Monday, June 04, 2007

Bongeni Jo!!!



Equity Bank’s website was defaced last week. Safaricom’s website is suspiciously unavailable. There is some mischief going around.

The cracker who defaced Equity’s site might not have caused serious loss to the bank apart from denting the reputations of the in-house IT team. However Bongeni Jo (let’s baptise him so - after one of his calling cards), exposes a security lapse that would have had more serious implications. I immediately recall the recent system intrusion of TJ–Maxx and its affiliates. During this incident over 45.7 million payment card details, owned by customers of this firm, were stolen. The more startling aspect of it was that this data was accessed during an 18 month period from around July 2005 to December 2006. The breach was only made public in March, 2007 (http://news.bbc.co.uk/1/hi/business/6508983.stm). The technical sophistication employed by the TJ-Maxx crackers was worrying.

The implication is obvious. How long was Bongeni Jo’s escapade? Did he compromise the bank's database? Of course Equity Bank would not have been so forthcoming if serious damage had been done. How many firms in Kenya have had intrusions and have decided to keep quiet?

It might have been a harmless prank but you have to note that cyber crime has become such a lucrative venture that criminal gangs are sponsoring their ‘bright’ members to pursue computer science degrees. The return now warrants this kind of investment.

It is one thing to apply defensive measures but there is no security system that is impregnable. The horse has already bolted in this instance. Equity bank therefore needs to embark on a computer forensic investigation that will not only identify the weaknesses of their system but also nab Bongeni Jo (he definitely left ample digital evidence). This would deter future crackers.

Computer forensics is a field that is slowly gaining global traction. It is something Kenyan firms who have a digital presence need to take seriously. I am initiating various projects in this regard however I shall discuss the relevance of computer forensics to the IT industry in Kenya in a future post. Due to its sensitivity I can only generalise but we need to start preparing for the cracker onslaught, it will surely come. Bongeni Jo was only a harbinger of things to come.

6 comments:

dan said...

it is saddening and yet exciting that we as a country are catching up with the rest of the world..taliban and al queda like executions are saddenin, and their posting of info on the net even scary, coz we had thought they were a rag tag army of illiterates who would soon be wiped out.
but now internet hacking..kalonzo's wa amusing..even the safaricom 'pumbavu job advert' might have been deemed hilarious..but with these guys targeting financial institutions..first kcb then equity, i have only one question..how safe is my money?

B.K.Muthoga said...

Welcome to the digitial jungle Dan. Things will get worse because we haven't yet developed the legal, institutional and social frameworks to protect us from cyber crime. The fact that there are no national boundaries in the internet is serious coz that gives the criminal predators a vast area to hunt at will.

How safe is your money...I would flip a coin if I were you!

..::dydx::.. said...

..::dydx::..
Its just gett1ng start3d and w1th continud gr0wth of IT w1ll equally make many a potential targ3t. Th0s3 wh0 hav th3 kn0wl3dg3 w1ll surv1v3..0th3rs, G0d hav M3RCY on thm!!
.....::::::::::::::::......

Stallion said...

I think it is time institutions stopped hiring Uncles, Aunties, sisters and such kind of stupidity in ICT sectors. I believe Kenya has not yet been hit big time. These pple usually hav 95% illiteracy in ICT (Ask them if they know the Booting Process of a Router, or a simple Windows PC and to make matters worse a Linux System!). They get monstrous salaries of up and above 250,000/= and yet they absolutely know Nothing. They get a professional IT Certificate and every employer is after them.
Stop being tricked! Test an individual b4 giving them a job.

It is time IT Dprts style up and clean their mess. IT is not medicine where u can follow a manual and get things working.

Watch the space and see, the movies has just started.

B.K.Muthoga said...

Thank you for your comments dydx and stallion. We need to create awareness of the security aspect of IT in Kenya. Simple SQL injection attacks could proliferate easily.

Suggestions, ideas, recommendations are welcome. This would enable us lobby Bitange, Kagwe, CCK and co. to seal the loopholes.

The mettle and skill of corporate IT depts will severely be tested in the not too distant future. It will be interesting to see who survives and who gets the thumbs down.

Comba said...

I agree with Stallion. However, BK the only way these people will listen is after more of these attacks happen. The next time equity is hit, that will probably send a stronger message.
rocaboy1uk at gmail dot com