Wednesday, September 08, 2010

Kachumbari Remembered



Four years have passed on...Kachumbari - The True Kenyan Villager...we remember.

HOW TO CONVERT KSHS INTO DOLLARS THROUGH A BANK EFT

I read an interesting article in the EAStandard of September 8, 2010. It's about an interesting fraud where money was transferred from several banks in thousands of shillings only to be received by another bank in millions.

An example was KShs 388,400 which was transferred from an account at the Co-op Bank, Kimathi Street destined for KCB, Moi Avenue. The destination account in KCB was credited with USD 388,400 (KShs 30,295,200).

Another transaction involving USD 96,800 had been transferred from another bank in KShs but credited into a KCB account at UN Gigiri branch in dollars and withdrawn immediately.

An interesting question immediately popped up in my mind – How did they do it?

We can of course glean that this is a simple, yet brilliant, play on the currency field. There is definitely a system breach involved here. What I don’t know is whether the inter-bank Electronic Funds Transfer system could have been breached (insider attack) or whether a man in the middle attack occurred.

Help me fill in the blanks. Is there any IT or banker guy out there who can outline a likely scenario on how such a fraud can take place?

ANATOMY OF A SUCCESSFUL INTRUSION – IN YOUR LANGUAGE

Have you wondered what all this fuss about hacking is about? You might have asked yourself what is hacking and how is it done. The hacking process is really quite simple. You can compare it to a burglary because the concept is basically the same. A burglar will ask himself how and when he will break in, what is he looking for and how can he cover his tracks so that he is not caught.

Hackers are abit more systematic so they break down their attacks similar but more explicit stages: Stage 1 is gathering information about the target system; Stage 2 is an analysis of this gathered information; Stage 3 entails researching of the target system’s vulnerabilities and the fourth and final stage is the implementation of the attack. This modus operandi is universal and can be successfully transplanted into any other criminal activity. Understanding and adhering to these stages means that twenty five percent of your job is done and dusted, even before you begin.

Let’s begin with the first stage, gathering the relevant information about the target company and its computer systems. At this stage any kind of data is relevant. Knowing the company’s business core activity, the Board/Management structure, the physical location, branch locations, the approximate number of employees, product range and computer system infrastructure details are obtained.

Sources of information include websites, financial statement reports, discarded documents and of course the employees (through social engineering). Gathering of information also means the hacker has to determine how many computers are publicly exposed to the internet. Among this is the web server which is usually a good starting point. Scanning is done by using various software tools akin to the burglar’s “bag of tricks”. The scan results will outline the system’s characteristics, for example, the open ports, its internet location, the IP addresses of its computers and whether the web server (that hosts the company website) is in-house or not.

The second stage is the analysis of the information obtained. At this point the hacker wants to determine where to apply his most effort. Should the emphasis be more towards social engineering? Or should it be at hacking away, in ungodly hours of the night, trying to find out the vulnerabilities of the targeted computer system. A simple example would be where the hacker learns that the senior system administrator usually visits a certain bar every evening. The next step is to find out whether he carries his laptop home. The hacker can observe the said employee leaving the premises to establish this fact. Better still is to pretend that he is colleague and he makes a call to the office security (some minutes after 5pm) asking whether they have seen the said laptop the system administrator told him to collect from the office. They will unwittingly tell you that they saw him leaving with it.

Next step will be to break-in to his car when he’s inside the bar. This will save the hacker vital time because he will obtain crucial access data like passwords from the stolen laptop. The data from such a laptop, if relevant to the attack, would negate the next stage which is researching the vulnerabilities of the company’s systems.

The sole objective of this next stage is to determine the vulnerabilities of the systems so as to exploit a discovered vulnerability to gain entry. The experienced burglar also conducts this stage by either visiting the premises to find out which window is usually left unlatched at night or uses an insider to describe the vulnerabilities of the house. The hacker does the same.

DID YOU KNOW YOU THAT YOU CARRY A LOCATIONAL DEVICE EVERYWHERE

If you have been recently keeping track of crime news reports in Kenya, you will have noted that there has been an increase in using mobile phones to apprehend criminals, for example Onyancha. Just like everyone else, criminals have woken up to the fact that we are all in a wireless grid that can work for and against them. Among all wireless technologies available the mobile phone has had a profound impact in all facets of our lives, especially the criminal underworld.

The mobile is now an integral component of the overall security component of individuals and organizations. The potential for its abuse as a tracking device makes it an information security issue. That is why locational tracking via mobiles, is a security concern we should all be aware of.

Before I outline the security implication of carrying that mobile, allow me to outline the coming locational services that might be on pipeline for implementation in the near future.

The mobile has become a platform on which various services are been bundled into. M-Pesa (money transfer), Skiza tunes/downloads and commodity price checking are among the most popular. Services based on the location of the mobile phone are the next frontier. These services are known as Location Based Services (LBS). Various applications have been developed in the context of LBS for example weather reporting. Once a mobile user enters a new area, the weather report of that area will be sent to your mobile. So if you are a truck driver you will be able to receive weather updates each time you cross a province or country.

Another very important location service is the Wireless Emergency Services (WES). When a mobile user calls the emergency 112 number, the location of the caller is determined by the service provider through the Automatic Location Identification (ALI). This location is then forwarded to the police or emergency responders. These locational services will really improve the quality of our lives especially in health and criminal emergencies like road accidents and carjacking.

It is evident that the benefits of location tracking can assist many Kenyans. Using ALI to track kidnappers, rapists and their ilk provides an immediate benefit to the society by swiftly tracking and removing criminals from our midst. There is however a flip side to this situation. Whereas ALI provides evident benefit it also poses a serious personal risk to mobile users. This facility, if abused, can be detrimental to innocent mobile users. In this age of interconnected networks (internet, GSM, CDMA etc) the security structures that are needed to protect this feature, by service providers, should be scrutinized in the interest of public good.

Various scenarios come to mind. Imagine a demented individual wants to stalk a spurned lover or a disgruntled employee wants to get back at the employer who laid him off. Accessing ALI to locate a potential victim would be possible from both the human and technological access points. Hacking into a service provider’s telecommunication system would allow a hacker to sell real-time locations of people to criminally intent people. By using social engineering techniques and outright threats, employees of service providers who maintain the ALI system, would be vulnerable to blackmail and physical harm.

There is definitely a greater good in using location mobile tracking to combat crime. We should however be cognizant to its potential abuse. As a consequence ethical and legislative frameworks should be developed to ensure that ALI is only used for the greater good of the Kenyan society.

Saturday, May 08, 2010

HATE MESSAGES – DO YOU KNOW HOW THEY CAN TRACK YOU?

The 2005 Referendum and 2007 election introduced Kenyans to a vile form of mass misinformation - the insidious power of hate messages.

It was the propagation of these hate-filled messages that inflamed Kenyans against each other in both instances.

To be able to prevent a repeat, we must understand why mobile telephony and the internet have become such powerful tools of incitement.

Group Action in Hate Messages
The telephone and television (old media) are one-way communication technologies that do not allow groups to be created and organised rapidly. This is because creating a group and mobilising it around a cause by using a television is not sustainable.

This is because a group has connections which have to be constantly maintained and the old media was not designed to nurture these interpersonal connections.

Mobile phones and the internet (new media) depart from the old media in that they enable near real-time two-way communication. Creating a group using your mobile phone has never been easier. Of more fundamental importance is the ease at which you can maintain connections to a group.

Having a group conversation with 500 like minded people is as easy as clicking a “Send” button in your mobile or selecting multiple e-mail addresses. The ability to ignite collective action by using new media will only increase in the future and this is the reason why hate messages were so effective in 2005 and 2007.

Investigating Hate SMS messages
SMS (Short Message Service) is a service for sending short messages of up to 160 characters to mobile devices. The transmission of SMS messages involves an SMS center (SMSC) which is responsible for forwarding the SMS messages to their destination(s).

The main duty of an SMSC is therefore to route SMS messages and regulate the process. For instance, if a recipient’s mobile phone is switched off, the SMSC is the one that stores the message and re-forwards it when the recipient’s phone becomes available. SMS centers are gradually being replaced by SMS routers that offer a more intelligent forwarding process apart from increased capacity.

When tracking SMS messages the main challenge is in the storage of these messages due to the high storage costs involved. Since it is not logical to retain these messages the other solution is to have rules that are triggered when certain conditions are met. These rules are located in sophisticated SMS routers and firewalls.

For instance, an SMS firewall/router can be programmed to filter messages from a particular origination to destination point. They can also have alarms that respond to specific content, for instance certain keywords such as kill, murder, gun etc. Another likely rule that can be implemented is where a spike in SMS traffic from a certain known political hot-zone can trigger an alarm that initiates SMS message monitoring and retention.

Once these rules are triggered it would then be possible to segregate these messages for onward investigations. It would then be easy to store and determine the details of the sender and recipient such as phone number and last known cell location.

