Kenya-Byte

GOVERNMENT WEBSITES AND SYSTEMS SHOULD BE ‘HARDENED’

2012-01-30T16:05:00.001+03:00

Over 100 government websites were defaced by an Indonesian hacker in January 2012. This is a harbinger of things to come. As more organizations get online hackers will test their hacking skills and the government is a target like everyone else.

This incident informs us that government websites need to be hardened. The government should ensure that its websites are well protected from any intruder who might try to hack and steal data contained therein.

Apart from defacing websites, hackers usually move on to the next stage by attempting to penetrate the database(s) that sit behind websites.

Securing the data in these websites is a basic but another fundamental is that this data should be encrypted. Most of the government sites that were defaced have a user login feature that allows authorized users to log in and for instance check their mails. This kind of sensitive data is what should be encrypted.

Government web developers should also make sure they are using the right coding methods. Web developers can unknowingly leave their websites at risk in various ways. One way is by leaving ‘open doors’.

An open door could be an administrator password that has been left as a comment in the source code. By looking for these commented codes a hacker will be able to log in and access valuable data.

Where you host your site is crucial in determining the security of a website. Websites are hosted on servers. A ‘weak’ server is a vulnerability waiting to be hacked. Evidently the server in which the government domain is hosted in was not secure.

This episode should be a wake-up call. As more and more Kenyans embrace the internet, the subsequent development and adoption of e-commerce will ensue. It will soon be possible to pay for government services online. Instead of going to a supermarket we shall be able to shop online and have the shopping delivered to our homes.

The monetary motive for sophisticated hackers to target our systems will then exist. Opportunity is already present because most of our websites and systems are note secure. This will leave many Kenyans vulnerable to online scams and fraudsters.

It is imperative that Government takes up the gauntlet and develops a fully fledged High Tech Crime Unit in the Kenya Police. This unit should be the first responder and of more importance should aim at mitigating threats to our national ICT security.

Amnesty Period Expired on 15th December 2011.

2012-01-25T16:07:00.000+03:00

Screenshot from buygenuine.co.ke

Microsoft Amnesty Period
Facts dont lie, counterfeit software is costly. Using Pirated software can lead to a judgment that could close down your business for a violation of the law. This will damage the reputation of your business and cost you money.

Corporates that possess, use or deal in authorized software are liable to criminal and civil sanctions under the Copyright Act of Kenya.

To avoid criminal penalties as per the copyright Act of Kenya, management and representatives of corporates must ensure that all software used by their company is compliant during an amnesty period that ends on the 15th of December 2011.
Issued by the Kenya Copyright Board.
______________________________________________________________________

Just a reminder...incase you can't afford the licences you can always try Ubuntu.

http://icea.co.ke/ was hacked on 25 January 2012

2012-01-25T12:20:00.000+03:00

DEPLOYMENT OF MOBILE PHONE JAMMERS IN PRISONS IS NOT ENOUGH

2012-01-24T16:35:00.000+03:00

• In China the Education Department uses mobile jammers in schools during major exams. These jammers are use to prevent cheating. The objective is to prevent students from receiving calls or SMS messages from external sources outside the exam room.
• The main electronic components of a jammer are:
1)Voltage-Controlled Oscillator - this generates the radio signal that will interfere with the cell phone signal.
2)Tuning circuit - controls the frequency at which the jammer broadcasts its signal by sending a particular voltage to the oscillator.
3)Noise Generator - Produces random electronic output in a specified frequency range to jam the cell-phone network signal.

Safaricom and Kenya Prisons Services recently announced that they will install phone-jamming equipment in all the major prisons. This was termed as a response to the runaway crime involving mobile phones that is perpetuated by prisoners.
The strategy of jamming mobile phone signals in prison compounds is a logical technical response. By creating islands of non-connectivity in these jails, it is possible to mitigate the economic and social risk posed by these incarcerated criminals.

How does mobile jamming work?

Phone jamming is not a new phenomenon. In the past it was associated with spy craft and the military. Times have changed. Mobile phone jammers are now commercially available and widely used by ordinary citizens in countries that have legalized their usage.

Jamming a mobile phone basically entails the blocking of its frequency by using a device called a jammer. Your mobile (short for mobile phone) transmits a signal on a certain frequency so as to communicate with the service provider’s network. The jammer will broadcast a signal to your mobile using this very same frequency. Once these two signals collide they cancel each other out and what results is a ‘No Network’ indicator on your mobile.

The range of a jammer depends on its power output and whether it is designed to disrupt mobiles or towers. Pocket/portable jammers typically operate in a range of about 9 meters. Higher powered jammers operate in a range of up to 1.6 kilometers away from the device.

The choice of which jammer to use is dependent on the range you wish to deploy it to. To have uninterrupted meetings in an enclosed room, portable jammers are ideal. In a restaurant or church, a medium power jammer would suffice. For a prison compound, a very high powered jammer that can block multiple frequencies would be the ideal.

Mobile Jamming Concerns

It is broadly agreed that something needs to be done to curb the acquisition of mobile phones by criminals in our local prisons. However the jamming of mobiles has been tried by other countries with varied success.

Of initial concern would be the fate of prison staff and family who live and work in these compounds. To be able to effectively jam mobiles in our expansive prisons, high powered jammers will have to be used. This means that prison staff and other mobile users in the surrounding areas will also be inconvenienced.

Interference with critical public frequencies is another risk. Public safety responders like ambulances, police and fire fighters use dedicated frequencies. High powered jammers should be configured to ensure these frequencies are not interfered with.

It is also worth considering the legality of this implementation. The Kenya Information and Communications Act – Section 45 states that interference with any radio communication would result in a fine not exceeding one million shilling or a prison term not exceeding five years or both.

Other Alternatives

Combating the use of mobile phones by prisoners to propagate crime requires a multi-pronged approach. Jamming their mobiles, in itself, is not enough.

We should start by increasing the criminal penalty of smuggling mobiles into our prisons. The penalty for this kind of crime should be extremely punitive so as to discourage prison staff and visitors from abetting the smuggling of mobiles.

Other technical measures that should be explored include handset disablers, micro-cells and Faraday cages.

Unlike jammers, handset disablers do not emit jamming signals. They instead detect the presence of mobiles and prevent the making of any call. This detection and disabling is done by the software at the base station. What makes this alternative attractive is that it does not disable calls from ‘emergency users’. Pre-selected mobile users, who have pre-registered their phone numbers with the service provider, are allowed to receive and make emergency calls.

Micro cells are essentially scaled down base stations. It would be possible to build micro cells dedicated to the prisons. These cells would carry all traffic originating and terminating in the prison compound. In this implementation it is possible to segregate only prison calls and avoid jamming calls of legitimate users in the prison environs. The micro cell would be able to intercept communications specific to the prison and disable the mobiles through either SIM or IMEI blocking.

Another alternative is the Faraday cage which is a wire mesh enclosure that is grounded. It provides a shield to radio waves. A cage round the main prison compound would impede the transmission of mobile phone signals to or from any handset located in the cage.

Critical Lesson

One critical lesson that needs to be internalized from this effort is that there is a slow but sure shift from conventional to cyber crime by Kenyan criminal elements. The ingenuity and innovativeness exhibited in the execution of these mobile phone scams proves that it is only a matter of time before ICT security becomes a priority for law enforcement agencies.

SECURTY OF EMAIL CC: COMPROMISED COPIES

2012-01-24T16:32:00.001+03:00

E-mail users in Kenya are increasing daily. In many local organizations, MS Outlook is the dominant corporate email which is used by thousands of office workers. Sending an email to one recipient requires you insert the recipient’s email address and click on send. When you want to send the same email to many recipients you click on the cc: button and insert multiple email addresses.

Cc: stands for carbon copy. In the pre-computer/photocopier days, creating multiple copies of the same letter was achieved by using carbon papers. Before typing the letter, carbon papers were interspersed with plain white paper. Copies were created below the originally typed letter and thus the term carbon copy.

Leaking sensitive and secret information has never being easier in this digital age. Any organization that tries to safeguard corporate data from being unlawfully accessed by unauthorized people must contend with the cc: loophole.

Internal emails that have inadvertently gone awry are a good example of how secret information leaks out. We all dread that cc: goof. A successful salesman had a huge e-mail address book filled with his loyal customers, including prominent government contacts. With a single click, he accidentally sent a file of his favorite pornographic cartoons and jokes to everyone on his e-mail list. His subject: ‘Special deals for my best customers!’ Obviously he was looking for a different job thereafter.

Embarrassments can result after these mistakes. However when medical records or intelligence reports are inadvertently sent out the security breach causes untold damage.

Basic safeguards should be adhered to. The first rule of thumb should be to always check the To and CC fields before you click on send.

The second rule is the carpenter’s rule which states that you measure twice and cut once. This means you think twice before sending the email once. In other words, put that message aside and let your temper cool before sending that e-mail.

Another safety rule concerning carbon copy emails is the draft folder. Handle it with extreme caution. Sending an e-mail in progress by accident is very easy. When trying to change the status of that draft email or transferring it to the inbox, you can find yourself cringing after accidentally sending it.

Finally don’t make joke or comments via e-mail that you wouldn’t make in person. If you can’t say it aloud then don’t put it down. When in doubt click on the Cancel button instead of the Send.

HOW TO SECURE YOUR DIGITAL PHOTOS AND CERTIFICATES FOR POSTERITY

2012-01-24T16:31:00.003+03:00

The digital revolution has left an indelible mark in our personal lives. Taking family photos has never been easier. We simply click away on our digital cameras and transfer the images to a computer or a portable device. Viewing them can now be through the new USB compatible TVs.

Personal record keeping has also evolved. Photocopying and sealing those important academic and achievement certificates is outdated. It is now much easier to scan and store the digital image in your computer.

This historical data has to be secured due to its vital long-term importance. How do you effectively preserve these personal records?

Digital preservation is basically the keeping of data in such a way that its significant content can still be extracted and understood for an extended period of time. One thing to note is that all storage media (including your computer or external hard disk) becomes unreadable, or more difficult to read, eventually. These devices simply deteriorate.

There are two options available. You can constantly convert the data after a few years so that it is easily processed by the software systems of the future. The other option is to convert the original digital record into a stream of bytes. This would ensure that you can retrieve it into as many formats whilst retaining its original quality. This option is definitely more secure but technically challenging.

The third option would be uploading all your personal data to a cloud provider. This would free you from the anxiety of contemplating what would happen if you lost your computer or portable storage device. However this option comes with a risk. What would happen if the cloud provider went bust or lost your data?

All these options must be considered against the backdrop that ICT was different twenty years ago. Advances in technology will inevitably make technology fundamentally different twenty years from now.

The format of your digital documents and snaps will therefore change and conversion will be necessary. My option would be to use the second option in which you use a conversion utility that will convert your records into a stream of bytes.

Use this utility to attach metadata that contains information about its properties and store these records into your portable storage device. As a redundancy upload it to a cloud provider. This way your future generations will be able to access those digital family snaps and documents with the technology of their time.

WHO IS LIABLE WHEN THE COMPANY SMARTPHONE GETS LOST

2012-01-24T16:31:00.001+03:00

The ICT security industry has seen more changes in the past four years than the last twenty years computers have been with us. These changes have mainly been a result of the advancement in portable devices, especially smartphones. These smartphones are basically microcomputers with processing power capabilities that were resident in PCs of a decade ago. Popular smartphones have Android, Symbian, Windows Mobile, Apple and Blackberry operating systems.

Many companies issue smartphones, and other portable devices, to employees for business. It is often taken for granted that company ICT security policies also apply to these devices. This is often not the case because many companies are yet to resolve the question of who is responsible for the loss of these devices (and the data contained therein).

Best practice states that the data controller is the person liable. This is explicitly stated in most Data Protection legislation, for example the Data Protection Act in the United Kingdom. This data controller is defined as the person (either alone or with other persons) who determines the purpose for which and the manner in which any data are to be processed.

That company issued smartphone is meant for company business and the data stored in it is there by company consent. This means that it is the company that determines the purpose and method in which the data is to be processed. It is therefore clear that senior managers are data controllers and the other persons are effectively the Board.

It can be argued that the employee would be responsible for the loss of a company issued smartphone if he/she did not implement the security policies of the organization. However the employee would only be directly responsible to the employer.

One effective way this can be done is by implementing encryption in company smartphones. Employees would then be obligated in ensuring that the encryption software is on and effectively protecting company data.

If, however, the lost smartphone contained unencrypted sensitive data that would have far-reaching consequence to the general public, then the manager and Board would land in court.

The absence of a Data Protection Act in Kenya means that apportioning liability for data loss due to portable devices getting lost is difficult. The draft Data Protection Bill, that is currently undergoing review and stakeholder consultation, should conform to the generally accepted liability principle of data protection.

Protecting data with appropriate organizational and technical measures is the responsibility of managers and the Board.

BUSINESSES ARE EXPOSED TO IDENTITY PSEUDONYMS THIS SEASON

2012-01-24T16:30:00.003+03:00

The festive season is with us. Most of us will transact in a shop, a supermarket, a school or even online. To do this we shall use our credit cards, ATMs, M-Pesa PIN numbers, certificates, badges and other identifiers. These identifiers will allow us to prove we are who we claim to be. This aspect of proving who we are is becoming increasingly tricky for businesses.

Most of us have different identifiers. You might have a credit card, two ATM cards, a debit card, an M-Pesa account, a national ID and a supermarket smart card. These are all pseudonymous which means your identifiers are different personas to different organizations.

It is assumed that the person in a credit card is the same person in the Smart Card. But the bank cannot prove that the John Mutiso who holds the credit card is the same John Mutiso who has the Uchumi Smart Card.

This is because customer data is not shared between the bank and Uchumi supermarket. This means you are the only person who can prove who you are. Businesses are therefore vulnerable due to this pseudonymity and they need to take steps to protect themselves.

Businesses therefore require identity management so as to guard against this high risk of pseudonymity. The purpose of this management would be to establish the eligibility of John Mutiso to conduct a transaction and to assign the limitation of liability in the event of a failure.

Biometrics is an identity management solution that is proposed in the absence of data sharing and data matching. Biometrics are however not 100 per cent accurate especially in real environments where reliability thresholds are marginally lower.

To effectively protect businesses a highly distributed citizen database is required. This database can be accessed by businesses to determine who John Mutiso is, whether he is in the system and whether he is unique. In other words is this person who he claims to be?

This distributed citizen database would not necessarily be wholly housed by government. Elements can exist in credit reference bureaus, NGOs, county offices and local government systems.

This pool of citizen data would create an environment where government, commerce and citizens not only trust identity services but businesses would be able to use this database to reduce identity pseudonymity.

The technological infrastructure is now in place. What we need is the political will to implement this solution.

OPEN SOURCE SECURITY IS THE BEST PROTECTION

2012-01-24T16:30:00.001+03:00

Many people assume that securing ICT systems is an expensive undertaking. When it comes to security software, expensive does not equate to secure systems. Vendor security solutions can be very expensive and yet their Open Source (OS) software equivalents tend to be even more secure.

OS software has undergone various misconceptions. The first one is that OS costs as much as proprietary/vendor software. OS security applications are capable of providing adequate security without bursting your budget. Most are either free or dirt-cheap. Notable examples of free OS security software are SpamAssasin, Snort, Nmap, Nessus, FreeBSD and many others.

Another prevalent misconception is that OS security software is dodgy and dangerous because it is open and free. OS is more secure than proprietary software because more developers are assessing and critiquing the code.

OS software code being freely available means that many “white hackers” are constantly ensuring its integrity and security. OS security software is not invulnerable. However by using any of the OS software packages that are widely used, it is possible to use security software whose vulnerabilities have been minimized.

It is also widely believed that outsourcing of a company’s internal network security can only be done through proprietary/vendor software. This is yet another misconception. Paying for expensive vendor systems that purport to prevent your network from being compromised can be avoided.

Open source perimeter management systems are equally capable in monitoring logs/traffic from your internal network. For example Nessus is a reputable OS network vulnerability scanner that can be able to discover bugs throughout an entire organization.

OS security software has some fundamental advantages over vendor software. Probably the most potent advantage is the so called “many eyes” theory. Security vulnerabilities are typically found by examining source code and testing the software for failures. The fact that OS source code is freely available means that it is under constant improvement by developers all over the world.

This transparency means that many people are motivated to sift through the code of OS security projects for a variety of reasons. Bugs are therefore fixed swiftly and better products released to consumers. This therefore discourages those who might try to sneak malicious code into OS security software.

In my opinion, Open Source security applications tend to be more secure than their commercial equivalents. Having in place good basic security controls and practices based on an Open Source platform can better protect your ICT systems.

SOCIAL MESSAGING SECURITY TIPS FOR YOU

2012-01-24T16:29:00.001+03:00

The power of social media is no longer a periphery international issue, it is now with us. The doctor’s strike (“Operation Linda Afya”) was organized through Tweeter and Facebook.

Media reports indicate that the doctors used this fast, prompt and reliable mode of communication in executing their industrial action that crippled healthcare delivery in all public hospitals in the country.

Tweeter and Facebook messaging is what made it possible for doctors to quickly converge and hold peaceful demonstrations all over the country. This phenomenon is possible due to the wide coverage of telecommunication networks throughout most of the country.

Social networks are all-pervasive, however they aren’t always safe. Most malicious attacks are now emanating from social network sites. If you tweet regularly and update constantly in Facebook there are a few safety tips you should know.

The first tip is don’t click on links you don’t know. Sharing links in Twitter and Facebook is common and an effective way of directing your friends to interesting sites. However avoid clicking on subsequent blind links where you cannot discern the destination website from the link, for example www.23433.co.ke is a blind link. This link can open you up to a malicious attack and place your sensitive phone/computer data at risk.

Secondly don’t share personal information. Some personal details should never be shared online and these include your current address, date of birth, next of kin, bank details, ID number and company staff number. You would be surprised how much information about you can be gleaned from these details.

Setting up strong passwords for your Tweeter/Facebook accounts is a must. You can imagine what would have happened if the Tweeter account, that was used to mobilize doctors during “Operation Linda Afya”, had a weak password. It would be possible to hijack it and sabotage the whole effort.

Beware fake friends. A common attack that is used by online criminals is where messages are distributed from accounts whose names are vaguely familiar or resemble the names of your long lost schoolmates. Clicking on a message from such a “fake friend” will lead you to an external site that installs malicious code in your mobile phone or computer.

Social media is here to stay and as internet penetration slowly permeates in Kenya its power can only grow. Users should however use these rudimentary safeguards so as to prevent online criminals targeting your interaction with friends or colleagues on social media sites such as Tweeter.

ARE INDUSTRIES THAT USE SCADA SYSTEMS SECURE?

2012-01-24T16:28:00.003+03:00

Supervisory Control and Data Acquisition (SCADA) systems are a suite of software used by the utility, gas, oil, water and manufacturing sectors to achieve efficient control over their complex operations. These systems control various components for example the opening and closing of valves in an oil pipeline. In the electrical utility sector they control power grids.

A major development in these systems is the introduction of a smart component in these systems. This entails the implementation of an end-to-end IP (internet protocol) network that connects critical components such as valves in a pipeline, smart meters in an electrical grid or pumping stations in a water pipeline. Smart meters are generally at a more advanced stage in the electrical grid systems of advanced western countries.

What makes the security of these smart grids important has to do with the deployment of these networked and IT and IP enabled critical components. These IP enabled components have to interface with old legacy components such as Programmable Logic Controllers (PLC). This presents a threat because most of the old components are not designed to support the complete IP communication stack.

Besides the system integration risk the implementation of IT and IP enabled components introduces the same security threats attendant with such technology. Cybercriminals can for example bring down communication links between these components and the control stations by using denial of service, routing, flooding and buffer overflow attacks.

Another factor to consider is the lack of skills to identify and manage risk in SCADA systems. Professionals in the industries that use SCADA (e.g. electrical) are not aware of the proper security controls necessary and suitable for their industries.

For example the electrical utility sector in most countries is only at an initial stage of developing the required skills to conduct risk assessment. This risk assessment would allow ICT security professional to design security architectures tailored to SCADA systems.

What then is the way forward? Industries that use SCADA, risk, ICT and ICT security operations must find a way of working together. The security management of IP endpoints and devices is the forte of ICT professionals. They are however ill-equipped to manage foreign endpoints like valves, smart meters, breakers, PLCs etc.

A complex network with hundreds of thousands of endpoints and network interconnections is extremely difficult. For a SCADA network to be truly, reliable, scalable, and secure, both ICT professionals and utility operators have to work together.

BUSINESS DATA TRANSFER CAN BE VERY RISKY

2012-01-24T16:28:00.001+03:00

The volume of data that is shared between business entities is growing every year. Companies are constantly sharing information with each other. I.T. systems are linked to each other at various business contexts for example supplying, selling, regulation and management. A manufacturing firm, for example, is likely to have its procurement system linked to its suppliers and its sales component linked to distributors on a real time basis.

Whether it’s a document sent over email or sales figures transmitted through a file transfer protocol, the risk of a data breach during the transfer or sharing process is high.

Many business people are yet to appreciate the value of the data in their possession. USBs and CDs are lost at a very high rate. These same devices are couriered in unsecured envelopes. Loss of company data can have an irreversible impact on and company’s finances and reputation.

In most cases the loss of mobile devices such as USBs and CDs results in loss of valuable company data. These devices are by their nature easy to lose, especially USB drives. People usually overlook the real value that is contained in a USB drive itself and instead value the physical device more. USBs might be small but the data in them is vitally important.

Other means of data transfer that pose considerable risk are websites that allow users to upload large files. These files can then be accessed by other people with a link that was sent to them. Photo sharing websites use this concept.

Companies should not use these sites because it is nearly impossible to ascertain where you files are hosted and who has access to them.

Implementing more secure and reliable data transfer technologies is imperative. Relying on USBs, CDs and file hosting websites to transfer your business data is unsafe.

File transfer technology has advanced considerably in the recent past. It offers enhanced features like audit trails and are better alternatives to the old transfer methods.

An example is Managed File Transfer (MFT) which is a data transfer service provided by vendors. MFT keeps an audit trail of the transferred file(s) by keeping receipts. MFT also encrypts the files thereby securing them against man-in-the-middle attacks.

This technology is vital for sectors that have huge volumes of data transfer for example healthcare, pharmaceuticals, banking and government.

Data transfer is a grey area that needs immediate attention by all companies that exchange information with another business entity.

SECURITY RISKS OF CLOUD COMPUTING II

2012-01-24T16:27:00.002+03:00

This article is a continuation of last week’s article in which we concluded that due diligence should be conducted before subscribing to cloud computing provider.

Cloud computing is basically the use of computing resources, like applications and servers, as a service (Software as a Service). This means that a cloud computing provider provides access to computing resources when needed and the client is charged for this usage.

Any business that subscribes to cloud computing has to consider a few security risks. Any cloud computing firm that you use should, at the minimum, have appropriate certifications like ISO27001. These certifications ensure that their internal controls are in place and maintained against insider attacks.

Any firm that outsources should also ensure that their data is backed up. Backing up should not be taken for granted and it is the responsibility of the client to ensure that the provider makes redundant copies and restoration can be successfully done.

Businesses that outsource should not put all their digital eggs in one basket. Outsourcing to one cloud provider effectively means that should anything untoward happen, applications and information will be at risk. This risk can be mitigated by disintegrating your dependencies. Using a redundant storage provider will enable crucial data to be stored by different vendors and in different locations.

Data commingling is another risk that businesses which outsource to the cloud should be aware of. Cloud providers run many applications and handle data for many client organizations. Data therefore commingles in the same databases and servers separated only by the software itself. This is a security risk in that a flaw in the code could be exploited to allow access to other data. It is therefore advisable to ensure that segregation is done and maintained by the cloud provider.

Data migration procedures are also very important. As a business that outsources to the cloud it is important to ensure that procedures are in place that allow and ease the migration of data. Data migration is the extraction of data so as to re-use it. The procedures for this should be clearly established and the cost should not be prohibitive.

Finally any business that outsources its applications and data should have clear Service Level Agreements (SLAs) with the cloud provider. Just like any other third party service provider. the SLA with the cloud provider should have clear parameters for performance, change management, liability, access and provisioning.

SECURITY RISKS OF CLOUD COMPUTING

2012-01-24T16:26:00.001+03:00

Cloud computing is finally with us. Recently a leading telecommunication service provider launched a cloud computing service for individuals and businesses. Cloud computing is basically the use of computing resources, like applications and servers, as a service (Software as a Service).

An example would be a small construction and road repair company somewhere in Kericho. At the end of every month the company runs its payroll and pays its casual and permanent employees. Before the advent of cloud computing this company would be forced to invest in a computer, a payroll system and stationery so as to automate its payroll process.

The cost of purchasing a dedicated payroll computer and its system would be prohibitive to a small enterprise. The concept of cloud computing means that instead of dedicating resources to a process that is run only once a month the company can subscribe to a cloud computing provider to do it. The company is then billed only for the time it uses the payroll system.

So instead of worrying about the costs of the payroll system, and security of the data, the cloud computing provider provides access to these computing when needed and charge for specific usage only.

Examples of global cloud computing providers include Hewlett Packard, Fujitsu, Red Hat, Amazon and many others.

Cloud computing, just like any other technology process, has some security risks. These risks will be discussed in this article and the next.

There are many security concerns in cloud computing. One of the most common queries concerns access to data. Who has access to your data?

An example is the United States of America. In October, 2001 the USA Patriot Act was signed into law as a response to the September 11 terrorist attack. This Act allows the American government to access data in any American owned data center, no matter what country that data center is in. If you outsource any of your ICT functions to a cloud infrastructure owned by an American company, then your data can be accessed by the American government.

Who can potentially access your data becomes a priority concern when choosing a cloud computing provider.

Keeping data private and secure is an ongoing concern for everyone in this interdependent and connected world. Due diligence should be conducted. The only truly safe approach in cloud computing is to subscribe to a cloud computing provider that is locally owned and locally located.

USING AN AUTOMATED APPROACH TO MONITOR CHAIN MAILS

2012-01-24T16:24:00.001+03:00

Exchanging of chain e-mails is a common practice in many organizations. These are basically unsolicited e-mails that we receive and pass on to our colleagues and friends. Topics vary and their content may include jokes, inspirational messages or current affairs. Others however contain pornographic images and videos.

System administrators manage the corporate network and they are able to see the kind of e-mails workers send to each other and what images/videos they download. No company can impose an outright ban on the content of these chain mails.

The risk associated with chain e-mails and especially pornographic e-mails cannot be ignored anymore. It is common knowledge that the most virulent computer viruses are embedded into pornographic material. This pornographic material is a perfect vehicle due to the high distribution rate of this kind of content. Virus infection is therefore guaranteed to be swift.

Another factor to consider is duty of care. Legislation will soon be enacted to ensure that organizations have a legal obligation to prove they have taken all reasonable practical measures to protect their staff from pornographic material. The onus will therefore fall on the company, and not the worker, to ensure that this material is not circulating in the corporate network.

Sifting through the high volume of e-mails generated by employees is a daunting task and this job is best left to an automated tool.

Before this can be done the organization must develop and sensitize all employees on an acceptable usage policy. This policy must outline the do’s and don’ts of corporate e-mail usage.

Trying to manually monitor and apprehend users who breach the usage policy is impossible. That is why an automated e-mail monitoring tool is appropriate. This approach is non-invasive and can drastically reduce the volume of pornographic images/videos that circulate in the workplace.

This tool will screen all e-mails in the corporate network and respond in a number of ways. It can simply block the e-mail or send a warning to the sender and recipient informing them that they are infringing the company usage policy.

This approach will not embarrass anyone because the affected e-mail users will know what was contained in the chain e-mail.

The organization is now able to demonstrate duty of care and has all the information it needs if the situation requires disciplinary action. This approach will also safeguard the company’s reputation and bring down the volume of unofficial activity on the corporate network.

PRIVILEGED PASSWORDS MUST BE SECURED

2012-01-24T16:23:00.002+03:00

Every piece of hardware and software that we use has privileged identities built in. These are basically secret keys which are added to the system by the manufacturer. These keys (or passwords) are found in all systems that organizations use. They are for example Administrator passwords in a Windows workstation, Root on Unix and DBAdmins in Oracle databases.

Manufacturers make products with these passwords so that they can effectively support these products. These same passwords are used by customers of these products for administration purposes.

These passwords are like master keys. They can open all modules and files of the system. This is why they are coming under increased scrutiny by various regulations. In U.S.A the Sarbanes-Oxley 404 law requires that companies prove that they have control over their financial systems. If an organization has key financial information whose administrative access is not secured or managed, then that organization is in violation.

Of more relevance to us are the Payment Card Industry (PCI) standards. These standards are one of the most explicit. PCI requires organizations to restrict access to the fewest number of custodians necessary. Companies are also required to store keys securely in the fewest possible locations and forms.

Another area that countries are requiring secure administrative passwords is in the health sector. The American Health Insurance Portability and Accountability Act (HIPPA) has a component on administrative standards that requires medical records be absolutely confidential and secure. It states that if an organization allows unsecured administrative access to medical records it will be in violation of this Act.

The global trend is that countries around the world are enacting tighter local regulations in the control of privileged passwords. Kenya, however, is yet to develop legislation and regulations that require organizations ensure control over secret keys/passwords of their systems.

Hackers look for these secret passwords because most of them are never changed. Most successful hack attacks are insider in nature and these secret passwords are used to obtain access to systems.

The primary motive of demanding organizations protect privileged passwords is to ensure that these secret keys are secure and their use (or misuse) can be tied to a specific member of staff.

Kenya therefore needs to develop a framework that encompasses all the critical sectors of the economy for example financial, health and utility systems. This framework should require entities in these sectors to conform to the fundamental requirement of securing secret keys or privileged identities.

HOW DO YOU PROTECT YOUR INTERNET ROUTER?

2012-01-24T16:23:00.000+03:00

Internet penetration in Kenya is currently at 3.9 million users and rising fast. This roughly translates to 10% of the total population. The widespread availability of broadband internet, Government support and relatively low cost of hardware means that more Kenyans are accessing the internet. Internet connectivity will eventually become common, at least in the urban areas.

However in the rush to setup networks at home or work, many Kenyans are leaving themselves open to attack. The biggest risk is coming from routers, a network device that handles message transfers between computers.

Attacks against the routers we use are different from the common hack. A common attack is where your computer is compromised after downloading something you shouldn’t have downloaded for example pornographic material.

In the router attack malicious code infects your computer through a download. Immediately you do this the malicious code seeks and attacks your router, not your computer. This code changes the router settings which govern the way your router connects you to the internet and to other computers.

So every time you go online, instead of your traffic going directly to your desired website it is diverted. Just like a diversion on the highway, your data traffic is sidetracked through a hacker’s computer.

This means that the hacker can see all your data traffic. For instance, when you type your e-mail username and password, the hacker can not only view but can also store this vital information. Your data is then re-routed back to its designated destination. This makes it very hard for you to detect the diversion.

The best way to protect your router is by simply changing the default password. When you buy a router it comes with a default password that locks access to the configuration settings. This factory password is however generic and is usually as simple as the word password.

This default password must be changed and if you are also using a wireless network you should also change the name of your network. Harden your router by also using WPA or WEP encryption which most routers support.

Malicious codes that attack routers are akin to burglars patrolling for houses that have weak door locks or open windows. By not changing the factory password of your router and not using encryption you are leaving a spare key under the door mat hoping no one will ever look there.

DO BOARDROOMS UNDERSTAND CYBER SECURITY?

2012-01-24T16:22:00.003+03:00

Corporate Boards are composed of accomplished professionals and their main purpose is to govern a commercial entity by establishing broad policies and objectives. The Board also accounts to stakeholders on the overall performance of a company.

Board members are undisputedly busy people who have to grapple with varied and difficult aspects of directing a company, especially so in the current harsh economic climate. It is however clear that most Boards under-appreciate the importance of ICT security to their companies.

The importance of implementing ICT security measures in a company is usually misunderstood. This is due to one primary reason. Most Boards struggle to see the value of ICT security because it does not provide a measurable Return on Investment (ROI). This is understandable because an average computer user would find it hard to quantify the ROI on that antivirus program that he/she purchased one year ago.

The question can thus be framed - what positive impact does ICT security have on a company’s bottom-line? We can even go further and ask ourselves whether it would be possible to calculate the ROI on the high perimeter wall and strong window grills we have built in our homes.

Corporate Boards should understand that ICT security is not an investment that provides a return. It is not like a new shamba or a new boda boda motorcycle who’s ROI can be measured.

ICT security is an expense that pays for itself in the cost savings. In other words ICT security is about the loss prevention, not about the earnings. This loss prevention also affects a company’s bottom-line.

For example a company with a weak access control system would most likely suffer from frequent hacking attacks. Their credit card database would be attacked and this stolen data used to commit fraud. The business would suffer because customers would no longer trust this company and would move to the competition.

If, however, this same company implements robust access control measures it can reduce the chances of being hacked to zero. This loss prevention would positively impact on the company’s revenue and reputation.

IT professionals therefore need to present a compelling narrative to corporate Boards that will result in behavioral change.

Corporate Boardrooms in Kenya should conceptualize ICT security as a loss prevention process and not a measurable ROI exercise. They need to ensure that management implements an ICT security framework and that all employees know about it and more crucially understand it.

WHY SHOULD YOU CLASSIFY YOUR INFORMATION

2012-01-24T16:18:00.001+03:00

Businesses and individuals need to protect their information now more than ever before. There are many reasons that justify this observation but the most important reason is the increasing reliance we have on information systems. Critical business transactions are now done through the internet. On a more personal level we are shifting to the digital platform for our banking, communication and education.

An information security plan has many components and one of the most important pillars is Information Classification. This is the categorization of data so as to facilitate the implementation of information confidentiality, integrity and availability.

There are six steps that must be undertaken so as to achieve information classification in your organization. The first one is identifying all the information sources that need to be protected. Determining which information is possessed, where it resides, who the owners and custodians are, the infrastructure used and if there are existing protection measures are the sources that should be documented.

The second step in classifying information is identifying the information classes that will be used for example Secret, Confidential, Restricted and Unclassified.

Once the information classes are outlined, the next step is to identify the information protection measures that will be used to map onto the information classes. These could be authentication, role based access, assurance, encryption and others. These are mainly technical IT controls.

The fourth step is mapping the information protection measures to the classes. For example authentication helps to verify that a system user is who he/she claims to be by requiring this user to be identified. Authentication can be mapped onto any information that is classified Secret. This would ensure that Secret information is accessed by users who are duly identified. Note that any information classified Secret can have multiple protection measures apart from authentication.

In the fifth step, the classification labels and protection measures that were mapped must now be applied to the sources we identified in the first step. For example authentication is a measure we mapped to information that is classified Secret. We now need to determine which information is Secret. Staff medical records, for example, is a source than can be classified as Secret and requires authentication to access.

The final step is a loop back. This is where the process should be repeated at planned intervals.

Information classification helps to ensure that security decisions are made that conform to business objectives instead of IT departmental information protection goals.

BACK TO THE BASICS WITH ICT SECURITY

2012-01-24T16:16:00.003+03:00

Information and communication technology has transformed our lives as had been prophesized. The computer, the mobile phone, the internet and databases have had a considerable impact on the Kenyan society.

Many business opportunities have been created by the introduction of technology for example M-Pesa. M-banking, electronic payment systems and E-learning are technological processes that will radically impact our society in the short-term.

In the midst of all these positives it is important to remember the dark side of technology. Cyber-crime has increasingly become a serious concern. Online criminals/fraudsters, disgruntled employees, saboteurs, spies and foreign hackers are wracking havoc on personal lives, businesses and governments.

One would then ask – how can we secure ourselves? Before answering this question it is important to answer another question – who or what are we protecting ourselves and our ICT systems against? In other words we must understand the fundamental risks we want to protect ourselves against before we secure ourselves.

There are four damaging risks that warrant protection against. The first one is data theft. Most company losses and lack of competitive advantage are due to employee data theft. A sales person is more likely to steal a customer database so as to take a new job or simply sell it for money to the competition.

The second risk is internet crime. The likelihood of a technology user falling victim to this kind of crime has never been greater. Internet scams, fraud and identity theft are all over the internet. Unarguably the most famous is the Nigerian 411 scam which has caused suffering to many people all over the world.

The third most damaging risk is industrial espionage. This crime targets the big multinationals and the small businesses. Losses incurred by Kenyan companies when their strategies, patents, finances and marketing plans are stolen run into millions of shillings.

The fourth risk we face is malware infection. Cyber criminals target computers without protection so as to infect them with malware. Home users are especially vulnerable to this kind of crime. Malware is malicious software that is designed to gain unauthorized access to a computer’s (or device like a mobile phone) system resources so as to commit data theft or invade someone’s privacy.

All these risks if not mitigated by way of ICT security can cause severe financial loss for businesses and individuals. These are the reasons as to why we have to secure our personal and business ICT systems.

WHY I.T. SECURITY IS A MAJOR BUSINESS ISSUE

2012-01-24T16:16:00.000+03:00

Not many Kenyan business owners are convinced that ICT security is a severe threat to their firms. Business people are more likely to appreciate and react to the current inflationary fluctuations, the weakening shilling, high labour costs and increased energy costs. Little will however be heard about ICT and its security. This is despite that ICT is the modern day ‘nervous system’ that coordinates the business processes of most companies.

ICT systems support business processes and the dependency ranges from Enterprise Management Systems (ERP) for performing integrated business processes, emails for communication and document workflows.

All these systems have users who perform various tasks for the business. These employees must be able to access these systems at the appropriate level. The restrictions imposed on the employees are important. For example communication systems like Outlook e-mail should only be used for business.

An ERP system like SAP usually contains financially and personal data that is sensitive. Who accesses what is of utmost importance to the business. Restrictions will for instance ensure that a user who raises an invoice cannot also approve and pay this invoice. This example illustrates the business issue of ICT security.

Most businesses unfortunately treat the granting of permission and authorizations as the sole responsibility of the IT department. Business management only become involved when a user discovers they can’t perform a business function, for example re-ordering stock.

Treating ICT security as the sole responsibility of the IT department is counter-productive to the business. The marketing, finance, production and human resource representatives should be involved in the authorization design process.

This is because it is the business that will ultimately bear the consequences of a poorly secured system. Incidences of internal fraud are increasingly carried out in the ICT systems businesses use. This is because of the high level of dependency they have on these systems.

However these fraudulent attacks are aimed at the business processes which are reliant on the ICT systems. It is therefore logical that the internal fraudster uses the systems to achieve the end result of defrauding the company. This means that mitigating the risk of fraud and financial misstatements is not a purely ICT issue.

There is no excuse for ICT security not to be well-understood by the business side. It is for both business and IT departments to take the responsibility for ensuring that security of their systems are aligned and prioritized as a business issue.

HOW TO PREVENT INSIDER SABOTAGE IN YOUR COMPANY

2012-01-24T16:15:00.002+03:00

All companies face risks to their businesses. Others succumb to them while others mitigate against these risks and prosper. There is however a soft underbelly for most companies. Their information and communication systems have emerged as critical vulnerabilities.

Preventing attacks to these systems is hard enough when faced with external attacks. Protecting an ICT system from an insider attack requires exceptional in-house ICT security capacity.

