Monday, October 20, 2008

Are Your Employees Security Conscious?

Many organizations compartmentalize Information and Communication Technology security by restricting its function to the IT department.

A crucial component of information security is the user or employee. Employee sensitization is important because no matter how good the procedures are, employees are usually the weakest link and provide vulnerable access points.

The use of personal memory disks and external hard drives poses a threat to an organization’s information system. Employees also download unsafe programs onto work computers and in the process disable systems designed to protect them.

Virus infections are a potent threat due to the exchange of unauthorized files through a company’s network. For instance, a traveling salesman works from a company laptop when in the field. As the laptop is only infrequently connected to the company’s network, its anti-virus update is bound to lapse. When the salesman returns from the field and connects it to the company intranet, a virus can spread before the latest update is applied.

Employees as a baseline should receive Information Security Staff Handbooks and should sign acceptance of corporate policies and acceptable usage conditions. However, these documents are not very effective and should be supplemented by other initiatives.

These can include the following. Compulsory information security training for new staff using mixed media such as computer-based training, video and PowerPoint formats. Security awareness sessions should also be conducted for all staff, newly joined or existing, so that they understand the importance of information security and their individual responsibilities.

Employees should also be supplied with security awareness materials such as intranet pages, brochures, posters and identity badge clips with security messages.

Annual mandatory testing of Information Security awareness along the lines of training and time constrained examinations should be conducted.

Regular news bulletins should be given to staff about the importance of information security particularly when security breaches make news.

Employee action, deliberate or accidental, can potentially result in serious information security issues such as virus infections. Staff should be provided with education on the firm’s Information Security Policies and Procedures constantly.

The key to success also depends on the commitment of senior management to funding, developing and implementing security awareness among employees. Delegating this function to middle managers is not sufficient. Senior managers should also address significant deficiencies immediately and demand constant monitoring of the company’s security infrastructure.

Are Cyber Crime Laws in Kenya Adequate?

Various countries have introduced legislation that directly deals with cyber crime while others have reformed and modified their existing criminal laws to include this emerging crime.

However many countries do not have adequate legislation that addresses cyber crime and this includes Kenya. Cyber crime laws, for example, protect certain rights and assets such as privacy and identity by rendering illegal the interception and unauthorized access to digital data and resources privately owned.

They also provide legal frameworks that assist cyber crime investigators in achieving successful prosecutions. The United Kingdom for example has introduced various legislative initiatives over time, meant to specifically address cyber crime. These include the Computer Misuse Act (1990), the Criminal Justice and Police Act (2001), the Police & Criminal Evidence Act (1984) and the Regulation of Investigatory Powers Act (2000) among others.

In the USA, legislation has also been introduced to combat cyber crime for example the Patriot Act (2001), Homeland Security Act (2002), Prosecutorial Remedies and Tools Against the Exploitation of Children Today (PROTECT) Act among many others.

The absence of an integrated cyber legal framework in Kenya provides a great challenge to local cyber crime investigators and digital evidence gathering efforts.

The ICT Bill 2008, which will be tabled in Parliament once it reopens, commendably addresses cyber-crime and electronic transactions. It outlines a number of new electronic offences and prescribes the minimum/maximum punishment to be meted out on offenders. These offences include unauthorized access to computer data and access with intent to commit offences.

The ICT Bill 2008 (in the Fifth Schedule) notably mentions electronic evidence. In sum it defines electronic evidence as any information contained in an electronic record which is printed on a paper, stored, recorded or copied on optical or electro-magnetic media produced by a computer.

What the bill has, however, failed to recommend and spell out is the legal process of cyber crime investigation and digital handling in Kenya. This is absolutely necessary because it translates to the rate of successful prosecutions. This issue is especially relevant to our investors, for example call centers, which need a legislative umbrella that safeguards their operations (i.e. identity details and data handling).

The ICT Bill 2008 is long overdue and its tabling now is a damning indictment of our legislative process.

Technology is rapidly permeating our social and economic fabric. It is fundamentally altering past business and social processes that require current regulatory and legislative controls, for instance M-Banking.

Future ICT legislation and resultant amendments in existing Acts must not be reactive to the vibrancy of the industry. The relevant authorities must specify and instruct a specific body to constantly develop relevant ICT legislation for example the ICT Board or the Communications Commission of Kenya.

Are the Smart Cards we carry Secure?

Chip cards have become an indispensable part of us. You will most likely be carrying an ATM, Credit or Fuel card in your wallet or purse. These cards contain an integrated circuit or 'chip' which gives the card the ability to store and/or process data and thereby achieve its designed function.

There are three types of chip cards. The first one is the memory (or flash memory) card which contains storage but no processing or significant security capabilities. These cards are used in digital cameras, handheld computers, mobile phones and other electronic devices.

The second type of chip card is the smart card. It contains a processor and system or application software. Permanent data is engraved into non-volatile memory and some volatile memory is used as a working storage area. They are widely used. Examples include Credit or ATM cards, SIMs for mobile phones and authorization cards for pay television.

Smart cards are further divided into contact and contactless. Contact smart cards have a gold plated contact area that is inserted into a reader that reads and writes information from the chip, for example an ATM card.

Contactless smart cards, on the other hand, only require close proximity to an antenna to complete transactions and use RFID (radio frequency identification) technology. They are often used in transactions that must be hands free or processed quickly. Examples include door access cards, some supermarket discount cards or mass transit cards like the Oyster Card that is used in the London Underground.

The third type of chip is the super smart card which is a card with a small key pad and display. These cards are expensive to manufacture and therefore rare.


Smart Cards do not have guaranteed security. Incidents of card ‘cracking’ have been widely reported. Cracking a contactless smart card would, for example, involve scanning a card with the intention of collecting a cryptographic key. This key is used to keep the card system secure. The scanned key is then uploaded into a laptop which technically becomes a portable card reader. This laptop is then used to wirelessly upload information from other similar smart cards. This information is then used to program new fake cards.

Cracking contact smart cards (for example your ATM card) is achieved through the use of a hacking software program and a card reader/writer. In this instance access to your card is crucial, even if for a short duration.

Card readers are widely used to scan credit cards in retail outlets and it is advisable to be present during the credit card payment process.

Organizations that use smart cards for access control are also vulnerable. To reduce the risk of card cloning it is advisable to combine the smart card process with a biometric authentication feature for example the fingerprint.

The multiple smart cards we are carrying provide motive and opportunity for a cyber criminal. Utmost care should be taken in ensuring only authorized people can access these cards. Upon loss or theft one should immediately report this occurrence to the relevant authorities.

It is time Kenyan Firms adopted Online Biometrics

Many Kenyan companies are slowly becoming more and more reliant on the Internet to transact business. In the financial sector, specialized systems allow clients of stock brokerage firms to invest and monitor their shares and asset portfolios. These systems also analyze financial data that helps Kenyans make better investment decisions.

The systems are reliant on the Internet and this medium is a source of apprehension due to its insecure nature.

Apart from securing the medium and the data that is transported on it, it is important for computer users to adopt techniques that would contain online financial fraudsters. This containment would instill confidence in our burgeoning e-commerce sector.

One technique that holds promise is biometrics. Biometrics in computer security refers to authentication techniques that rely on measurable physical characteristics that can be automatically checked and verified.

These types of biometric identification schemes include the analysis and use of facial, fingerprint, hand geometry, retina, iris, written signature, vein and voice characteristics. These schemes are digitized and stored in information systems.

Biometric identification is being adopted as a secure identification process in financial transactions over the Internet and is destined to play a more critical role in the Kenyan e-commerce sector.

Biometrics would, for example, include a fingerprint scanner on which you place your fingerprint to determine your identity. Instead of submitting your Identity Card to the teller in your bank, you would instead use the fingerprint scanner to establish your identity.

Your scanned fingerprint would have access levels that could for example include the ability to use credit card information to make electronic purchases. Modern laptops have integrated fingerprint readers that protect data against would be intruders.

Biometrics would be appropriate for small businesses that cannot risk having their financial transactions that are conducted over the Internet compromised.

Another way biometrics is useful is when an online fraudster’s identity can be established from schemes previously stored in databases. The importance of biometrics in future computing is evident.

Online financial fraudsters will attempt to circumvent these biometric identification schemes by for example using digitized sound recorders to gain illegal access to an online bank account.

Identification and apprehension will be much easier with biometric schemes in place because information systems will adopt biometric identification faster and the fraudsters will be forced to submit their identification schemes so as to gain access.

In this way local cyber crime investigators will be able to instill confidence in our local e-commerce sector because they will be using advanced investigatory techniques to apprehend online financial fraudsters.

Is M-Banking Safe?

One of the readers of this column recently stated to me that Kenyans worry more about the safety of their money than anything else. This is arguable but there is a ring of truth to it and the advent of Mobile-Banking has raised some fundamental security questions.

Various discussions on the potential risks of M-Banking have been conducted in the media due to some recent developments. M-Pesa and Sokotele are transferring huge amounts of money wirelessly.

Equity Bank and Pesapoint have joined the wireless fest.

This situation obviously raises questions on whether the technical, legal and regulatory frameworks exist to protect consumers of these services.

It is clear that technology has once again leapfrogged our lethargic legislative and policy institutions.

We have a myriad of wireless networks existing today. They include Wireless Data Networks (WDNs), GSM (Global System for Mobile Communications), General Packet Radio Service (GPRS), Code Division Multiple Access (CDMA), UMTS (Universal Mobile Telecommunication System) among many others.

Wireless networks are inherently vulnerable and this includes GSM. Cyber criminals are able to monitor wireless traffic to determine, control and manipulate signal, bandwidth, leakage patterns and so forth. They also engage in mobile sniffing where a vulnerable access point/backdoor is identified.

Popular sniffer tools include Aircrack, AirSnare, Kismet, Arpspoof and AirMagnet, among others. Most of these tools are open source and freely available. These sniffer tools are able to scan and detect MAC addresses, authentication tokens, Service Set IDs (SSID), names, signal strength, channel and other features. With time a wireless map of all vulnerable access points is constructed and discreetly distributed on the internet.

The potential for external and internal fraud is ever-present and our mobile service providers have obviously implemented various technical security measures for example encryption of the traffic across the air interface. This encryption is difficult to crack because these encryption keys change every time the authentication process is performed.

Knowledge and vigilance are formidable allies for M-Bank users. It is advisable to familiarize yourself with these wireless technologies and how they are categorized by function, frequencies, bandwidth, communication and security protocols.

It is also crucial to acquaint yourself with the legal and regulatory structures, however inadequate they presently are.

Mobile telephony providers are obligated to employ the most effective technical security measures so as to protect consumers of their services. It is not enough to swiftly roll-out services and make monetary windfalls.

The security challenges of M-Banking are not only technical. Agents are averse to keeping large sums of money in their premises lest they are robbed.

Despite these challenges M-Banking is a technological development that has provided substantial positive opportunities to Kenyans. It should therefore be safeguarded as it rapidly develops throughout Kenya.

Safeguarding Ourselves from Mobile Telephony

Mobile phones are a relatively recent phenomenon and are used for both personal and professional purposes. These phones are highly mobile communications devices that perform an array of functions ranging from simple voice communication to running computing processes.

Advanced mobiles provide the ability to connect to the Internet and surf the Web, perform multimedia messaging, exchange e-mail or chat using instant messaging.

These capabilities have inevitably resulted in mobiles being used to commit cyber crime. Their universal access offers opportunity and motive to the cyber criminal(s).

Advanced smart phones that provide access to the internet are also used to access pornographic content by underage youth. Designed for mobility these phones grant unique exclusivity and privacy to anyone who possesses such a device. Explicit images can therefore be transmitted through multimedia messaging and thereby circumvent parental and legal controls.

As mobile technology matures we need to question the security of mobile communications and identify the associated risks. This is particularly true in the areas of access to pornographic material by minors and m-banking. There is no silver bullet that can be applied to control the access and transmission of offensive material through mobile telephony.

Parents and guardians are strongly encouraged to speak openly with their children about online explicit material that can be accessed through mobiles.

Education is the first line of defense we can provide to youngsters. Mobile service providers must be active partners in this sensitization process.

It is technically difficult to regulate mobile usage and access. It is however easy to obtain evidence of illegal activity from the specific mobile and network. The following contents of modern mobiles can have value as evidence: IMEI (International Mobile Equipment Identity), short dial numbers, text messages, stored files, programs and audio recordings, logged incoming calls and dialed numbers and GPRS, EDGE, WAP and Internet settings.

M-Security has yet to be embedded into our mainstream policy and legislative frameworks. M-security refers to the policy, technical, managerial and legislative safeguards applied to mobile systems and data to protect organizational and personal privacy. The absence of these frameworks has for instance meant that it was difficult to prosecute the senders of SMSs that were used to inflame tension and incite ethnic hatred early this year.

Inhibiting offensive materials such as pornographic material and hate messages is extremely hard to enforce. Safaricom for instance has about 5 million SMSs being sent by their subscribers on an average day. Determining the source of an explicit SMS from this number is nearly impossible. The imperative is therefore on us to educate the vulnerable members of our society on how to safeguard themselves from the dangers of mobile technology.

Education is the only key.

Understanding Computer Forensics and its Role in Kenya

Safeguarding the Kenyan cyber highway from virtual fraudsters and other malignant cyber characters is vital. Our dependence on ICT is steadily growing and is present in many different aspects of our lives e.g. public utilities, communications (mobile telephony e.g. Safaricom), financial institutions (ATM’s), medical (diagnostic equipment) and others.

Our digital networks are foundations for our future development. These networks might be corporate Local or Wide Area Networks or home based wireless networks. These digital resources need protection due to the valuable information that traverses them. They are however vulnerable to illegal intrusion and penetration.

ICT Security involves the implementation of safeguards that protect against this intrusion, mishaps and mistakes. These safeguards include: physical security, operational security, information security, disaster recovery, access control, cryptography, auditing, laws and ethics.

The motive here is to prevent a breach. A simple analogy would be the multiple security locks and alarm systems installed at homes to enhance domestic security.

Computer Forensics on the other hand involves the detection and investigation of criminal activities committed online, after the breach or intrusion has occurred. To achieve this, the process of evidence gathering is fundamental. Note that computer forensics and security differ in definition and function though they are fundamentally complementary.

Locard’s Principle of Exchange states that any person who enters a scene of crime leaves something behind and takes something from the scene with them. This applies to the physical and digital realms.

Forensic computing entails the use of sophisticated and modern technological tools and procedures that must be followed to guarantee the accuracy and preservation of digital evidence and the accuracy of results concerning computer evidence processing.

Due to the special characteristics of digital evidence it is necessary to consider it separately and with special consideration.

Evidence comes in two forms, physical and digital. Physical evidence will for example include the computer the crime was committed against or used, peripherals, mobile devices and other physical storage devices like DVDs, CDs, memory pens, paper evidence, documentation and others.

Digital evidence will, on the other hand, include deleted files, registry entries, the internet history cache, automatic word backup files, e-mail headers and instant messaging logs, which give clues as to the intermediate servers through which information has passed. Server logs also provide information about every computer accessing a web site.
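To show how e-mail headers reveal the intermediate servers a message passed through, the following Python sketch (an added example, not part of the original column) rebuilds the relay path from a message's `Received:` headers and flags inconsistencies an examiner would want to review. The sample message, hostnames and addresses are constructed, and the function names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message; hostnames and IPs use reserved example ranges.
# Each mail server prepends its own Received header, so the newest hop is on top.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby inbox.example.org with ESMTP id C3; Mon, 20 Oct 2008 09:15:12 +0300
Received: from relay.example.com (relay.example.com [203.0.113.25])
\tby mx.example.net with ESMTP id B2; Mon, 20 Oct 2008 09:15:05 +0300
Received: from laptop.local (unknown [192.0.2.44])
\tby relay.example.com with ESMTP id A1; Mon, 20 Oct 2008 09:14:58 +0300
From: sender@example.com
To: recipient@example.org
Subject: constructed sample

body
"""


def _first(pattern, text):
    """Return the first capture group of pattern in text, or None."""
    match = re.search(pattern, text)
    return match.group(1) if match else None


def trace_hops(raw_message):
    """Return the relay hops in chronological order (origin first)."""
    msg = message_from_string(raw_message)
    hops = []
    # Reverse the header order so the list runs from sender to recipient.
    for value in reversed(msg.get_all("Received") or []):
        flat = " ".join(value.split())          # undo header line folding
        route, sep, stamp = flat.rpartition(";")
        if not sep:                              # header without a timestamp
            route, stamp = flat, ""
        try:
            when = parsedate_to_datetime(stamp.strip()) if stamp.strip() else None
        except (TypeError, ValueError):
            when = None
        hops.append({
            "from": _first(r"\bfrom\s+(\S+)", route),   # name the sender claimed
            "ip": _first(r"\[([0-9A-Fa-f:.]+)\]", route),  # address the receiver saw
            "by": _first(r"\bby\s+(\S+)", route),       # server that wrote the header
            "time": when,
        })
    return hops


def find_anomalies(hops):
    """Flag hop pairs that do not line up.

    These are leads for review, not proof of forgery: the "from" name is
    whatever the sending host announced, and server clocks can drift.
    """
    notes = []
    for index, (prev, cur) in enumerate(zip(hops, hops[1:]), start=1):
        if prev["by"] and cur["from"] and prev["by"].lower() != cur["from"].lower():
            notes.append(
                f"hop {index}->{index + 1}: received by {prev['by']} "
                f"but next hop claims sender {cur['from']}"
            )
        if prev["time"] and cur["time"] and cur["time"] < prev["time"]:
            notes.append(
                f"hop {index}->{index + 1}: timestamp goes backwards "
                f"({prev['time'].isoformat()} -> {cur['time'].isoformat()})"
            )
    return notes


if __name__ == "__main__":
    path = trace_hops(SAMPLE)
    for number, hop in enumerate(path, start=1):
        print(number, hop["from"], hop["ip"], "->", hop["by"], hop["time"])
    for note in find_anomalies(path):
        print("REVIEW:", note)
```

Headers written by servers outside the recipient's control can be fabricated by the sender, so the bracketed address recorded by the first trusted server carries the most evidential weight.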

Computer forensics is a vital component in combating white collar crime, child pornography and other malicious crimes. ICT technology has already permeated our society. It is only logical that we develop the attendant capacity to detect and investigate cyber-crime. Our limited expertise is already costing us and the rampant growth of child pornography at the coast is example enough that Kenya needs to develop computer forensic capacity.

Protecting our Youth against Child Pornography

The Internet has brought with it immense contributions to our society. In the educational, economic and social areas much has been gained through easier researching, faster financial transacting and near limitless communication.

However, its darker side is now evident. The CCI Wednesday Magazine recently exposed the alarming growth of child pornography at the coast. This crime has continued unabated in our midst due to the fact that as a country we are ill-prepared to combat cyber crime.

Child pornography is defined as a visual depiction of any kind, whether made or produced by electronic or other means that depicts a child or minor engaging in sexually explicit conduct.

This reprehensible crime is increasingly ensnaring more minors who are under 18 years of age. These are legally recognized children who find themselves in the clutches of online sexual predators.

It is important to realize that the lives of children featured in these illegal productions are forever altered, not only by the molestation but by the permanent record of the abuse.

It is hard to detect child pornography due to the anonymity found in the internet. The distribution of exploitative images of children is conducted through home-computer technology.

This technology has revolutionized the distribution of these images by increasing the ease and decreasing the cost of production and distribution especially across international borders.

Computer technology has transformed this once fringe activity into a booming and sophisticated global cottage industry.

People who produce, distribute and possess child porn images are usually multiple offenders who usually sexually victimize children.

Apprehending these sexual predators is difficult and needs a radical realignment from our law enforcement agencies.

Applying traditional investigation techniques to combat child pornography will not dent this nefarious crime. Online sexual predation demands skilled digital investigation where undercover investigators can pose online as minors and identify the offenders who are victimizing innocent Kenyan children.

Financial resources should be allocated to setting up a High-Tech Crime Unit within the Kenyan Police Force. This unit should be mandated with the task of ferreting out online sexual cartels that have taken root in our country.

Funds are required to finance computer forensic labs, train officers, purchase software and hardware equipment, logistics and finance legislation that curbs child pornography.

Global liaison is an area that also presents a challenge to child pornography investigations and would be an area of urgent concern for a local cyber-crime unit. Trans-national sexual predation has emerged as a mounting problem due to the global nature of the internet.

While international child sexual predation is by no means a uniquely modern phenomenon, the global nature of cyberspace significantly enhances the ability of child sexual offenders to commit crimes in Kenya which will affect individuals in a variety of other countries.

Thursday, August 21, 2008


By Muthoga Kioni (Published in the EAStandard 20th August 2008)

Stealing someone else’s identity is a vice that existed before the advent of computers. What has made it a nefarious crime is the ease with which loopholes in ICT systems can be exploited to steal an identity and commit other crimes.

Identity theft occurs when personal information is stolen by a cyber-criminal for unlawful purposes. The fraudster will use a false identity (yours) to commit a series of crimes, usually financially related.

Your identity is contained in various documents for example birth certificates, ID cards, bank statements, credit/debit card slips, driving licenses, passports and land registry documents. These documents are harvested by cyber crooks for identity details.

The threat of identity theft is best illustrated by the recent arrest of seventeen Kenyans in Kansas City (USA). They are charged with massive fraud in which they allegedly stole identity information (including social security numbers) from elderly nursing home patients. These details were used to prepare both federal and state tax returns using tax preparation software. They then allegedly filled false W-2 Forms (wage and tax statements) listing employers that the identity theft victims never worked for, false residence addresses, and other false information. Substantial amounts were refunded to these “ghost” employees by the Tax authorities.

On a personal level, ID theft can occur when your credit/debit card details are illegally obtained at retail outlets without your knowledge. This is called card skimming.

You are also vulnerable when conducting online financial transactions. “Man-in-the-middle” attacks can intercept your online bank passwords, e-mails and other crucial digital information.

How do you protect yourself?

Online shopping requires special precautions. Use a separate credit card just for your Internet shopping. Try and use sites that display “https” before their address when you are entering sensitive information. You can also look out for sites that display certification symbols from organizations, for example Thawte. Though usually safe, remember there are no guarantees.

Ensure that you also update your security software for example anti-virus/anti-spyware. Make sure this software is active when you are online and that it has been updated within the past week or so.

You should also avoid clicking on web links in “official” looking e-mail messages. There are some e-mails, purportedly from banks, that request your account details. If an e-mail asks you to update your account number, or other personal information, don’t take the bait.

It is also advisable to use different passwords for your online accounts. Using a single password allows someone who obtains it to access all your accounts. You can use variations of one password. It is also possible to add a further layer of authentication by using a fingerprint reader to store passwords for sites you go to often.


By Muthoga Kioni (Published in the EAStandard 13th August 2008)

Cyber-crime has exploded in the recent past. It has attracted criminals who are motivated by the same old vices. These are namely lust, power, revenge, greed and the desire for adventure.

These criminals are usually the rebellious, the defiant or the irresistibly curious. Cyber crime also demands a degree of technical competence that provides an intellectual challenge to some characters.

Cyber-crime, by its nature is difficult to quantify because most offences are never detected. Victims of cyber-crime also conceal these offences from legal authorities because they want to avoid embarrassment. They would also want to safeguard their reputation, especially financial institutions.

Despite the difficulty in quantifying this type of crime, it is obvious that it is progressively becoming a major global problem. There are various contributing factors. They include prevalence of opportunities, weak guardianship, ineffective legislation and extra-territorial issues. Kenyans, who are regularly online, would be well advised to take note of these factors.

The first factor is the increasing number of opportunities that are to be found in cyberspace. Crime is committed when motive and opportunity are present. As the internet progressively becomes an alternative medium of commerce it will proportionally become a lucrative medium of fraud. These opportunities will only increase as our dependence on information technology develops.

There is also weak guardianship in cyberspace. Conventional crime has over time been combated by a combination of the general public, the commercial or business sectors and law enforcement agencies. An example would be the crime of motor vehicle theft. Car owners are encouraged to lock their cars at all times and install anti-theft electronic alarms.

Insurance firms offer discounts for the implementation of these crime prevention measures. As a result guardianship of this specific crime is present and possessed by the above mentioned entities. This is not the case with cyber-crime. Citizen concern is absent, the private sector is not involved and policing the cyberspace is not possible. The resultant situation means the first line of defense in cyberspace is self defense - minding your own home.

Another contributing factor to the escalation of cyber-crime is the absence of harmonious and consistent legislation across nations. Cyberspace is global and trans-jurisdictional in nature. A Kenyan company can become a victim of a perpetrator who resides in Greenland. It is therefore important to harmonize various laws for example the law on search and seizure and the law on evidence.

Legislation must be introduced that provides for unauthorized access to a computer or computer system, destruction or alteration of data within a computer system, interference with lawful use of a computer or a computer system and theft of intangible property.

Kenya needs to develop its legislation so as to effectively protect electronic commerce. The judiciary should also permit the admissibility of electronic evidence in judicial proceedings.

Finally cyber-crime will escalate due to its global reach. This enhances the ability of an offender to commit crimes which will affect individuals in a number of other countries. This presents an inter-jurisdictional and enforcement problem. The presence of law enforcement and regulatory vacuums in various countries has therefore contributed to the growth of cyber-crime.

Kenya is at the threshold of a cyber boom. It is prudent we invest and develop our legislative framework, enforcement capacity and limit cyber-crime opportunities if we are to curtail this emerging crime.

Thursday, August 07, 2008


On Wednesday I was delighted to hear from Dr. Shem Ochuodho. I have always acknowledged our local ICT gurus and Shem is right up there, at the apex. Below are his comments (sent to my email address) which I reproduce with kind permission. Asante Shem.

Rwanda: the ICT Tiger
Wednesday, 6 August, 2008

Ben and Other Patriots,

Just spotted the blog.

You've said it right. Kenya is a sleeping giant. Strong private sector, and excellent human capital. Only leadership is doing Kenya in. Let's hope Rwanda will serve as an inspiration, and the leadership dilemma in Kenya gets sorted out one day.

And thanks for the kind words.


By Muthoga Kioni (Published in the EAStandard 7th August 2008)

Last week I delved into the shadowy world of cyber crime. We shall continue this theme by examining in detail one of the most overlooked digital crimes in Kenya - Intellectual Property Theft.

The most prevalent and pervasive cyber crime is economic fraud. This crime has various appendages, for example identity theft, credit card account theft and con frauds like the infamous Nigerian 411/419 email scam.

Intellectual property theft, within the ICT context, can arguably be classified as an economic crime that is committed with the computer as the object of the crime. This is because the motives of the perpetrators and the resultant benefits are usually economic in nature.

Intellectual property refers to creations of the mind such as musical, literary, and artistic works; inventions; and symbols, names, images, and designs used in commerce, including copyrights, trademarks, patents, and related rights. Intellectual property rights are a bundle of exclusive rights over creative works such as software, books, movies, music, paintings and photographs.

These rights stipulate that the holder of one of these intellectual properties is entitled to exclusive rights and can therefore control reproduction or adaptation of such works for a certain period of time.

We shall restrict ourselves to ICT intellectual property, and none is more obvious than the software program.

The computer program is a set of instructions (code) that is used in the computer to achieve a function. It also causes the computer to behave in a predetermined manner. Microsoft products, like MS Word and Excel, are examples of programs that took considerable effort and cost to produce. These programs are the intellectual property of Microsoft.

It is therefore apparent that the programs we use in our computers are intellectual properties and are owned by the companies or individuals who created or developed them. That is until we legally purchase them.

When we install software programs that have not been legally sourced and duly paid for, we are committing intellectual property theft. We are denying the creators of these programs their right to gain or profit from their work.

This is akin to embarking on a shopping spree in a supermarket and nonchalantly walking out with a fully laden trolley - without paying. We find it easier to perceive this instance as outright theft.

We have conversely found it hard to distinguish the fact that we are stealing by using pirated software and that we are cyber criminals.

Our propensity for “swapping” or “borrowing” installation CDs from our friends knows no limits. We have as a result earned notoriety as a software piracy haven.

Apart from denting our reputation, this high rate of software piracy has resulted in immense financial losses in terms of lost government revenues. It has also hampered the development of locally developed software products.

This state of affairs has necessitated an aggressive anti software piracy campaign that is aimed at protecting the interests of consumers, business partners and the local software industry as a whole. This recent effort, initiated by Microsoft Kenya, is laudable.

On the legal front we have The Kenya Copyright Board. It is the statutory body mandated to administer and enforce copyright and related rights in Kenya. These include intellectual property rights. It has within it seven members representing software, publishers, performers, broadcasting stations and the audio visual industry.

It is therefore important that we appreciate the creative effort of others that results in the production of computer software. We should desist from intellectual thievery and instead purchase software from legal outlets.


By Muthoga Kioni (Published in the EAStandard 30th July 2008)

We are slowly and inexplicably getting more dependent on technology. It is difficult to imagine spending a day without the mobile phone, the computer, the PDA or any other gadget that keeps you ‘online’.

The benefits we accrue from using and applying technology in our lives are substantial. They include enhanced career productivity, seamless and cheaper communication and ubiquitous financial transactions among many others. The flip side of this technological progress is that cyber crime has followed in its wake. Cyber crime is slowly pervading our lives. We witnessed a prelude of things to come when the Kamiti mobile phone racket was recently exposed.

What is cyber crime? It generally encompasses any criminal act dealing with computers, networks and related devices. This is where a computer, or mobile phone, is either an object of a crime, an instrument used to commit a crime, or a repository of evidence related to a crime. Examples of cyber crimes include identity theft, credit card account theft, hate crimes, internet fraud, child pornography, software piracy, intellectual property theft and others. Cyber crime also includes traditional crimes that are conducted through the internet.

It is a common practice for law enforcement agencies to concentrate and specialize on a certain crime genre, such as homicide, sex offences, fraud, kidnapping and bank robberies. Whereas some crimes warrant this specialization others do not, for example burglary. This specialization and classification is usually reserved for the ‘serious’ crimes and cyber crime has gained such notoriety that it currently falls under the category of serious crimes.

One would naturally ask, “What has forced this focus on the cyber world by criminals and law authorities?” Beyond the commonly reported computer criminal activities like hacking, spamming and phishing, is the burgeoning rate of economic fraud on the internet. Electronic commerce has emerged as a viable alternative to ‘physical’ trading, though fraught with security threats. The global cost of cyber crime has therefore become quite significant. This development is best illustrated by Canada which has one of the largest e-commerce economies in the world. The volume of sales generated by e-commerce in the whole of Canada during 2005 was in the order of $39.2 billion worth of goods. Cyber crime’s threat and impact should therefore be appreciated in both economic and social contexts.

To counter this threat police forces around the world have established specialized computer crime units. High Tech Crime Units or Cyber Crime Divisions are now considered essential elements of any national police force and Kenya is not exempt. These units however need guidelines and regulations to direct them in their investigations, just as there are guidelines and legislative frameworks for investigating and prosecuting other serious crimes.

Various countries have also introduced legislation that directly deals with cyber crime while others have reformed and modified their existing criminal laws to include this emerging crime. However many countries, Kenya included, do not have adequate legislation that addresses this vice. Cyber crime laws are necessary because they protect certain rights and assets such as privacy by rendering illegal the interception and unauthorized access to digital data and resources privately owned.

Evidence indicates that businesses, their customers and the public at large need to better appreciate the high cost of cyber crime and adopt the necessary precautionary measures in their online activities. It is also clear from the prevailing context that our local law enforcement agents need to redouble their efforts in countering this ‘new’ crime.

Wednesday, July 23, 2008


By Muthoga Kioni (Published in the EAStandard 23rd July 2008)

Some time back parents were content to leave their kids in the hands of domestic workers. They would be fed, educated and entertained with dubious songs and games initiated by our child minders. A few years later the television (with even more dubious content) substituted one key activity, entertainment. No longer would our domestic workers have the entertainment monopoly.

Today we are witnessing a move away from the television to the internet, especially in urban centres. Parents are increasingly leaving their children with the internet as a source of education and entertainment. This is a security issue.

One might argue that internet penetration, in Kenya, is negligible and subsequently the risk to our children is minimal. This is a false assumption. According to the Internet World Stats, Kenya is currently among the top ten countries in Africa in internet usage.

Latest data on the number of internet users in our country indicates that approximately 3,000,000 Kenyans use the internet frequently (as at March, 2008). Most of these users are the youth. Proof of this can be found in the ubiquitous cyber cafes where a vast majority of internet users are aged below 23 years. It is not uncommon to even find ten year olds ‘surfing’ in these cybers.

In a few decades they will become parents and will invariably have internet access at home. Their children will be exposed to technology from a very early age. Currently, a significant proportion of the 30-40 year old middle class segment in Nairobi has internet access at home. Their children are internet-savvy and are able to exchange ring-tones, download movies and play online games with alacrity. They are sometimes home alone, unsupervised and unmonitored as they explore the digital jungle.

This digital jungle is just as dangerous to unsuspecting youngsters as the more familiar forests in Kenya. This is because parents considerably underestimate the risks their children are experiencing online. These risks range from exposure to pornographic and adult material to giving out personal information. Children are also exposed to unwanted sexual or nasty comments, to meeting unsavoury online characters and to unwittingly exposing their home computers to hackers.

Our youngsters have impressionable minds and just as you would restrict television content, one should also restrict which websites your children access. It is however important to appreciate that the internet is a treasure trove for our children. They use it for various activities for example, as a research library for their homework, playing games that develop cognitive skills and for communication through e-mail and chat rooms. It is therefore not reasonable to fully restrict access to the internet. Our children’s future is intertwined with ICT and availing them the opportunity to access this technology early equips them with a long-term competitive edge.

As a parent you are obliged to secure the internet for your children. There are a few measures, social and technical, that you have at your disposal. The first is the need to raise awareness among the children and your fellow parents on the risks that can be encountered online. These discussions should respect children’s online privacy and should be aimed at raising awareness and educating all concerned.

You have a number of technical options available to you as a parent. One of them is requesting your Internet Service Provider to filter adult content to your home computer(s). A more specific measure would be setting up permissions in your browser. (A browser is a computer application program that is used to view and navigate the World Wide Web and other internet resources. Popular browsers include Internet Explorer and Mozilla Firefox.) Internet Explorer has a feature called Content Advisor that can help parents control the type of content a home computer can gain access to on the internet.

With Content Advisor you can view and adjust rating settings to reflect what you think is permissible content in each of these four areas: language, nudity, sex and violence. You can adjust a slider to specify what users are allowed to see. For example, in language, Level 0 ensures access is allowed only for web sites with no profanity. Level 4, on the other hand, means that the internet user can access sites that contain extreme hate speech or crude language.

Apart from Ratings you can also specify which web sites are always viewable or never viewable, regardless of how they are rated. This means that you can prohibit unpleasant websites and prevent your children from getting exposed to offensive material.

Ensuring that your children safely navigate through the digital jungle is a security concern and a fundamental responsibility of every techno-savvy parent.

Thursday, July 17, 2008


By Muthoga Kioni (Published in the EAStandard 16th July 2008)

Shopping is supposed to be a pleasant experience. Hardcore shoppers maintain that it is therapeutic and contributes to their emotional and physical well-being. This is debatable.

There is however no denying that the thought of going to buy something you have been craving for (or need), has a thrill to it. This also includes the mundane household shopping.

Research claims that we get a ‘high’ when we see new and thrilling products. How many times have you walked through Nakumatt’s floors admiring items that you cannot afford?

Millions of shillings have been invested by our supermarket chains to enhance our ‘highs’ and thereby ensure we spend more time on the shop floor. The dynamics of physical shopping means that it will be with us for a long time to come.

Our shopping experience is, however, primed to be digitized when our local ICT infrastructure finally attains decent penetration in 2009. We will discover convenient shopping. Instead of pushing, shoving and waiting in supermarket queues at the end of an office day, we shall realize that the online Uchumi or Nakumatt can serve us faster and minus the sweaty stress.

It will be easier to tick off the items we need from the comfort of our offices and have them delivered home. We shall also be able to compare prices with comparative ease. How much is my favourite bar of soap in Uchumi, Nakumatt or Tuskys? It’s just a click away.

We already have accomplished Kenyan virtual online stores. Mama Mike’s is a famous and reputable online shop that caters for Kenyans and Ugandans who are located abroad. It allows them to purchase gifts, vouchers, and services for their family and friends based at home. This proves that online shopping will thrive once the infrastructure is in place.

Although shopping by computer (or mobile phone) will become a habit, it will unfortunately be particularly unsafe for the unwary Kenyan shopper. Avoiding the numerous online shopping minefields will require considerable technological dexterity.

To ensure we can shop unscathed, we need to adopt several measures. The first one is shopping from online stores that you know or are recommended by a friend.

The first-time shopping experience in a new shop is usually filled with apprehension. Various doubts swamp your mind, namely on the quality of the products and pricing. In a virtual shop the products are not tangible. So apart from not being able to ascertain whether what you are buying is of dubious quality, you are also not sure whether the goods will be sent to you. So buy from sites that you know.

Another fundamental of online shopping is to be extra vigilant when you give out your credit card information. It is sometimes tempting to go for that bargain from an unknown web site. Apart from making sure it is a trustworthy site, you should ensure that the site and payment process are certified by a known web authority, for example the BBB (Better Business Bureau). There is need for a Kenyan version of this organization that will act as a mutually trusted entity between online shoppers and businesses. Its main function would be to act as a stamp of approval for Kenyan online shops: virtual stores that you can safely transact with.

The prudent online shopper also needs to watch out for phishing. This scam involves the sending of an email that falsely claims to be from an established legitimate company. The objective is to scam the recipient into surrendering private information that will be used for identity theft. You could for instance receive a “marketing” email from a well known “brick and mortar” supermarket that invites you to update your personal information in your discount card. The web site you are directed to looks like the legitimate one but is actually bogus. If, for instance, the bogus email directed you to Uchumi, and your address bar reads, you can be sure that you are in the wrong website. So it makes sense to counter check that address bar.
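The address-bar check described above can be made precise. The following is an added example, not part of the original column: it parses a link the way a browser does and tests whether the host is the trusted domain or one of its subdomains. The domain `supermarket.example` and all sample links are constructed placeholders.

```javascript
// Constructed placeholder: stands in for the shop's real domain, which you
// should take from a card, receipt or bookmark, never from the email itself.
const TRUSTED_DOMAINS = ["supermarket.example"];

// Returns { ok, host, reason } for one link.
function checkLink(rawUrl, trusted = TRUSTED_DOMAINS) {
  let url;
  try {
    url = new URL(rawUrl); // same parsing rules the browser applies
  } catch (err) {
    return { ok: false, host: null, reason: "not a valid absolute URL" };
  }

  // The parser lower-cases the host; drop a trailing dot so
  // "supermarket.example." compares equal to "supermarket.example".
  const host = url.hostname.replace(/\.$/, "");

  // "https://trusted-name@other-host/": everything before '@' is a login
  // field, not the site. The browser connects to what follows it.
  if (url.username || url.password) {
    return { ok: false, host, reason: "text before '@' is not the site" };
  }

  // A legitimate shop is reached by name, not by a bare IP address.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith("[")) {
    return { ok: false, host, reason: "raw IP address instead of a domain name" };
  }

  // Internationalised labels are stored as "xn--..." and can be drawn to
  // look identical to an ASCII name in the address bar.
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return { ok: false, host, reason: "internationalised label may imitate a trusted name" };
  }

  // Exact match, or a subdomain: the leading dot matters, otherwise
  // "notsupermarket.example" would pass a plain endsWith() test.
  const matches = trusted.some((d) => host === d || host.endsWith("." + d));
  if (!matches) {
    return { ok: false, host, reason: "host is not the trusted domain or a subdomain of it" };
  }
  return { ok: true, host, reason: "host belongs to a trusted domain" };
}

// Constructed sample links of the kind a "marketing" email might carry.
const SAMPLE_LINKS = [
  "https://www.supermarket.example/cards/update",   // genuine
  "https://supermarket.example.login.test/update",  // trusted name used as a subdomain prefix
  "https://supermarket.example@login.test/update",  // trusted name placed before '@'
  "https://notsupermarket.example/update",          // trusted name as a suffix of another name
  "https://192.0.2.10/update",                      // bare IP address
  "https://superm\u0430rket.example/update",        // Cyrillic 'a' in place of Latin 'a'
];

function auditLinks(links = SAMPLE_LINKS) {
  return links.map((link) => ({ link, ...checkLink(link) }));
}

for (const r of auditLinks()) {
  console.log(`${r.ok ? "OK     " : "REJECT "} ${r.link}\n        host=${r.host} (${r.reason})`);
}
```

Only the first sample link passes; the others all contain the trusted name somewhere in the address yet resolve to a different host.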

On the whole, good old-fashioned sensible buying will save you considerable heart-ache. It is also advisable to keep both anti-virus and anti-spyware current on your computer. Back up your data regularly and if possible use a dedicated debit/credit card, with a modest balance, for online shopping.

Monday, July 14, 2008


By Muthoga Kioni (Published in the EAStandard 9th July 2008)

It is an acknowledged fact that Kenya has a propensity for locking the stable well after the horse has bolted. Prior planning and preparation have never been our forte. This scenario can be witnessed in our ICT sector.

ICT is a burgeoning sector that has the capacity of propelling our economy to greater heights. Indicators testify to its potential. Safaricom, an ICT firm, has become the most profitable company in East Africa.

The government has also appreciated the strategic national value of ICT. Various initiatives have been introduced, for example the E-Government Strategy. Universal access to broadband is being promoted by the government-sponsored National Optic Fibre Project. All these initiatives are a prelude to the coming of The East African Marine System (TEAMS). This is a submarine cable that will link Mombasa with the UAE and by extension, with the rest of the world. Kenya is clearly in the dawn of a technological revolution.

The existence of this infrastructure will invariably herald a new chapter for our beleaguered economy. E-Commerce will open up new opportunities to small and large firms alike. We shall witness a fundamental transformation in the way local firms use ICT. Currently businesses are supported by ICT. Kenyan companies will adopt models where ICT will become integral and inseparable from the business and they will subsequently accrue competitive advantages.

It will become possible for consumers to order groceries from Uchumi or Nakumatt online and have them delivered to their doorsteps. Long-suffering Nairobians will be able to plan departures from their offices or homes by monitoring traffic jams in the city using live footage from internet-enabled CCTVs. Our farmers will be able to access global buyers and markets through Digital villages.

Right now these benefits are shining like lighthouses in certain areas of our economy. The runaway success of MPesa was unexpected. National examination results can now be accessed via the internet and mobile phone. E-government has had an impact on the efficiency of central government. There are many more areas where the darkness of corporate and government bureaucracy has been vanquished by the beacon of technology.

These gains are, however, being enjoyed by a minority of Kenyans. This will change when the TEAMS cable facilitates greater access to Kenyans. This enhanced access will precipitate an E-commerce boom and enable us to build a knowledge economy. This however hinges on whether we can prevent the horse from bolting before we organise the stable and secure the doors.

Putt's Law states that technology is dominated by two types of people - those who understand what they do not manage and those who manage what they do not understand. We are obviously managing something we do not fully understand. This is because we are busy building the technological infrastructure without paying attention to the E-security measures that will determine the viability and future of this technology in Kenya.

E-security has yet to be embedded into our mainstream legislative and policy frameworks. E-security refers to the technical, policy, managerial and legislative safeguards applied to systems and data to protect organisational and personal privacy. These basic safeguards, that should secure the proposed virtual Kenyan economy, are absent. Kenyans are currently vulnerable to various online threats for example fraud, access penetration, data and password theft and others.

The valuable financial tokens that underlie e-commerce - credit card numbers and bank account information - have to be secured against fraudsters who use various methods like internet sniffing to obtain these details. With increased access, unscrupulous merchants will emerge with the sole motive of defrauding unsuspecting Kenyans for a quick profit. E-security therefore underpins our future virtual economy.

We cannot afford to ignore this danger. We have only one chance to guarantee confidence and trust in our local E-commerce environment. That means we must draft and publish a Data Protection Act that regulates the processing of individual data. We must also review and update the 2006 ICT policy that is obviously outdated. Kenya must divorce ICT from media and publish a comprehensive ICT Bill that fully outlines an electronic security framework.

Securing our technological infrastructure has to be in tandem with its development. Our failure to fully appreciate this concept will result in a still-born electronic economy and will dilute the considerable investment Kenya has made in ICT.

Tuesday, July 08, 2008

The Kenyan ICT Bigwigs (Corporate) - Part 5

Robert Kariuki Mugo joined Safaricom as the Chief Information Officer in June 2008 from Flashcom Limited, where he served as the Chief Executive Officer.

He started his career with Africa Online Kenya Ltd where he rose through the ranks to become the Corporate Head of Technical Operations.

Mr. Mugo later joined UUNET Kenya Ltd in the year 2001 where he worked as a Technical Director and General Manager.

Kenya-Byte wishes him continued success.

Friday, May 16, 2008

Kenyan Forensic Science Association

A most commendable effort by two dynamic ladies is bearing fruit. Lynne T. Farrah and Sophie Mukwana (both Directors of Biotech Forensics Ltd) came up with the idea of establishing a national forensic science association. We had a successful inaugural meeting on the 7th of May, 2008 in Nairobi Club. This meeting was attended by Kenyan professionals from various forensic science branches.

Forensic science, by the way, is the application of scientific methods and processes to matters that involve crime or the public. These branches include criminalistics, pathology, entomology, dentistry/odontology, psychology, chemistry, computing, geology and anthropology. Forensic scientists are for example invaluable to their nation in the areas of forensic chemistry (drugs, toxicology, trace evidence, explosives, fires, etc.), forensic biology (mainly DNA and body fluids and tissues) and criminalistics (fingerprints, documents, firearms, information and communication technology and tool marks) among others.

Most of these branches were represented and it was widely agreed that formation of this body was long overdue. I would wish to thank Lynne and Sophie for igniting this process that will professionalise the application of forensics in Kenya.

If you are a forensic scientist resident in Kenya please come along to the second meeting. It will be held at Nairobi Club on Wednesday 21st May, 2008 at 6.00p.m. Organisers encourage punctuality and remember drinks and snacks will be on sale.

Wednesday, May 14, 2008

What to do...what to do!!!!!

It's been difficult relying on cybers for access to the internet. The hassle was too much so this week I finally hooked up with Celtel's dial-up connection. You know how it is when you have multiple chats going on, a bit torrent download happening, streaming radio in the background and a virtual game all running simultaneously thanks to broadband. Well, all that is now impossible but hey, what to do...what to do!!!

So more posts are in the offing and hopefully that TEAMS submarine cable checks in before cobwebs engulf me as I await the "loading" gremlin to gift me a web page...damn!!!!

Saturday, March 22, 2008


The other day I was pleasantly surprised to walk into my favourite cyber café and discover they had converted to open source software (OSS), mainly Ubuntu and Mozilla Firefox. OSS is often referred to as free and open software e.g. Apache, Linux, Perl etc. Why the sudden conversion, one may ask. I heard that the local anti-piracy crusaders have been resurrected by a huge injection of dollars from Uncle Sam. This re-invigoration has seen many firms on the wrong side of Tom Mboya Street raided. Up market firms have not been spared either.

Alas the incentive is suddenly present and now is the time we encouraged ICT users to unshackle themselves from the Microsoft monopoly. As the biggest user of ICT, the Kenyan government has to take a leadership role on this issue. The South African government, for instance, has joined other countries such as Brazil, India and Uganda in implementing OSS in most government departments. The Chinese government has been a strong advocate of OSS platforms for years and has adopted Linux as a standard. Obtaining low-cost computing capacity for a billion-plus people cannot be attained by using locked programs that come with expensive licences.

Open source politics has at times been touchy. In 2004, the head of the Brazilian National Institute of Technology compared Microsoft to a drug pusher. Microsoft duly sued. The Chinese government believes that Microsoft is an agent of the American government in its quest for world domination. Despite the politics of OSS it is worth appreciating one crucial point. The primary purpose of any program (open source or otherwise) should be about meeting or solving an ICT need in the most effective way. OSS has acquitted itself quite well. The Internet could not exist were it not for OSS. Apache runs on more than 58% of web servers, thereby making it the most popular web server. Microsoft’s Internet Information Server is second, with less than 21% of web servers running it. We must therefore objectively state the pervading objective(s) of adopting this software.

As a developing country we must seize the strategic advantage of open source. The digital divide is a reality and OSS provides us with an opportunity of not only surmounting this chasm but also leap-frogging the developed countries. By using and deploying software at a lower cost, right from the start, we would avoid a costly experience with proprietary software. Internet applications, basic operating/telecommunications systems and Linux based server platforms are good starting points. Windows is held in a vise-like grip by Microsoft. To develop for Windows you need access to Windows’ application program interfaces (APIs) which are rarely granted by Microsoft and only under strict (and expensive) conditions. Secondly, the endless Microsoft lock-in of costly upgrades has stifled the development of our ICT sector. This has resulted in access to ICT being enjoyed by an urban (corporate and home) elite that can “afford” the highly priced software. Even as we tout ICT as one of the engines of development in the 2030 Vision, we must comprehend that this objective is unattainable if ICT is accessed by an exclusive group. It is therefore imperative to note a fundamental fact. If Kenya is to transform itself into a knowledge economy we must use OSS strategically to reduce the digital divide.

Another point I would like to stress is the moral argument. We have a right to the source code that we can use to build a digital infrastructure that underpins our national civilization. OSS is free from two perspectives, cost and freedom. If we are to sustain and protect our ICT sector it is imperative that we don’t outsource our digital sovereignty to other nations. The open source movement propagates the concept that the user should have the freedom to read, redistribute, modify, and use the source code without the limitations of cost, access or ownership. As a developing nation we should look beyond the present demands of building our technological infrastructure and contemplate the digital future. Any nation that will achieve (and retain) dominance in the coming global knowledge economy will need to have in place digital systems and mechanisms that protect its intellectual capital/resource. How competitive will Kenya be if we use non-indigenous software sourced from other countries? It is therefore imperative we use the right to the source code of OSS and propagate it as a base to develop our own Kenyan digital civilization.

Thursday, February 21, 2008


I was watching the Nation TV morning show today (20 Feb 2008). Michael Joseph (Safaricom CEO) was one of the guests. Some of his remarks were quite interesting. When asked about Safaricom’s perennial congestion he reverted to his controversial argument that Kenyans have “peculiar” calling habits. Of course he used more polite terms this time round. He elaborated by stating that on Friday afternoons everyone in downtown Nairobi is calling each other within this same time window. This has resulted in Nairobi having the highest mobile telephony traffic per square mile in the whole world - on Friday afternoons! Now one wonders what drives us to verbal overdrive on Friday afternoons. There is a whiff of mischief here if you ask me.

Anyway that is fodder for another day. Of more interest was his proclamation that Safaricom will roll out the third generation (3G) network next month (March, 2008). He stated that 3G will encourage us to diversify our mobile diet to include data transmission instead of dwelling on our staple telephony activities of voice and short message sending.

Wireless technologies have finally come home to roost in Kenya. Right now we have multiple providers offering various wireless systems for example Telkom, Safaricom, Celtel, Popote, KDN and Flashcom etc. Technical jargon abounds, sample these: Wireless Data Networks (WDNs), Wireless Application Protocol (WAP), Personal Area Networks (PANs), Wireless Local Area Networks (WLANs), Wireless Wide Area Networks (WWANs), General Packet Radio Service (GPRS), Code Division Multiple Access (CDMA) and many others. It’s advisable to familiarize yourself with these wireless technologies and how they are categorized by their function, frequencies, bandwidth, communication protocols and level of sophistication. Blackberry, for example, integrates telephony, web browsing, email and messaging services with personal digital applications (PDA). It therefore has one foot on PAN and another on WLAN.

It’s a wireless bonanza in Nairobi or what I might call a mighty unwired mahewa fest. Who is celebrating? War drivers or sniffers are the ones in frenzy. War driving is the art of monitoring wireless traffic to determine, control and manipulate signal, bandwidth, leakage patterns and so forth. War drivers engage in mobile sniffing of wireless networks. War driving has evolved to include signage known as war chalking. This is where once a war driver has sniffed a vulnerable access point he/she reveals this insecurity on the most convenient visible surface. I saw this in London where chalk signs indicate the location of ‘free’ wireless networks. War drivers use self-contained laptops or PDAs in cars. They cruise around looking (sniffing) for ‘open’ access points. Popular sniffer tools include Air Crack, Air Snare, Kismet, Arpspoof, Air Magnet etc. Most of these tools are open source and freely available. These sniffer tools are able to scan and detect MAC addresses, Service Set IDs (SSID), names, signal strength, channel and other features. With time a WAP map of all vulnerable access points is constructed for all and sundry to use. I am sure this kind of map has already been developed in Nairobi. As it is war driving has become a popular weekend pastime in the mtaa for a number of savvy Nairobians. This wireless network security hole needs to be plugged before costly breaches occur. Knowledge and vigilance are formidable adversaries of war driving. Ensuring security requires some basic measures. One of them is ensuring that you don’t broadcast the SSID to the world. Another is using Wired Equivalent Privacy (WEP) which is an encryption technique. Other measures abound.

The lessons to be learned here are that war driving is fast gaining currency in Nairobi. The tools that a war driver/sniffer might use to intercept wireless traffic are the same tools that are used to harden an organization’s wireless infrastructure. It is imperative that we promote awareness of this problem. It is only a matter of time before our sniffers emulate others by conducting an annual mahewa war drive in Nairobi. Sounds interesting though!!!
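An added example, not part of the original post: a Python sketch of what a sniffer reads out of a single 802.11 beacon, used here to audit your own access point against the two measures named above (SSID broadcast and encryption). The frames, BSSID and SSID are constructed test data, and `build_beacon`, `parse_beacon` and `audit` are names chosen for this example.

```python
import struct

PRIVACY_BIT = 0x0010  # capability flag set when WEP or a later scheme is enabled


def build_beacon(bssid: bytes, ssid: bytes, channel: int, privacy: bool) -> bytes:
    """Build a constructed beacon frame (sample data, not a capture)."""
    header = struct.pack("<HH", 0x0080, 0)        # frame control (beacon), duration
    header += b"\xff" * 6 + bssid + bssid         # destination, source, BSSID
    header += struct.pack("<H", 0)                # sequence control
    capab = 0x0001 | (PRIVACY_BIT if privacy else 0)
    fixed = struct.pack("<QHH", 0, 100, capab)    # timestamp, interval, capabilities
    tags = bytes([0, len(ssid)]) + ssid + bytes([3, 1, channel])
    return header + fixed + tags


def parse_beacon(frame: bytes) -> dict:
    """Extract the fields a passive scanner sees in one beacon."""
    if len(frame) < 36:
        raise ValueError("too short for a beacon frame")
    (fc,) = struct.unpack_from("<H", frame, 0)
    if (fc >> 2) & 0x3 != 0 or (fc >> 4) & 0xF != 8:
        raise ValueError("not a beacon frame")
    _, _, capab = struct.unpack_from("<QHH", frame, 24)
    info = {"bssid": frame[16:22].hex(":"), "ssid": None, "channel": None,
            "privacy": bool(capab & PRIVACY_BIT)}
    pos = 36                                      # tagged elements follow fixed fields
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:                   # truncated element, stop parsing
            break
        if tag == 0:                              # SSID element
            info["ssid"] = value
        elif tag == 3 and length == 1:            # DS parameter set: channel
            info["channel"] = value[0]
        pos += 2 + length
    return info


def audit(info: dict) -> list:
    """Return findings for the two basic measures: hidden SSID, encryption on."""
    findings = []
    ssid = info["ssid"] or b""
    if ssid.strip(b"\x00"):                       # empty or all-null means hidden
        findings.append("SSID is broadcast: " + ssid.decode("utf-8", "replace"))
    if not info["privacy"]:
        findings.append("no encryption advertised (privacy bit clear)")
    return findings


if __name__ == "__main__":
    ap = b"\x02\x00\x00\x00\x00\x01"              # constructed BSSID
    for frame in (build_beacon(ap, b"office-ap", 6, False),
                  build_beacon(ap, b"", 11, True)):
        info = parse_beacon(frame)
        print(info, audit(info) or "no findings")
```

The second frame passes both checks, yet its BSSID and channel are still readable from the beacon.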

Monday, January 28, 2008

The Kenyan ICT Bigwigs (Corporate) - Part 4

Mr. Robert Kariuki Mugo joined Flashcom in 2006 as the CEO. Flashcom is a locally owned CDMA (Code Division Multiple Access) wireless connection provider (local loop operator). He has over 12 years experience in the ICT industry. The University of Nairobi Electrical and Electronic Engineering graduate has been a pioneer in companies like Africa Online Kenya, Africa Online Holdings, UUNET Africa, UUNET Kenya and UUNET Communications.

Flashcom is growing in leaps and bounds under the stewardship of Mugo. It has managed to double its subscriber base in the wireless services and offers advanced voice services as well as data services on a single line.

Flashcom has bet on CDMA as the future wireless standard in Kenya. Its main competitors are Popote and Telkom Wireless who also offer services on CDMA.

Mugo contends that CDMA is the way to go due to its high quality voice, high speed data, efficient use of frequency and its low infrastructure framework.

Mugo has an ambitious plan of going regional with converged services offering voice, data and video, as the company plans to take advantage of fibre optic cable technology.

Flashcom has managed to maintain its stronghold in Nairobi due to the greater number of base-stations the company has in the area.

Kenya-Byte wishes Mugo future success.

Thursday, January 24, 2008



In the first part of the series we were able to establish the difference between ICT security and forensics. We outlined that computer forensics is the acquisition, examination, and reporting of information found on computers and networks that pertain to a criminal or civil investigation, although the same processes and methods are applied to corporate and other "private" investigations. Forensic computing will in the immediate future increase in importance for Kenyan companies, legal practitioners and law enforcers. There are a number of underlying reasons that demand we pay more attention to cyber crime and our attendant capacity to investigate and prosecute cyber offenders.

The first is that cyber-crimes are particularly lucrative because they are generally non-violent crimes. Secondly these crimes yield high profits despite low investment and risk. Compare this with a bank robbery which requires considerable organization, financing and risk. Cyber crime has a relatively low risk of capture and if caught and convicted the result is usually a relatively short prison sentence. Computer forensics and digital investigations have become an integral part of police work in the new millennium. Computers are now as much a part of the modern law enforcement officer's daily routine as the fimbo, sidearm, two-way radio, or handcuffs.

At the heart of a computer forensic investigation is digital evidence. Everything that someone does on a computer or a network leaves traces. Locard’s Principle of Exchange states that any person who enters a scene of crime leaves something behind and takes something from the scene with them. This applies to the physical and digital realms. In this instance, everything from deleted files and registry entries to the internet history cache, automatic Word backup files, e-mail headers and instant messaging logs gives clues as to the intermediate servers through which information has traversed. Server logs also provide information about every computer host accessing a web site.

Obtaining digital evidence and maintaining its integrity and admissibility is achievable. The problem is in conducting a successful prosecution. At this point in time - 2008 - various challenges confront the cyber forensic investigator in Kenya. They are mainly legal, financial, scope of jurisdiction, training, the ubiquitous and dynamic access to the internet, ignorance and the absence of a supervisory authority. I want to briefly discuss these challenges.

Various countries have introduced legislation that directly deals with cyber crime while others have reformed and modified their existing criminal laws to include this emerging crime. However many countries do not have adequate legislation that addresses cyber crime and this includes Kenya. Cyber crime laws, for example, protect certain rights and assets such as privacy and identity by rendering illegal the interception and unauthorized access to digital data and resources privately owned. They also provide legal frameworks that assist forensic investigators in achieving successful prosecutions. The United Kingdom for example has introduced various legislative initiatives over time, meant to specifically address cyber crime. These include the Computer Misuse Act (1990), the Criminal Justice and Police Act (2001), the Police & Criminal Evidence Act (1984) and the Regulation of Investigatory Powers Act (2000) among others. In the United States of America, legislation has also been introduced to combat cyber crime for example the Patriot Act (2001), Homeland Security Act (2002), Prosecutorial Remedies and Tools Against the Exploitation of Children Today (PROTECT) Act among many others. The absence of an integrated cyber legal framework in Kenya provides a great challenge to successful local cyber crime investigations and digital evidence gathering efforts. The Kenya Communications Bill 2007 proposes to create a number of new offences and to prescribe the maximum punishments to be meted out on offenders. It mentions various offences. They include tampering with a computer’s programme source code, availing an electronic signature certificate for a fraudulent purpose, interfering with the operation of mobile telephone equipment, hacking into a computer system, unauthorized access and publishing obscene information in electronic form. It is well and good for the bill to list punishable offences and prescribe penalties. 

What the bill has failed to recommend and spell out is the legal process of cyber crime investigation and digital handling in Kenya. This is absolutely necessary because it translates to the rate of successful prosecutions. This issue is especially relevant to our investors, for example call centers, which need a legislative umbrella that safeguards their operations (i.e. identity details and data handling).

Another challenge that confronts forensic investigators in Kenya is jurisdiction. The internet is borderless. Serious crimes are now facilitated by the internet where cyber criminals are in one country while the victims are located in another. Trans-national computer crime has emerged as a mounting problem due to the global nature of the internet. Developing countries are especially vulnerable due to the presence of inadequate cyber crime legislation. While international offending is by no means a uniquely modern phenomenon, the global nature of cyberspace significantly enhances the ability of offenders to commit crimes in one country which will affect individuals in a variety of other countries. Examples such as identity theft, Nigerian 409, scams and phishing are crimes perpetrated through the use of multiple servers in various countries. Cyberstalking and other child sexual exploitation activities have been dramatically enabled because of the global reach of the internet. We need to introduce relevant laws in Kenya that address this amorphous context of the internet. This is a global effort and we need to join other countries in this concerted effort of combating global cyber crime.

Global liaison is an area that also presents a challenge to computer forensic investigation. No area of criminal activity is more on the cutting edge or has greater global implications than crime involving technology and computers. It is evident that as the globalization of distributed computing continues, and as computer criminals become more sophisticated, law enforcement will increasingly need timely access to computer or telecommunication information from multiple countries. These efforts will require a global agency that coordinates them. Mechanisms would have to be introduced that cater for digital evidence interchange between countries, standardization of procedures, personnel training and investigation co-operation. Currently the International Police (Interpol), Virtual Global Taskforce and the Cyber Law Enforcement Organization are bodies attempting to provide the focus for global effort in fighting cyber crime. There is however a greater requirement to have a more concerted effort to strengthen these organizations and others so as to pre-empt fragmented national and regional efforts. Kenya needs to assign responsibility of regional and international digital co-operation efforts to a specific entity for example the yet to be established Kenya Police High Tech Crime Unit.

We are faced with a further challenge of training which has resulted in a shortage of adequately trained cyber forensic investigators. Training a computer forensic expert would result in an efficient and high job performance. A failure to provide sufficient training would leave investigators and their agencies vulnerable to court dismissals (either civil or criminal) and failure to effectively process digital evidence may exculpate an individual, or may result in failure to protect an organization in the event of a dispute. Competence is paramount. As has been stated before, the intricate process of gathering digital evidence and its presentation in court requires an investigator to have highly developed technical computer and legal skills. This training should ideally be found at the undergraduate and postgraduate levels in our local universities (e.g. Jomo Kenyatta University, Juja). This training is currently provided by Karman Security Services Limited which is located in Kitisuru and was founded in 2007 by former CID director, Mr. Joseph Kamau. This initiative is commendable and will go a long way in enhancing the computer forensic capacity in Kenya.

Directly related to the shortage of adequately trained computer forensic investigators is the limitation imposed by budgets or financial resources. Kenya is adversely affected by this problem. Law enforcement agencies are allocated budgets to fight crime. The budget is often inadequate considering the needs. Financial budgets are therefore allocated to various competing areas. Cyber-crime units compete for scarce resources with other criminal departments for example homicide (flying squad), tribal clashes, terrorism, rape, kidnappings, financial fraud, drugs, murder among others. Funds are required to finance computer forensic labs, train officers, purchase software and hardware equipment, logistics and finance computer crime legislation. This problem is global and is evident in the fact that only a small proportion of computer crime ever gets to be investigated and prosecuted by forensic investigators. A 10,000 dollar threshold is placed by most computer crime units in America. This means that if complaints are lower than this threshold then they are not investigated and instead manpower and financial resources are concentrated on computer crimes targeting banks, critical infrastructure, government facilities and high-impact sites. This situation puts the computer crime victim(s) at risk because they are forced to do most of the investigations and leg-work themselves. This is evident in most victims of online identity theft who are forced to launch investigations using their own resources. Financial institutions are also adversely affected by this state of affairs. Considerable resources are used to hire private forensic investigators to unearth fraud and criminal activities in these organizations. It is imperative that the Kenyan Police force establish a fully funded High-Tech Crime Unit. 

Inasmuch as basic security provision is a problem that we are perennially grappling with in Kenya, I contend that cyber crime should be accorded its due attention and funding by our law enforcement agencies and the central government.

Another related challenge is the dynamic nature of information technology, where software and hardware advances demand constant re-training and re-acquaintance. This can put a strain on a cyber crime unit that would want its officers to spend more time investigating cases than being in continuous training sessions.

In the next part of this series I will discuss the various benefits that Kenya would accrue from having an efficient and effective cyber forensic capacity.

Monday, January 21, 2008

Happy New Year Friends,

My most sincere best wishes to you for 2008. My last article was way back in August 2007. Late last year was difficult for me due to the transition I was making. I am now back in Kenya for good and despite the post-election matata I am glad to be back home.

I studiously avoid delving into politics in this blog. However its pervasive and destructive onslaught threatens to smash our country into smithereens. As ICT professionals we have an obligation and responsibility to our motherland. The time has come to stand forward and be counted. I would appeal to all brothers and sisters to promote peace, love and unity. We have the power to build or destroy our nation. Let’s opt for the right thing.

Mimi bado najivunia kuwa Mkenya!!!


Sometime back I promised to introduce forensic computing and discuss its relevance to our nascent ICT sector. I will outline these aspects as a series.

In a previous article I mentioned that we cannot ignore the security of our ICT infrastructure. Just as we protect other resources, we need to appreciate the importance of safeguarding the Kenyan cyber highway from virtual fraudsters, muggers and other malignant characters. Note that computer forensics and security differ in definition though they are fundamentally complementary. ICT security involves the implementation of safeguards that protect against intrusion, mishaps and mistakes. Our dependence on ICT is steadily growing and is present in many different aspects of our lives e.g. public utilities (KPLC), communications (mobile telephony e.g. Safaricom), financial institutions (ATM’s), medical (diagnostic equipment) and others. ICT security will therefore involve the implementation of a security fabric that covers and protects the ICT resources of an organization.

This security fabric has various components woven into it and they include: physical security, operational security, information security, disaster recovery, access control, cryptography, auditing, laws and ethics. It is the responsibility of organizational management in Kenya to set the tone for what role security will play in their companies. Management must decide what data is valuable and needs to be protected, who is responsible for protecting it and to what extent, to what extent employees may access and use the data, and what the consequences are for noncompliance.

Forensic computing on the other hand is about the detection and investigation of criminal activities committed online. To achieve this, the process of evidence gathering is fundamental. Forensic computing like any other forensic science involves the use of sophisticated and modern technology tools and procedures that must be followed to guarantee the accuracy of the preservation of evidence and the accuracy of results concerning computer evidence processing. Due to the special characteristics of digital evidence it is necessary to consider it separately and with special consideration.

Digital evidence comes in many forms and will include all physical evidence for example the computer the crime was committed against or used, peripherals, mobile devices and other physical storage devices like DVDs, CDs, memory pens, paper evidence, documentation and others. Evidence will also involve the examination of non-physical evidence e.g. registers, memory cache, virtual and physical memory, network status, all running processes and logical file systems.

Good practice must be adhered to in the evidence gathering process, otherwise a case or prosecution would be easily jeopardized by sloppy handling. Evidence must comply with the rules for the same. One must account for any changes and the original evidence must be handled as little as possible. Evidence must be of high enough standard to withstand the test of a court process. This involves its admissibility, authenticity, completeness, reliability and believability. When handling digital evidence good practice principles must be adhered to. They are:

Principle 1: No action should be taken by a law enforcement agency or investigator to change data held on a computer, device or storage medium which may be relied upon in court.
Principle 2: In rare circumstances where original data must be accessed, the person accessing it must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
Principle 3: An audit trail or other record of all processes applied to digital evidence should be created and preserved. An independent third party should be able to scrutinize these processes and arrive at the same result.
Principle 4: The person in charge of the investigation, the case officer, has overall responsibility for ensuring that the law and these principles are adhered to.
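
One way to put Principles 1 and 3 into practice, as an added example that is not from the original post: hash the exhibit at acquisition, chain every audit entry to the one before it, and let a third party re-run the check. The exhibit bytes, names and timestamps are constructed, and `AuditTrail` and `verify` are names chosen for this example.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" used by the first entry in a trail


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _entry_hash(body: dict) -> str:
    # Canonical JSON so an independent party computes the identical digest.
    return sha256_hex(json.dumps(body, sort_keys=True).encode())


class AuditTrail:
    """Append-only record of every process applied to one exhibit."""

    def __init__(self, exhibit_id: str, original: bytes, when: str):
        self.exhibit_id = exhibit_id
        self.original_hash = sha256_hex(original)  # fixed at acquisition
        self.entries = []
        self.record("case officer", "acquired", original, when)

    def record(self, who: str, action: str, data_after: bytes, when: str) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "when": when, "who": who,
                "action": action, "data_hash": sha256_hex(data_after),
                "prev": prev}
        body["entry_hash"] = _entry_hash(body)
        self.entries.append(body)
        return body


def verify(trail: AuditTrail, current_data: bytes) -> list:
    """Re-run the checks as a third party would; an empty list means clean."""
    problems = []
    prev = GENESIS
    for e in trail.entries:
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        if e["prev"] != prev or _entry_hash(body) != e["entry_hash"]:
            problems.append(f"entry {e['seq']}: audit record altered or reordered")
        if e["data_hash"] != trail.original_hash:
            problems.append(f"entry {e['seq']}: data changed during '{e['action']}'")
        prev = e["entry_hash"]
    if sha256_hex(current_data) != trail.original_hash:
        problems.append("exhibit no longer matches acquisition hash")
    return problems


if __name__ == "__main__":
    image = b"constructed disk image contents"     # stand-in for a real image
    trail = AuditTrail("EXH-001", image, "2008-01-21T09:00")
    trail.record("examiner A", "keyword search on working copy", image,
                 "2008-01-21T10:30")
    print(verify(trail, image))                    # clean trail
    print(verify(trail, image + b" edited"))       # exhibit was modified
```

The chain only detects edits if the latest `entry_hash` is also recorded somewhere the examiner cannot rewrite, such as the signed case file.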

Due to the high quality demanded from gathering digital evidence, the computing forensic investigator must have substantial expertise in the methods and technology used. It is also necessary for the forensic expert to be well versed in legal procedures. We can therefore observe that substantial demands are made on the training and capacity of the computing forensic expert. He/she also requires a physical and legal environment that facilitates professional digital evidence gathering.

In the next part of this series I will discuss the various challenges (e.g. legislative/legal, financial, training etc) computer forensic experts face in Kenya and suggest various approaches we should adopt in surmounting these challenges.