Investigating Hate E-Mails
E-Mails (or electronic mails) are text messages sent through a computer network to a specific individual or group. These messages used to be sent from one computer to another. Nowadays the writing and transmission of these messages includes other devices for example the mobile phone and the television.

Sending hate e-mails is fraught with danger because tracing an e-mail is possible. E-mails are composed of two parts, a header and the body. An e-mail header contains information about the email’s origin for example who sent it, where it came from and the path it took. This can roughly be compared to the stamped envelope from which you can tell where a letter came from. The body of the e-mail contains the message that you read.

The header is very useful in tracking the origin and sender of an email, even if the sender might have forged various aspects of it. Since the header is a detailed log of a message’s history, investigators usually commence investigations here.

If you have a Yahoo account you can view headers of e-mails you have received by opening any e-mail in the Inbox. Scroll down to the bottom of the page. On the bottom right you will see a link titled Full Headers. Click on it once. The page will immediately rebvert to the top and you will see a list of common headers for example X-Apparently-To, Return-Path, X-Originating-IP and many others.

All these headers can assist in tracing the origin of an e-mail. X-Originating-IP, for example, indicates the IP address of the computer on which the e-mail originated. Internet Protocol (IP) address is a numerical label that is assigned to a device that is in a computer network.

Once you have an IP address, from an e-mail header, you can use various websites like LookupIP, that can indicate the service provider and location of that IP number (the sender).

Of course, much more work is needed thereafter to nail the offender but with this as a starting point it won’t be impossible to put a face behind that hate e-mail.

Conclusion
During this period of intense political activity, sending hate laced SMS messages and emails will be a very risky venture. The Government however needs to do more than threaten potential broadcasters of tribal hate. They should build capacity to investigate and prosecute these perpetrators. The legislative framework is now in place. What is lacking is the investigative capacity. A fully fledged High Tech/Cyber Crime Unit of the Kenya Police should be formulated and equipped to handle this nefarious form of crime.

HATE MESSAGES

A list of 1,700 phone contacts of various Kenyans was compiled by the government after the 2007 post election violence. These are the people who created and forwarded hate messages meant to incite people to tribal violence. Prosecuting them was not possible, then, due to the absence of a legislative framework.

The Kenya Communications (Amendment) Act, 2008 refers to an offensive message as a message or other matter that is grossly offensive or of an indecent, obscene or menacing character. Where a text is offensive, the sender becomes liable to a sentence of up to three months or a fine of up to Shs 50,000.

Cyber and conventional crime share a fundamental concept; evidence is a primary determinant of innocence or guilt. Locard’s exchange principle applies to the real and virtual worlds. This principle is applied to crime scenes and states that when the perpetrator of a crime comes into contact with the scene, he/she brings something into scene and leaves with something from the scene. Every contact leaves a trace. Every e-mail or SMS sent leaves a trace.

The Penal Code makes it criminal for anyone to use threatening, abusive or insulting words or engaging in provocative acts or breach of the peace.

DO YOU KNOW HOW TO PROTECT YOUR E-MAIL?

E-mails are no longer the novelty they used to be a few years ago. Apart from enabling social communication, e-mails have also become integral to businesses. Environmental concerns have also contributed to the commonality of e-mails. In an effort to conserve the environment computer users are exhorted to use e-mails instead of paper correspondence. All these factors have contributed to the acceptance of electronic messaging.

We have gotten so used to e-mailing that we send them across an insecure internet without a second thought. We attach private testimonials, sales figures, marketing plans and other confidential files to our e-mails, hoping that no one opens them. Sending these unprotected emails is usually convenient in the short-term. However this insecurity can be very costly in the long-term.

Ensuring that only the intended recipients are able to receive your e-mails requires secure e-mail transmission technology. The average computer user can employ various solutions and one of the most effective is S/MIME (Secure/Multipurpose Internet Mail Extensions) that is installed on individual PCs. This is a protocol that secures your emails by using digital signatures and encryption.

By digitally signing an e-mail it is possible to prove who the sender of that e-mail was. However this does not stop anyone from reading it as it transits through the internet. Encryption then comes in handy by making sure that the e-mail is unreadable during transit. The signing works in tandem with the encryption and this makes it extremely difficult to intercept and read the e-mail.

For free to use web-based emails PGP (Pretty Good Privacy) is another appropriate solution for that ordinary computer user. It is a signing and encrypting software that works well with the popular browsers like Firefox, Mozilla and Netscape and is widely used for encrypting and securing e-mails. The fundamental difference is that it embeds with your browser.

Another solution would be to implement centralized encryption protocols that shift the encryption functionalities from the individual desktop to a dedicated e-mail gateway. An e-mail gateway is a server that connects two or more electronic mail systems and transfers messages between them. Encryption technology is integrated into these servers with other security components such as virus scanners and firewalls. This solution is however highly complex and expensive and would be unsuitable for the ordinary computer user.

Whichever security solution you opt for remember that e-mails are increasingly targeted by hackers nowadays.

DO YOU KNOW WHO OWNS THAT BUNCH OF KEYS?

Sometime in the not too distant past we used to lock secret office documents in metal file cabinets. The more powerful a manager the more keys that he or she used to carry and jangle. Juniors generally had only one key, the one that opened their desk drawer. Fortunately those days are long gone and that huge bunch of keys disappeared and no longer denotes seniority. However the concept is still with us albeit with an electronic twist. Instead of those physical keys we now have electronic keys which are passwords and seniority is denoted by the privileges that are assigned to these passwords.

The most widely known password with maximum privileges in hardware and software is the administrator. In databases it is the Database Administrator (DBA) and in a Unix platform it is the root. Passwords with these privileges are our modern bunch of jangling keys because where you are on the corporate hierarchy is directly proportional to the system password privileges you have.

Knowing how many of these privileged passwords exist and who is assigned to them is an information security priority for any organization. It is therefore important to conduct an inventory of these passwords.

With the existence of a multi-layered information technology framework in most organizations, conducting an inventory of these passwords is not as easy as it sounds. The starting point would most likely be the PCs which come with administrator privileges that can access the computer without restriction. Beyond that are privileged passwords for firewalls, servers, routers, databases, anti-virus programs etc.

The dangers and risks inherent in these privileged passwords cannot be understated. Anybody with the slightest interest can Google and search about privileged identities. It would then be possible to learn how to acquire them by using pre-written software scripts freely available in the internet.

Regulations, therefore, need to be implemented. In organizations where password regulations are absent, or lax, the IT security and audit departments are wholly responsible.

The best practice is to implement regulations that tie privileged identities to personal ones, and have the paper trails as a backup.

In sum, a security conscious organization should firstly conduct an inventory of the privileged passwords. Secondly any activity performed by these passwords should be tied to real-life individuals. These two aspects can be achieved by the use of automated software solutions that are readily available in the internet.

ARE YOUR COMPUTERS PART OF A BOTNET CONSPIRACY

Cyber-criminals in Kenya are very much in tune with global criminal trends. The perpetrators of cyber-crime can generally be loosely divided into two categories. The first one consists of traditional crime organizations that have discovered that cyber-crime can be lucrative. These traditionalists have an established hierarchy and can be national or global depending on the availability of computer skill sets within the organization.

Cyber-crime to these traditionalists is another revenue stream like kidnapping, burglary, mugging amongst many others. The form of cyber-crime that these traditionalists engage in includes credit card skimming, identity theft and general fraud. Good examples, in Africa, are the Nigerian criminal organizations whose cyber-crime tentacles undoubtedly reach into Kenya.

The second group consists of skilled hackers who initially get together for other reasons apart from money. The initial motive might be to share technical knowledge but with time the collective goal translates into obtaining money illegally. This group is loosely structured and engages in technically demanding cyber-crimes for example hacking, denial-of-service attacks, coding of viruses and others.

There are a number of cyber-crimes that are perpetrated by both the traditionalists and the skilled hackers. One of them is the creation and control of botnets.

Botnets, also called bots, are malicious software programs that are loaded on a target system unbeknownst to the victim. This malicious software is installed through viruses like Trojans. Once a computer is infected with a botnet virus it is controlled through the back door. Infected computers are then controlled to distribute more malicious software such as keyloggers and forward transmissions such as 419 scams and spam.

Businesses have to be aware of botnet attacks because these attacks can spread like a pandemic across an organization. They therefore have to consider a botnet attack when evaluating risk. There are various ways businesses can protect themselves from these botnet attacks. They should participate in information sharing with law enforcement agents so as to better understand these threats. Secondly they should conduct stringent employee background checks. This will reduce exposure to criminal activity from inside.

Businesses should also implement a combination of detection, incident prevention and management. This means sensitive data should be secured with need-to-see access. Separation of duties should be enforced and strong authentication mechanisms employed.

The internet is simply a new medium to commit old crimes and botnets are a new vehicle. Botnet crime is a serious threat and local businesses should protect themselves.

HAVE YOU LEFT YOUR BACKDOOR WIDE OPEN?