Stories abound of employees who have crippled companies through various activities. Sometime this year a disgruntled former employee of a pharmaceutical company in the US was charged with sabotaging the company’s IT infrastructure.

He had remotely logged into a hidden virtual server that he had created before he was dismissed. He used this server to take out all the company’s other servers for email, billing, stock control and others.

This is a nightmare scenario any Manager would want to avoid at all costs. How then can we protect ourselves against insider sabotage?

The first defense is separation of duties. This means having more than one person performing critical ICT tasks. It would therefore be difficult to commit fraud or sabotage the systems without collusion among the IT staff. It is advisable to augment separation of duties by implementing robust logging or monitoring systems that would record activity of critical systems.

Knowing who you are hiring to take care of your ICT systems is the second defense against internal sabotage. Doing background checks on potential employees is sensible.

If you hire a skilled database administrator who has a history of hacking, then you should be ready for the consequences when the inevitable hack happens. Employee vetting is a practice local firms should embrace as part of their hiring process.

Another line of defense is limiting the use of administrator accounts that are shared between IT staff. Administrator accounts are privileged user accounts that let the administrator make changes that affect other users. They can change security settings, install software, create email accounts and access all the files and systems in the company. A smart IT Manager will try and convince administrators that they don’t need keys to all the ‘digital gates’ in the company. This is because when a cyber crime happens it is usually the gatekeeper (administrator) who will be the early suspect.

Most incidences of ICT fraud and attacks are insider motivated. This threat should be addressed by all organizations that depend on ICT systems for their operations.

DON’T FORGET THESE FIVE IT SECURITY FUNDAMENTALS

2012-01-24T16:14:00.000+03:00

Whether you are thinking of protecting your personal data or safeguarding business data, there are five ICT security fundamentals that you should never forget.

The first one is never forgetting who uses what sensitive data. Data is not sensitive for all people across the board. A company’s strategic five year plan may be invaluable to investors and management but is quite useless to the messenger. Developing an inventory of sensitive data and who consumes the same is critical. This inventory will allow you to segregate data accordingly.

The second fundamental relates to the previous one and is the application of resources to its value. Once you have an inventory of our sensitive data you will have to apply various resources to protect it. A return on investment valuation on the security measures you will apply to various data categories needs to be conducted. For example what types of encryption will be purchased and applied for the various levels of sensitive data you possess.

The third fundamental concerns customer data. Never forget that retaining customer data is more of a risk than a reward. Service companies that retain huge databases of their customers should be aware of the high risk they expose themselves to especially if the data is widely accessible. An example would be that unprotected server that stores all the credit card numbers that your business has ever accepted.

The fourth fundamental that should never be forgotten is that the absence of a comprehensive regulatory compliance framework exposes all of us to undue risk. Various sensitive data elements exist in any organizations database for example medical records and credit card numbers.

We are yet to locally develop an all encompassing compliance framework that caters for data elements, for example medical records, in a particular sector and data as a whole in the marketplace. The Kenya Communications (Amendment) Bill, 2008 is not s sufficient framework.

Finally, don’t forget that risk assessments tend to understate the inherent risk of sensitive data. It is not sufficient to determine whether access controls, for example, are in place. The crucial point of focus should be measuring how effective any access controls that are in place can be used against a hacking attack.

A good example is password circumvention. This is done by employees so as to get around certain controls. A risk assessment will point this out. However taking it further by implementing data protection effectiveness metric will provide greater security.

HOW DO SMALL COMPANIES PROTECT THEIR ASSETS

2012-01-24T16:13:00.002+03:00

There has been a significant surge of small and medium enterprises that conduct their business online. They are to be found in varied sectors from delivery, call centers, software programming, insurance brokerage, money transfer and many others.

These SMEs (Small and Medium Enterprises) are primarily a product of the rapid development of the digital infrastructure in Kenya. Wider coverage, faster internet access and cheaper bandwidth, compared to satellite, have spurred their growth.

SMEs use technology as a business leverage that enables them to reduce operating costs, enlarge their market footprint in East Africa and ultimately achieve sustainable competitive advantage over their direct competitors.

SMEs have therefore invested heavily in ICT but this reliance on technology creates a number of problems for them. One of their biggest headaches is ICT security.

SMEs that do not employ ICT security measures usually find themselves the victims of online threats. Valuable strategic plans are stolen, denial of service attacks can be aimed at their services and many other online threats could befall them. This is due to the cut-throat competition in this size sector.

SMEs could mitigate against the ICT security risks by doing the following. Getting a secure hosting provider would be a sensible place to start.

SMEs depend on their websites as the front facing their customers. These websites usually contain their email addresses, e-commerce engines and other valuable data. These websites can be hacked into if a web provider is dodgy.

Another must-do is blocking of all unwanted traffic – completely. SMEs operate on tight budgets and online downtime is usually very expensive to the company. It is therefore crucial to keep out unwanted ‘online visitors’. This can be done through a firewall. A firewall is software that filters incoming (and outgoing) traffic and is able to shut down traffic that it deems suspicious. It protects your resident server from attack.

The last must-do concerns Secure Sockets Layer (SSL) certification. SSL is a protocol for transmitting documents via the internet. It uses a strong scrambling technique that ensures information (for example credit card numbers) remain confidential during transmission.

SMEs can engage the services of reputable international firms like VeriSign or Thawte to certify their sites as secure.

SMEs are the backbone of our economy and as e-commerce gains a foothold in Kenya the onus is on them to reassure potential customers that it is safe to click and buy from their websites. This can only be achieved if they internalize ICT security as part of their business fundamentals.

HOW TO PROTECT YOURSELF FROM VOICE-MAIL HACKING

2012-01-24T16:12:00.002+03:00

Mobile phone hacking is now a reality. Your SMS messages and contacts were considered the most important data in your phone. Voice-mail (or voice messaging) had previously been ignored as a potential risk until revelations in the recent U.K. phone hacking scandal proved otherwise.

Voice-mail is a computerized system for answering and routing telephone calls. It also records, saves and relays voice messages and can also be used to page a phone number.

Voice-mail uses Personal Identification Numbers (PINs) to authenticate and access the messages. These PINs are usually four digits in length. PINs are used in phone networks where caller-ID is not available. Caller-ID is a feature in the phone network that provides subscribers the name and telephone numbers of a caller that appears on a phone display.

When caller-ID is available in a network then this caller-ID is used to allow someone access their voice-mail boxes. Accessing someone’s voice-mail is possible by pretending to be the genuine caller. This impersonation is called caller-ID spoofing. By using special software that hijacks a caller-ID, you can surreptiously listen to someone’s voice messages.

It is imperative that mobile phone networks implement measures that mitigate the risk of voice-mail hacking through caller-ID spoofing. Various conventional measures can be applied for example notifying users of repeated/failed login attempts to their voice-mail accounts.

Our mobile network providers should use mobile phone network-IDs instead of caller-IDs for authentication because the former are harder to spoof (impersonate).
Another very effective feature mobile providers can employ is by not allowing the masquerading of a calling ID when it is the same as the called number. This will prevent an impersonator being automatically admitted by the mobile provider’s filtering process.

As a voicemail user there are a few things you could do to secure your voicemail. If you use a PIN for your voice-mail, change it regularly. Just like your computer passwords that have to be constantly changed, so should you do the same for your voice-mail box.

You should also disable voice-mail if you do not regularly use it. This ensures that messages are not left on your voicemail account without your knowledge.
You should also look out for voice-mail alerts that don’t exist. Ever received a voice-mail alert and when you listen to the messages it’s the old ones that are playing?

Voice-mail hacking is a present day reality. You should report suspected breaches to your mobile provider and the relevant authorities.

CALLER-ID SPOOFING IS ABLE TO DECEIVE YOU

2012-01-24T16:10:00.002+03:00

Most of our mobile phones have a feature that allows you to identify the caller. If it is the landlord you want to avoid, just add his number to your contacts and switch on the Caller-Identification (C-ID) feature.

Caller-ID (C-ID) transmits a caller’s name and number to the called party’s network provider which then forwards this information to your phone. You can then decide to either pick or reject the call. Caller-ID is based on the informed consent principle.

C-ID is a powerful feature if linked to a database. The recent attempt to register SIM cards owners was a step in the right direction. A database of SIM owners would have eliminated anonymous calling that is currently rampant.

By using a database of SIM card owners the network providers can be able to ensure that mandatory C-ID is enforced. All calls would have a name and number indicated. This is a simple solution that could have been implemented to stop the threatening calls mobile phone subscribers receive.

C-ID however can be circumvented by new technologies that allow criminals to masquerade as other people and present a false identity. This is called Caller-ID spoofing. C-ID spoofing is where a criminal makes the call appear to have come from any name and phone number the criminal chooses. Caller-ID spoofing software easily allows criminals to lie about their identity and present false names and numbers which can be used to blackmail, threaten and defraud unsuspecting victims.

Imagine how useful this technology would be to the Kamiti fraudsters out there. A criminal would, for example, be able to impersonate one or our banks and convince an unsuspecting account holder to part with their ATM PIN.

This insidious crime is already with us and Caller-ID spoofing software is readily available in the internet.

C-ID spoofing is especially rampant with Voice over Internet Protocol (VoIP) or IP telephony systems that are in use by many multinationals in Kenya. VoIP basically allows you to use an Internet Protocol (IP) network such as the Internet to communicate via phones. The threat posed by spoofing is considerably higher in these systems due to the distributed geographic nature of the internet. Legal jurisdiction challenges therefore ensue.

SIM Card registration and implementing Caller-ID across all our networks is our first line of defense against the anonymous callers. Combating Call-ID spoofing is the next step in ensuring that we can identify all the callers in our phone networks.

DID YOU KNOW THAT KEYLESS MOBILE PHONE SYSTEMS CAN BE HACKED

2012-01-24T16:09:00.000+03:00

Keyless or smart keys, for cars, have been around for some time now. Smart keys allows the driver to keep the keys in their pockets (or handbags) when unlocking, locking and starting the vehicle.

Keyless keys use proximity. As you approach the car your key is identified via one of the antennas in the car. A radio pulse generator in the key ‘greets’ your car and a ‘handshake’ ensues. The vehicle’s alarm is immobilized and the doors are automatically unlocked. Simply walking away from the car will initiate the lockdown process – door lock, alarm activation and complete engine shutdown.

The convergence of technology is best illustrated by the latest smart key – your smart mobile phone. The mobile phone as a smart key is currently confined to up-market cars but expect to see your Japanese model using it in the very near future. Your mobile phone will, very soon, evolve into the ubiquitous universal remote control device.

GSM mobile phones are using applications (apps) that provide the same functionality as the smart key. Mobile phones with the smart key are able to disengage the immobilizer and activate the ignition without inserting a physical key in the ignition. Communication between the mobile phone and with the vehicle’s receiver is software driven. This software is vulnerable to hacking.

A hacker can exploit vulnerability in the latest and most secure mobile phone standard today, the 3G/UMTS/WCDMA standard.

By reverse engineering the network and then closely monitoring it by using “sniffers”, it is possible to figure out the codes needed to send rogue commands to cars that use mobile phones as smart keys. This technique is popularly known as “war texting”.

By using a “souped-up” mobile phone it is possible to analyze a GSM network more extensively. Data received from the network can then be sent to a laptop in real-time. It would then be possible to send a random SMS to a mobile phone and obtain its network ID number. You can then use this information to attack the mobile phone that acts as a keyless key.

This exploit would then allow a hacker to send rogue commands from a safe distance.
As GSM and UMTS standards become more and more well known, security flaws and shortcuts of this network standard become more widely known among hackers.

As the mobile phone becomes a universal remote control device it is important to appreciate that technological advancement is usually accompanied by vulnerabilities.

DO YOU KNOW THE VALUE OF THE DATA IN YOUR PHONE

2012-01-24T16:07:00.000+03:00

You have most likely received those fraudulent SMS messages that try to con you out of your M-Pesa money. Social engineering is the primary technique used to ensnare the unsuspecting into sending money to these criminals popularly known as Kamiti conmen.

These ‘soft’ techniques will eventually become well known and the conmen will naturally innovate other methods of getting those PINs that reside in your mobile phone. They can do this in two ways – logically or physically.

You data can be pried out of your phone’s temporary memory (logically) or from your phone’s hard drive/flash card (physically).

Your temporary (or cache) memory is simply the information that disappears when you switch off your phone and is similar to the computer’s volatile memory. Examples would include your PINS, passwords or email messages.

Permanent data in your phone is usually stored in the internal drive or the flash card in most phones. This data remains there until physically changed, or deleted. The data is not lost when the power is turned off.

Temporary data (for example online banking or money transfer details) can be obtained from your phone by conducting a logical dump. This technique basically dumps all your temporary data into a destination within a few minutes. Obtaining a physical dump on the other hand is much easier because it simply entails the copying of your data that is stored in the internal drive or the flash card.

Another concern that you should be aware of is that data stored on some smartphones can be forensically restored or retrieved. Data stored on physical media such as the phone’s internal drive, or its flash card, can be restored even after deletion. This data can, for example, be deleted voicemail messages, emails, SMS messages, calendar events, deleted photos and typing cache (where an SMS can be retrieved even if the SMS was deleted before sending).

The main point to note is that the data in your phone is worth more than your phone many times over. This data can be obtained overtly and covertly. Deleting it does not mean it can’t be retrieved.

