Monday, June 04, 2007
Equity Bank’s website was defaced last week. Safaricom’s website is suspiciously unavailable. There is some mischief going around.
The cracker who defaced Equity’s site might not have caused serious loss to the bank apart from denting the reputations of the in-house IT team. However Bongeni Jo (let’s baptise him so - after one of his calling cards), exposes a security lapse that would have had more serious implications. I immediately recall the recent system intrusion of TJ–Maxx and its affiliates. During this incident over 45.7 million payment card details, owned by customers of this firm, were stolen. The more startling aspect of it was that this data was accessed during an 18 month period from around July 2005 to December 2006. The breach was only made public in March, 2007 (http://news.bbc.co.uk/1/hi/business/6508983.stm). The technical sophistication employed by the TJ-Maxx crackers was worrying.
The implication is obvious. How long was Bongeni Jo’s escapade? Did he compromise the bank's database? Of course Equity Bank would not have been so forthcoming if serious damage had been done. How many firms in Kenya have had intrusions and have decided to keep quiet?
It might have been a harmless prank but you have to note that cyber crime has become such a lucrative venture that criminal gangs are sponsoring their ‘bright’ members to pursue computer science degrees. The return now warrants this kind of investment.
It is one thing to apply defensive measures but there is no security system that is impregnable. The horse has already bolted in this instance. Equity bank therefore needs to embark on a computer forensic investigation that will not only identify the weaknesses of their system but also nab Bongeni Jo (he definitely left ample digital evidence). This would deter future crackers.
Computer forensics is a field that is slowly gaining global traction. It is something Kenyan firms who have a digital presence need to take seriously. I am initiating various projects in this regard however I shall discuss the relevance of computer forensics to the IT industry in Kenya in a future post. Due to its sensitivity I can only generalise but we need to start preparing for the cracker onslaught, it will surely come. Bongeni Jo was only a harbinger of things to come.