We all know what a backdoor is. If you live in a house with a backdoor you will understand the concept of locking it before leaving the house. Going back to make sure it is locked is normal. This is because an open backdoor ranks very high as a serious security vulnerability in the home. This same concept applies to the computer.

In computing, a backdoor (or trapdoor) is an undocumented way of gaining access to a program, online service or computer. This access is achieved by the use of hidden software tools to bypass security controls thereby allowing unauthorized access. Common software tools used in backdoor attacks are spyware and Trojans.

A frequent method of the backdoor attack can be found in emails where spyware is attached to innocuous looking attachments. Once you open the attachment, spyware is immediately downloaded. It then proceeds to sniff out installed firewalls in your computer or network. Once it recognizes a firewall, it attacks and disables parts of it. This allows an unauthorized remote attempt to access that particular computer or network.

Backdoors should be a special security concern for Kenyan companies. It is common knowledge that many IT employees usually have backdoor access to their former employer’s data and systems.

The IT sector in Kenya is as volatile as any other and employee turnover is quite high. This is bad news for employers because protecting sensitive company data becomes harder where former IT employees are concerned. Procedures and policies have to be constantly developed and refined to safeguard the company against backdoor attacks by former employees.

The responsibility for protecting a company’s digital jewels ultimately lies with the top management. However the first people who should come under serious scrutiny where backdoors are concerned are the IT security staff. It is their job to ensure that any employee who had privileged access to company data does not leave the company with a backdoor open.

In the past when everything was committed to paper you would find strong metal cabinets or safes in the office in which files were locked. Nowadays everything is digital but it still needs to be locked away in a digital vault. Forgetting to lock the backdoor to this vault is bound to happen and someone should constantly be going back to check whether it is locked.

IS IT TIME TO ACCEPT IDENTITY MANAGEMENT?

This week we shall continue describing what identity management is. Last week we noted that Kenyans who use plastic cards (ATM, credit/debit cards etc) are currently enjoying pseudonymity. This is where privacy has been guaranteed because local companies do not share identity information between themselves. Another important aspect we discussed was the fact that local companies should adopt Identity Management as a conscious response to the increasing risks associated with identity theft.

The main objective of Identity Management is to establish trust by ensuring that eligibility between two transacting parties is accurately determined before transaction commences. This means that a company should be able to verify that you are who you claim to be and that the credentials (username, PIN or password) you are presenting are actually yours.

A major fundamental in Identity Management is biometrics. In information technology, biometrics refers to the technologies that measure and analyzes human body characteristics, such as fingerprints, eye retinas/irises, voice or facial patterns and hand measurements. These characteristics are measured to aid in identification and authentication. Biometrics has always been part of identity assurance. It, however, has limited usage in Kenya.

Using biometric characteristics in ATM transactions would, for instance, go a long way in mitigating the risk of fraudulent withdrawals. The use of biometrics has however been controversial. Civil liberty campaigners protest that invasion of privacy occurs when these characteristics are widely adopted.

While this claim cannot be dismissed, the benefit of using biometrics in identity management far outweighs the risk of non-use. In this regard a distinction between biometric images and biometric templates must be understood.

A biometric image is a copy of the biometric. A fingerprint image which has been scanned and stored in a database is a copy of the original. A biometric template, on the other hand, is a one-way mathematical function that describes key characteristics of a biometric image. A fingerprint template will, for instance, describe the key attributes of the fingerprint and these key attributes are the ones used to determine a match.

Therefore, the main difference between a biometric copy and the template is that an image cannot be reconstructed from a template. This means that if you have the template you do not have a copy of biometric and cannot reproduce the same.

It is therefore not possible to breach privacy because reconstruction from a template is impossible. This therefore deflects the main argument that privacy is at risk when biometric features are resident in company databases.

Companies should therefore embrace biometrics aggressively as an active component of their Identify Management policy.

HOW CAN COMPANIES DEFEAT IDENTIY THEFT?

When was the last time you counted the number of cards you carry around with you? You would be shocked at the identity, bonus, credit, debit, ATM and other plastic identifiers that line up our wallets/purses. These cards identify and authenticate us at various transactions be they an ATM withdrawal or a purchase in your local supermarket. The common thread in all these transactions is that every time you transact you give away some more of your personal data.

The interesting fact is that these companies you transact with cannot prove that you are who you claim to be. The supermarket you bought your groceries from in Kisumu, when using your credit card, does not have a mechanism to verify that you are the same person who used a debit card to purchase an airline ticket from a travel agent in Nairobi.

This means you are enjoying pseudonymity. This is where you are guaranteed a degree of privacy because your identity information is not shared between the companies you transact with. Whereas this might be good news for you, this situation presents a security risk to companies.

This absence of data sharing or matching, between companies, means that they are prone to identity theft and abuse. A response to this risk is the establishment of credit reference bureaus who attempt to establish a relationship between these disparate commercial entities. This process, as an end in itself, is however not error free and is expensive. It is at this point identity management gains relevance.

Identity management seeks to establish the eligibility of each individual to conduct a transaction, and to assign the limitations of liability in the event of a failure. Eligibility is assured when databases are interconnected so as to determine a few fundamentals.

The first is establishing who you are. Whether you can be found in various databases as the same person you claim to be. The second fundamental is determining whether you are a unique person within a database. If you use your credit card to pay your hospital bill for the first time the Hospital Management System should be able to pick this up and use further eligibility criteria to ensure accurate identification.

Lastly eligibility is assured when it can reliably be proven that you are the legitimate holder of the credentials you have presented for a transaction. This can, for example, be achieved by using biometrics in tandem with a credit card.

HOW CAN YOU DEFEND YOURSELF FROM A CYBERWAR?

Recent reports in mainstream western media have indicated that Europe and USA are bracing themselves from a surge of cyber-war attacks originating from China.

Information security has now become a national security concern. Understanding how a complex national IT system can be protected and defended is crucial because some of these lessons can be applied at both the individual and corporate level. There are however three fundamentals that should be grasped first.

The first fundamental is the fact that a complex IT, or cyber system, is any network with more than two interconnected computers which are accessible to any number of human users. Most of these networks (in schools or companies) are invariably connected to other computers in Kenya and the world. This means that your information security headache becomes a cyber security migraine once your computers are connected to the internet.

The second fundamental that must be comprehended is that no system can be made invulnerable to attack. Total security can never be guaranteed in both the physical and digital contexts. This is because the attack space is infinitely larger than the possible defense space. Sophisticated firewalls, biometric access features and standard operating procedures can be implemented and religiously maintained. These measures can be shattered by a social engineering phone call targeting users who carelessly release sensitive information (e.g. passwords). Nobody can wholly defend the digital space they occupy.

This brings us to the third, and last, fundamental. A complex IT/cyber system can only be defended by a dynamically stable and robust defense. This means that your overall defense strategy must be based on agility and flexibility. A good example of dynamic defending is applying profiling and matching as part of your security posture.

Profiling is observing and recording the behavior/modus operandi of an attacker with the aim of identifying and rectifying vulnerable system points. Computer matching involves the computerized comparison or two or more automated systems of records or files. An example of matching is where the national ID number of a person is used to search various databases for information and data elements linked to this unique ID number.

The application of a dynamic security framework will of course include more technological security measures but the outlined three are the most critical. Securing an IT system is not an event. It is a continuous process that requires fleet-footed defense frameworks.

WHO EXACTLY IS THE INFORMATION TECHNOLOGY SECURITY MANAGER???

By this time many regular readers of this column will have learnt that information technology security is increasingly becoming a serious concern for many Kenyan companies. This is because information has become a valuable currency that sustains businesses.

Access to timely information of a high quality can mean the difference between survival and bankruptcy of a business entity. Ensuring information is secure cannot therefore be overemphasized.

A company’s information technology infrastructure consists of people, processes and technology. These three elements have to be managed concurrently if data security is to be achieved. This task is usually left to the IT Security Officer/Manager. This is a mistaken notion because the IT Security Manager is ultimately you.

Every employee with access to data in a company is often considered one of the greatest risks. The presence of policies, frameworks, risk management solutions and other security features is usually defeated by the lack of personal responsibility on the part of employees. Information security tasks should therefore be carried out by each individual.

Companies have in the recent past increasingly become more dependent on Information Technology. The potential damage that can be caused by a security breach is severe at the very least. This means that if employees play their parts then the whole becomes more secure.

We should therefore have management and staff adopting a more active role in the adoption and implementation of security measures. To be able to achieve this, the roles and responsibilities of each employee, in relation to information security, should be clearly outlined and communicated across the whole company.

Apart from this, management should keep security policies and documents updated and current. This would assist employees adopt best practices that are at tandem with the ever changing tactics of hackers.

To effectively empower the employee the company should develop a programme for training on security awareness for all staff. This programme should target all irrespective of whether they are computer users or not. To ensure this sensitization effort succeeds it should be continuously adapted and improved on the basis of the feedback received from the employees.

Security managers are therefore everywhere and more personal responsibility on the part of company staff should be encouraged by management in companies that rely on information technology for operations.

DO YOU KNOW THE TOP FOUR DATA SECURITY RISKS IN YOUR COMPANY?

Ensuring information is secure in a company is challenging at the best of times. The risks are numerous and fluid. The impact of an information security breach to a company is subsequently high. Today we shall identify and outline the main information security challenges a company faces and how to deal with them.

The first common challenge is, not knowing who in the company uses what sensitive data. Not many organizations perform audits/inventories of sensitive data. An inventory should be initiated to develop a data flow map that charts sensitive data and employees who use the same. This data map will help in identifying the vulnerable points in your information infrastructure.

Another regular challenge is not protecting sensitive data appropriate to its value. Data generated and stored by any organization (or individual) has an intrinsic value. It is important for management to have a sense of the worth of sensitive data to the company. For example the recipes of a confectionary company can be considered very sensitive. It is therefore prudent to conduct a data asset valuation that evaluates and determines sensitive corporate data. It is then possible to apply justifiable information protection resources to these data.

The third challenge is the propensity of companies to embark on redundant information security compliance projects. Data security regulations are developed and implemented by various regulatory bodies for example the Communications Commission of Kenya (CCK). To reduce redundant compliance efforts it is crucial to develop a regulatory compliance grid. This grid indicates which specific data elements/databases are covered by information security regulations. The grid will facilitate the focusing of resources on protecting the really important data for example credit card data.

The final difficulty is the implementation of simple annual security awareness programs. Most companies conduct these programs to show their employees/contractors that they are serious about information security. Questionnaires are distributed; sensitization talks conducted and expansive warnings are dispensed. This is not enough. An information protection testing program should substitute these awareness programs. The main objective of protection testing programs is to test the data handling procedures and policies in the organization. Samples of employees/contractors who handle sensitive information should be targeted.

Identifying these common challenges is necessary for any information security conscious company.

DOES THIS EQUATION HOLD TRUE: POSSESSION = CONTROL = SECURITY

There is an interesting equation that bedrocks most security frameworks. It states that possession = control = security. The fact that you possess something means you control it and is therefore secure.

If you own a commodity controlling it is possible. This control automatically allows you to develop and implement measures that will secure it from theft. This premise is valid when you apply it to tangible possessions for example cars or jewelry. It however becomes a slippery principle to hold onto where information is concerned because determining the possessor of information is not as clear cut. When distance exists between the info-owner and the custodian then the fundamentals change. This is because when your credit card and other personal details reside in some far away corporate server, ownership of the same is translated differently.

If a company outsources its data functions and uses a remote data centre then some ownership concerns arise. The main fear is that the company’s information is being processed somewhere else and so the aspect of owning, controlling and securing their own data is no longer in their hands. There is also the question of the blurred boundary between absolute information ownership and custodianship. For instance does your bank (through their database) own your personal details by virtue of storing them or do you have a right to claim ownership.

This question is best answered by the element of custody. Information is usually kept by third parties and they are the custodians. This does not mean that they are the owners of the information because transfer of custody does not equate to transfer of ownership in the info-context. Even if your personal details are located in distant servers owned by Mashada or Yahoo, that information is still yours.

These data providers are merely custodians of your info-property. It is also important to understand that the responsibility for ensuring your information is secure is shared equally between you, the owner, and the custodian for example Yahoo. The final essential is that the responsibility for ensuring that the custodian secures your information lies with you - the owner. This essential is applicable irrespective of the geographical distances involved.

In sum the equation applies to information with a small tweak. Custodianship/Possession = Control = Security.

YOUR BLOG IS AS VULNERABLE TO ATTACK AS OTHER WEBSITES

A blog is an online journal on any subject maintained by a blogger. The word blog is actually a contraction of the term weblog and the writer is called a blogger. We have many local bloggers who write on subjects as varied as farming to tribal architecture. The popularity of these blogs has increased in the recent past and they have become the de facto sources of social, political and economic information that would never be published by mainstream media organizations.

Popular Kenyan blogs include bankelele, a blog that provides valuable insights on our economy. Kumekucha is another popular blog that presents a no holds barred political analysis of Kenyan politics.

Blogs are however not immune to hacking attacks due to their power to shape and sway public opinion. Various Kenyan blogs have been attacked and local bloggers need to secure and protect their blogs. You might be a budding blogger yourself and you will need to implement a few security features before you blog away.

You should first protect your blog username and password. This is like stating the obvious but blog passwords are valuable to identity thieves out to impersonate a blogger so as to damage his/her reputation. You should ideally have a unique login credential for your blog that is different from your email account and other websites you visit.

Backing up your blog is another good way of securing your content. Most blog hacking attacks are usually out to deface the blog with offensive content. A hacker who can penetrate the blog server can also delete the contents of all blogs that are hosted in it. Periodically backing up your blog makes it possible for you to re-post your articles immediately thereby retaining your readership.

Sometimes we get too busy to update our blogs and they slowly die after a few months of neglect. The danger of not regularly updating your blog means that you can have old vulnerable blogging software that can be used to penetrate the blog and your computer. At the very least you should frequently update the version of the blogging software so that security patches can be up-to-date.

Finally choose your blogging host carefully. Use a responsive and helpful host company so as to save you considerable ache when things go wrong.

IT IS TIME YOUR BUSINESS HARNESSED THE POWER OF SOCIAL NETWORKING

Online social networking is widely defined as people having conversations through a range of digital communication tools such as Facebook, Linkedin, Twitter and others. Facebook, for example, has become the rage in Kenyan secondary schools and colleges. It is estimated that 417 million people use a social networking site globally. The reach of social network sites is therefore undisputable and businesses (especially small firms) need to wake up to their potential.

Googling for the best deal is a common practice among online shoppers. Maximizing visibility in these search engines is the best way a business can stay ahead of the competition. A local online business needs to get noticed by the increasingly growing number of online Kenyan shoppers. By using social networks it can build an online reputation that can ensure prosperity in the digital marketplace.

A small business can build an online reputation by using social business networking tools like blogs, wikis, bookmarks and discussions boards in these social network sites. These tools would enhance the relationship between a business and its customers by, for example, offering dedicated customer support. Customers can seek clarifications, report problems and suggest solutions through a blog located in Facebook. This online interaction is distinctly lacking in Kenya because businesses use their sites as static adverts that don’t offer any facility for interaction with customers. However some are catching up and a good example is Mama Mikes blog (http://www.mamamikes.com/blog/?cat=10).

Another way social networking can be used by businesses is through Search Engine Optimization (SEO). Getting noticed is the first fundamental step in been able to compete online. Customers use search engines to identify companies and websites that offer the services/products they are looking for. The high traffic of social networks ensures content is constantly refreshed and links to other sites are built. This activity subsequently improves the search engine ranking. This ranking is simply the order in which sites are listed after a search. A high ranking is achieved by a good SEO which can be driven by the high number of in-bound links found in social business networks.

There are many more ways of harnessing the power of social networking sites for your business which we cannot exhaustively list. However my attempt at getting examples of Kenyan companies who have a presence on Facebook was difficult. If you know of any local firm in Facebook please send me its web address so that we can examine the potential and risks of local firms using social network sites, with examples, next week.

THE CHAIN OF CUSTODY SHOULD NEVER BE BROKEN

Last week we looked at the hash Function. This is a set of instructions that turns a variable-sized amount of text into a fixed-sized output number or single integer (hash function). We saw that hash functions are used to ensure the integrity of digital evidence. The use of hash functions is an integral concept in computer forensic investigation. Without its use digital evidence can easily be contested in a court of law and determined as contaminated.

Today we look at another pillar of computer forensic investigation. This is the chain of custody.

Evidence is at the centre of any computer investigation because it is used to support legal proceedings. This digital evidence is however inherently volatile and susceptible to damage or corruption. A simple act of switching on a seized computer can trigger software code that erases all the contents of a hard disk. It is not uncommon to hear that crucial digital evidence was contaminated because an over-zealous investigator briefly switched on the computer just to “check” what was in it.

The fundamental point in the handling and investigation of digital evidence is documenting the activity relating to its seizure, examination, storage, or transfer. These activities should be scrupulously documented and the documentation should be available for review at all times.

This chain of custody ensures integrity of the evidence through a paper trail that details the whereabouts of all evidential sources during custody. It, for example, documents the circumstances, place and state of a laptop that was seized for investigation. The chain of custody goes further and details all individuals who have had access to the seized laptop (or evidence), what they did with it, how they did it and their findings. This documentation ensures that a seized media has not been corrupted or compromised following seizure.

Adhering to the chain of custody requirement combined with the application of the hash function guarantees the integrity of evidence. This ensures that crucial digital evidence is not tossed out of court because it was contaminated by the presence of a gap in the chain of custody timeline.

LET THE EVIDENCE SPEAK FOR ITSELF

Crime involving technology is increasing globally every year. In Kenya, corporate organizations are the most impacted due to their early automation. Tech savvy crooked employees are now able to use new methods, through technology, to commit traditional fraud.