The sheer amount of your personal data that is in your mobile phone is enormous and how you protect it should be of paramount concern to you.

HOW A ROBOT ATTACK IS CONDUCTED ON YOUR MOBILE PHONE

2012-01-24T16:01:00.000+03:00

It is exciting to be back after that brief hiatus. Welcome back readers and kudos to the Editor and the Management for giving us back our bullhorn.
Within the brief period we were away much has happened in the ICT security world.
One major development that you could not have missed is how important our phones have become.

Criminals have realized that the data in your phone is intrinsically more valuable than the phone itself. This is because your mobile phone has become ‘smart’ and has morphed into a portable computer among other devices. This is called convergence.
This has spawned an increasing number of attacks targeted at our phones. Your contacts, M-Pesa and banking details are increasingly sought after.

Basically your phone is now your computer, television, diary, photo album, bank, ATM and many other functions. If your phone can do all these things, and more, it is only sensible that you protect it. The problem is that we all know we need security software for our personal computers, but how many of us have protection for our phones.

So as to appreciate why you need this protection we shall examine the mobile phone threats that exist out there in this article and the near future.
At the start of 2010 the first real and genuine threat to the mobile phone was reported. This was the Zeus virus that was designed to steal banking details of mobile phone banking users.

Since then attacks on mobile phones have increased in complexity and frequency. One of the most potent threats to your mobile phone today is the Bot attack. A Bot is a program that allows an attacker to gain complete control of your phone and renders it a zombie or robot (hence the term Bot).

Apart from stealing your banking or M-Pesa details, Bots can do other insidious things like listening to your calls or sending SMS messages to those numerous SMS based competitions. They can also make surreptitious calls without your knowledge. Ever wondered why your phone intermittently gets hot or your credit balance has unusually gone down?

Your phone gets infected through chain sms messages, downloaded songs/videos and by visiting pornographic websites with your phone.

The mobile phone Bot business model is surprisingly quite solid. There exist Bot herders who co-ordinate infections and then hire out these zombies (infected phones) to cyber criminals to use as a route to fleece unsuspecting victims.

It makes logical sense that the so called Kamiti phone criminals who are currently engaged in rudimentary M-Pesa fraud and sending out of phishing sms messages will want to expand their businesses by graduating to Bot attacks.

KE–CIRT (Kenya Computer Incident Response Team)

2012-01-24T15:59:00.000+03:00

The Kenya Information and Communications Act CAP411A mandates the Communications Commission of Kenya (CCK) to develop a national cyber security management framework through the establishment of a national Computer Incident Response Team (CIRT). In this regard, the Commission has setup the Kenya Computer Incident Response Team (KE-CIRT) whose mandate is to coordinate response to cyber security incidents nationally and to collaborate with relevant actors locally, regionally and internationally in the management of cyber incidents. The KE-CIRT is also the national cyber security management point of contact for Kenya and is under the authority of the CCK.

Vision
To make the Internet secure, to develop a world-class security and information base and to become a publicly accessible forum for Internet and computer security.

Mission
To assist in the development of the Kenya information Society by making the use of computers and the Internet safer.

Stakeholders
In executing its mandate, the KE-CIRT works with various local stakeholders including various government agencies, the private sector, academia and civil society. The current KE-CIRT stakeholders are as follows:
The various law enforcement agencies;
The Directorate of E-Government;
The Kenya ICT Board;
The Kenya Network Information Centre;
The Telecommunication Service Providers Association of Kenya;
The Kenya Education Network;
The Central Bank of Kenya.

Constituency
Among other services, the KE-CIRT is responsible for responding to incidents targeting government entities and the general public.

Functions
The KE-CIRT is the national focal point for coordinating information flow, response to cyber attacks and remediation of cyber security incidents for Kenya and its role includes the following:
Coordinating response to cyber security incidents nationally;
Liaising with local sector CIRTs, regional & international cybersecurity management entities through forging partnerships;
Facilitating the development of a national Public Key Infrastructure (PKI);
Gathering and disseminating technical information on computer security incidents, vulnerabilities, security fixes and other security information, as well as issuing alerts and warnings;
Building capacity and creating awareness on cyber security best practice;
Facilitating the deployment of a national PKI framework ;
Research & Development on information (cyber) security.

Contact Information
Please report any cyber security incidents by sending an email to: cirt@cck.go.ke

You can also reach us on the following numbers: +254 20 42 42 000 or +254 703 042 000 (ext. 446).

EXPERTS INVESTIGATE CYBER ATTACK ON GOVERNMENT SITES

2012-01-18T21:57:00.000+03:00

EAStandard - Wednesday, 18th January 2012

By Cyrus Ombati

Cyber crime experts are investigating a hacker who took down 103 Government of Kenya websites in an attack on Monday night.

A Kenyan expert aware of the incident said an Indonesian hacker known as direxer was responsible for the hacking.

Among the ministries affected include the Ministries of Local Government, Livestock, Environment, Fisheries, Housing, and Industrialisation.

Others are ministries of Finance, Education, Public Health, Youth Affairs, National Heritage and Roads; as well as sensitive departments such as Administration Police, Immigration, Prisons and various city, municipal and county councils.

According to the local CIO, a technology magazine, the government normally hosts several websites in one server at The Treasury, Ministry of Finance.

Reports said the hacker is part of an online Indonesian security forum known as Forum Code Security and says he took down the websites following tutorials from the forum.

Such tutorials usually exploit programming errors in code, known as bugs, which have not been fixed.

A Cyber Incidence Response Team (CIRT) based at the Communications Commission of Kenya (CCK) has moved into action and was making efforts to restore the affected websites.

The CIRT was formed to handle such situations and ensures Kenya's security in cyber space. Officials at the commission said the experts had located the hacker who appears to have a website at http://www.direxer.com/,

A message he left on the Forum Code Security site said: "show off by me… thanks for tutorial in www.code-security.com all… i have exploit from cs web, and i attacking to server Government Kenya,,,, and then,,, success full… this is deface in this night…"

According to the local CIO, a technology magazine, the government normally hosts several websites in one server at The Treasury thus compromising the server may expose several websites to a hacker.

On his site the hacker said, "and I will carry out attacks on other servers if the Government is still neglecting security. My Security Code on behalf of Indonesia, Security is a necessity."

It is not the first time that some of the affected websites were hacked in the Monday night incident. Some of them were yet to start running while others are now functioning. The affected sites were:

http://www.administrationpolice.go.ke/index.html
http://www.aideffectiveness.go.ke/index.html
http://www.bungomacounty.go.ke/index.html
http://www.businesslicense.go.ke/index.html
http://www.cak.go.ke/index.html
http://www.commstaskforce.go.ke/index.html
http://www.cooperative.go.ke/index.html
http://www.crd.go.ke/index.html
http://www.crisisrcentre.go.ke/index.html
http://www.ditkenya.go.ke/index.html
http://www.doshs.go.ke/index.html
http://www.economicstimulus.go.ke/index.html
http://www.eldoretmunicipal.go.ke/index.html
http://www.emu.go.ke/index.html
http://www.education.go.ke/index.html
http://www.environment.go.ke/index.html
http://www.filmservices.go.ke/index.html
http://www.fisheries.go.ke/index.html
http://www.forestryandwildlife.go.ke/index.html
http://www.gender.go.ke/index.html
http://www.governmentpress.go.ke/index.html
http://www.greenenergy.go.ke/index.html
http://www.housing.go.ke/index.html
http://www.ifmis.go.ke/index.html
http://www.immigration.go.ke/index.html
http://www.industrialization.go.ke/index.html
http://www.isc.go.ke/index.html
http://www.iprs.go.ke/index.html
http://www.itentambachtowncouncil.go.ke/index.html
http://www.itmis.go.ke/index.html
http://www.kenao.go.ke/index.html
http://www.kapsabetmunicipal.go.ke/index.html
http://www.kenyayearbook.go.ke/index.html
http://www.kerugoyakutusmunicipal.go.ke/index.html
http://www.kesi.go.ke/index.html
http://www.kipi.go.ke/index.html
http://www.kisumucountycouncil.go.ke/index.html
http://www.kirinyagacountycouncil.go.ke/index.html
http://www.kitalemunicipal.go.ke/index.html
http://www.kituimunicipal.go.ke/index.html
http://www.kkv.go.ke/index.html
http://www.knfparms.go.ke/index.html
http://www.knsdi.go.ke/index.html
http://www.kntc.go.ke/index.html
http://www.laikipiacountycouncil.go.ke/index.html
http://www.lands.go.ke/index.html
http://www.leatherdevelopmentcouncil.go.ke/index.html
http://www.limurumunicipal.go.ke/index.html
http://www.livestock.go.ke/index.html
http://www.lodwarmunicipal.go.ke/index.html
http://www.maraguacountycouncil.go.ke/index.html
http://www.mariakanitown.go.ke/index.html
http://www.maurestoration.go.ke/index.html
http://www.migoricountycouncil.go.ke/index.html
http://www.minesgeology.go.ke/index.html
http://www.mirp.go.ke/index.html
http://www.monitoring.go.ke/index.html
http://www.moyalecountycouncil.go.ke/index.html
http://www.murangacounty.go.ke/index.html
http://www.murangamunicipal.go.ke/index.html
http://www.nairobicity.go.ke/index.html
http://www.naivashamunicipal.go.ke/index.html
http://www.nakurucounty.go.ke/index.html
http://www.nationaldisaster.go.ke/index.html
http://www.nationalheritage.go.ke/index.html
http://www.nccs.go.ke/index.html
http://www.nec.go.ke/index.html
http://www.northernkenya.go.ke/index.html
http://www.nyandaruacountycouncil.go.ke/index.html
http://www.othayatowncouncil.go.ke/index.html
http://www.pec.go.ke/index.html
http://www.pfmr.go.ke/index.html
http://www.pghnyeri.go.ke/index.html
http://www.pharmacy.go.ke/index.html
http://www.prisons.go.ke/index.html
http://www.psrpc.go.ke/index.html
http://www.publichealth.go.ke/index.html
http://www.publicservice.go. ke/index.html
http://www.publicworks.go.ke/index.html
http://www.reformskenya.go.ke/index.html
http://www.refugees.go.ke/index.html
http://www.regional-dev.go.ke/index.html
http://www.roads.go.ke/index.html
http://www.rprlgsp.go.ke/index.html
http://www.scat.go.ke/index.html
http://www.scienceandtechnology.go.ke/index.html
http://www.singlewindow.go.ke/index.html
http://www.sprogrammes.go.ke/index.html
http://www.tabakatown.go.ke/index.html
http://www.tanathi.go.ke/index.html
http://www.tfdg.go.ke/index.html
http://www.technologycentre.ac.ke/index.html
http://www.theenergytribunal.go.ke/index.html
http://www.thekenyawewant.go.ke/index.html
http://www.thikamunicipal.go.ke/index.html
http://www.transformingkenya.go.ke/index.html
http://www.treasury.go.ke/index.html
http://www.ugunjatown.go.ke/index.html
http://www.ukwalatown.go.ke/index.html
http://www.westernkenya.go.ke/index.html
http://www.vihigamunicipal.go.ke/index.html
http://www.works.go.ke/index.html
http://www.youthaffairs.go.ke/index.html

HACKERS STEAL ICC WITNESS EMAILS - THE STAR OF SATURDAY, 10 SEPTEMBER 2011 00:04 BY MATHEWS NDANYI

2011-09-10T18:34:00.000+03:00

INTERNET spies have hacked into the email of ICC witnesses. Two witnesses under protection abroad confirmed yesterday that some of their emails had leaked and their confidential information was being circulated by some individuals. The hackers have now been able to identify the witnesses putting their security at risk. The hackers also gained access into the email communications of two human rights groups handling issues of the 2007-08 post-election violence in the Rift Valley. The Centre for Human Rights and Democracy and the Centre Against Torture are both based in Eldoret.CHRD programmes officer Nick Omito reported the matter to police in Eldoret where investigations have been launched. Eldoret deputy police boss Benjamin Onsongo said they would investigate the matter after recording statements from the complainants. “This may expose us to serious security risks and we have reported to the authorities to see how we can deal with the matter,” said one witness who expressed fear for his life.The two witnesses whose emails were hacked are from the Rift Valley region. Those responsible for the hacking are said to be people inside Kenya with interest in the hearings at the International Criminal Court. Omito said confidential information from CHRD had been leaked out and was being circulated on the internet.He said the NGO had taken action to protect sensitive information that the hackers were targeting from the CHRD email addresses. “Such acts are dangerous and obviously expose us to security risks,” said Omito. He said the hacking would not deter the CHRD from fighting for human rights and justice.The hacking comes two months after burglars broke into the CHRD offices in Eldoret and stole computers and laptops containing information on the post-election violence. Police are still investigating that break-in and theft. CAT offices were also raided and several items stolen from their office which has since been relocated for security reasons.One hacked email from a witness indicates he is dissatisfied with the protection programme under which they have been placed in various European countries. The hacking took place from last week as the ICC confirmation hearings began at the Hague. Eldoret North MP William Ruto, Tinderet MP Henry Kosgey and Kass FM radio presenter Joshua arap Sang appeared for the confirmation hearings which will determine whether they should face charges of crimes against humanity in a full trial. Deputy Prime Minister Uhuru Kenyatta, Head of Civil Service Francis Muthaura and former police chief Hussein Ali are scheduled to appear next at The Hague from September 21.In May I published the below article in the EAStandard about the need to protect your e-mails titled DO YOU KNOW HOW TO PROTECT YOUR E-MAIL?E-mails are no longer the novelty they used to be a few years ago. Apart from enabling social communication, e-mails have also become integral to businesses. Environmental concerns have also contributed to the commonality of e-mails. In an effort to conserve the environment computer users are exhorted to use e-mails instead of paper correspondence. All these factors have contributed to the acceptance of electronic messaging.We have gotten so used to e-mailing that we send them across an insecure internet without a second thought. We attach private testimonials, sales figures, marketing plans and other confidential files to our e-mails, hoping that no one opens them. Sending these unprotected emails is usually convenient in the short-term. However this insecurity can be very costly in the long-term. Ensuring that only the intended recipients are able to receive your e-mails requires secure e-mail transmission technology. The average computer user can employ various solutions and one of the most effective is S/MIME (Secure/Multipurpose Internet Mail Extensions) that is installed on individual PCs. This is a protocol that secures your emails by using digital signatures and encryption. By digitally signing an e-mail it is possible to prove who the sender of that e-mail was. However this does not stop anyone from reading it as it transits through the internet. Encryption then comes in handy by making sure that the e-mail is unreadable during transit. The signing works in tandem with the encryption and this makes it extremely difficult to intercept and read the e-mail. For free to use web-based emails PGP (Pretty Good Privacy) is another appropriate solution for that ordinary computer user. It is a signing and encrypting software that works well with the popular browsers like Firefox, Mozilla and Netscape and is widely used for encrypting and securing e-mails. The fundamental difference is that it embeds with your browser.Another solution would be to implement centralized encryption protocols that shift the encryption functionalities from the individual desktop to a dedicated e-mail gateway. An e-mail gateway is a server that connects two or more electronic mail systems and transfers messages between them. Encryption technology is integrated into these servers with other security components such as virus scanners and firewalls. This solution is however highly complex and expensive and would be unsuitable for the ordinary computer user.Whichever security solution you opt for remember that e-mails are increasingly targeted by hackers nowadays.

2011-01-09T20:52:00.002+03:00

We are witnessing a historical occasion in South Sudan. Kenya-Byte wishes our brothers and sisters blessings and support in their quest for self-determination.

Mention South Sudan and ICT in one sentence and you have to acknowledge the contribution of the indefatigable Shem Ochuodho. Having pioneered the Internet in Kenya he has gone on to assist South Sudan join the digital world. Kudos Shem!!!

Kenya Police Website Hack

2011-01-07T08:13:00.004+03:00

Nice touch of irony here.

The Kenya Police website was hacked this month - twice. This is definitely a security issue.

The grapevine has it that this was as a result of a local hacking competition.

Reverse DNS points it to a local telco's IP pool.

Kachumbari Remembered

2010-09-08T12:10:00.004+03:00

Four years have passed on...Kachumbari - The True Kenyan Villager...we remember.

HOW TO CONVERT KSHS INTO DOLLARS THROUGH A BANK EFT

2010-09-08T11:51:00.004+03:00

I read an interesting article in the EAStandard of September 8, 2010. It's about an interesting fraud where money was transferred from several banks in thousands of shillings only to be received by another bank in millions.

An example was KShs 388,400 which was transferred from an account at the Co-op Bank, Kimathi Street destined for KCB, Moi Avenue. The destination account in KCB was credited with USD 388,400 (KShs 30,295,200).

Another transaction involving USD 96,800 had been transferred from another bank in KShs but credited into a KCB account at UN Gigiri branch in dollars and withdrawn immediately.

An interesting question immediately popped up in my mind – How did they do it?

We can of course glean that this is a simple, yet brilliant, play on the currency field. There is definitely a system breach involved here. What I don’t know is whether the inter-bank Electronic Funds Transfer system could have been breached (insider attack) or whether a man in the middle attack occurred.

Help me fill in the blanks. Is there any IT or banker guy out there who can outline a likely scenario on how such a fraud can take place?

ANATOMY OF A SUCCESSFUL INTRUSION – IN YOUR LANGUAGE

2010-09-08T11:14:00.001+03:00

Have you wondered what all this fuss about hacking is about? You might have asked yourself what is hacking and how is it done. The hacking process is really quite simple. You can compare it to a burglary because the concept is basically the same. A burglar will ask himself how and when he will break in, what is he looking for and how can he cover his tracks so that he is not caught.

Hackers are abit more systematic so they break down their attacks similar but more explicit stages: Stage 1 is gathering information about the target system; Stage 2 is an analysis of this gathered information; Stage 3 entails researching of the target system’s vulnerabilities and the fourth and final stage is the implementation of the attack. This modus operandi is universal and can be successfully transplanted into any other criminal activity. Understanding and adhering to these stages means that twenty five percent of your job is done and dusted, even before you begin.

Let’s begin with the first stage, gathering the relevant information about the target company and its computer systems. At this stage any kind of data is relevant. Knowing the company’s business core activity, the Board/Management structure, the physical location, branch locations, the approximate number of employees, product range and computer system infrastructure details are obtained.

Sources of information include websites, financial statement reports, discarded documents and of course the employees (through social engineering). Gathering of information also means the hacker has to determine how many computers are publicly exposed to the internet. Among this is the web server which is usually a good starting point. Scanning is done by using various software tools akin to the burglar’s “bag of tricks”. The scan results will outline the system’s characteristics, for example, the open ports, its internet location, the IP addresses of its computers and whether the web server (that hosts the company website) is in-house or not.

The second stage is the analysis of the information obtained. At this point the hacker wants to determine where to apply his most effort. Should the emphasis be more towards social engineering? Or should it be at hacking away, in ungodly hours of the night, trying to find out the vulnerabilities of the targeted computer system. A simple example would be where the hacker learns that the senior system administrator usually visits a certain bar every evening. The next step is to find out whether he carries his laptop home. The hacker can observe the said employee leaving the premises to establish this fact. Better still is to pretend that he is colleague and he makes a call to the office security (some minutes after 5pm) asking whether they have seen the said laptop the system administrator told him to collect from the office. They will unwittingly tell you that they saw him leaving with it.

Next step will be to break-in to his car when he’s inside the bar. This will save the hacker vital time because he will obtain crucial access data like passwords from the stolen laptop. The data from such a laptop, if relevant to the attack, would negate the next stage which is researching the vulnerabilities of the company’s systems.

The sole objective of this next stage is to determine the vulnerabilities of the systems so as to exploit a discovered vulnerability to gain entry. The experienced burglar also conducts this stage by either visiting the premises to find out which window is usually left unlatched at night or uses an insider to describe the vulnerabilities of the house. The hacker does the same.

DID YOU KNOW YOU THAT YOU CARRY A LOCATIONAL DEVICE EVERYWHERE

2010-09-08T11:02:00.001+03:00

If you have been recently keeping track of crime news reports in Kenya, you will have noted that there has been an increase in using mobile phones to apprehend criminals, for example Onyancha. Just like everyone else, criminals have woken up to the fact that we are all in a wireless grid that can work for and against them. Among all wireless technologies available the mobile phone has had a profound impact in all facets of our lives, especially the criminal underworld.

The mobile is now an integral component of the overall security component of individuals and organizations. The potential for its abuse as a tracking device makes it an information security issue. That is why locational tracking via mobiles, is a security concern we should all be aware of.

Before I outline the security implication of carrying that mobile, allow me to outline the coming locational services that might be on pipeline for implementation in the near future.

The mobile has become a platform on which various services are been bundled into. M-Pesa (money transfer), Skiza tunes/downloads and commodity price checking are among the most popular. Services based on the location of the mobile phone are the next frontier. These services are known as Location Based Services (LBS). Various applications have been developed in the context of LBS for example weather reporting. Once a mobile user enters a new area, the weather report of that area will be sent to your mobile. So if you are a truck driver you will be able to receive weather updates each time you cross a province or country.

Another very important location service is the Wireless Emergency Services (WES). When a mobile user calls the emergency 112 number, the location of the caller is determined by the service provider through the Automatic Location Identification (ALI). This location is then forwarded to the police or emergency responders. These locational services will really improve the quality of our lives especially in health and criminal emergencies like road accidents and carjacking.

It is evident that the benefits of location tracking can assist many Kenyans. Using ALI to track kidnappers, rapists and their ilk provides an immediate benefit to the society by swiftly tracking and removing criminals from our midst. There is however a flip side to this situation. Whereas ALI provides evident benefit it also poses a serious personal risk to mobile users. This facility, if abused, can be detrimental to innocent mobile users. In this age of interconnected networks (internet, GSM, CDMA etc) the security structures that are needed to protect this feature, by service providers, should be scrutinized in the interest of public good.

Various scenarios come to mind. Imagine a demented individual wants to stalk a spurned lover or a disgruntled employee wants to get back at the employer who laid him off. Accessing ALI to locate a potential victim would be possible from both the human and technological access points. Hacking into a service provider’s telecommunication system would allow a hacker to sell real-time locations of people to criminally intent people. By using social engineering techniques and outright threats, employees of service providers who maintain the ALI system, would be vulnerable to blackmail and physical harm.

There is definitely a greater good in using location mobile tracking to combat crime. We should however be cognizant to its potential abuse. As a consequence ethical and legislative frameworks should be developed to ensure that ALI is only used for the greater good of the Kenyan society.

HATE MESSAGES – DO YOU KNOW HOW THEY CAN TRACK YOU?

2010-05-08T18:09:00.000+03:00

The 2005 Referendum and 2007 election introduced Kenyans to a vile form of mass misinformation - the insidious power of hate messages.

It was the propagation of these hate-filled messages that inflamed Kenyans against each other in both instances.

To be able to prevent a repeat, we must understand why mobile telephony and the internet have become such powerful tools of incitement.

Group Action in Hate Messages
The telephone and television (old media) are one-way communication technologies that do not allow groups to be created and organised rapidly. This is because creating a group and mobilising it around a cause by using a television is not sustainable.

This is because a group has connections which have to be constantly maintained and the old media was not designed to nurture these interpersonal connections.

Mobile phones and the internet (new media) depart from the old media in that they enable near real-time two-way communication. Creating a group using your mobile phone has never been easier. Of more fundamental importance is the ease at which you can maintain connections to a group.

Having a group conversation with 500 like minded people is as easy as clicking a “Send” button in your mobile or selecting multiple e-mail addresses. The ability to ignite collective action by using new media will only increase in the future and this is the reason why hate messages were so effective in 2005 and 2007.

Investigating Hate SMS messages
SMS (Short Message Service) is a service for sending short messages of up to 160 characters to mobile devices. The transmission of SMS messages involves an SMS center (SMSC) which is responsible for forwarding the SMS messages to their destination(s).

The main duty of an SMSC is therefore to route SMS messages and regulate the process. For instance, if a recipient’s mobile phone is switched off, the SMSC is the one that stores the message and re-forwards it when the recipient’s phone becomes available. SMS centers are gradually being replaced by SMS routers that offer a more intelligent forwarding process apart from increased capacity.

When tracking SMS messages the main challenge is in the storage of these messages due to the high storage costs involved. Since it is not logical to retain these messages the other solution is to have rules that are triggered when certain conditions are met. These rules are located in sophisticated SMS routers and firewalls.

For instance, an SMS firewall/router can be programmed to filter messages from a particular origination to destination point. They can also have alarms that respond to specific content, for instance certain keywords such as kill, murder, gun etc. Another likely rule that can be implemented is where a spike in SMS traffic from a certain known political hot-zone can trigger an alarm that initiates SMS message monitoring and retention.

Once these rules are triggered it would then be possible to segregate these messages for onward investigations. It would then be easy to store and determine the details of the sender and recipient such as phone number and last known cell location.

Investigating Hate E-Mails
E-Mails (or electronic mails) are text messages sent through a computer network to a specific individual or group. These messages used to be sent from one computer to another. Nowadays the writing and transmission of these messages includes other devices for example the mobile phone and the television.

Sending hate e-mails is fraught with danger because tracing an e-mail is possible. E-mails are composed of two parts, a header and the body. An e-mail header contains information about the email’s origin for example who sent it, where it came from and the path it took. This can roughly be compared to the stamped envelope from which you can tell where a letter came from. The body of the e-mail contains the message that you read.

The header is very useful in tracking the origin and sender of an email, even if the sender might have forged various aspects of it. Since the header is a detailed log of a message’s history, investigators usually commence investigations here.

If you have a Yahoo account you can view headers of e-mails you have received by opening any e-mail in the Inbox. Scroll down to the bottom of the page. On the bottom right you will see a link titled Full Headers. Click on it once. The page will immediately rebvert to the top and you will see a list of common headers for example X-Apparently-To, Return-Path, X-Originating-IP and many others.

All these headers can assist in tracing the origin of an e-mail. X-Originating-IP, for example, indicates the IP address of the computer on which the e-mail originated. Internet Protocol (IP) address is a numerical label that is assigned to a device that is in a computer network.

Once you have an IP address, from an e-mail header, you can use various websites like LookupIP, that can indicate the service provider and location of that IP number (the sender).

Of course, much more work is needed thereafter to nail the offender but with this as a starting point it won’t be impossible to put a face behind that hate e-mail.

Conclusion
During this period of intense political activity, sending hate laced SMS messages and emails will be a very risky venture. The Government however needs to do more than threaten potential broadcasters of tribal hate. They should build capacity to investigate and prosecute these perpetrators. The legislative framework is now in place. What is lacking is the investigative capacity. A fully fledged High Tech/Cyber Crime Unit of the Kenya Police should be formulated and equipped to handle this nefarious form of crime.

HATE MESSAGES

2010-05-08T18:07:00.000+03:00

A list of 1,700 phone contacts of various Kenyans was compiled by the government after the 2007 post election violence. These are the people who created and forwarded hate messages meant to incite people to tribal violence. Prosecuting them was not possible, then, due to the absence of a legislative framework.

The Kenya Communications (Amendment) Act, 2008 refers to an offensive message as a message or other matter that is grossly offensive or of an indecent, obscene or menacing character. Where a text is offensive, the sender becomes liable to a sentence of up to three months or a fine of up to Shs 50,000.

Cyber and conventional crime share a fundamental concept; evidence is a primary determinant of innocence or guilt. Locard’s exchange principle applies to the real and virtual worlds. This principle is applied to crime scenes and states that when the perpetrator of a crime comes into contact with the scene, he/she brings something into scene and leaves with something from the scene. Every contact leaves a trace. Every e-mail or SMS sent leaves a trace.

The Penal Code makes it criminal for anyone to use threatening, abusive or insulting words or engaging in provocative acts or breach of the peace.

DO YOU KNOW HOW TO PROTECT YOUR E-MAIL?

2010-05-08T18:06:00.000+03:00

E-mails are no longer the novelty they used to be a few years ago. Apart from enabling social communication, e-mails have also become integral to businesses. Environmental concerns have also contributed to the commonality of e-mails. In an effort to conserve the environment computer users are exhorted to use e-mails instead of paper correspondence. All these factors have contributed to the acceptance of electronic messaging.

We have gotten so used to e-mailing that we send them across an insecure internet without a second thought. We attach private testimonials, sales figures, marketing plans and other confidential files to our e-mails, hoping that no one opens them. Sending these unprotected emails is usually convenient in the short-term. However this insecurity can be very costly in the long-term.

Ensuring that only the intended recipients are able to receive your e-mails requires secure e-mail transmission technology. The average computer user can employ various solutions and one of the most effective is S/MIME (Secure/Multipurpose Internet Mail Extensions) that is installed on individual PCs. This is a protocol that secures your emails by using digital signatures and encryption.

By digitally signing an e-mail it is possible to prove who the sender of that e-mail was. However this does not stop anyone from reading it as it transits through the internet. Encryption then comes in handy by making sure that the e-mail is unreadable during transit. The signing works in tandem with the encryption and this makes it extremely difficult to intercept and read the e-mail.

For free to use web-based emails PGP (Pretty Good Privacy) is another appropriate solution for that ordinary computer user. It is a signing and encrypting software that works well with the popular browsers like Firefox, Mozilla and Netscape and is widely used for encrypting and securing e-mails. The fundamental difference is that it embeds with your browser.

Another solution would be to implement centralized encryption protocols that shift the encryption functionalities from the individual desktop to a dedicated e-mail gateway. An e-mail gateway is a server that connects two or more electronic mail systems and transfers messages between them. Encryption technology is integrated into these servers with other security components such as virus scanners and firewalls. This solution is however highly complex and expensive and would be unsuitable for the ordinary computer user.

Whichever security solution you opt for remember that e-mails are increasingly targeted by hackers nowadays.

DO YOU KNOW WHO OWNS THAT BUNCH OF KEYS?

2010-05-08T18:05:00.000+03:00

Sometime in the not too distant past we used to lock secret office documents in metal file cabinets. The more powerful a manager the more keys that he or she used to carry and jangle. Juniors generally had only one key, the one that opened their desk drawer. Fortunately those days are long gone and that huge bunch of keys disappeared and no longer denotes seniority. However the concept is still with us albeit with an electronic twist. Instead of those physical keys we now have electronic keys which are passwords and seniority is denoted by the privileges that are assigned to these passwords.

The most widely known password with maximum privileges in hardware and software is the administrator. In databases it is the Database Administrator (DBA) and in a Unix platform it is the root. Passwords with these privileges are our modern bunch of jangling keys because where you are on the corporate hierarchy is directly proportional to the system password privileges you have.

Knowing how many of these privileged passwords exist and who is assigned to them is an information security priority for any organization. It is therefore important to conduct an inventory of these passwords.

With the existence of a multi-layered information technology framework in most organizations, conducting an inventory of these passwords is not as easy as it sounds. The starting point would most likely be the PCs which come with administrator privileges that can access the computer without restriction. Beyond that are privileged passwords for firewalls, servers, routers, databases, anti-virus programs etc.

The dangers and risks inherent in these privileged passwords cannot be understated. Anybody with the slightest interest can Google and search about privileged identities. It would then be possible to learn how to acquire them by using pre-written software scripts freely available in the internet.

Regulations, therefore, need to be implemented. In organizations where password regulations are absent, or lax, the IT security and audit departments are wholly responsible.

The best practice is to implement regulations that tie privileged identities to personal ones, and have the paper trails as a backup.

In sum, a security conscious organization should firstly conduct an inventory of the privileged passwords. Secondly any activity performed by these passwords should be tied to real-life individuals. These two aspects can be achieved by the use of automated software solutions that are readily available in the internet.

ARE YOUR COMPUTERS PART OF A BOTNET CONSPIRACY

2010-05-08T18:04:00.000+03:00

Cyber-criminals in Kenya are very much in tune with global criminal trends. The perpetrators of cyber-crime can generally be loosely divided into two categories. The first one consists of traditional crime organizations that have discovered that cyber-crime can be lucrative. These traditionalists have an established hierarchy and can be national or global depending on the availability of computer skill sets within the organization.

Cyber-crime to these traditionalists is another revenue stream like kidnapping, burglary, mugging amongst many others. The form of cyber-crime that these traditionalists engage in includes credit card skimming, identity theft and general fraud. Good examples, in Africa, are the Nigerian criminal organizations whose cyber-crime tentacles undoubtedly reach into Kenya.

The second group consists of skilled hackers who initially get together for other reasons apart from money. The initial motive might be to share technical knowledge but with time the collective goal translates into obtaining money illegally. This group is loosely structured and engages in technically demanding cyber-crimes for example hacking, denial-of-service attacks, coding of viruses and others.

There are a number of cyber-crimes that are perpetrated by both the traditionalists and the skilled hackers. One of them is the creation and control of botnets.

Botnets, also called bots, are malicious software programs that are loaded on a target system unbeknownst to the victim. This malicious software is installed through viruses like Trojans. Once a computer is infected with a botnet virus it is controlled through the back door. Infected computers are then controlled to distribute more malicious software such as keyloggers and forward transmissions such as 419 scams and spam.

Businesses have to be aware of botnet attacks because these attacks can spread like a pandemic across an organization. They therefore have to consider a botnet attack when evaluating risk. There are various ways businesses can protect themselves from these botnet attacks. They should participate in information sharing with law enforcement agents so as to better understand these threats. Secondly they should conduct stringent employee background checks. This will reduce exposure to criminal activity from inside.

Businesses should also implement a combination of detection, incident prevention and management. This means sensitive data should be secured with need-to-see access. Separation of duties should be enforced and strong authentication mechanisms employed.

The internet is simply a new medium to commit old crimes and botnets are a new vehicle. Botnet crime is a serious threat and local businesses should protect themselves.

HAVE YOU LEFT YOUR BACKDOOR WIDE OPEN?

2010-05-08T18:03:00.000+03:00

We all know what a backdoor is. If you live in a house with a backdoor you will understand the concept of locking it before leaving the house. Going back to make sure it is locked is normal. This is because an open backdoor ranks very high as a serious security vulnerability in the home. This same concept applies to the computer.

In computing, a backdoor (or trapdoor) is an undocumented way of gaining access to a program, online service or computer. This access is achieved by the use of hidden software tools to bypass security controls thereby allowing unauthorized access. Common software tools used in backdoor attacks are spyware and Trojans.

A frequent method of the backdoor attack can be found in emails where spyware is attached to innocuous looking attachments. Once you open the attachment, spyware is immediately downloaded. It then proceeds to sniff out installed firewalls in your computer or network. Once it recognizes a firewall, it attacks and disables parts of it. This allows an unauthorized remote attempt to access that particular computer or network.

Backdoors should be a special security concern for Kenyan companies. It is common knowledge that many IT employees usually have backdoor access to their former employer’s data and systems.

The IT sector in Kenya is as volatile as any other and employee turnover is quite high. This is bad news for employers because protecting sensitive company data becomes harder where former IT employees are concerned. Procedures and policies have to be constantly developed and refined to safeguard the company against backdoor attacks by former employees.

The responsibility for protecting a company’s digital jewels ultimately lies with the top management. However the first people who should come under serious scrutiny where backdoors are concerned are the IT security staff. It is their job to ensure that any employee who had privileged access to company data does not leave the company with a backdoor open.

In the past when everything was committed to paper you would find strong metal cabinets or safes in the office in which files were locked. Nowadays everything is digital but it still needs to be locked away in a digital vault. Forgetting to lock the backdoor to this vault is bound to happen and someone should constantly be going back to check whether it is locked.

IS IT TIME TO ACCEPT IDENTITY MANAGEMENT?

2010-05-08T18:01:00.000+03:00

This week we shall continue describing what identity management is. Last week we noted that Kenyans who use plastic cards (ATM, credit/debit cards etc) are currently enjoying pseudonymity. This is where privacy has been guaranteed because local companies do not share identity information between themselves. Another important aspect we discussed was the fact that local companies should adopt Identity Management as a conscious response to the increasing risks associated with identity theft.

The main objective of Identity Management is to establish trust by ensuring that eligibility between two transacting parties is accurately determined before transaction commences. This means that a company should be able to verify that you are who you claim to be and that the credentials (username, PIN or password) you are presenting are actually yours.

A major fundamental in Identity Management is biometrics. In information technology, biometrics refers to the technologies that measure and analyzes human body characteristics, such as fingerprints, eye retinas/irises, voice or facial patterns and hand measurements. These characteristics are measured to aid in identification and authentication. Biometrics has always been part of identity assurance. It, however, has limited usage in Kenya.

Using biometric characteristics in ATM transactions would, for instance, go a long way in mitigating the risk of fraudulent withdrawals. The use of biometrics has however been controversial. Civil liberty campaigners protest that invasion of privacy occurs when these characteristics are widely adopted.

While this claim cannot be dismissed, the benefit of using biometrics in identity management far outweighs the risk of non-use. In this regard a distinction between biometric images and biometric templates must be understood.

A biometric image is a copy of the biometric. A fingerprint image which has been scanned and stored in a database is a copy of the original. A biometric template, on the other hand, is a one-way mathematical function that describes key characteristics of a biometric image. A fingerprint template will, for instance, describe the key attributes of the fingerprint and these key attributes are the ones used to determine a match.

Therefore, the main difference between a biometric copy and the template is that an image cannot be reconstructed from a template. This means that if you have the template you do not have a copy of biometric and cannot reproduce the same.

It is therefore not possible to breach privacy because reconstruction from a template is impossible. This therefore deflects the main argument that privacy is at risk when biometric features are resident in company databases.

Companies should therefore embrace biometrics aggressively as an active component of their Identify Management policy.

HOW CAN COMPANIES DEFEAT IDENTIY THEFT?

2010-05-08T18:00:00.000+03:00

When was the last time you counted the number of cards you carry around with you? You would be shocked at the identity, bonus, credit, debit, ATM and other plastic identifiers that line up our wallets/purses. These cards identify and authenticate us at various transactions be they an ATM withdrawal or a purchase in your local supermarket. The common thread in all these transactions is that every time you transact you give away some more of your personal data.

The interesting fact is that these companies you transact with cannot prove that you are who you claim to be. The supermarket you bought your groceries from in Kisumu, when using your credit card, does not have a mechanism to verify that you are the same person who used a debit card to purchase an airline ticket from a travel agent in Nairobi.

This means you are enjoying pseudonymity. This is where you are guaranteed a degree of privacy because your identity information is not shared between the companies you transact with. Whereas this might be good news for you, this situation presents a security risk to companies.

This absence of data sharing or matching, between companies, means that they are prone to identity theft and abuse. A response to this risk is the establishment of credit reference bureaus who attempt to establish a relationship between these disparate commercial entities. This process, as an end in itself, is however not error free and is expensive. It is at this point identity management gains relevance.

Identity management seeks to establish the eligibility of each individual to conduct a transaction, and to assign the limitations of liability in the event of a failure. Eligibility is assured when databases are interconnected so as to determine a few fundamentals.

The first is establishing who you are. Whether you can be found in various databases as the same person you claim to be. The second fundamental is determining whether you are a unique person within a database. If you use your credit card to pay your hospital bill for the first time the Hospital Management System should be able to pick this up and use further eligibility criteria to ensure accurate identification.

