Government should move fast to make its websites and networks secure

On Monday, July 21, the country woke up to the news that the Twitter accounts of the Kenya Defence Forces (KDF) and its military spokesperson, Maj Emmanuel Chirchir, had been hacked.

Some unsavoury tweets had been posted on the sites. Anonymous Kenya claimed responsibility for the attacks.  KDF said it was handling the issue and would combat terror on all fronts, including cyber crime.

But no sooner had the accounts been recovered than the hacker regained access and continued the distasteful posts. It was not until three days later that the accounts were salvaged, thanks to Twitter’s intervention. But barely a week later, Deputy President William Ruto’s Twitter account was also infiltrated.

It was not the first attack on government accounts. About two years ago, 128 government websites were broken into by an Indonesian hacker. After the incident, the government promised to institute tighter controls. But it appears to have done little.

DN2 caught up with a renowned Kenyan hacker, Jonia Gichuki, to provide some insights. “What Anonymous Kenya exploited was a vulnerability on Zimbra, the government’s mail server application,” he says.

“The hacker used live http headers to authenticate and create an administrative account on Zimbra, thereby gaining access to and resetting passwords for all emails.

They reset the Twitter account passwords and requested a new password from Twitter.com. Gichuki, who now uses his knowledge to help secure internet sites and networks, says that between 2007 and 2009, he was part of a group that defaced Kenyan websites to show how unsecured these websites were.

“We would crack into a network and go to a file called NTLDR and delete it. When people booted their machines the following week, windows would just hang,” he recalls amid peals of laughter.

“We wanted organisations to wake up to the importance of protecting their websites and networks. But nothing has changed,” he laments. “They still remain vulnerable and sloppy with Web security.”

He says hacking has caught on in Kenya, with tech whiz kids being used to steal confidential business information, trade secrets and internal communications for competitive business advantage.

He cites a case in 2012 in which hackers stole more than Sh130million from a Nairobi bank using a rogue wireless access point they had set up in the bank’s network and hidden under a table, and could broadcast to their own network in a car parked outside the bank, as one of the cases he has helped unearth.

So, how do hackers do this stuff undetected? Gichuki blames it on the carelessness of Web masters and administrators. “Locally, technology hasn’t advanced to the point that its custodians can detect malicious codes,” he says.

Besides, hackers cover their tracks using proxies. “They make it look like the attacker is somewhere far off, like South Africa or Indonesia, when they are actually next door,” he says.

Gichuki is worried that major government transactions will soon be going online. “These developments are good, but they will be abused because there are no proper security measures. If we don’t get it right, it’s just going to be a big mess,” he warns.

Gichuki, who works mostly for financial networks, banks and governments, says even though in 2011 institutions started hiring people like him to secure their networks, many still don’t.

The Kenya Cyber Security Report 2014 released in June showed that cyber-attacks have more than doubled over the last year to stand at 5.4 million. They cost an estimated Sh5 billion.

The report further indicated that hacking of customer bank accounts between April 2012 and 2013 led to losses of Sh1.49 billion.

Kenya ranks among the top countries with most incidents of cyber crime, alongside the US, Brazil, China and South Korea, said the report, which was prepared by the Serianu Cyber Threat Intelligence Team, the Telecommunications Service Providers of Kenya (Tespok) and USIU’s Africa Centre for Informatics Research and Innovation (Ciri).

According to Serianu MD William Makatiani, spyware, social media, peer-to-peer networking, phishing and unsecured email were the most conspicuous threats. Yet most organisations do not report such attacks for fear of being judged by the public.

Speaking during the launch of the report, ICT Principal Secretary Joseph Tiampati said the government would soon launch the National Cyber Security Strategy to tackle some of the information security gaps.

Gichuki also blames the law. “Laws against abuse of social media are harsher than those against hacking,” he says.

Then there’s the question of competence. “If you hack into someone’s website and they report it, the police don’t know how to investigate the matter because they are inept,” he notes.

“If getting fingerprints is a challenge to them, asking them to solve cyberspace crime is like telling them to go to the moon.” He says nobody has ever been prosecuted because the people who made the cyber laws don’t understand cyber security.

“Organisations should test their infrastructures properly and regularly using professional penetration testers with a criminal background who understand how the criminal mind works. It should be quality over pricing, says Gichuki.

“Many organisations are being conned by quacks who claim to be doing penetration tests when all they do are ordinary network scans that can be done by anybody.”