This fraud is part and parcel of an organization’s risk profile and for it to be resolved a forensic investigation has to be conducted. This investigation attempts to reconstruct the crime scene and analyze the audit trail of the suspects. The motive is to ensure that any evidence can be identified and used to support any legal proceedings.

What is interesting is that digital evidence is increasingly becoming more prevalent and critical within a wider range of criminal and civil cases. These include rape, murder, assault, divorce, employment disputes and child abuse cases.

This means that lawyers in modern Kenya will have to acquaint themselves with the core components of digital evidence. One of the most important ones is the verification hash function. A hash function is a set of instructions that turns a variable-sized amount of text into a fixed-sized output number or single integer (hash function).

Hash functions are used in creating digital signatures or hash tables that are used for analysis and verification purposes. In simple terms, text or pictures which have been classified as evidence are assigned a hash function (or number) so as to prevent evidence contamination.

This hash function is important when a forensic ‘image’ of the hard drive or storage device is taken. This ‘image’ consists of an exact byte-by-byte copy of all data.

As a rule forensic investigators do not analyze the original device and its data. Investigators use copied ‘images’ of the storage device. At the start of forensic copying a hard disk or any other storage device is assigned an acquisition hash function. Once the evidence has been forensically copied (or imaged) the evidence is assigned a verification hash function.

The purpose of assigning these hash functions (acquisition and verification) is to apply a mechanism to confirm that the copied evidence is a complete and accurate copy of the data contained in the original device. It also confirms that if the acquisition and verification hash values match then no alteration of the evidence could have taken place. Integrity of evidence is therefore maintained.

It is this ‘image’ that forms the basis of any cyber criminal investigation and should be verified by any lawyer who presents or examines digital evidence.

HOW DO YOU SECURE AN EXAM

Early every year national exam results are released. We have become familiar with the joy and disappointment that attend these releases. The seriousness of exams is best symbolized by the media saturation at this time and when cheating is unearthed. Exam fraud has become the uglier flip side that reminds us how critical exams have become in modern Kenyan society. All manner of tricks are conjured up and applied to obtain exam content.

An exam’s credibility is proportional to the security applied at every stage. An exam that does not ensure that candidates are who they say they are and that their performance is based solely on their own efforts is worthless and derided by all.

It is now evident that the lifecycle process of examinations from formulation to exam results has become reliant on technology. Computers, servers, networks, sms messages and mobile phones are used at each stage. Technology therefore provides a risk that can contaminate the whole process. To compound this problem is the fact that many people are involved in each phase.

Content theft is the most popular method of exam fraud. This is where attacks on computers or exam setting centres are conducted so as to steal as much of the test content as possible. Due to the number of people involved in the process, exam content can be, and is usually, stolen by internal and external fraudsters. It is therefore prudent to create test items in a secure environment.

By using appropriate workflow management controls it is possible to track exam content through the development process. These controls can also be used to implement role-based access rights where exam setters have limited access to the content. These workflow controls can also be designed to allow as few individuals as possible to have access to the final examination that resides in a server/computer.

Another popular method of exam fraud is proxy testing where the exam taker gains an unfair advantage by using someone else to take their exam for them. This can be prevented by using biometrics to identify and authenticate exam takers.

Apart from implementing workflow controls to prevent content theft, forensic analysis software can be used to detect pass rates, unusual patterns in scores and other aspects. Analysis of exam results is vital in identifying anomalies and reducing the likelihood of examination fraud.

HOW SAFE ARE THOSE SOCIAL NETWORK SITES FOR YOUR BUSINESS

Social networking has recently become the in-thing. If you are not on Facebook, Twitter, Linkedin or MySpace then you are not connected (pun intended). Social networks have become all-pervasive and have become starting points for many a friendship.

These sites have however become a test for companies. Apart from contending with lost productivity, companies are also challenged by the security threat these sites pose to corporate data. This is because web-based attacks are increasingly coming from social network sites.

Spammers and hackers have discovered that they can distribute more viruses and malicious code through social network sites. If company employees are accessing these sites on their business PCs and laptops, then company data can be at risk. It is therefore crucial to sensitize employees on the do’s and don’ts of social networking.

Clicking on unknown/shortened links in a social network site can open you up to malicious attacks and breach company data security. These links are also called blind links where the destination website cannot be seen in the URL due to shortening. Bit.ly is an example of a web service which shrinks long URLs.

Another way to stay safe is to beware of fake friends. I am sure you heard this advice when you were a child, it is still relevant today. Cyber criminals are hijacking accounts and distributing messages to all the contacts in a hijacked contact book. By clicking on such a message from a fake friend you are led to an external site that downloads a Trojan in your computer. If you receive an unusual message from a friend confirm who the sender is before opening.

Setting strong passwords for a Facebook or Twitter account is recommended. These passwords should be changed at least every 30 days. Employees should also be encouraged to improve IT security by not leaving passwords on default settings when using these sites.

Any social network user should be careful not to share personal information when communicating online. Information such as postal address, date of birth, bank details and others can be pieced from different sites in order to steal an individual identity. This is possible if personal details are liberally revealed.
Investing in anti-virus software is a must. Simply downloading free anti-virus software only saves you in the short term but once your computer is infected it can cost a fortune to fix.

BEWARE VIRUSES THAT CAN DESTROY YOUR LIFE AND REPUTATION

A computer virus is a malicious software program that infects computers. Some viruses are harmless invaders that introduce themselves with a nuisance message on the screen. Others damage computer programs, delete files or reformat the hard drive and crash the computer.

The impact of computer viruses is usually not fatally personal and we find it hard to fully appreciate their harmful effects. They are perceived as nuisances that cause work disruption at most and cause minor inconveniences at the least. Most times it is the corporate, not the individual, that is left to grapple with the attendant losses of a computer virus infection.

This however is about to change. Computer viruses are mutating and becoming more personal. Viruses today are now capable of putting illegal content on your computer leading to the risk of being arrested for serious crimes you never committed.

It was recently reported that there is a virus that plants child pornography, or any other type of file, on an innocent user’s computer. These viruses are used by pedophiles who remotely infect and use your computer to store child porn. This is so as to make it possible to access the illegal images without running the risk of being caught with them in their computers.

This scenario can however apply to any other kind of digital contraband material for example stolen credit card details, pornographic images, terrorism training videos or manuals on how to detonate improvised explosive devices.

These viruses are also able to redirect your web browser to sites you did not intend to visit. This will leave a digital trail between your computer and the web site(s) you inadvertently visited.

Computer forensic investigators are however able to determine how images got onto your computer and who was responsible for putting them there. It is also possible to tell the difference between someone who deliberately downloaded contraband images/material and someone who unintentionally downloaded the same because of a virus.

These viruses are not yet common but they exist and will propagate themselves once we enter the era of cloud computing. You can avoid infection by making sure that your operating system and anti-virus software are up-to-date.

MOBILE SPYING – IS IT PRACTICED IN KENYA?

It is relatively hard to tap and spy on mobile phone calls using traditional cracking and hacking techniques on the wire, but since cell and mobile phones contain more computer power than earlier, some software vendors have introduced applications to overcome the fairly hard problems related to wiretapping directly on the wire data transmissions.

BlackBerry spy software works by secretly recording BlackBerry cell phone events such as text messages sent and received, emails sent from the BlackBerry, and the phone's call history logs.

Have you ever wondered where your second half is going when they say they are going for a safari, or perhaps when you try to call someone, and they are not answering their phone, do you wonder where they are? If you do then you should get a cell phone tracker.

There are a group of researchers who have initiated The GSM Software Project. They aim to develop to share information and get others to collaborate on developing a scanner that can eavesdrop on GSM phone calls. The goal is to make an under $1,000 (USD) device and share information on how to build it. This project bears watching, simply because if relatively low-cost GSM scanners become available, it would definitely create a new threat model for GSM phone users.

MOBILE SPYING – IS IT PRACTICED IN KENYA?

Mobile phones are used for a variety of purposes, including communication, entertainment and conducting business.

The acceptance and permeation of this technology in Kenya has been unprecedented with over 10 million mobile phone subscribers been registered in the past few years.
No other device in recent history has become more ubiquitous and pervasive as the mobile phone.

The year 2009 proved to be a technological watershed for mobile telephony in Kenya. Various unique developments occurred in the Information Communication Technology (ICT) sector that had a direct bearing on the mobile sub sector.

2009 also saw mobile telephony further embed itself in our social fabric. M-Pesa has entered our everyday lexicon and its run-away success has come to symbolize our increasing dependence on mobile telephony.

The mobile phone has inexorably intertwined itself to our lives as can be attested by Mobile Banking. You can never leave home without a mobile and anyone who doesn’t possess it is disparaged as a simpleton.

Mobile Security
Data security in mobile devices has therefore come into sharp focus due to the rich data hunting ground provided by the increasingly powerful mobile phones we carry around.

