Monday, January 30, 2012

GOVERNMENT WEBSITES AND SYSTEMS SHOULD BE ‘HARDENED’

Over 100 government websites were defaced by an Indonesian hacker in January 2012. This is a harbinger of things to come. As more organizations get online, hackers will test their hacking skills, and the government is a target like everyone else.

This incident informs us that government websites need to be hardened. The government should ensure that its websites are well protected from any intruder who might try to hack and steal data contained therein.

Apart from defacing websites, hackers usually move on to the next stage by attempting to penetrate the database(s) that sit behind websites.

Securing the data behind these websites is basic, but another fundamental is that this data should be encrypted. Most of the government sites that were defaced have a user login feature that allows authorized users to log in and, for instance, check their mail. This kind of sensitive data is what should be encrypted.

Government web developers should also make sure they are using the right coding methods. Web developers can unknowingly leave their websites at risk in various ways. One way is by leaving ‘open doors’.

An open door could be an administrator password that has been left as a comment in the source code. By searching the source for such comments, a hacker will be able to log in and access valuable data.
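As an added illustration (not code from the original column), a pre-deployment check a web team could run over its own page source to catch the 'open door' described above. The sample page, its credential values and the keyword list are constructed assumptions:

```python
"""Scan page source for credentials left behind in HTML or JavaScript comments."""
import re
from html.parser import HTMLParser

# Credential-like "key = value" inside a comment; the keyword list is an assumption.
CREDENTIAL_RE = re.compile(
    r"\b(?:pass(?:word|wd)?|pwd|secret|api[_-]?key|token|admin[_-]?(?:user|login))\b"
    r"\s*[:=]\s*\S+",
    re.IGNORECASE,
)

# JS/CSS comments: /* ... */ blocks and // line comments (but not the // in http://).
JS_COMMENT_RE = re.compile(r"/\*.*?\*/|(?<!:)//[^\n]*", re.DOTALL)


class _CommentCollector(HTMLParser):
    """Collect every <!-- ... --> comment together with the line it starts on."""

    def __init__(self):
        super().__init__()
        self.comments = []  # list of (line_number, comment_text)

    def handle_comment(self, data):
        line, _col = self.getpos()
        self.comments.append((line, data))


def find_commented_credentials(source: str):
    """Return [(line, matched_text), ...] for credential-like text in comments."""
    findings = []

    def add(line, text):
        if (line, text) not in findings:  # a JS comment nested in an HTML comment
            findings.append((line, text))

    parser = _CommentCollector()
    parser.feed(source)
    for line, text in parser.comments:
        for m in CREDENTIAL_RE.finditer(text):
            add(line, m.group(0).strip())

    for m in JS_COMMENT_RE.finditer(source):
        line = source.count("\n", 0, m.start()) + 1
        for c in CREDENTIAL_RE.finditer(m.group(0)):
            add(line, c.group(0).strip())
    return findings


# Constructed sample page; the values are placeholders, not real credentials.
SAMPLE_PAGE = """<html><head><title>Portal</title>
<!-- TODO remove before go-live: admin_user=admin password=example-only-123 -->
<script>
  // api_key = "sk-test-0000"  (constructed sample, not a real key)
  var endpoint = "https://example.invalid/api";
</script>
</head><body><!-- layout v2 --></body></html>
"""

if __name__ == "__main__":
    for line, text in find_commented_credentials(SAMPLE_PAGE):
        print(f"line {line}: {text}")
```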

Where you host your site is crucial in determining its security. Websites are hosted on servers. A ‘weak’ server is a vulnerability waiting to be hacked. Evidently the server on which the government domain is hosted was not secure.

This episode should be a wake-up call. As more and more Kenyans embrace the internet, the subsequent development and adoption of e-commerce will ensue. It will soon be possible to pay for government services online. Instead of going to a supermarket we shall be able to shop online and have the shopping delivered to our homes.

The monetary motive for sophisticated hackers to target our systems will then exist. Opportunity is already present because most of our websites and systems are not secure. This will leave many Kenyans vulnerable to online scams and fraudsters.

It is imperative that the Government takes up the gauntlet and develops a fully fledged High Tech Crime Unit in the Kenya Police. This unit should be the first responder and, more importantly, should aim at mitigating threats to our national ICT security.

Wednesday, January 25, 2012

Amnesty Period Expired on 15th December 2011.

Screenshot from buygenuine.co.ke

Microsoft Amnesty Period
Facts don't lie, counterfeit software is costly. Using pirated software can lead to a judgment that could close down your business for a violation of the law. This will damage the reputation of your business and cost you money.

Corporates that possess, use or deal in authorized software are liable to criminal and civil sanctions under the Copyright Act of Kenya.

To avoid criminal penalties as per the Copyright Act of Kenya, management and representatives of corporates must ensure that all software used by their company is compliant during an amnesty period that ends on the 15th of December 2011.
Issued by the Kenya Copyright Board.
______________________________________________________________________

Just a reminder... in case you can't afford the licences, you can always try Ubuntu.

http://icea.co.ke/ was hacked on 25 January 2012

Tuesday, January 24, 2012

DEPLOYMENT OF MOBILE PHONE JAMMERS IN PRISONS IS NOT ENOUGH

• In China the Education Department uses mobile jammers in schools during major exams. These jammers are used to prevent cheating. The objective is to prevent students from receiving calls or SMS messages from external sources outside the exam room.
• The main electronic components of a jammer are:
1) Voltage-Controlled Oscillator - generates the radio signal that will interfere with the cell phone signal.
2) Tuning circuit - controls the frequency at which the jammer broadcasts its signal by sending a particular voltage to the oscillator.
3) Noise Generator - produces random electronic output in a specified frequency range to jam the cell-phone network signal.

Safaricom and Kenya Prisons Services recently announced that they will install phone-jamming equipment in all the major prisons. This was described as a response to the runaway crime involving mobile phones that is perpetrated by prisoners.
The strategy of jamming mobile phone signals in prison compounds is a logical technical response. By creating islands of non-connectivity in these jails, it is possible to mitigate the economic and social risk posed by these incarcerated criminals.

How does mobile jamming work?

Phone jamming is not a new phenomenon. In the past it was associated with spy craft and the military. Times have changed. Mobile phone jammers are now commercially available and widely used by ordinary citizens in countries that have legalized their usage.

Jamming a mobile phone basically entails the blocking of its frequency by using a device called a jammer. Your mobile (short for mobile phone) transmits a signal on a certain frequency so as to communicate with the service provider’s network. The jammer will broadcast a signal to your mobile using this very same frequency. Once these two signals collide they cancel each other out and what results is a ‘No Network’ indicator on your mobile.

The range of a jammer depends on its power output and whether it is designed to disrupt mobiles or towers. Pocket/portable jammers typically operate in a range of about 9 meters. Higher-powered jammers operate in a range of up to 1.6 kilometers from the device.

The choice of which jammer to use depends on the range over which you wish to deploy it. To have uninterrupted meetings in an enclosed room, portable jammers are ideal. In a restaurant or church, a medium power jammer would suffice. For a prison compound, a very high powered jammer that can block multiple frequencies would be ideal.

Mobile Jamming Concerns

It is broadly agreed that something needs to be done to curb the acquisition of mobile phones by criminals in our local prisons. However, the jamming of mobiles has been tried by other countries with varied success.

Of initial concern would be the fate of prison staff and their families who live and work in these compounds. To effectively jam mobiles in our expansive prisons, high powered jammers will have to be used. This means that prison staff and other mobile users in the surrounding areas will also be inconvenienced.

Interference with critical public frequencies is another risk. Public safety responders like ambulances, police and fire fighters use dedicated frequencies. High powered jammers should be configured to ensure these frequencies are not interfered with.

It is also worth considering the legality of this implementation. The Kenya Information and Communications Act – Section 45 states that interference with any radio communication would result in a fine not exceeding one million shillings or a prison term not exceeding five years, or both.

Other Alternatives

Combating the use of mobile phones by prisoners to propagate crime requires a multi-pronged approach. Jamming their mobiles, in itself, is not enough.

We should start by increasing the criminal penalty of smuggling mobiles into our prisons. The penalty for this kind of crime should be extremely punitive so as to discourage prison staff and visitors from abetting the smuggling of mobiles.

Other technical measures that should be explored include handset disablers, micro-cells and Faraday cages.

Unlike jammers, handset disablers do not emit jamming signals. They instead detect the presence of mobiles and prevent the making of any call. This detection and disabling is done by the software at the base station. What makes this alternative attractive is that it does not disable calls from ‘emergency users’. Pre-selected mobile users, who have pre-registered their phone numbers with the service provider, are allowed to receive and make emergency calls.

Micro cells are essentially scaled down base stations. It would be possible to build micro cells dedicated to the prisons. These cells would carry all traffic originating and terminating in the prison compound. In this implementation it is possible to segregate only prison calls and avoid jamming calls of legitimate users in the prison environs. The micro cell would be able to intercept communications specific to the prison and disable the mobiles through either SIM or IMEI blocking.

Another alternative is the Faraday cage, which is a grounded wire mesh enclosure. It provides a shield against radio waves. A cage around the main prison compound would impede the transmission of mobile phone signals to or from any handset located inside the cage.

Critical Lesson

One critical lesson that needs to be internalized from this effort is that there is a slow but sure shift from conventional to cyber crime by Kenyan criminal elements. The ingenuity and innovativeness exhibited in the execution of these mobile phone scams proves that it is only a matter of time before ICT security becomes a priority for law enforcement agencies.

SECURITY OF EMAIL CC: COMPROMISED COPIES

E-mail users in Kenya are increasing daily. In many local organizations, MS Outlook is the dominant corporate email client, used by thousands of office workers. Sending an email to one recipient requires you to insert the recipient’s email address and click on send. When you want to send the same email to many recipients you click on the cc: button and insert multiple email addresses.

Cc: stands for carbon copy. In the pre-computer/photocopier days, creating multiple copies of the same letter was achieved by using carbon papers. Before typing the letter, carbon papers were interspersed with plain white paper. Copies were created below the originally typed letter and thus the term carbon copy.

Leaking sensitive and secret information has never been easier in this digital age. Any organization that tries to safeguard corporate data from being unlawfully accessed by unauthorized people must contend with the cc: loophole.

Internal emails that have inadvertently gone awry are a good example of how secret information leaks out. We all dread that cc: goof. A successful salesman had a huge e-mail address book filled with his loyal customers, including prominent government contacts. With a single click, he accidentally sent a file of his favorite pornographic cartoons and jokes to everyone on his e-mail list. His subject: ‘Special deals for my best customers!’ Obviously he was looking for a different job thereafter.

Embarrassments can result after these mistakes. However when medical records or intelligence reports are inadvertently sent out the security breach causes untold damage.

Basic safeguards should be adhered to. The first rule of thumb should be to always check the To and CC fields before you click on send.

The second rule is the carpenter’s rule which states that you measure twice and cut once. This means you think twice before sending the email once. In other words, put that message aside and let your temper cool before sending that e-mail.

Another safety rule concerning carbon copy emails is the draft folder. Handle it with extreme caution. Sending an e-mail in progress by accident is very easy. When trying to change the status of that draft email or transferring it to the inbox, you can find yourself cringing after accidentally sending it.

Finally, don’t make jokes or comments via e-mail that you wouldn’t make in person. If you can’t say it aloud then don’t put it down. When in doubt, click on the Cancel button instead of Send.
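The first rule above, checking the To and CC fields before sending, can be automated as a pre-send check. This is an added example, not code from the original column; the internal domain list, the visible-recipient threshold and the sample message are constructed assumptions:

```python
"""Pre-send check for the cc: loophole: flag external recipients and oversized visible lists."""
from email import message_from_string
from email.utils import getaddresses

INTERNAL_DOMAINS = {"example.co.ke"}  # assumed: the organization's own mail domains
MAX_VISIBLE_RECIPIENTS = 10           # assumed policy: above this, use Bcc


def check_recipients(raw_message: str, internal_domains=INTERNAL_DOMAINS,
                     max_visible=MAX_VISIBLE_RECIPIENTS):
    """Inspect To/Cc/Bcc headers and return counts, external addresses and warnings."""
    msg = message_from_string(raw_message)
    # To and Cc are visible to every recipient; Bcc is not.
    visible = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    hidden = getaddresses(msg.get_all("Bcc", []))

    external = sorted(
        addr for _name, addr in visible
        if addr.rsplit("@", 1)[-1].lower() not in internal_domains
    )

    warnings = []
    if external:
        warnings.append(
            f"{len(external)} external recipient(s) in To/Cc: {', '.join(external)}")
    if len(visible) > max_visible:
        warnings.append(
            f"{len(visible)} visible recipients exceed {max_visible}; "
            "move them to Bcc so the address list itself is not disclosed")
    if external and len(visible) > 1:
        warnings.append(
            "internal addresses in To/Cc will be disclosed to the external recipients")

    return {"visible": len(visible), "hidden": len(hidden),
            "external": external, "warnings": warnings}


# Constructed sample message: a mixed internal/external Cc list.
SAMPLE_MESSAGE = """From: sales@example.co.ke
To: director@example.co.ke
Cc: "A. Mutiso" <amutiso@example.co.ke>, buyer@partner.example, press@news.example
Subject: Q1 figures (constructed sample)

Attached are the draft figures.
"""

if __name__ == "__main__":
    for warning in check_recipients(SAMPLE_MESSAGE)["warnings"]:
        print("WARNING:", warning)
```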

HOW TO SECURE YOUR DIGITAL PHOTOS AND CERTIFICATES FOR POSTERITY

The digital revolution has left an indelible mark in our personal lives. Taking family photos has never been easier. We simply click away on our digital cameras and transfer the images to a computer or a portable device. Viewing them can now be through the new USB compatible TVs.

Personal record keeping has also evolved. Photocopying and sealing those important academic and achievement certificates is outdated. It is now much easier to scan and store the digital image in your computer.

This historical data has to be secured due to its vital long-term importance. How do you effectively preserve these personal records?

Digital preservation is basically the keeping of data in such a way that its significant content can still be extracted and understood for an extended period of time. One thing to note is that all storage media (including your computer or external hard disk) becomes unreadable, or more difficult to read, eventually. These devices simply deteriorate.

There are two options available. You can convert the data every few years so that it can still be processed by the software systems of the future. The other option is to convert the original digital record into a stream of bytes. This would ensure that you can retrieve it in as many formats as needed whilst retaining its original quality. This option is definitely more secure but technically challenging.

The third option would be uploading all your personal data to a cloud provider. This would free you from the anxiety of contemplating what would happen if you lost your computer or portable storage device. However this option comes with a risk. What would happen if the cloud provider went bust or lost your data?

All these options must be considered against the backdrop that ICT was different twenty years ago. Advances in technology will inevitably make technology fundamentally different twenty years from now.

The format of your digital documents and snaps will therefore change and conversion will be necessary. My option would be to use the second option in which you use a conversion utility that will convert your records into a stream of bytes.

Use this utility to attach metadata that contains information about its properties and store these records into your portable storage device. As a redundancy upload it to a cloud provider. This way your future generations will be able to access those digital family snaps and documents with the technology of their time.
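As an added example (not the utility the column refers to), one simple way to keep the raw bytes of a scan or photo alongside a plain-text metadata record with a checksum, so that a future reader can tell what the bytes are and whether the copy has decayed. The file name, description and sample bytes are constructed:

```python
"""Store a digital record as untouched bytes plus a JSON sidecar with metadata and fixity."""
import hashlib
import json
import mimetypes
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash the file in chunks so large scans do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def write_preservation_record(path, description: str) -> Path:
    """Write <file>.json beside the original, describing it and recording its SHA-256."""
    path = Path(path)
    record = {
        "original_name": path.name,
        "description": description,
        "size_bytes": path.stat().st_size,
        "mime_type": mimetypes.guess_type(path.name)[0] or "application/octet-stream",
        "recorded_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "sha256": sha256_of(path),
    }
    sidecar = path.with_name(path.name + ".json")
    # JSON is plain text, so the metadata stays readable without any special software.
    sidecar.write_text(json.dumps(record, indent=2), encoding="utf-8")
    return sidecar


def verify_preservation_record(path) -> bool:
    """Re-hash the bytes; False means the copy has been altered or the medium has decayed."""
    path = Path(path)
    sidecar = path.with_name(path.name + ".json")
    record = json.loads(sidecar.read_text(encoding="utf-8"))
    return (record["sha256"] == sha256_of(path)
            and record["size_bytes"] == path.stat().st_size)


def demo():
    """Constructed walk-through: record a scan, verify it, then simulate one decayed byte."""
    with tempfile.TemporaryDirectory() as d:
        scan = Path(d) / "certificate_scan.png"
        scan.write_bytes(b"\x89PNG\r\n\x1a\n" + b"constructed sample bytes")
        write_preservation_record(scan, "Academic certificate scan (constructed sample)")
        ok_before = verify_preservation_record(scan)
        scan.write_bytes(scan.read_bytes()[:-1] + b"?")  # one byte changed, same size
        ok_after = verify_preservation_record(scan)
    return ok_before, ok_after


if __name__ == "__main__":
    print(demo())
```

The same sidecar travels with the file to the portable device and the cloud copy, so each copy can be checked independently.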

WHO IS LIABLE WHEN THE COMPANY SMARTPHONE GETS LOST

The ICT security industry has seen more changes in the past four years than in the previous twenty years that computers have been with us. These changes have mainly been a result of the advancement in portable devices, especially smartphones. These smartphones are basically microcomputers with the processing power that was resident in PCs of a decade ago. Popular smartphones have Android, Symbian, Windows Mobile, Apple and Blackberry operating systems.

Many companies issue smartphones, and other portable devices, to employees for business. It is often taken for granted that company ICT security policies also apply to these devices. This is often not the case because many companies are yet to resolve the question of who is responsible for the loss of these devices (and the data contained therein).

Best practice states that the data controller is the person liable. This is explicitly stated in most Data Protection legislation, for example the Data Protection Act in the United Kingdom. This data controller is defined as the person (either alone or with other persons) who determines the purpose for which and the manner in which any data are to be processed.

That company issued smartphone is meant for company business and the data stored in it is there by company consent. This means that it is the company that determines the purpose and method in which the data is to be processed. It is therefore clear that senior managers are data controllers and the other persons are effectively the Board.

It can be argued that the employee would be responsible for the loss of a company issued smartphone if he/she did not implement the security policies of the organization. However the employee would only be directly responsible to the employer.

One effective way this can be done is by implementing encryption on company smartphones. Employees would then be obligated to ensure that the encryption software is on and effectively protecting company data.

If, however, the lost smartphone contained unencrypted sensitive data that would have far-reaching consequences for the general public, then the manager and Board would land in court.

The absence of a Data Protection Act in Kenya means that apportioning liability for data loss due to portable devices getting lost is difficult. The draft Data Protection Bill, that is currently undergoing review and stakeholder consultation, should conform to the generally accepted liability principle of data protection.

Protecting data with appropriate organizational and technical measures is the responsibility of managers and the Board.

BUSINESSES ARE EXPOSED TO IDENTITY PSEUDONYMS THIS SEASON

The festive season is with us. Most of us will transact in a shop, a supermarket, a school or even online. To do this we shall use our credit cards, ATMs, M-Pesa PIN numbers, certificates, badges and other identifiers. These identifiers will allow us to prove we are who we claim to be. This aspect of proving who we are is becoming increasingly tricky for businesses.

Most of us have different identifiers. You might have a credit card, two ATM cards, a debit card, an M-Pesa account, a national ID and a supermarket smart card. These are all pseudonymous which means your identifiers are different personas to different organizations.

It is assumed that the person on a credit card is the same person on the Smart Card. But the bank cannot prove that the John Mutiso who holds the credit card is the same John Mutiso who has the Uchumi Smart Card.

This is because customer data is not shared between the bank and Uchumi supermarket. This means you are the only person who can prove who you are. Businesses are therefore vulnerable due to this pseudonymity and they need to take steps to protect themselves.

Businesses therefore require identity management so as to guard against this high risk of pseudonymity. The purpose of this management would be to establish the eligibility of John Mutiso to conduct a transaction and to assign the limitation of liability in the event of a failure.

Biometrics is an identity management solution that is proposed in the absence of data sharing and data matching. Biometrics are however not 100 per cent accurate especially in real environments where reliability thresholds are marginally lower.

To effectively protect businesses a highly distributed citizen database is required. This database can be accessed by businesses to determine who John Mutiso is, whether he is in the system and whether he is unique. In other words is this person who he claims to be?

This distributed citizen database would not necessarily be wholly housed by government. Elements can exist in credit reference bureaus, NGOs, county offices and local government systems.

This pool of citizen data would create an environment where government, commerce and citizens not only trust identity services but businesses would be able to use this database to reduce identity pseudonymity.

The technological infrastructure is now in place. What we need is the political will to implement this solution.

OPEN SOURCE SECURITY IS THE BEST PROTECTION

Many people assume that securing ICT systems is an expensive undertaking. When it comes to security software, expensive does not equate to secure systems. Vendor security solutions can be very expensive and yet their Open Source (OS) software equivalents tend to be even more secure.

OS software is subject to various misconceptions. The first one is that OS costs as much as proprietary/vendor software. OS security applications are capable of providing adequate security without bursting your budget. Most are either free or dirt-cheap. Notable examples of free OS security software are SpamAssassin, Snort, Nmap, Nessus, FreeBSD and many others.

Another prevalent misconception is that OS security software is dodgy and dangerous because it is open and free. OS is more secure than proprietary software because more developers are assessing and critiquing the code.

OS software code being freely available means that many “white hackers” are constantly ensuring its integrity and security. OS security software is not invulnerable. However by using any of the OS software packages that are widely used, it is possible to use security software whose vulnerabilities have been minimized.

It is also widely believed that outsourcing of a company’s internal network security can only be done through proprietary/vendor software. This is yet another misconception. Paying for expensive vendor systems that purport to prevent your network from being compromised can be avoided.

Open source perimeter management systems are equally capable of monitoring logs/traffic from your internal network. For example Nessus is a reputable OS network vulnerability scanner that can discover bugs throughout an entire organization.

OS security software has some fundamental advantages over vendor software. Probably the most potent advantage is the so called “many eyes” theory. Security vulnerabilities are typically found by examining source code and testing the software for failures. The fact that OS source code is freely available means that it is under constant improvement by developers all over the world.

This transparency means that many people are motivated to sift through the code of OS security projects for a variety of reasons. Bugs are therefore fixed swiftly and better products released to consumers. This therefore discourages those who might try to sneak malicious code into OS security software.

In my opinion, Open Source security applications tend to be more secure than their commercial equivalents. Having in place good basic security controls and practices based on an Open Source platform can better protect your ICT systems.

SOCIAL MESSAGING SECURITY TIPS FOR YOU

The power of social media is no longer a peripheral international issue, it is now with us. The doctors’ strike (“Operation Linda Afya”) was organized through Twitter and Facebook.

Media reports indicate that the doctors used this fast, prompt and reliable mode of communication in executing their industrial action that crippled healthcare delivery in all public hospitals in the country.

Twitter and Facebook messaging is what made it possible for doctors to quickly converge and hold peaceful demonstrations all over the country. This phenomenon is possible due to the wide coverage of telecommunication networks throughout most of the country.

Social networks are all-pervasive; however, they aren’t always safe. Most malicious attacks are now emanating from social network sites. If you tweet regularly and update constantly on Facebook there are a few safety tips you should know.

The first tip is don’t click on links you don’t know. Sharing links on Twitter and Facebook is common and an effective way of directing your friends to interesting sites. However, avoid clicking on blind links where you cannot discern the destination website from the link, for example www.23433.co.ke is a blind link. This link can open you up to a malicious attack and place your sensitive phone/computer data at risk.

Secondly don’t share personal information. Some personal details should never be shared online and these include your current address, date of birth, next of kin, bank details, ID number and company staff number. You would be surprised how much information about you can be gleaned from these details.

Setting up strong passwords for your Twitter/Facebook accounts is a must. You can imagine what would have happened if the Twitter account that was used to mobilize doctors during “Operation Linda Afya” had a weak password. It would be possible to hijack it and sabotage the whole effort.

Beware fake friends. A common attack that is used by online criminals is where messages are distributed from accounts whose names are vaguely familiar or resemble the names of your long lost schoolmates. Clicking on a message from such a “fake friend” will lead you to an external site that installs malicious code in your mobile phone or computer.

Social media is here to stay and as internet penetration slowly permeates Kenya its power can only grow. Users should however use these rudimentary safeguards so as to prevent online criminals from targeting your interactions with friends or colleagues on social media sites such as Twitter.

ARE INDUSTRIES THAT USE SCADA SYSTEMS SECURE?

Supervisory Control and Data Acquisition (SCADA) systems are a suite of software used by the utility, gas, oil, water and manufacturing sectors to achieve efficient control over their complex operations. These systems control various components for example the opening and closing of valves in an oil pipeline. In the electrical utility sector they control power grids.

A major development in these systems is the introduction of a smart component in these systems. This entails the implementation of an end-to-end IP (internet protocol) network that connects critical components such as valves in a pipeline, smart meters in an electrical grid or pumping stations in a water pipeline. Smart meters are generally at a more advanced stage in the electrical grid systems of advanced western countries.

What makes the security of these smart grids important is the deployment of these networked, IT- and IP-enabled critical components. These IP enabled components have to interface with old legacy components such as Programmable Logic Controllers (PLC). This presents a threat because most of the old components are not designed to support the complete IP communication stack.

Besides the system integration risk the implementation of IT and IP enabled components introduces the same security threats attendant with such technology. Cybercriminals can for example bring down communication links between these components and the control stations by using denial of service, routing, flooding and buffer overflow attacks.

Another factor to consider is the lack of skills to identify and manage risk in SCADA systems. Professionals in the industries that use SCADA (e.g. electrical) are not aware of the proper security controls necessary and suitable for their industries.

For example the electrical utility sector in most countries is only at an initial stage of developing the required skills to conduct risk assessment. This risk assessment would allow ICT security professionals to design security architectures tailored to SCADA systems.

What then is the way forward? Industries that use SCADA, risk, ICT and ICT security operations must find a way of working together. The security management of IP endpoints and devices is the forte of ICT professionals. They are however ill-equipped to manage foreign endpoints like valves, smart meters, breakers, PLCs etc.

A complex network with hundreds of thousands of endpoints and network interconnections is extremely difficult to secure. For a SCADA network to be truly reliable, scalable and secure, both ICT professionals and utility operators have to work together.

BUSINESS DATA TRANSFER CAN BE VERY RISKY

The volume of data that is shared between business entities is growing every year. Companies are constantly sharing information with each other. I.T. systems are linked to each other in various business contexts, for example supplying, selling, regulation and management. A manufacturing firm, for example, is likely to have its procurement system linked to its suppliers and its sales component linked to distributors on a real time basis.

Whether it’s a document sent over email or sales figures transmitted through a file transfer protocol, the risk of a data breach during the transfer or sharing process is high.

Many business people are yet to appreciate the value of the data in their possession. USBs and CDs are lost at a very high rate. These same devices are couriered in unsecured envelopes. Loss of company data can have an irreversible impact on a company’s finances and reputation.

In most cases the loss of mobile devices such as USBs and CDs results in loss of valuable company data. These devices are by their nature easy to lose, especially USB drives. People usually overlook the real value that is contained in a USB drive itself and instead value the physical device more. USBs might be small but the data in them is vitally important.

Other means of data transfer that pose considerable risk are websites that allow users to upload large files. These files can then be accessed by other people with a link that was sent to them. Photo sharing websites use this concept.

Companies should not use these sites because it is nearly impossible to ascertain where your files are hosted and who has access to them.

Implementing more secure and reliable data transfer technologies is imperative. Relying on USBs, CDs and file hosting websites to transfer your business data is unsafe.

File transfer technology has advanced considerably in the recent past. It offers enhanced features like audit trails and is a better alternative to the old transfer methods.

An example is Managed File Transfer (MFT) which is a data transfer service provided by vendors. MFT keeps an audit trail of the transferred file(s) by keeping receipts. MFT also encrypts the files thereby securing them against man-in-the-middle attacks.

This technology is vital for sectors that have huge volumes of data transfer for example healthcare, pharmaceuticals, banking and government.

Data transfer is a grey area that needs immediate attention by all companies that exchange information with another business entity.

SECURITY RISKS OF CLOUD COMPUTING II

This article is a continuation of last week’s article, in which we concluded that due diligence should be conducted before subscribing to a cloud computing provider.

Cloud computing is basically the use of computing resources, like applications and servers, as a service (Software as a Service). This means that a cloud computing provider provides access to computing resources when needed and the client is charged for this usage.

Any business that subscribes to cloud computing has to consider a few security risks. Any cloud computing firm that you use should, at the minimum, have appropriate certifications like ISO27001. These certifications ensure that their internal controls are in place and maintained against insider attacks.

Any firm that outsources should also ensure that their data is backed up. Backing up should not be taken for granted and it is the responsibility of the client to ensure that the provider makes redundant copies and restoration can be successfully done.

Businesses that outsource should not put all their digital eggs in one basket. Outsourcing to one cloud provider effectively means that should anything untoward happen, applications and information will be at risk. This risk can be mitigated by spreading your dependencies. Using a redundant storage provider will enable crucial data to be stored by different vendors and in different locations.

Data commingling is another risk that businesses which outsource to the cloud should be aware of. Cloud providers run many applications and handle data for many client organizations. Data therefore commingles in the same databases and servers separated only by the software itself. This is a security risk in that a flaw in the code could be exploited to allow access to other data. It is therefore advisable to ensure that segregation is done and maintained by the cloud provider.
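The commingling risk above comes down to whether the provider's code enforces segregation on every access. As an added example (not the page's or any provider's code), a flawed lookup beside a tenant-scoped one on a shared table, plus a log check a client could ask for; the table, tenant names and payloads are constructed:

```python
"""Tenant segregation in a shared database: the flaw, the fix, and a detection check."""
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed sample: two clients' rows commingled in one table."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE records ("
        "id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, payload TEXT NOT NULL)")
    db.executemany("INSERT INTO records VALUES (?, ?, ?)", [
        (1, "tenant-a", "tenant A payroll (constructed sample)"),
        (2, "tenant-b", "tenant B payroll (constructed sample)"),
    ])
    return db


def get_record_unsegregated(db, record_id):
    """Flawed: separation exists only in the data, not in the query, so any
    caller who supplies another client's record id reads that client's row."""
    row = db.execute(
        "SELECT payload FROM records WHERE id = ?", (record_id,)).fetchone()
    return row[0] if row else None


def get_record(db, tenant_id, record_id):
    """Segregated: the caller's tenant is a mandatory predicate on every query,
    so a foreign record id simply does not exist from this tenant's point of view."""
    row = db.execute(
        "SELECT payload FROM records WHERE id = ? AND tenant_id = ?",
        (record_id, tenant_id)).fetchone()
    return row[0] if row else None


def find_cross_tenant_reads(db, access_log):
    """Detection: given (requesting_tenant, record_id) pairs from an access log,
    return the reads that touched another tenant's row. Empty means segregation held."""
    hits = []
    for tenant_id, record_id in access_log:
        row = db.execute(
            "SELECT tenant_id FROM records WHERE id = ?", (record_id,)).fetchone()
        if row and row[0] != tenant_id:
            hits.append((tenant_id, record_id, row[0]))
    return hits


if __name__ == "__main__":
    db = setup_db()
    print("unsegregated:", get_record_unsegregated(db, 2))      # tenant B data leaks
    print("segregated:  ", get_record(db, "tenant-a", 2))       # None
    print("audit:", find_cross_tenant_reads(db, [("tenant-a", 1), ("tenant-a", 2)]))
```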

Data migration procedures are also very important. As a business that outsources to the cloud it is important to ensure that procedures are in place that allow and ease the migration of data. Data migration is the extraction of data so as to re-use it. The procedures for this should be clearly established and the cost should not be prohibitive.

Finally, any business that outsources its applications and data should have clear Service Level Agreements (SLAs) with the cloud provider. Just as with any other third-party service provider, the SLA with the cloud provider should have clear parameters for performance, change management, liability, access and provisioning.

SECURITY RISKS OF CLOUD COMPUTING

Cloud computing is finally with us. Recently a leading telecommunication service provider launched a cloud computing service for individuals and businesses. Cloud computing is basically the use of computing resources, like applications and servers, as a service (Software as a Service).

An example would be a small construction and road repair company somewhere in Kericho. At the end of every month the company runs its payroll and pays its casual and permanent employees. Before the advent of cloud computing this company would be forced to invest in a computer, a payroll system and stationery so as to automate its payroll process.

The cost of purchasing a dedicated payroll computer and its system would be prohibitive to a small enterprise. The concept of cloud computing means that instead of dedicating resources to a process that is run only once a month the company can subscribe to a cloud computing provider to do it. The company is then billed only for the time it uses the payroll system.

So instead of worrying about the cost of the payroll system and the security of the data, the company relies on the cloud computing provider, which provides access to these computing resources when needed and charges for specific usage only.

Examples of global cloud computing providers include Hewlett Packard, Fujitsu, Red Hat, Amazon and many others.

Cloud computing, just like any other technology process, has some security risks. These risks will be discussed in this article and the next.

There are many security concerns in cloud computing. One of the most common queries concerns access to data. Who has access to your data?

An example is the United States of America. In October 2001 the USA PATRIOT Act was signed into law as a response to the September 11 terrorist attacks. This Act allows the American government to access data in any American-owned data center, no matter what country that data center is in. If you outsource any of your ICT functions to a cloud infrastructure owned by an American company, then your data can be accessed by the American government.

Who can potentially access your data becomes a priority concern when choosing a cloud computing provider.

Keeping data private and secure is an ongoing concern for everyone in this interdependent and connected world. Due diligence should be conducted. The only truly safe approach in cloud computing is to subscribe to a cloud computing provider that is locally owned and locally located.

USING AN AUTOMATED APPROACH TO MONITOR CHAIN MAILS

Exchanging chain e-mails is a common practice in many organizations. These are basically unsolicited e-mails that we receive and pass on to our colleagues and friends. Topics vary and their content may include jokes, inspirational messages or current affairs. Others, however, contain pornographic images and videos.

System administrators manage the corporate network and they are able to see the kind of e-mails workers send to each other and what images/videos they download. No company can impose an outright ban on the content of these chain mails.

The risk associated with chain e-mails and especially pornographic e-mails cannot be ignored anymore. It is common knowledge that the most virulent computer viruses are embedded into pornographic material. This pornographic material is a perfect vehicle due to the high distribution rate of this kind of content. Virus infection is therefore guaranteed to be swift.

Another factor to consider is duty of care. Legislation will soon be enacted to ensure that organizations have a legal obligation to prove they have taken all reasonable practical measures to protect their staff from pornographic material. The onus will therefore fall on the company, and not the worker, to ensure that this material is not circulating in the corporate network.

Sifting through the high volume of e-mails generated by employees is a daunting task and this job is best left to an automated tool.

Before this can be done the organization must develop an acceptable usage policy and sensitize all employees to it. This policy must outline the do’s and don’ts of corporate e-mail usage.

Trying to manually monitor and apprehend users who breach the usage policy is impossible. That is why an automated e-mail monitoring tool is appropriate. This approach is non-invasive and can drastically reduce the volume of pornographic images/videos that circulate in the workplace.

This tool will screen all e-mails in the corporate network and respond in a number of ways. It can simply block the e-mail or send a warning to the sender and recipient informing them that they are infringing the company usage policy.

This approach will not embarrass anyone because the affected e-mail users will know what was contained in the chain e-mail.

The organization is now able to demonstrate duty of care and has all the information it needs if the situation requires disciplinary action. This approach will also safeguard the company’s reputation and bring down the volume of unofficial activity on the corporate network.

PRIVILEGED PASSWORDS MUST BE SECURED

Every piece of hardware and software that we use has privileged identities built in. These are basically secret keys which are added to the system by the manufacturer. These keys (or passwords) are found in all systems that organizations use. They are for example Administrator passwords in a Windows workstation, Root on Unix and DBAdmins in Oracle databases.

Manufacturers make products with these passwords so that they can effectively support these products. These same passwords are used by customers of these products for administration purposes.

These passwords are like master keys. They can open all modules and files of the system. This is why they are coming under increased scrutiny from various regulations. In the U.S.A., Section 404 of the Sarbanes-Oxley Act requires that companies prove they have control over their financial systems. If an organization holds key financial information whose administrative access is not secured or managed, then that organization is in violation.

Of more relevance to us are the Payment Card Industry (PCI) standards. These standards are among the most explicit. PCI requires organizations to restrict access to the fewest number of custodians necessary. Companies are also required to store keys securely in the fewest possible locations and forms.

Another area in which countries are requiring secure administrative passwords is the health sector. The American Health Insurance Portability and Accountability Act (HIPAA) has a component on administrative standards that requires medical records to be absolutely confidential and secure. It states that if an organization allows unsecured administrative access to medical records it will be in violation of this Act.

The global trend is that countries around the world are enacting tighter local regulations on the control of privileged passwords. Kenya, however, is yet to develop legislation and regulations that require organizations to ensure control over the secret keys/passwords of their systems.

Hackers look for these secret passwords because most of them are never changed. Most successful hack attacks are insider in nature and these secret passwords are used to obtain access to systems.

The primary motive of demanding organizations protect privileged passwords is to ensure that these secret keys are secure and their use (or misuse) can be tied to a specific member of staff.

Kenya therefore needs to develop a framework that encompasses all the critical sectors of the economy for example financial, health and utility systems. This framework should require entities in these sectors to conform to the fundamental requirement of securing secret keys or privileged identities.

HOW DO YOU PROTECT YOUR INTERNET ROUTER?

Internet penetration in Kenya is currently at 3.9 million users and rising fast. This roughly translates to 10% of the total population. The widespread availability of broadband internet, Government support and relatively low cost of hardware means that more Kenyans are accessing the internet. Internet connectivity will eventually become common, at least in the urban areas.

However, in the rush to set up networks at home or at work, many Kenyans are leaving themselves open to attack. The biggest risk comes from routers, the network devices that handle message transfers between computers.

Attacks against the routers we use are different from the common hack. A common attack is where your computer is compromised after downloading something you shouldn’t have downloaded for example pornographic material.

In the router attack, malicious code infects your computer through a download. As soon as you do this the malicious code seeks out and attacks your router, not your computer. This code changes the router settings which govern the way your router connects you to the internet and to other computers.

So every time you go online, instead of your traffic going directly to your desired website it is diverted. Just like a diversion on the highway, your data traffic is sidetracked through a hacker’s computer.

This means that the hacker can see all your data traffic. For instance, when you type your e-mail username and password, the hacker can not only view but can also store this vital information. Your data is then re-routed back to its designated destination. This makes it very hard for you to detect the diversion.

The best way to protect your router is by simply changing the default password. When you buy a router it comes with a default password that locks access to the configuration settings. This factory password is, however, generic and is usually as simple as the word ‘password’.

This default password must be changed and, if you are also using a wireless network, you should also change the name of your network. Harden your router by also using WPA or WEP encryption, which most routers support; prefer WPA, as WEP has known weaknesses.

Malicious code that attacks routers is akin to burglars patrolling for houses that have weak door locks or open windows. By not changing the factory password of your router and not using encryption you are leaving a spare key under the door mat and hoping no one will ever look there.

DO BOARDROOMS UNDERSTAND CYBER SECURITY?

Corporate Boards are composed of accomplished professionals and their main purpose is to govern a commercial entity by establishing broad policies and objectives. The Board also accounts to stakeholders on the overall performance of a company.

Board members are undisputedly busy people who have to grapple with varied and difficult aspects of directing a company, especially so in the current harsh economic climate. It is however clear that most Boards under-appreciate the importance of ICT security to their companies.

The importance of implementing ICT security measures in a company is usually misunderstood. This is due to one primary reason. Most Boards struggle to see the value of ICT security because it does not provide a measurable Return on Investment (ROI). This is understandable because an average computer user would find it hard to quantify the ROI on that antivirus program that he/she purchased one year ago.

The question can thus be framed: what positive impact does ICT security have on a company’s bottom line? We can even go further and ask ourselves whether it would be possible to calculate the ROI on the high perimeter wall and strong window grills we have built in our homes.

Corporate Boards should understand that ICT security is not an investment that provides a return. It is not like a new shamba or a new boda boda motorcycle whose ROI can be measured.

ICT security is an expense that pays for itself through cost savings. In other words, ICT security is about loss prevention, not about earnings. This loss prevention also affects a company’s bottom line.

For example a company with a weak access control system would most likely suffer from frequent hacking attacks. Their credit card database would be attacked and this stolen data used to commit fraud. The business would suffer because customers would no longer trust this company and would move to the competition.

If, however, this same company implements robust access control measures it can reduce the chances of being hacked to zero. This loss prevention would positively impact on the company’s revenue and reputation.

IT professionals therefore need to present a compelling narrative to corporate Boards that will result in behavioral change.

Corporate Boardrooms in Kenya should conceptualize ICT security as a loss prevention process and not a measurable ROI exercise. They need to ensure that management implements an ICT security framework and that all employees know about it and more crucially understand it.

WHY SHOULD YOU CLASSIFY YOUR INFORMATION

Businesses and individuals need to protect their information now more than ever before. There are many reasons that justify this observation but the most important reason is the increasing reliance we have on information systems. Critical business transactions are now done through the internet. On a more personal level we are shifting to the digital platform for our banking, communication and education.

An information security plan has many components and one of the most important pillars is Information Classification. This is the categorization of data so as to facilitate the implementation of information confidentiality, integrity and availability.

There are six steps that must be undertaken to achieve information classification in your organization. The first one is identifying all the information sources that need to be protected. For each source, document which information is possessed, where it resides, who the owners and custodians are, what infrastructure is used and whether there are existing protection measures.

The second step in classifying information is identifying the information classes that will be used, for example Secret, Confidential, Restricted and Unclassified.

Once the information classes are outlined, the next step is to identify the information protection measures that will be used to map onto the information classes. These could be authentication, role based access, assurance, encryption and others. These are mainly technical IT controls.

The fourth step is mapping the information protection measures to the classes. For example authentication helps to verify that a system user is who he/she claims to be by requiring this user to be identified. Authentication can be mapped onto any information that is classified Secret. This would ensure that Secret information is accessed by users who are duly identified. Note that any information classified Secret can have multiple protection measures apart from authentication.

In the fifth step, the classification labels and protection measures that were mapped must now be applied to the sources we identified in the first step. For example, authentication is a measure we mapped to information that is classified Secret. We now need to determine which information is Secret. Staff medical records, for example, are a source that can be classified as Secret and require authentication to access.

The final step is a loop back. This is where the process should be repeated at planned intervals.
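The six steps above, worked through as an added example (not code from the column): a small Python register that records sources (step 1), the classes named above (step 2), a constructed measure-to-class mapping that keeps the column's authentication-onto-Secret rule (steps 3 and 4), applies labels (step 5) and reports the gaps a step-6 review would pick up. The source names, owners and extra mapping rows are constructed for illustration.

```python
"""Added example, not from the column: a small register that walks the
six classification steps and reports where protection is missing."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Step 2: the information classes named in the column, most sensitive first.
CLASSES = ["Secret", "Confidential", "Restricted", "Unclassified"]

# Steps 3 and 4: protection measures mapped onto classes. The column maps
# authentication onto Secret; the remaining rows are constructed for the example.
MEASURES: Dict[str, Set[str]] = {
    "authentication":    {"Secret", "Confidential", "Restricted"},
    "role_based_access": {"Secret", "Confidential"},
    "encryption":        {"Secret"},
    "assurance":         {"Secret"},
}


@dataclass
class Source:
    """Step 1: one information source and what the column says to document about it."""
    name: str
    location: str                 # where it resides
    owner: str
    custodian: str
    infrastructure: str           # the system it lives on
    existing_measures: Set[str] = field(default_factory=set)
    label: Optional[str] = None   # step 5: classification label, once assigned


def required_measures(label: str) -> Set[str]:
    """Measures that the MEASURES mapping demands for a given class."""
    return {m for m, classes in MEASURES.items() if label in classes}


def classify(source: Source, label: str) -> Source:
    """Step 5: apply a label to a source identified in step 1."""
    if label not in CLASSES:
        raise ValueError(f"unknown class {label!r}; expected one of {CLASSES}")
    source.label = label
    return source


def gap_analysis(sources: List[Source]) -> Dict[str, List[str]]:
    """For every labelled source, the mapped measures not yet in place.
    Unlabelled sources are listed under 'unlabelled' so the step-6 review
    cannot silently skip them."""
    report: Dict[str, List[str]] = {}
    for src in sources:
        if src.label is None:
            report.setdefault("unlabelled", []).append(src.name)
            continue
        missing = sorted(required_measures(src.label) - src.existing_measures)
        if missing:
            report[src.name] = missing
    return report


def build_register() -> List[Source]:
    """Constructed sample register (step 1), labelled as in step 5."""
    medical = Source("staff medical records", "HR file server", "HR director",
                     "HR systems admin", "Windows file share", {"authentication"})
    payroll = Source("payroll", "finance database", "finance director", "DBA",
                     "Oracle", {"authentication", "role_based_access"})
    brochure = Source("marketing brochure", "public website", "marketing manager",
                      "web admin", "hosted CMS")
    classify(medical, "Secret")        # the column's own example
    classify(payroll, "Confidential")
    classify(brochure, "Unclassified")
    return [medical, payroll, brochure]


if __name__ == "__main__":
    # Step 6: run the review; re-run it at planned intervals as the register changes.
    for name, missing in gap_analysis(build_register()).items():
        print(f"{name}: missing {', '.join(missing)}")
```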

Information classification helps to ensure that security decisions are made that conform to business objectives instead of IT departmental information protection goals.

BACK TO THE BASICS WITH ICT SECURITY

Information and communication technology has transformed our lives as had been prophesied. The computer, the mobile phone, the internet and databases have had a considerable impact on Kenyan society.

Many business opportunities have been created by the introduction of technology for example M-Pesa. M-banking, electronic payment systems and E-learning are technological processes that will radically impact our society in the short-term.

In the midst of all these positives it is important to remember the dark side of technology. Cyber-crime has increasingly become a serious concern. Online criminals/fraudsters, disgruntled employees, saboteurs, spies and foreign hackers are wreaking havoc on personal lives, businesses and governments.

One would then ask – how can we secure ourselves? Before answering this question it is important to answer another question – who or what are we protecting ourselves and our ICT systems against? In other words we must understand the fundamental risks we want to protect ourselves against before we secure ourselves.

There are four damaging risks that warrant protection. The first one is data theft. Most company losses and loss of competitive advantage are due to employee data theft. A salesperson is more likely to steal a customer database so as to take a new job or simply sell it for money to the competition.

The second risk is internet crime. The likelihood of a technology user falling victim to this kind of crime has never been greater. Internet scams, fraud and identity theft are all over the internet. Unarguably the most famous is the Nigerian 419 scam, which has caused suffering to many people all over the world.

The third most damaging risk is industrial espionage. This crime targets the big multinationals and the small businesses. Losses incurred by Kenyan companies when their strategies, patents, finances and marketing plans are stolen run into millions of shillings.

The fourth risk we face is malware infection. Cyber criminals target computers without protection so as to infect them with malware. Home users are especially vulnerable to this kind of crime. Malware is malicious software designed to gain unauthorized access to the system resources of a computer (or a device like a mobile phone) so as to commit data theft or invade someone’s privacy.

All these risks if not mitigated by way of ICT security can cause severe financial loss for businesses and individuals. These are the reasons as to why we have to secure our personal and business ICT systems.

WHY I.T. SECURITY IS A MAJOR BUSINESS ISSUE

Not many Kenyan business owners are convinced that ICT security is a severe threat to their firms. Business people are more likely to appreciate and react to the current inflationary fluctuations, the weakening shilling, high labour costs and increased energy costs. Little, however, will be heard about ICT and its security. This is despite the fact that ICT is the modern-day ‘nervous system’ that coordinates the business processes of most companies.

ICT systems support business processes, and the dependency ranges from Enterprise Resource Planning (ERP) systems for performing integrated business processes to e-mail for communication and document workflows.

All these systems have users who perform various tasks for the business. These employees must be able to access these systems at the appropriate level. The restrictions imposed on the employees are important. For example communication systems like Outlook e-mail should only be used for business.

An ERP system like SAP usually contains financial and personal data that is sensitive. Who accesses what is of utmost importance to the business. Restrictions will, for instance, ensure that a user who raises an invoice cannot also approve and pay that invoice. This example illustrates the business issue of ICT security.

Most businesses unfortunately treat the granting of permissions and authorizations as the sole responsibility of the IT department. Business management only becomes involved when a user discovers they can’t perform a business function, for example re-ordering stock.

Treating ICT security as the sole responsibility of the IT department is counter-productive to the business. The marketing, finance, production and human resource representatives should be involved in the authorization design process.

This is because it is the business that will ultimately bear the consequences of a poorly secured system. Incidents of internal fraud are increasingly carried out in the ICT systems businesses use. This is because of the high level of dependency they have on these systems.

However these fraudulent attacks are aimed at the business processes which are reliant on the ICT systems. It is therefore logical that the internal fraudster uses the systems to achieve the end result of defrauding the company. This means that mitigating the risk of fraud and financial misstatements is not a purely ICT issue.

There is no excuse for ICT security not to be well understood by the business side. It is for both the business and IT departments to take responsibility for ensuring that the security of their systems is aligned and prioritized as a business issue.

HOW TO PREVENT INSIDER SABOTAGE IN YOUR COMPANY

All companies face risks to their businesses. Some succumb to them while others mitigate these risks and prosper. There is, however, a soft underbelly for most companies. Their information and communication systems have emerged as critical vulnerabilities.

Preventing attacks to these systems is hard enough when faced with external attacks. Protecting an ICT system from an insider attack requires exceptional in-house ICT security capacity.

Stories abound of employees who have crippled companies through various activities. Sometime this year a disgruntled former employee of a pharmaceutical company in the US was charged with sabotaging the company’s IT infrastructure.

He had remotely logged into a hidden virtual server that he had created before he was dismissed. He used this server to take out all the company’s other servers for email, billing, stock control and others.

This is a nightmare scenario any Manager would want to avoid at all costs. How then can we protect ourselves against insider sabotage?

The first defense is separation of duties. This means having more than one person performing critical ICT tasks. It would therefore be difficult to commit fraud or sabotage the systems without collusion among the IT staff. It is advisable to augment separation of duties by implementing robust logging or monitoring systems that record activity on critical systems.

Knowing who you are hiring to take care of your ICT systems is the second defense against internal sabotage. Doing background checks on potential employees is sensible.

If you hire a skilled database administrator who has a history of hacking, then you should be ready for the consequences when the inevitable hack happens. Employee vetting is a practice local firms should embrace as part of their hiring process.

Another line of defense is limiting the use of administrator accounts that are shared between IT staff. Administrator accounts are privileged user accounts that let the administrator make changes that affect other users. They can change security settings, install software, create email accounts and access all the files and systems in the company. A smart IT Manager will try and convince administrators that they don’t need keys to all the ‘digital gates’ in the company. This is because when a cyber crime happens it is usually the gatekeeper (administrator) who will be the early suspect.

Most incidents of ICT fraud and attacks are insider-motivated. This threat should be addressed by all organizations that depend on ICT systems for their operations.

DON’T FORGET THESE FIVE IT SECURITY FUNDAMENTALS

Whether you are thinking of protecting your personal data or safeguarding business data, there are five ICT security fundamentals that you should never forget.

The first one is never forgetting who uses what sensitive data. Data is not sensitive for all people across the board. A company’s strategic five-year plan may be invaluable to investors and management but is quite useless to the messenger. Developing an inventory of sensitive data and who consumes it is critical. This inventory will allow you to segregate data accordingly.

The second fundamental relates to the previous one and is matching the resources you apply to the value of the data. Once you have an inventory of your sensitive data you will have to apply various resources to protect it. A return on investment valuation of the security measures you will apply to the various data categories needs to be conducted, for example what types of encryption will be purchased and applied for the various levels of sensitive data you possess.

The third fundamental concerns customer data. Never forget that retaining customer data is more of a risk than a reward. Service companies that retain huge databases of their customers should be aware of the high risk they expose themselves to especially if the data is widely accessible. An example would be that unprotected server that stores all the credit card numbers that your business has ever accepted.

The fourth fundamental that should never be forgotten is that the absence of a comprehensive regulatory compliance framework exposes all of us to undue risk. Various sensitive data elements exist in any organization's database, for example medical records and credit card numbers.

We are yet to develop locally an all-encompassing compliance framework that caters for data elements in a particular sector, for example medical records, and for data as a whole in the marketplace. The Kenya Communications (Amendment) Bill, 2008 is not a sufficient framework.

Finally, don’t forget that risk assessments tend to understate the inherent risk of sensitive data. It is not sufficient to determine whether access controls, for example, are in place. The crucial point of focus should be measuring how effective the access controls that are in place would be against a hacking attack.

A good example is password circumvention. This is done by employees so as to get around certain controls. A risk assessment will point this out. However, taking it further by implementing a data protection effectiveness metric will provide greater security.

HOW DO SMALL COMPANIES PROTECT THEIR ASSETS

There has been a significant surge in small and medium enterprises that conduct their business online. They are to be found in varied sectors, from delivery, call centers, software programming and insurance brokerage to money transfer and many others.

These SMEs (Small and Medium Enterprises) are primarily a product of the rapid development of the digital infrastructure in Kenya. Wider coverage, faster internet access and cheaper bandwidth, compared to satellite, have spurred their growth.

SMEs use technology as a business leverage that enables them to reduce operating costs, enlarge their market footprint in East Africa and ultimately achieve sustainable competitive advantage over their direct competitors.

SMEs have therefore invested heavily in ICT but this reliance on technology creates a number of problems for them. One of their biggest headaches is ICT security.

SMEs that do not employ ICT security measures usually find themselves the victims of online threats. Valuable strategic plans are stolen, denial of service attacks can be aimed at their services and many other online threats could befall them. This is due to the cut-throat competition in this sector.

SMEs could mitigate the ICT security risks by doing the following. Getting a secure hosting provider would be a sensible place to start.

SMEs depend on their websites as the front facing their customers. These websites usually contain their email addresses, e-commerce engines and other valuable data. These websites can be hacked into if a web provider is dodgy.

Another must-do is blocking all unwanted traffic – completely. SMEs operate on tight budgets and online downtime is usually very expensive to the company. It is therefore crucial to keep out unwanted ‘online visitors’. This can be done through a firewall. A firewall is software that filters incoming (and outgoing) traffic and is able to shut down traffic that it deems suspicious. It protects your resident server from attack.

The last must-do concerns Secure Sockets Layer (SSL) certification. SSL is a protocol for transmitting data securely over the internet. It encrypts the connection so that information (for example credit card numbers) remains confidential during transmission.

SMEs can engage the services of reputable international firms like VeriSign or Thawte to certify their sites as secure.

SMEs are the backbone of our economy and as e-commerce gains a foothold in Kenya the onus is on them to reassure potential customers that it is safe to click and buy from their websites. This can only be achieved if they internalize ICT security as part of their business fundamentals.

HOW TO PROTECT YOURSELF FROM VOICE-MAIL HACKING

Mobile phone hacking is now a reality. Your SMS messages and contacts were considered the most important data in your phone. Voice-mail (or voice messaging) had previously been ignored as a potential risk until revelations in the recent U.K. phone hacking scandal proved otherwise.

Voice-mail is a computerized system for answering and routing telephone calls. It also records, saves and relays voice messages and can also be used to page a phone number.

Voice-mail uses Personal Identification Numbers (PINs) to authenticate and access the messages. These PINs are usually four digits in length. PINs are used in phone networks where caller-ID is not available. Caller-ID is a feature in the phone network that provides subscribers the name and telephone numbers of a caller that appears on a phone display.

When caller-ID is available in a network then this caller-ID is used to allow someone access to their voice-mail box. Accessing someone’s voice-mail is possible by pretending to be the genuine caller. This impersonation is called caller-ID spoofing. By using special software that hijacks a caller-ID, you can surreptitiously listen to someone’s voice messages.

It is imperative that mobile phone networks implement measures that mitigate the risk of voice-mail hacking through caller-ID spoofing. Various conventional measures can be applied for example notifying users of repeated/failed login attempts to their voice-mail accounts.

Our mobile network providers should use mobile phone network-IDs instead of caller-IDs for authentication because the former are harder to spoof (impersonate).
Another very effective feature mobile providers can employ is by not allowing the masquerading of a calling ID when it is the same as the called number. This will prevent an impersonator being automatically admitted by the mobile provider’s filtering process.
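The provider-side mitigations above, as an added Python example that is not code from the column: the weak legacy rule that admits a call on caller-ID alone sits beside a hardened decision that refuses automatic admission when the presented caller-ID equals the called number, prefers the network-ID, falls back to the PIN, and alerts the subscriber on repeated failures. The mailbox numbers, network-ID format and failure threshold are constructed for illustration.

```python
"""Added example, not from the column: voice-mail access decisions that apply
the mitigations above, shown beside the weak caller-ID-only rule they replace."""
import hmac
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MAX_FAILURES = 3   # constructed threshold for the repeated-failure alert


@dataclass
class Mailbox:
    number: str
    pin: str                  # kept in clear only for the example; store a hash in practice
    network_id: str           # subscriber identity asserted by the network, not by the handset
    failures: int = 0
    alerts: List[str] = field(default_factory=list)   # notifications sent to the subscriber


@dataclass
class Attempt:
    called: str                       # mailbox number dialled
    caller_id: str                    # presented caller-ID: user-settable, spoofable
    network_id: Optional[str] = None  # present only when the call originated inside the network
    pin: Optional[str] = None


def legacy_authorize(box: Mailbox, attempt: Attempt) -> Tuple[bool, str]:
    """The weak rule: a caller-ID equal to the called number is admitted automatically."""
    if attempt.caller_id == attempt.called:
        return True, "caller-id"
    if attempt.pin is not None and hmac.compare_digest(attempt.pin, box.pin):
        return True, "pin"
    return False, "denied"


def hardened_authorize(box: Mailbox, attempt: Attempt) -> Tuple[bool, str]:
    """Caller-ID is never a credential. Admit on a matching network-ID, otherwise
    require the PIN and alert the subscriber after repeated failures."""
    # The column's rule: a presented caller-ID equal to the called number must not
    # be automatically admitted. Without a network-ID it is only an attempt to note.
    if attempt.caller_id == attempt.called and attempt.network_id is None:
        box.alerts.append(f"caller-ID {attempt.caller_id} presented for own "
                          f"mailbox without network-ID; PIN required")
    # Network-ID is harder to spoof than caller-ID, so it is the preferred factor.
    if attempt.network_id is not None and hmac.compare_digest(attempt.network_id, box.network_id):
        box.failures = 0
        return True, "network-id"
    if attempt.pin is None:
        return False, "pin required"
    if hmac.compare_digest(attempt.pin, box.pin):
        box.failures = 0
        return True, "pin"
    box.failures += 1
    if box.failures >= MAX_FAILURES:
        box.alerts.append(f"{box.failures} failed PIN attempts on mailbox {box.number}")
    return False, "bad pin"


if __name__ == "__main__":
    box = Mailbox("0722000001", "4321", "NET-ABC")   # constructed subscriber
    spoofed = Attempt(called="0722000001", caller_id="0722000001")
    print("legacy:  ", legacy_authorize(box, spoofed))     # admitted on caller-ID alone
    print("hardened:", hardened_authorize(box, spoofed))   # PIN required
    print("alerts:  ", box.alerts)
```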

As a voicemail user there are a few things you could do to secure your voicemail. If you use a PIN for your voice-mail, change it regularly. Just like your computer passwords that have to be constantly changed, so should you do the same for your voice-mail box.

You should also disable voice-mail if you do not use it regularly. This ensures that messages are not left on your voice-mail account without your knowledge.
You should also look out for voice-mail alerts for messages that don’t exist. Ever received a voice-mail alert and, when you listen to the messages, it’s the old ones that are playing?

Voice-mail hacking is a present day reality. You should report suspected breaches to your mobile provider and the relevant authorities.

CALLER-ID SPOOFING IS ABLE TO DECEIVE YOU

Most of our mobile phones have a feature that allows you to identify the caller. If it is the landlord you want to avoid, just add his number to your contacts and switch on the Caller-Identification (C-ID) feature.

Caller-ID (C-ID) transmits a caller’s name and number to the called party’s network provider which then forwards this information to your phone. You can then decide to either pick or reject the call. Caller-ID is based on the informed consent principle.

C-ID is a powerful feature if linked to a database. The recent attempt to register SIM card owners was a step in the right direction. A database of SIM owners would have eliminated the anonymous calling that is currently rampant.

By using a database of SIM card owners the network providers can ensure that mandatory C-ID is enforced. All calls would have a name and number indicated. This is a simple solution that could have been implemented to stop the threatening calls mobile phone subscribers receive.

C-ID however can be circumvented by new technologies that allow criminals to masquerade as other people and present a false identity. This is called Caller-ID spoofing: a criminal makes the call appear to have come from any name and phone number the criminal chooses. Caller-ID spoofing software easily allows criminals to lie about their identity and present false names and numbers, which can be used to blackmail, threaten and defraud unsuspecting victims.

Imagine how useful this technology would be to the Kamiti fraudsters out there. A criminal would, for example, be able to impersonate one of our banks and convince an unsuspecting account holder to part with their ATM PIN.

This insidious crime is already with us, and Caller-ID spoofing software is readily available on the internet.

C-ID spoofing is especially rampant with Voice over Internet Protocol (VoIP) or IP telephony systems that are in use by many multinationals in Kenya. VoIP basically allows you to use an Internet Protocol (IP) network such as the Internet to communicate via phones. The threat posed by spoofing is considerably higher in these systems due to the distributed geographic nature of the internet. Legal jurisdiction challenges therefore ensue.

SIM card registration and implementing Caller-ID across all our networks is our first line of defense against anonymous callers. Combating Caller-ID spoofing is the next step in ensuring that we can identify all the callers in our phone networks.

DID YOU KNOW THAT KEYLESS MOBILE PHONE SYSTEMS CAN BE HACKED

Keyless or smart keys for cars have been around for some time now. Smart keys allow the driver to keep the keys in their pockets (or handbags) when unlocking, locking and starting the vehicle.

Keyless entry relies on proximity. As you approach the car your key is identified via one of the antennas in the car. A radio pulse generator in the key ‘greets’ your car and a ‘handshake’ ensues. The vehicle’s alarm is immobilized and the doors are automatically unlocked. Simply walking away from the car initiates the lockdown process: door lock, alarm activation and complete engine shutdown.

The convergence of technology is best illustrated by the latest smart key – your smart mobile phone. The mobile phone as a smart key is currently confined to up-market cars but expect to see your Japanese model using it in the very near future. Your mobile phone will, very soon, evolve into the ubiquitous universal remote control device.

GSM mobile phones now run applications (apps) that provide the same functionality as the smart key. A mobile phone with a smart key app can disengage the immobilizer and activate the ignition without a physical key being inserted in the ignition. Communication between the mobile phone and the vehicle’s receiver is software driven, and this software is vulnerable to hacking.

A hacker can exploit a vulnerability in the latest and most secure mobile phone standard today, the 3G/UMTS/WCDMA standard.

By reverse engineering the network and then closely monitoring it by using “sniffers”, it is possible to figure out the codes needed to send rogue commands to cars that use mobile phones as smart keys. This technique is popularly known as “war texting”.

By using a “souped-up” mobile phone it is possible to analyze a GSM network more extensively. Data received from the network can then be sent to a laptop in real-time. It would then be possible to send a random SMS to a mobile phone and obtain its network ID number. You can then use this information to attack the mobile phone that acts as a keyless key.

This exploit would then allow a hacker to send rogue commands from a safe distance.
As the GSM and UMTS standards become better known, security flaws and shortcuts in these network standards also become more widely known among hackers.

As the mobile phone becomes a universal remote control device it is important to appreciate that technological advancement is usually accompanied by vulnerabilities.

DO YOU KNOW THE VALUE OF THE DATA IN YOUR PHONE

You have most likely received those fraudulent SMS messages that try to con you out of your M-Pesa money. Social engineering is the primary technique used to ensnare the unsuspecting into sending money to these criminals popularly known as Kamiti conmen.

These ‘soft’ techniques will eventually become well known and the conmen will naturally innovate other methods of getting those PINs that reside in your mobile phone. They can do this in two ways – logically or physically.

Your data can be pried out of your phone’s temporary memory (logically) or from your phone’s hard drive/flash card (physically).

Your temporary (or cache) memory is simply the information that disappears when you switch off your phone and is similar to a computer’s volatile memory. Examples would include your PINs, passwords or email messages.

Permanent data in your phone is usually stored in the internal drive or the flash card in most phones. This data remains there until physically changed, or deleted. The data is not lost when the power is turned off.

Temporary data (for example online banking or money transfer details) can be obtained from your phone by conducting a logical dump. This technique basically dumps all your temporary data to a destination within a few minutes. Obtaining a physical dump, on the other hand, is much easier because it simply entails copying the data stored in the internal drive or the flash card.

Another concern that you should be aware of is that data stored on some smartphones can be forensically restored or retrieved. Data stored on physical media such as the phone’s internal drive, or its flash card, can be restored even after deletion. This data can, for example, be deleted voicemail messages, emails, SMS messages, calendar events, deleted photos and typing cache (where an SMS can be retrieved even if the SMS was deleted before sending).

The main point to note is that the data in your phone is worth more than your phone many times over. This data can be obtained overtly and covertly. Deleting it does not mean it can’t be retrieved.

The sheer amount of your personal data that is in your mobile phone is enormous and how you protect it should be of paramount concern to you.

HOW A ROBOT ATTACK IS CONDUCTED ON YOUR MOBILE PHONE

It is exciting to be back after that brief hiatus. Welcome back readers and kudos to the Editor and the Management for giving us back our bullhorn.
Within the brief period we were away much has happened in the ICT security world.
One major development that you could not have missed is how important our phones have become.

Criminals have realized that the data in your phone is intrinsically more valuable than the phone itself. This is because your mobile phone has become ‘smart’ and has morphed into a portable computer among other devices. This is called convergence.
This has spawned an increasing number of attacks targeted at our phones. Your contacts, M-Pesa and banking details are increasingly sought after.

Basically your phone is now your computer, television, diary, photo album, bank, ATM and many other things. If your phone can do all these things, and more, it is only sensible that you protect it. The problem is that we all know we need security software for our personal computers, but how many of us have protection for our phones?

So as to appreciate why you need this protection, in this article we shall examine the mobile phone threats that exist out there today and those expected in the near future.
At the start of 2010 the first real and genuine threat to the mobile phone was reported. This was the Zeus virus that was designed to steal banking details of mobile phone banking users.

Since then attacks on mobile phones have increased in complexity and frequency. One of the most potent threats to your mobile phone today is the Bot attack. A Bot is a program that allows an attacker to gain complete control of your phone and renders it a zombie or robot (hence the term Bot).

Apart from stealing your banking or M-Pesa details, Bots can do other insidious things like listening to your calls or sending SMS messages to those numerous SMS based competitions. They can also make surreptitious calls without your knowledge. Ever wondered why your phone intermittently gets hot or your credit balance has unusually gone down?

Your phone gets infected through chain SMS messages, downloaded songs/videos and by visiting pornographic websites with your phone.

The mobile phone Bot business model is surprisingly quite solid. There exist Bot herders who co-ordinate infections and then hire out these zombies (infected phones) to cyber criminals to use as a route to fleece unsuspecting victims.

It makes logical sense that the so-called Kamiti phone criminals who are currently engaged in rudimentary M-Pesa fraud and the sending out of phishing SMS messages will want to expand their businesses by graduating to Bot attacks.

KE–CIRT (Kenya Computer Incident Response Team)

The Kenya Information and Communications Act CAP411A mandates the Communications Commission of Kenya (CCK) to develop a national cyber security management framework through the establishment of a national Computer Incident Response Team (CIRT). In this regard, the Commission has set up the Kenya Computer Incident Response Team (KE-CIRT), whose mandate is to coordinate response to cyber security incidents nationally and to collaborate with relevant actors locally, regionally and internationally in the management of cyber incidents. The KE-CIRT is also the national cyber security management point of contact for Kenya and is under the authority of the CCK.

Vision
To make the Internet secure, to develop a world-class security and information base and to become a publicly accessible forum for Internet and computer security.

Mission
To assist in the development of the Kenya Information Society by making the use of computers and the Internet safer.

Stakeholders
In executing its mandate, the KE-CIRT works with various local stakeholders including various government agencies, the private sector, academia and civil society. The current KE-CIRT stakeholders are as follows:
The various law enforcement agencies;
The Directorate of E-Government;
The Kenya ICT Board;
The Kenya Network Information Centre;
The Telecommunication Service Providers Association of Kenya;
The Kenya Education Network;
The Central Bank of Kenya.

Constituency
Among other services, the KE-CIRT is responsible for responding to incidents targeting government entities and the general public.

Functions
The KE-CIRT is the national focal point for coordinating information flow, response to cyber attacks and remediation of cyber security incidents for Kenya and its role includes the following:
Coordinating response to cyber security incidents nationally;
Liaising with local sector CIRTs, regional & international cybersecurity management entities through forging partnerships;
Facilitating the development of a national Public Key Infrastructure (PKI);
Gathering and disseminating technical information on computer security incidents, vulnerabilities, security fixes and other security information, as well as issuing alerts and warnings;
Building capacity and creating awareness on cyber security best practice;
Facilitating the deployment of a national PKI framework;
Research & Development on information (cyber) security.

Contact Information
Please report any cyber security incidents by sending an email to: cirt@cck.go.ke

You can also reach us on the following numbers: +254 20 42 42 000 or +254 703 042 000 (ext. 446).

Wednesday, January 18, 2012

EXPERTS INVESTIGATE CYBER ATTACK ON GOVERNMENT SITES

EAStandard - Wednesday, 18th January 2012

By Cyrus Ombati

Cyber crime experts are investigating a hacker who took down 103 Government of Kenya websites in an attack on Monday night.

A Kenyan expert aware of the incident said an Indonesian hacker known as direxer was responsible for the hacking.

Among the ministries affected are the Ministries of Local Government, Livestock, Environment, Fisheries, Housing, and Industrialisation.

Others are ministries of Finance, Education, Public Health, Youth Affairs, National Heritage and Roads; as well as sensitive departments such as Administration Police, Immigration, Prisons and various city, municipal and county councils.

According to the local CIO, a technology magazine, the government normally hosts several websites in one server at The Treasury, Ministry of Finance.

Reports said the hacker is part of an online Indonesian security forum known as Forum Code Security and says he took down the websites following tutorials from the forum.

Such tutorials usually exploit programming errors in code, known as bugs, which have not been fixed.

A Cyber Incident Response Team (CIRT) based at the Communications Commission of Kenya (CCK) has moved into action and is making efforts to restore the affected websites.

The CIRT was formed to handle such situations and ensures Kenya's security in cyber space. Officials at the commission said the experts had located the hacker, who appears to have a website at http://www.direxer.com/.

A message he left on the Forum Code Security site said: "show off by me… thanks for tutorial in www.code-security.com all… i have exploit from cs web, and i attacking to server Government Kenya,,,, and then,,, success full… this is deface in this night…"

According to the local CIO, a technology magazine, the government normally hosts several websites in one server at The Treasury thus compromising the server may expose several websites to a hacker.

On his site the hacker said, "and I will carry out attacks on other servers if the Government is still neglecting security. My Security Code on behalf of Indonesia, Security is a necessity."

It is not the first time that some of the websites affected in the Monday night incident have been hacked. Some of them were yet to start running while others are now functioning. The affected sites were:
