Wednesday, February 01, 2012

SHADOWY VIRTUAL TERRORISTS INVADE KENYA


Article written By JOHN OYWA in East African Standard (Underworld Magazine) of 1st February, 2012


They pass for harmless, ordinary souls. Some cut the figures of suave business executives while others are shadowy introverts with insatiable love for computers.

But behind the veil of innocence lies the faces of ruthless white collar criminals whose activities across the globe has cost governments and private companies billions of shillings in stolen data and fraudulent deals.

They neither carry firearms nor use force on their victims. Yet this new breed of shadowy criminals have emptied bank tills, accessed secret government data and robbed individuals of hundreds of thousands of shillings — all from the comfort of their homes and cyber cafes.

One of them, an Indonesian, struck Kenya last week, hacking and defacing more than 100 Government websites and posting a warning that he would be back soon, to inflict more damage.

This was just a year after another hacker attacked and disabled the official police website.

The Government played down the shocking attacks, saying they posed no threat to its databases even as experts warn that the incident could just be a tip of the iceberg as cyber terrorists and criminals turn their arsenals on third world countries.

Highly exposed

Criminologists and Information Technology security experts say that Kenya remains highly exposed to cyber warfare. They say the security of public data and security secrets were under threat more than ever before.

The fact that the Indonesian hacker, who was described as an amateur, chose Kenya, spoke volumes.

"The hacker may have found Kenya very vulnerable. It is evident he spent very little time to execute the assignment, an indication of just how much we are exposed as a country," says Mr Sylvanus Sewe, an IT forensic expert. Sewe says although no vital data was lost in the hacking, it greatly embarrassed the Government and dimmed its image in the ability to fight economic crimes. "It means many people may no longer trust Government sites because one cannot be sure if what he or she is reading has been manipulated by hackers," says Sewe.

He adds: "I am imagining what will happen if such criminals could get access to the Kenya National Examination Council database containing national examination results or the Independent Electoral and Boundaries Commission data on election results."

Last year a clique of employees and students of Kenyatta University hacked into the institution’s online database and altered examination results.

Some final-year students bribed university employees to change their poor grades to enable them graduate. They manipulated passwords of former employees of the university, some of who were dead, to access the examination database.

Falling victim

Due to the alterations, the university struck off names of many students from those scheduled to graduate last December, sparking a legal tussle after the affected went to court to challenge the decision.

A private university in Nairobi also suffered a similar incident after some Internet savvy students hacked into its financial database and changed fee balances. The University lost a lot of money because students with balances altered the records to show they had cleared their fees.

Investigation indicates that cybercrimes, which vary from receiving of spam mails, hacking, espionage, viruses and using specific software to get information from individual, organisation or government was on a sharp rise in the country.

With the online and mobile banking taking root in Kenya, cyber criminals have been smiling all the way to the bank.

Industry players estimate that mobile money platform handles up to Sh7 billion per day, a chunk of which ends in the pockets of criminals.

Another ICT security expert, Mr Muthoga Kioni, says cyber crime had become a huge threat because it was easy to execute.

"Many young people are getting into cybercrime because it has minimal risks with maximum returns. They sit in their houses or cyber cafes and make millions within a few hours. They hardly get arrested," says Kioni.

Kioni says a hacker needs only about six hours of research not only to break into the website, but to access the data base.

"There are thousands of hacking tutorials in the Internet that helps hackers to learn new tricks," he says.

The Internet thieves execute their acts by stealing vital information such as Pin Numbers and passwords to gain entry into the websites and even access bank accounts.

But Communications Permanent Secretary, Dr Bitange Ndemo, downplays the issue, saying it was not as bad as was being portrayed.

"The recent hacking of Government websites was unfortunate but little damage was done because the criminals did not access the data bases," he says.

Disastrous prospects

He explains that it was not easy for the hackers to gain access to Government databases containing vital information. "A website is just like a brochure advertising the services offered by the Government ministries. It has no data."

The PS says it would be disastrous if the criminals could gain access to sensitive databases such as that containing M-Pesa details and transactions.

"There is need to improve our cyber security and we are already doing this. It is also important for companies to put tough security framework to safeguard their internet data since most of cyber crime is committed through collusion with insiders," he says.

Internal crime

He says 60 per cent of cyber crime was internal and urged organisations to foster discipline and value system to counter the problem. "If we avoid the 60 per cent then we will be very safe," he adds.

Industry players point fingers at the Government’s ill preparedness in fighting cyber security.

"The truth is that we have big loopholes. In other countries, the police have high technical crime unit that deals with cyber crime and other organised economic crimes. In Kenya, we still concentrate on physical security than technical crimes," says Kioni.

The initial Cyber Crime Unit, which was established at the CID headquarters in early 2000, is no longer operational. Officers who had been attached to the unit either resigned and were hired by financial institutions or were redeployed to other departments.

But Ndemo says adequate measures have been put in place to fight the cyber crime in the country. He cites the establishment of the National Computer Emergency response Team (KE-CERT) and the e-government secretariat as some of the interventions.