Mobiles have evolved into miniature computers with all the attendant functionalities and weaknesses that exist in the computing environment. This is the most important point to grasp if you are to understand how a mobile can be bugged.
Various vulnerabilities exist in the Short Message Service (SMS), Voice and Bluetooth mechanisms of our mobile phones.

SMS
Apart from voice, the most commonly used data application on mobile applications is SMS text messaging. It is reported that over 74% of global mobile phone owners are active users. It is also very lucrative considering that such a high percentage of global mobile phone owners are active SMS users. This makes it a logical starting point for any spy.

Programs exist that can turn your mobile into a bugging device. Short messages are sent using a protocol (rules determining the format and transmission of data) supported by an SMS center (SMSC) which forwards messages sent from a mobile to the destination.

These protocols have flaws which can be exploited to introduce a Trojan horse into your mobile. One such weakness is found in the service SMS.

A spy only requires your mobile phone number and sends off a service SMS. A service SMS is used by phone operators to update software on phones. These updates can vary from routine tweaks to an overhaul of the phone’s internal systems. These service SMS messages are, however, never challenged by the phone to verify whether they are legitimate.

It is therefore easy to pose as a phone operator and send a Trojan virus which never registers in your inbox. You will never hear a sound or see any indication that a Trojan has been installed. The Trojan is then used by the spy to listen to all your mobile phone conversations and read all your SMS text messages. You can Google Rexspy for more details.

Voice
Voice tapping used to be very simple in the days of analog cellular/mobile phones. With a simple radio scanner it was possible to eavesdrop on wireless phone conversations. The switch over to digital technology greatly reduced this vulnerability because digital protocols like GSM were able to use encryption to secure conversations.

It is therefore considerably difficult, but possible, to intercept and eavesdrop on digital cell phone conversations The equipment to do so is quite costly and telecom providers, government intelligence, law enforcement agencies, and some unethical corporations engaged in industrial espionage, tend to be the only ones who have access to such sophisticated equipment.

However there are software products out there that enable call interception which is the ability to secretly listen into a live phone call on the target’s cell phone.

To do this, you simply specify the numbers you are interested in and when any calls to or from these numbers occur on the target's cell phone, the software will send a secret text message to your cell phone. Once you get notified that a call is being made, you then call the target's cell phone, and you will be added to the live call.

The main shortcoming in these products is that there is no way you can install this kind of spy software without getting access to the target phone. So think twice next time you leave your phone at the gate of some embassy, company or government installation. Check out flexispy blogspot for further information.

BlueJacking
Bluetooth wireless communication systems are basic features on mobile phones, computers and other modern electronic gadgets. Bluetooth means that Bluetooth enabled devices can send things like phonebook/address book contacts, pictures & notes to other Bluetooth enabled devices wirelessly over a range of about 10 meters.

The Snarf attack, also called bluesnarfing, is a Bluetooth-enabled hacking technique that allows hackers to access another Bluetooth device without the victim's knowledge. This attack is similar to bluejacking and raises obvious concerns similar to where the spy gains access to the victim’s phone book, missed, received or dialed contacts. It is also possible for the attacker to use the phone’s commands through their own phone.

Conclusion
Our mounting dependence on mobile telephony will in the near future expose us to the risk of mobile spying. It is important to educate yourself on the inherent vulnerabilities that are found in this technology. This is the only way you can mitigate against the mobile telephony risks that we are getting exposed to.

CLOUD COMPUTING AND ITS SECURITY IMPLICATIONS

There has lately been a lot of hype in the ICT sector about Cloud Computing (for brevity’s sake let’s call it CC). CC is a computing service from which an end user can subscribe to any of the offered ICT services. The term Cloud is used a metaphor for the internet because the computing services are accessed via the internet.

CC uses a pay-per-use model. It can be compared to as a utility service you constantly use, say for example electricity. You get the meter read every end month and you subsequently receive a bill for energy consumed. This concept also applies to CC.

CC is offered by providers (e.g. Amazon) and delivers common business applications online which are accessed from a web browser, while the software and data are stored on servers in huge data centers.

This brings huge economies of scale where the customers get software, infrastructure or applications (for example enterprise software) as an on-demand service cheap whilst the provider is able to capacity plan globally, taking advantage of time zones and other regional differences. Small enterprises would significantly benefit from the cost savings provided by CC.

However there exists an elephant in the Cloud room - security. Various concerns have been raised because many infrastructure-based clouds do not even have contracts between the vendor and the client stipulating security and continuity. Only Service Level Agreements and a monthly bill exist and if you do ever have a problem, the only recourse would be to re-locate to another provider.

Issues of security concerns that should be initially addressed include the following:

What levels of protection are in place to protect one customer from accessing another customer's data or application within a shared cloud space? Who will be liable for security breaches and how will the law regarding this in any one jurisdiction ensure compliance? How well will a CC provider integrate with a client’s security systems?

A client should also ask about the methods the CC provider is employing to protect data such as high physical security as well as what types of monitoring, intrusion detection and firewall equipment is installed in their data center.

It is expected that CC will be the wave of the future but this massive availability of resources and data within a Cloud will present a very attractive target for attackers.

HOW DO YOU DEFEAT A WEBSITE ATTACK

Last week we briefly outlined the way websites are targeted by cyber criminals. They are deliberately infected with malware that takes up control of your computer or mobile phone. Malware is a general term for software programs that have been designed with or can be used for malicious intent. These include viruses, worms and Trojans.

Legitimate websites can be infected with links to other web pages where malware is embedded. In a more sophisticated technique, scripts (programming languages) are embedded in websites that automatically download malware from other sources.

Another interesting technique is clickjacking. This is where a button or link is altered so that instead of the proper function executing when you click on it, malware is instead downloaded into your computer.

All these attacks can be countered. Firstly, it is advisable to use a browser that deliberately protects you from malware. Modern browsers will warn you if you accidentally access an attack. The browser will also tell you why it isn’t safe to click that link. Firefox is an example of such a browser that checks every part of a web page before loading it.

Using instant web site ID is also another safeguard. This is an option in browsers that allows you to check a site’s legitimacy before you make a purchase. By clicking on the favorites icon in Firefox you can get an instant identity overview. You will be able to determine how many times you have visited the website and whether your password is saved in it.

Using updated anti-virus software is a must. A competent anti-virus application will automatically check any file that attempts to conduct a stealth download. This will protect you against viruses and other malware which you could have picked up during a surfing session.

Finally, anytime a website asks for your personal information, for example credit card PIN, you need to identify whether the web page is secure or not. You should look out for a URL (web page address) with https. Normally, when browsing the web, the URLs begin with the letters http. However, over a secure connection the address displayed should begin with https - note the s at the end. Check also for the padlock icon somewhere in the window of the browser.

BEWARE THAT WEBSITE YOU FREQUENT

If there was any doubt on when we would finally embrace digitization then it was dispelled by the rapid TV digital switchover. Accessing the internet via the conventional computer monitor will soon be old hat. You will soon be able to access the internet through various ubiquitous devices such as your television, mobile phone, car, refrigerator and other common interfaces.

Local content will be widely available and we shall be surfing popular websites regularly. A good example will be the advent of programming on demand. This is where digitization will allow you to access Citizen TV, through your television, and download that episode of Papa Shirandula that you missed due to the recent matatu strike.

Websites will therefore become focal points for entertainment, communication and education. They will consequently be a battleground and will provide various opportunities for cybercrime such as fraud and identity theft to name but a few.

Websites are deliberately infected with malware (Trojans or spyware) that downloads itself into visitors’ computers. The malware then takes up control of your computer or device. The scope to exploit both the infected computer and its owner is almost limitless. It is therefore important to know how websites are attacked.

A web attack has three phases which every web surfer should know. The first stage of a web site attack is the decision. The attacker decides exactly why they would want to gain access to your computer or a business system. Acquisition of bank account or credit card passwords/PINs is a common motive.

The second stage is the hit. The attacker entices or compels potential victims to download the malware, after visiting the infected site. Malware has however become more sophisticated. This means that no action is required on the part of the web visitor to become infected. Instead a concealed malware program automatically installs itself on your computer simply as a result of visiting the infected website.

The third and final stage is the aftermath. After the malware has infected your computer or device it proceeds to execute the programmed instructions. It collects personal information, opens ports that allow the cyber crook to further access your computer, modifies settings and records your actions. The aftermath will expose you to fraud, blackmail or having your computer become a botnet that can be used to send spam or forward stolen data.

WATCH THOSE ONLINE DEFAMATORY COMMENTS

Cyberworld is an interesting place. You will find virtual libraries, gaming, blogging, photo exchange sites and social network sites among many others. One of the most popular sites in the internet are the virtual discussion forums and blogs.

They typically allow you to post your rebuttal or comments, anonymously or otherwise, on a myriad of social, political or economic topics. Some of these interactive sites are invaluable. Medical discussion forums allow someone to exchange vital experiences on ailments with others. Mechanical or electronic discussion forums assist in locating elusive spare parts and fixing problems that appear complicated. Political and social discussion forums like Mashada, YahooGroups, KenyaTalk and Jukwaa allow you to comment on any topic under the sun. Popular Kenyan blogs like Kumekucha generate a high number of comments and some are invariably defamatory and offensive. Therein lies the big risk of defamation.

