benefit of your experience to make sure they don’t fall into traps and put a lot of thought and effort into how you can help them solve their business problem. You’re invested – both in time and in emotional energy.

So when they turn you down, there’s a double whammy. You’ve just done a lot of work for nothing and you’ve just had your emotional investment kicked in the face (or that’s how it feels, at least at first). That hurts – especially when you’re new to the game. Over time you learn that opportunities come and go and you get less emotionally invested, but each time a proposal doesn’t hit the mark you take an emotional hit.

But what if there’s a better way? What if you could actually get paid for your proposals? And have your client like it that way?

There is a way to do this, and it starts with understanding the value of the proposal.

Proposals are valuable

By the time a client asks you to put together a proposal, you’ve already been dancing for a while. You’ve had some initial meetings, a couple of discovery sessions and they like what they see.

Now they ask you to do a proposal, and you’re going to have to spend more time with them. You need to make sure you understand exactly what they need, how much you can get done within their budget, what takes priority and where the skeletons are. You’re going to apply your expertise to dig into details, find out what else needs fixing and so on…the point is you’re going to spend more time with them.

Then you head off to your cave, put together the proposal and present it to them. And they say thanks, great work, we’ll get back to you. So far so good.

How much value did your potential client get from this proposal development process? The answer is: a lot.

They’ve just had an expert analyse their problem, dig into the details and tell them what they need to do to solve the problem. They now understand their problem a lot better and know what needs to be done to fix it (even if they don’t have the expertise to do it themselves). And of course you may not be the only one submitting a proposal, so the client has received a lot of valuable advice – from multiple experts.

And you gave it to them for free.

Doctors charge for “proposals”

Think about it this way: when you go to a doctor with a complaint, they will diagnose you, maybe run some tests, make some recommendations and perhaps prescribe some medicine. Then they’re going to ask you to come in for an extended treatment or checkup to see if things have improved. And you’re happy to pay for this initial consultation.

When you develop a proposal for a client, you’re effectively doing what a doctor does in an initial consultation. You’re listening to the “patient”, running some tests to find out if there’s a deeper cause for the problem, and applying your expertise to recommend a way to get rid of the problem.

You’ve provided a lot of value, but you’re willing to give it away for free because that’s the way your industry usually works. Doctors don’t work like this; they charge for the “proposal” phase of their work with you.

The first key in moving from free to paid proposals is to understand that your proposal is tremendously valuable to your client. 

But you need to present it to them as something valuable; and you need to deliver that value. The way to do that is to provide a roadmap.

The differences between a proposal and a roadmap

A proposal is usually a document that defines a scope of work, the number of hours required to do it and a price. If you’ve been at this for a while you will know that you need to base the proposal on the client’s ROI (Return On Investment) – what they get in return for their investment in your services.

A roadmap is also a document, but in this case the document clearly spells out what the client will need to do (or get done first), second and so on. A roadmap sometimes includes a timeline to help the client understand how long the whole process could take. Again, justifying the business case is critical to help the client make the right decision.

A roadmap is the output of one or more roadmap sessions. A roadmap session is like a discovery session, but includes co-development of the roadmap.

If you’re familiar with project planning, you will already have noticed that a roadmap is a high-level project plan.

But there are more differences between a proposal and a roadmap:

A difference in process

When you follow the proposal route of getting work, your engagement with the client looks something like this:

  • initial meeting to see if there’s a fit (make sure you can you help them);
  • a series of meetings to discover what they really need;
  • crafting the proposal;
  • (if you’re experienced) working with the client on the draft proposal to make sure you’re hitting the mark;
  • presenting the final proposal to them; and
  • hoping for the best.

When you use the roadmap route, the engagement looks a little different:

  • initial meeting to see if there’s a fit (can you help them);
  • present the roadmap option (standard for each client); and
  • hope for the best.

A difference in what they get

Your client can do only one thing with a proposal: say yes or no (or haggle a bit). A roadmap is something they can use; on their own, with you or with someone else:

  • A proposal effectively says “here stuff I will do for you”. A smart proposal says “here’s how I will solve your problem and here’s the ROI”.
  • A roadmap says “here’s where you need to get to, here’s the road you need to follow and here are the stops along the way. You can use this roadmap on your own, with me or with someone else.”

A difference in the size of the commitment

Saying yes to a proposal is a big step, because it usually requires the client to make a big financial investment. The risk for the client is high and their objections will reflect that.

Saying yes to a roadmap exercise is a much smaller commitment. My roadmap sessions typically run for half a day (usually with a couple of hours before and after) and therefore cost a lot less. Much easier for the client to say yes to this much smaller investment.

A difference in how they perceive your expertise

When you present a roadmap option you are clearly placing yourself in charge of the situation. You know exactly how you’re going to go about building the roadmap, you have a defined process and the confidence to present this as the right option for the client. (This is why the client is hiring you in the first place: you are the expert, you know how this should be done and you know exactly how to go about doing it.)

When you present a proposal, you are to some extent asking the client to approve not just the expenditure, but also to make a judgment on whether this is the right thing to do. You’ve given up some control of your expertise.

