Oracle Fraud Alert
December 3, 2007 by Donald K. Burleson
Oracle technology consulting is
very lucrative and we are seeing a continuous stream of fraudsters
and fake Oracle experts on the web, all with glowing biographies and
seemingly unimpeachable credentials. However, upon closer
examination, these "experts" are fakes, questionable experts who
carefully hide any verifiable evidence of experience and expertise.
Today we see many foreign Oracle
experts who are not what they claim. Many are underemployed
neophytes who grant themselves the title "Oracle Expert" in hopes of
passing-off their at-home research as real-world job experience.
It's very easy to be taken-in by a
fake Oracle expert because they have all of the appearances of
expertise replete with flashy websites and superlative biographies.
But the posers are not only overseas, there are cases of phony
Oracle experts right here in the USA.
Fake Oracle experts in the USA
Here is a sample e-mail from a
fake Oracle expert that I received in 2004. Upon
investigation, I discovered that there was no Robert Allen, and the
real person was a fellow who had ripped-off consumers for tens of
thousands of dollars using the fabricated name of Robert Allen:
|From: Robert Allen - Oracle
Security Consultant <firstname.lastname@example.org>
Subject: I recorded it incase you missed it
Date: Thu, 28 Oct 2004 16:40:28 +0000
Hi. I just wanted to send you a quick note to inform you that my
"Hack-Proofing the Oracle Database" online class sold out in less
than 48 hours.
Many of you have been calling my office to ask when the next
course will be offered, but unfortunately I'm booked for security
consulting assignments straight through March, 2005.
But I do have some good news however...
I recorded my entire "Hack-Proofing the Oracle Database" onto 5
digital video CD-ROMs; and I even had the course workbook printed
I have 100 copies of this package available if you're interested.
You can get all the info on this package here:
Thanks for your time,
Senior Oracle Security Consultant
Here is a reproduction of Robert
Allen's web site where you see his phony photo and stellar
Oracle Security Expert
My name is Robert Allen,
and Iím the Founder of OraSecure, Inc. With over 9
years of trial and error from painstaking research, Iím now
acknowledged as a promising top expert in the field of
Oracle database security.
For the past 7 years, I've consulted dozens of Fortune 1000
companies on all areas of Oracle Database Administration.
The areas I've focused my most attention to are Oracle
Security Features and Security Audits.
I've personally audited over 400 Oracle
instances over the years, as well as taught and mentored
more than 80 DBAs to do the same.
I did some digging and discovered
that there is no Robert Allen. This fraud was reported in
magazine, and read about the unsavory details and the criminal
ramifications of being a fake Oracle expert:
Haskins' activities are clearly illegal,
though, according to Andrew August, a business attorney and
principal partner of San Francisco-based
Pinnacle Law Group LLP.
"What he's doing is clearly illegal under a
potpourri of federal and state statutory schemes," August said.
That includes laws such as the
CAN-SPAM Act, the
Computer Fraud and Abuse Act, and the
California Uniform Trade Secrets Act. But the likelihood of
Haskins being brought to justice is small, August said, given
the comparatively negligible amounts he owes his customers. "The
amounts are so small," he said. "What capable consumer rights
lawyer is going to take him on?"
Since these people are rarely
prosecuted, what can Oracle professionals do to prevent to be
taken-in my a fake Oracle expert?
The Merriam Webster dictionary
defines an expert
as someone "having, involving, or displaying special skill or
knowledge derived from training or experience". Hence, all
real Oracle experts will publish their experience, and you should
avoid any alleged experts who does not produce verifiable
Remember, you have the absolute
right to question the authority of anyone who proclaims themselves
as an Oracle expert. Don't take anything on faith, and demand
evidence and verifiable proof of expertise.
In my experience, all real Oracle
experts will brag about their resume (CV), while questionable Oracle
experts will become evasive and resort to name-calling and insults.
Read my important notes on
verifying the credibility of Oracle experts on the web.
In sum, always avoid any web sites
with anonymous experts and anyone who claims to be an expert but
does not publish their resume. Real Oracle experts are proud
of their experience, and their
easy to verify.
There is one other egregious made
by poseurs that is really easy to spot. They come up with an oracle
'best practices' document that has no relationship to the reality of
large Oracle environment. One classic 'best practice' is to use the
ip address in the listener.ora and tnsnames.ora instead of a dns
alias. Try doing that on a site that has multiple domains...