Heated comments sometimes border on the defamatory which is defined as a false accusation of an offense or a malicious misrepresentation of someone's words or actions. We are well acquainted with our politician’s propensity to utter defamatory and derogatory remarks in public. How they get away with it is a topic for another day. What you should be aware of is that those defamatory comments you “anonymously” post on a forum or blog can be traced back to you. The Internet Service Provider (ISPs) have a role in this process.

With an application to the courts an ISP can be made to reveal someone’s IP (Internet Protocol) address. The ISPs usually absolve themselves from any blame by asserting that they provide a means of transmitting communications without in any way participating in them. This means they are mere conduits like the old postal company that delivers letters and packages. ISPs are therefore not liable for transmitting or temporarily storing defamatory comments.

They are however liable to some extent. When informed of the existence of these defamatory remarks an ISP is obligated to remove the content. If the ISP refuses to remove these comments then it can be regarded as a publisher and can subsequently be sued for knowingly storing and transmitting defamatory remarks.

As an online discussion forum participant you need to know two simple essentials. Your “anonymous” diatribes can be traced back to you through your IP. Many inflammatory comments are however made in public cyber cafes. This however does not fully protect the author of the same from been identified.

The second essential is that if you become an online victim of insults or defamatory remarks you can request an ISP to remove them. If the ISP refuses it becomes a publisher and legal action can be initiated against it.

ARE YOU A DATA CONTROLLER?

The time has come when we need to develop comprehensive legislation that protects our personal data. One of the major cornerstones of information security is the Freedom of Information Act (F.I.A) that should be enacted in Kenya as soon as possible.

Personal information is these days collected by various organizations. The loyalty cards in supermarkets gather our purchasing data and hospitals are crammed with electronic medical records. Educational institutions, banks, companies and the government have become massive repositories of personal information. These entities are called data controllers and under the F.I.A they have to comply with certain legal obligations. Personal information, in this context, is data about where you purchase goods or services, how these purchases are paid for, the delivery address for the same, your home address and names.

Before we outline those obligations let us expound further on who a data controller is because it could include you. A data controller is a title given to a person or entity (individual, company or organization) that decides why personal data is held and the way in which such data is dealt with. Any local company that holds personal data and uses it to do business is a data controller. That kiosk owner who keeps a record of customers who purchase on credit is also a data controller. If you hold a list of your friends’ addresses so that you can send them a Christmas card then you are, strictly speaking a data controller.

Data controllers in Kenya should be subjected to two main legal obligations once the F.I. A is enacted. They should first comply with the eight principles of good information handling. The data controller is obligated to: process personal data fairly and lawfully, obtain and process personal data only for one or more specified and lawful purposes, ensure that personal data is adequate, relevant and not excessive for the purpose or purposes for which it is held, ensure that personal data is accurate and, where necessary, kept up to date, ensure that personal data is not kept for any longer than is necessary for the purpose for which it was obtained, process personal data in accordance with the rights of the individuals to whom the information relates, ensure that personal data is kept secure and finally ensure that personal data is not transferred to a country that does not provide an adequate level of protection for the rights (in relation to the information) of the individuals to whom the personal data relates. These obligations if entrenched as a law would go a long way in protecting your personal information.

We shall outline the second legal obligation in next week’s article and examine the risks we individually and collectively face when our personal information is not protected by legislation.

ICT SECURITY IS A HUMAN RESOURCE ISSUE ALSO

A security consultant was conducting an audit in a local company one day. It was discovered that employees used to exchange numerous dirty images and they were clogging up the server’s hard disk. The company’s ICT policy forbade the exchange of unofficial e-mails that contain attachments.

It stated that this offence was dismissible. The Chief Information Officer (CIO) was informed and with the consultant they agreed to circulate an e-mail alerting everyone that personal e-mail boxes would be checked for unofficial e-mails/attachments. The advance warning was meant to see an immediate deletion of these emails. The response was typical. Employees immediately deleted the illegal material and a 50% increase in available disk space was obtained.

The security audit, nevertheless, continued and only one employee was caught with dirty e-mail attachments in his inbox – it was the CIO. At his dismissal hearing he was asked why he didn’t delete the images like all his colleagues. His response was that he did not imagine that his e-mails would be checked. This was a strange, but not unusual response.

A similar response was witnessed from a busy CEO of a medium-sized company. His job entailed constant travelling to branches in the country. Due to this he found it convenient to share his access credentials to the company’s systems with his Secretary, despite it being a dismissible offence. This fact was discovered during a security audit and he was promptly fired. His defense was similar to the CIO’s: he never thought the ICT policy applied to him.

These two cases illustrate that computer security is also a function of the Human Resource (HR) department of any organization. Controlling the technology absolutely is possible. Managing the employees absolutely is, on the other hand, not possible. Managing people is done by implementing procedures, standards and policies. Ensuring employees adhere to these structures is extremely difficult and this is where HR comes in.

People management has to be done in tandem with computer security. Its criticality cannot be overemphasized. HR has to be fully involved in the implementation of a firm’s ICT security policy. This is because information security has become so critical it has become a corporate and not an ICT departmental responsibility. The roles of HR are indispensable to ICT security in that it is HR that conducts the initial background checks, implements the umbrella employment policies and staff review processes. It is also HR that drives the termination process.

In a nutshell information security is usually a soft people problem rather than a technological one especially when you consider the impact of insider threats. People are the soft underbelly of any ICT infrastructure and the role of a HR department is to ensure that processes are in place to effectively manage them.

DO YOU TRUST THOSE PEOPLE WHO WORK FOR YOU

In any information security setting there is the elephant in the room that no one likes talking about. This is the threat posed by employees which is more commonly known as the insider threat. This threat is not new but it has recently gained more prominence in this recessionary period.

When companies are cost-cutting employees are thrown into uncertainty by impending down-sizing. This makes a company vulnerable to insider attacks. When the eventual layoffs begin normal controls are dispensed with due to work pressure, necessity and self preservation. Departing employees take away sensitive company information, especially ICT staff that are privy to critical information systems.

The insider threat has two participants: current and ex-employees. They both have intimate working knowledge of a company’s processes and operations. Current employees have legitimate and up to date access to the information systems. They can potentially leak corporate secrets, plant viruses and generally commit covert cyber-crime.

Ex-employees, on the other hand, do not have access to the company’s systems. They cause damage by changing passwords on departure or leaving logic bombs in the system. A logic bomb is malicious software that is left by a programmer that activates once certain conditions are met. For example an ex ICT staff can leave software that immediately deletes company sales files if his/her name or staff number is deleted from the payroll.

Controls are therefore crucial and need to be in place to reduce this threat. The first control is having a current and robust security policy that outlines the does and don’ts when using corporate information systems. This policy must be understood by all new employees. Consequences of ignoring these security policies should be internalized and constantly reviewed. This security policy should be signed by all employees so as to obligate them to good practice and usage of the systems.

Another control against insider threat is carrying out background checks before hiring employees. Stringent checks should be carried out to detect reasons for previous resignation or termination. Testimonials and academic certificates should be scrutinized for authenticity.

Separation of duties is another effective control. It eliminates the likelihood of employees colluding and circumventing controls. In this regard monitoring systems should be installed to flag any unauthorized activities. Finally all network access should always be revoked immediately an employee is terminated. Any company issued IT equipments should be returned and screened to prevent insertion of logic bombs into the corporate system.

This elephant is best dealt with immediately and professionally because it has fatally damaged many companies in the past.

WHAT DO YOU DO WHEN YOU BECOME A VICTIM OF IDENTITY THEFT

This is the third and final part of a three part series on Medical Identity Theft (MIT). Over the past two weeks we have defined MIT and outlined its various categories. We have also grasped that MIT is a cyber-crime that can kill you. Victims of MIT may receive the wrong medical treatment, discover their health insurance is exhausted or could become medically uninsurable. These are all serious consequences.

MIT is committed by various people. Just like other cyber-crimes, MIT is committed by Organized Crime. There are also the usual solo hackers. Other perpetrators can, surprisingly, be your own relatives and even medical staff for example doctors. “Bad apple” doctors have been known to rent their patients records to scammers.

Most people find out they are MIT victims through a myriad of ways. The most common one is receiving someone else’s bills. These bills are sent to you by your insurance provider. Another way is through demand notices from debt collectors or lawyers. If you receive demand notices from a hospital lawyer and you are sure you haven’t received the claimed medical services, then you are a victim of MIT. Indicators of MIT can also be found in your medical credit card reports and through notification by your insurance provider or law enforcement agency. You can also know you are a victim of MIT at the worst moment, when you are in a medical emergency and obvious discrepancies are discovered in your medical file.