A difference in the amount of time involved

The proposal route is a big investment (in time) for you and for your client. It is not uncommon to spend tens or even hundreds of hours on discovery meetings, user requirements analysis and proposal polishing for a large contract. A roadmap approach, on the other hand, is a lot smaller investment for you and for your client. You’ve spent maybe two or three hours with the client and then it’s up to them to decide.

(There are more differences, for example the idea that a roadmap is a collaborative exercise versus a proposal which is something you give to the client, but I think you get the point.)

Roadmaps don’t contain pricing

None of my roadmaps contain pricing. The whole idea is that the client can use the roadmap now, later, on their own, with me or with someone else – so I don’t want them to confuse the roadmap with a proposal. Where appropriate, I will send a proposal for some or all of the work in the roadmap; the proposal can be very short because the heavy lifting has already been done in the roadmap.

So how do you move from (free) proposals to (paid) roadmaps?

To get a client to pay for a roadmap, you have to deliver value. That value comes from three places:

  • the roadmap itself: the output of the roadmap session(s) – a tool the client can use;
  • the process you will use to create the roadmap: this is where your expertise has to shine; you must know exactly how you’re going to go about creating the roadmap; what happens before, during and after the roadmap session(s); what the output will look like, and how you’re going to get the client to co-develop the roadmap;
  • your confidence: you have to be confident that this is the right thing to do, the right way to do it and that it delivers substantial value to your client.

This is not an easy road by any means, but there is a way to build up to it:

  • Start by taking proposals you’ve done in the past and turning them into roadmaps. Can you make them look like high-level project plans? Can the work be clearly grouped into relatively small chunks where each chunk builds on the previous one? Is there value from each chunk of work?
  • Define your process for creating a roadmap. Before you head into a roadmap session, there’s likely some pre-work that you need to do, for example running an analysis on their website (if that’s part of the problem) or doing an analysis of their business using something like the Tornado Method. Then define what the output would typically look like, and what you need to do during a roadmap session to get there. Then define what happens after the session. Turn it all into a collection of checklists.
  • Trial and refine your process. Find a friend or a willing client to be your first roadmap client. Follow your process and make sure you make notes of what’s working and what needs to be improved. Refine your process and repeat the exercise. Each time you do it you will gain more confidence.

Remember that a roadmap is a short, low-cost exercise and therefore relatively easy to sell to potential clients. You have to stress that the exercise delivers a roadmap that they can then use themselves, with you or with someone else; and you will follow up with a proposal if and when they’re ready for it.

A roadmap gives your client clarity on their problem and what they need to do to solve it. They may not have the expertise to do it themselves (that’s where you will eventually earn your keep), but just the process of building the roadmap provides them with peace of mind and builds trust that you can solve the problem for them.

Finally, a roadmap educates your client. They will understand that there is a well-defined process for solving the problem, the sequence in which the work needs to be done and what they get out of each part. An educated client is a collaborative, engaged and enthusiastic; your expertise just helps them solve a problem.

What you can do now

It took me about two years to move from free proposals to paid roadmaps. You can get there a lot faster because you can tap into articles like this and a growing awareness amongst professionals that even proposals are highly valuable.

I will be releasing a step-by-step guide on how to move from free proposals to paid roadmaps in the near future. To get notified when this is released, sign up for my newsletter here – you will get access to more articles like this, I promise I won’t spam you and you can unsubscribe at any time.

And if you have questions or comments, please drop me a note!

US indicts 12 Russian intel officers for hacking Democrats in 2016

Special counsel Robert Mueller and his team have received an indictment for 12 Russian intelligence for hacking Democrats leading up to the 2016 presidential election. The spies are accused of digitally infiltrating the Democratic National Committee and Hillary Clinton's campaign, along with stealing information of 500,000 US voters, and releasing emails with the express purpose of influencing the election.

Via: CNBC

Source: Indictment: United States of America vs. Defendents | DOJ

CVE-2018-14047 (pngwriter)

** DISPUTED ** An issue has been found in PNGwriter 0.7.0. It is a SEGV in pngwriter::readfromfile in pngwriter.cc. NOTE: there is a "Warning: PNGwriter was never designed for reading untrusted files with it. Do NOT use this in sensitive environments, especially DO NOT read PNGs from unknown sources with it!" statement in the master/README.md file.

CVE-2018-9070 (smart_assistant)

For the Lenovo Smart Assistant Android app versions earlier than 12.1.82, an attacker with physical access to the smart speaker can, by pressing a specific button sequence, enter factory test mode and enable a web service intended for testing the device. As with most test modes, this provides extra privileges, including changing settings and running code. Lenovo Smart Assistant is an Amazon Alexa-enabled smart speaker developed by Lenovo.

CVE-2018-14043 (mstdlib)

mstdlib (aka the M Standard Library for C) 1.2.0 has incorrect file access control in situations where M_fs_perms_can_access attempts to delete an existing file (that lacks public read/write access) during a copy operation, related to fs/m_fs.c and fs/m_fs_path.c. An attacker could create the file and then would have access to the data.

CVE-2018-6969 (tools)

VMware Tools (10.x and prior before 10.3.0) contains an out-of-bounds read vulnerability in HGFS. Successful exploitation of this issue may lead to information disclosure or may allow attackers to escalate their privileges on the guest VMs. In order to be able to exploit this issue, file sharing must be enabled.