How then can you protect yourself against MIT? You should review all medical bills, notices and statements very carefully. The statements we get from hospitals and health insurance providers usually run into many pages. Despite this you should go through them stringently.

It is obvious that Kenyans face serious challenges in grappling with MIT. There is no government agency dedicated to help victims of MIT. There are also no enforceable rights that demand medical institutions disclose to you your own records. Our nascent police cyber-crime unit has yet to come to grips with with this problem.
The obligation therefore rests with custodians of medical records in Kenya. Hospitals, clinics, medical insurance providers, employers and any other entity that generates, maintains or retains medical records should disclose data breaches immediately.

Individuals must be informed directly anytime their protected health information is inappropriately accessed. If individuals are not notified of a breach, then they may not know that their medical files may be altered by criminals in ways that may threaten their health, impact their insurability, or cause other harm.

Data breach notification is the only option currently available before the legislative framework on disclosure and freedom of information is developed and implemented.

THIS IDENTITY THEFT CAN KILL YOU

This is the second part of a three part series on Medical Identity Theft (MIT). Last week we defined this lethal form of identity theft and outlined its various categories. For the sake of readers who missed the previous article we summed that medical identity theft occurs when someone uses a patient’s name and sometimes other parts of their identity – such as medical insurance information – without the patient’s knowledge or consent.

There are various motives behind MIT. The first one involves the use of a patient’s details to steal their insurance cover. The second one involves the creation of fictitious medical records to circumvent statutory requirements like immigration or employment regulations. The third one involves false and erroneous entries in victim medical files that result in the use of wrong prescriptions and where operations are erroneously conducted.

MIT is not just a crime against a health care system. It is a crime involving theft or abuse of identity information that has financial and other life-consequences for patients. Victims of medical identity theft may receive the wrong medical treatment, find their health insurance exhausted, and could become uninsurable for both life and health insurance coverage. They may also fail physical exams for employment due to the presence of diseases in their health record that do not belong to them.

Among the three categories of MIT, the switching of records or insertion of false entries is the most hazardous one. The possibility of your records being switched and thereby receiving medication or procedures that are totally unrelated to your ailment is a possibility which we should understand.

Hospitals should implement stringent security procedures in their Electronic Medical Records (EMR) systems. This is unfortunately not the case in most health institutions. You would be astonished how many people have access to your medical records.

Another common form of MIT involves impersonation. One case involved a patient who impersonated a cousin and gained hospital admittance. He ran up bills running into hundreds of thousands of shillings. This forced hospital administrators to require current picture IDs before admission. In other instances the thief can be your own doctor. There are doctors who defraud patients by billing their health insurance providers for fictitious consultations or treatment.

MIT is a form of cyber crime that has hidden itself very well in Kenya. Victims are often defenseless and at the mercy of bureaucratic red tape from health insurance providers and the pathetic Freedom of Information and Disclosure legislation in Kenya.

Friday, May 07, 2010

ARE YOU AWARE OF MEDICAL IDENTITY THEFT?

This week we shall begin a three part series on a serious form of cyber crime that can affect you and your family. It is medical identity theft.

We have previously discussed identity theft which occurs when personal information is stolen for unlawful purposes. The fraudster will use a false identity (yours) to commit a series of crimes, usually cyber based and financially related. ID theft has in most instances had financial gain as its motive. This has however evolved into a more sinister and damaging aspect where your electronic medical records are either stolen or switched.

Medical records have always being problematic in storage and retrieval due to their voluminous quantity. The advent of ICT has solved this problem in a radical way. Electronic Medical Record (EMR) systems have been developed and they simplified the whole process of updating, preserving and retrieving these records. The unfortunate flip side to this development was that our medical records were now more vulnerable
to theft and manipulation.

Medical identity theft has therefore become a major problem globally and in Kenya. It can cause great physical, psychological and financial harm to its victims. Yet despite its serious risks it is the least known and most poorly documented of all other identity thefts in Kenya.

It occurs when someone uses a patient’s name and sometimes other parts of their identity – such as medical insurance information – without the person’s knowledge or consent. The motive is to obtain or make false claims for medical services or goods.

There are various categories of medical identity theft that are underlined by their motives. The first one involves the use of a patient’s details to steal their insurance cover. The second one involves the creation of fictitious medical records to circumvent statutory requirements like immigration or employment regulations. The third one involves false and erroneous entries in victim medical files that results in the use of wrong prescriptions and where operations are erroneously conducted.

In relation to this we shall discuss the rights that we should demand concerning medical records. These involve the right to access your medical records, the right to ask for amendment of your medical records and the right to have a history of disclosures involving your records.

We shall also outline various ways you can protect your medical records. This involves being aware of medical identity theft, proactively requesting a full copy of your health care files from all providers, guarding your insurance and medical card numbers carefully and educating others about this crime and its various variations. Next week I shall describe the various forms of medical identity theft.

THE FIVE ‘W’s OF ANY INVESTIGATOR

Computer security invariably demands investigative skills from its practitioners. The basic premise, in both the digital and physical worlds, is that intrusions demand a reaction and this is in form of an investigation. There are obviously differences between investigating a house burglary and an online theft of credit card numbers. However there are five similar basic concepts that a cyber-crime investigator and a police detective have to abide by.

Before examining these fundamentals it is prudent to remind ourselves what is meant by the word investigation. It is a systematic, minute, and thorough attempt to ascertain the facts about something complex or hidden. Another definition states that an investigation is a detailed systematic search to uncover facts and determine the truth of the factors (who, what, when, where, why and how) of accidents. This definition outlines the fundamentals any computer investigator should adhere to if they are to investigate cyber crime.

The first fundamental is asking Who was involved. Knowing who might have been involved or contributed to an online breach creates the opportunity to gather more information and stitch a suspect profile. Knowing the types of people involved is also valuable when determining whether the breach originated internally or externally.

The second fundamental is asking What happened. All details that are relevant should be gathered, such as details that provide links to other information and/or that indicate necessary corrective action and/or that provide tracking evidence.

The third fundamental is asking When did it happen. The time at which a hacking attempt happened can reveal important elements in the evolution of the event. A hacker who consistently probes for network access points at certain times provides clues about his location.

The fourth fundamental is asking Where did it happen. The place of the actual event often reveals important facts. Which server was targeted, which data was copied and such facts often point to the motive of the attack.

The fifth fundamental is asking Why did it happened. Asking why should reveal new information on a level closer to the root causes. Asking why repeatedly often reveals new information that would otherwise not be uncovered.

The sixth and final fundamental is asking How did it happen. This is the core of the cyber investigation because how a cyber-crime is committed provides vital clues about the offender. For example an intruder that hacks your network behind multiple proxies (computers) and retrieves password protected logs reveals the technical expertise of the intruder.

For any aspiring cyber crime investigator these fundamentals should be guiding principles. They apply across sectors and professions that are the subject of any investigation.

IS MANAGEMENT SAFE WITH THOSE SMART PHONES???

In the not too distant past the only way you could distinct top management from the corporate troops was the laptop bag. This was a status and power differentiator. Management was issued with laptops which they lugged around with barely concealed pride. With time, laptops became affordable and accessible to most employees. Today management has a new differentiation tool – the smart-phone. If you are perched up there in the corporate ladder then you are issued with a company smart-phone.

These smart-phones are powered by Windows Mobile, Symbian, Apple and Blackberry operating systems. They are microcomputers in their own right and apart from being status symbols, they are useful business tools. These phones, for example, have data capacities of 2 gigabytes, meaning they can store over 2,500 emails and/or 3,500 medium-sized documents.

Their ubiquitous multi-functionality means top managers and business-people use these devices for commerce. They access company e-mails and applications on the go.

This raises serious issues of data protection. A stolen or lost smart-phone would be a treasure trove for any hacker even if it only contained company e-mails. These devices are not only being targeted by your run-of-the-mill criminal but more worryingly by cyber criminals.

Implementing security measures like encryption is a popular security measure but has limited success. Encrypting data on most smart-phones takes a lot of processing power with the result that most users get frustrated with seeing busy hour-glass icons and eventually just switch off the encryption or ignore it altogether.

Despite these shortcomings organizations are advised to implement encryption in their company issued phones. This will not stop eavesdroppers (something that is becoming prevalent in Nairobi) but will impede the cyber criminal from obtaining useful data from your stolen device.

Another pertinent aspect of company phones, apart from security, is liability. Who is responsible for their loss, data and hardware? It is arguable that since it is company issued and the data on it is there by company assent, then it is the company that is liable. This includes the Board and the immediate ICT managers.

The company should put in place appropriate technical and organizational measures to protect corporate data in these smart-phones. One of these measures is to make it mandatory for all employees with these phones to encrypt the data and ensure encryption is always implemented.

Company issued smart-phones will increase in the near future especially due to privacy concerns and work separation needs. Encrypted data will therefore be commonplace in mobile devices because it is safe data and is hidden from industrial spies and hackers. This is the immediate available course of action organizations should adopt if they are to secure their systems from remote break-ins.