Lastly eligibility is assured when it can reliably be proven that you are the legitimate holder of the credentials you have presented for a transaction. This can, for example, be achieved by using biometrics in tandem with a credit card.

HOW CAN YOU DEFEND YOURSELF FROM A CYBERWAR?

2010-05-08T17:59:00.000+03:00

Recent reports in mainstream western media have indicated that Europe and USA are bracing themselves from a surge of cyber-war attacks originating from China.

Information security has now become a national security concern. Understanding how a complex national IT system can be protected and defended is crucial because some of these lessons can be applied at both the individual and corporate level. There are however three fundamentals that should be grasped first.

The first fundamental is the fact that a complex IT, or cyber system, is any network with more than two interconnected computers which are accessible to any number of human users. Most of these networks (in schools or companies) are invariably connected to other computers in Kenya and the world. This means that your information security headache becomes a cyber security migraine once your computers are connected to the internet.

The second fundamental that must be comprehended is that no system can be made invulnerable to attack. Total security can never be guaranteed in both the physical and digital contexts. This is because the attack space is infinitely larger than the possible defense space. Sophisticated firewalls, biometric access features and standard operating procedures can be implemented and religiously maintained. These measures can be shattered by a social engineering phone call targeting users who carelessly release sensitive information (e.g. passwords). Nobody can wholly defend the digital space they occupy.

This brings us to the third, and last, fundamental. A complex IT/cyber system can only be defended by a dynamically stable and robust defense. This means that your overall defense strategy must be based on agility and flexibility. A good example of dynamic defending is applying profiling and matching as part of your security posture.

Profiling is observing and recording the behavior/modus operandi of an attacker with the aim of identifying and rectifying vulnerable system points. Computer matching involves the computerized comparison or two or more automated systems of records or files. An example of matching is where the national ID number of a person is used to search various databases for information and data elements linked to this unique ID number.

The application of a dynamic security framework will of course include more technological security measures but the outlined three are the most critical. Securing an IT system is not an event. It is a continuous process that requires fleet-footed defense frameworks.

WHO EXACTLY IS THE INFORMATION TECHNOLOGY SECURITY MANAGER???

2010-05-08T17:58:00.000+03:00

By this time many regular readers of this column will have learnt that information technology security is increasingly becoming a serious concern for many Kenyan companies. This is because information has become a valuable currency that sustains businesses.

Access to timely information of a high quality can mean the difference between survival and bankruptcy of a business entity. Ensuring information is secure cannot therefore be overemphasized.

A company’s information technology infrastructure consists of people, processes and technology. These three elements have to be managed concurrently if data security is to be achieved. This task is usually left to the IT Security Officer/Manager. This is a mistaken notion because the IT Security Manager is ultimately you.

Every employee with access to data in a company is often considered one of the greatest risks. The presence of policies, frameworks, risk management solutions and other security features is usually defeated by the lack of personal responsibility on the part of employees. Information security tasks should therefore be carried out by each individual.

Companies have in the recent past increasingly become more dependent on Information Technology. The potential damage that can be caused by a security breach is severe at the very least. This means that if employees play their parts then the whole becomes more secure.

We should therefore have management and staff adopting a more active role in the adoption and implementation of security measures. To be able to achieve this, the roles and responsibilities of each employee, in relation to information security, should be clearly outlined and communicated across the whole company.

Apart from this, management should keep security policies and documents updated and current. This would assist employees adopt best practices that are at tandem with the ever changing tactics of hackers.

To effectively empower the employee the company should develop a programme for training on security awareness for all staff. This programme should target all irrespective of whether they are computer users or not. To ensure this sensitization effort succeeds it should be continuously adapted and improved on the basis of the feedback received from the employees.

Security managers are therefore everywhere and more personal responsibility on the part of company staff should be encouraged by management in companies that rely on information technology for operations.

DO YOU KNOW THE TOP FOUR DATA SECURITY RISKS IN YOUR COMPANY?

2010-05-08T17:56:00.000+03:00

Ensuring information is secure in a company is challenging at the best of times. The risks are numerous and fluid. The impact of an information security breach to a company is subsequently high. Today we shall identify and outline the main information security challenges a company faces and how to deal with them.

The first common challenge is, not knowing who in the company uses what sensitive data. Not many organizations perform audits/inventories of sensitive data. An inventory should be initiated to develop a data flow map that charts sensitive data and employees who use the same. This data map will help in identifying the vulnerable points in your information infrastructure.

Another regular challenge is not protecting sensitive data appropriate to its value. Data generated and stored by any organization (or individual) has an intrinsic value. It is important for management to have a sense of the worth of sensitive data to the company. For example the recipes of a confectionary company can be considered very sensitive. It is therefore prudent to conduct a data asset valuation that evaluates and determines sensitive corporate data. It is then possible to apply justifiable information protection resources to these data.

The third challenge is the propensity of companies to embark on redundant information security compliance projects. Data security regulations are developed and implemented by various regulatory bodies for example the Communications Commission of Kenya (CCK). To reduce redundant compliance efforts it is crucial to develop a regulatory compliance grid. This grid indicates which specific data elements/databases are covered by information security regulations. The grid will facilitate the focusing of resources on protecting the really important data for example credit card data.

The final difficulty is the implementation of simple annual security awareness programs. Most companies conduct these programs to show their employees/contractors that they are serious about information security. Questionnaires are distributed; sensitization talks conducted and expansive warnings are dispensed. This is not enough. An information protection testing program should substitute these awareness programs. The main objective of protection testing programs is to test the data handling procedures and policies in the organization. Samples of employees/contractors who handle sensitive information should be targeted.

Identifying these common challenges is necessary for any information security conscious company.

DOES THIS EQUATION HOLD TRUE: POSSESSION = CONTROL = SECURITY

2010-05-08T17:55:00.000+03:00

There is an interesting equation that bedrocks most security frameworks. It states that possession = control = security. The fact that you possess something means you control it and is therefore secure.

If you own a commodity controlling it is possible. This control automatically allows you to develop and implement measures that will secure it from theft. This premise is valid when you apply it to tangible possessions for example cars or jewelry. It however becomes a slippery principle to hold onto where information is concerned because determining the possessor of information is not as clear cut. When distance exists between the info-owner and the custodian then the fundamentals change. This is because when your credit card and other personal details reside in some far away corporate server, ownership of the same is translated differently.

If a company outsources its data functions and uses a remote data centre then some ownership concerns arise. The main fear is that the company’s information is being processed somewhere else and so the aspect of owning, controlling and securing their own data is no longer in their hands. There is also the question of the blurred boundary between absolute information ownership and custodianship. For instance does your bank (through their database) own your personal details by virtue of storing them or do you have a right to claim ownership.

This question is best answered by the element of custody. Information is usually kept by third parties and they are the custodians. This does not mean that they are the owners of the information because transfer of custody does not equate to transfer of ownership in the info-context. Even if your personal details are located in distant servers owned by Mashada or Yahoo, that information is still yours.

These data providers are merely custodians of your info-property. It is also important to understand that the responsibility for ensuring your information is secure is shared equally between you, the owner, and the custodian for example Yahoo. The final essential is that the responsibility for ensuring that the custodian secures your information lies with you - the owner. This essential is applicable irrespective of the geographical distances involved.

In sum the equation applies to information with a small tweak. Custodianship/Possession = Control = Security.

YOUR BLOG IS AS VULNERABLE TO ATTACK AS OTHER WEBSITES

2010-05-08T17:54:00.000+03:00

A blog is an online journal on any subject maintained by a blogger. The word blog is actually a contraction of the term weblog and the writer is called a blogger. We have many local bloggers who write on subjects as varied as farming to tribal architecture. The popularity of these blogs has increased in the recent past and they have become the de facto sources of social, political and economic information that would never be published by mainstream media organizations.

Popular Kenyan blogs include bankelele, a blog that provides valuable insights on our economy. Kumekucha is another popular blog that presents a no holds barred political analysis of Kenyan politics.

Blogs are however not immune to hacking attacks due to their power to shape and sway public opinion. Various Kenyan blogs have been attacked and local bloggers need to secure and protect their blogs. You might be a budding blogger yourself and you will need to implement a few security features before you blog away.

You should first protect your blog username and password. This is like stating the obvious but blog passwords are valuable to identity thieves out to impersonate a blogger so as to damage his/her reputation. You should ideally have a unique login credential for your blog that is different from your email account and other websites you visit.

Backing up your blog is another good way of securing your content. Most blog hacking attacks are usually out to deface the blog with offensive content. A hacker who can penetrate the blog server can also delete the contents of all blogs that are hosted in it. Periodically backing up your blog makes it possible for you to re-post your articles immediately thereby retaining your readership.

Sometimes we get too busy to update our blogs and they slowly die after a few months of neglect. The danger of not regularly updating your blog means that you can have old vulnerable blogging software that can be used to penetrate the blog and your computer. At the very least you should frequently update the version of the blogging software so that security patches can be up-to-date.

Finally choose your blogging host carefully. Use a responsive and helpful host company so as to save you considerable ache when things go wrong.

IT IS TIME YOUR BUSINESS HARNESSED THE POWER OF SOCIAL NETWORKING

2010-05-08T17:53:00.000+03:00

Online social networking is widely defined as people having conversations through a range of digital communication tools such as Facebook, Linkedin, Twitter and others. Facebook, for example, has become the rage in Kenyan secondary schools and colleges. It is estimated that 417 million people use a social networking site globally. The reach of social network sites is therefore undisputable and businesses (especially small firms) need to wake up to their potential.

Googling for the best deal is a common practice among online shoppers. Maximizing visibility in these search engines is the best way a business can stay ahead of the competition. A local online business needs to get noticed by the increasingly growing number of online Kenyan shoppers. By using social networks it can build an online reputation that can ensure prosperity in the digital marketplace.

A small business can build an online reputation by using social business networking tools like blogs, wikis, bookmarks and discussions boards in these social network sites. These tools would enhance the relationship between a business and its customers by, for example, offering dedicated customer support. Customers can seek clarifications, report problems and suggest solutions through a blog located in Facebook. This online interaction is distinctly lacking in Kenya because businesses use their sites as static adverts that don’t offer any facility for interaction with customers. However some are catching up and a good example is Mama Mikes blog (http://www.mamamikes.com/blog/?cat=10).

Another way social networking can be used by businesses is through Search Engine Optimization (SEO). Getting noticed is the first fundamental step in been able to compete online. Customers use search engines to identify companies and websites that offer the services/products they are looking for. The high traffic of social networks ensures content is constantly refreshed and links to other sites are built. This activity subsequently improves the search engine ranking. This ranking is simply the order in which sites are listed after a search. A high ranking is achieved by a good SEO which can be driven by the high number of in-bound links found in social business networks.

There are many more ways of harnessing the power of social networking sites for your business which we cannot exhaustively list. However my attempt at getting examples of Kenyan companies who have a presence on Facebook was difficult. If you know of any local firm in Facebook please send me its web address so that we can examine the potential and risks of local firms using social network sites, with examples, next week.

THE CHAIN OF CUSTODY SHOULD NEVER BE BROKEN

2010-05-08T17:52:00.000+03:00

Last week we looked at the hash Function. This is a set of instructions that turns a variable-sized amount of text into a fixed-sized output number or single integer (hash function). We saw that hash functions are used to ensure the integrity of digital evidence. The use of hash functions is an integral concept in computer forensic investigation. Without its use digital evidence can easily be contested in a court of law and determined as contaminated.

Today we look at another pillar of computer forensic investigation. This is the chain of custody.

Evidence is at the centre of any computer investigation because it is used to support legal proceedings. This digital evidence is however inherently volatile and susceptible to damage or corruption. A simple act of switching on a seized computer can trigger software code that erases all the contents of a hard disk. It is not uncommon to hear that crucial digital evidence was contaminated because an over-zealous investigator briefly switched on the computer just to “check” what was in it.

The fundamental point in the handling and investigation of digital evidence is documenting the activity relating to its seizure, examination, storage, or transfer. These activities should be scrupulously documented and the documentation should be available for review at all times.

This chain of custody ensures integrity of the evidence through a paper trail that details the whereabouts of all evidential sources during custody. It, for example, documents the circumstances, place and state of a laptop that was seized for investigation. The chain of custody goes further and details all individuals who have had access to the seized laptop (or evidence), what they did with it, how they did it and their findings. This documentation ensures that a seized media has not been corrupted or compromised following seizure.

Adhering to the chain of custody requirement combined with the application of the hash function guarantees the integrity of evidence. This ensures that crucial digital evidence is not tossed out of court because it was contaminated by the presence of a gap in the chain of custody timeline.

LET THE EVIDENCE SPEAK FOR ITSELF

2010-05-08T17:50:00.001+03:00

Crime involving technology is increasing globally every year. In Kenya, corporate organizations are the most impacted due to their early automation. Tech savvy crooked employees are now able to use new methods, through technology, to commit traditional fraud.

This fraud is part and parcel of an organization’s risk profile and for it to be resolved a forensic investigation has to be conducted. This investigation attempts to reconstruct the crime scene and analyze the audit trail of the suspects. The motive is to ensure that any evidence can be identified and used to support any legal proceedings.

What is interesting is that digital evidence is increasingly becoming more prevalent and critical within a wider range of criminal and civil cases. These include rape, murder, assault, divorce, employment disputes and child abuse cases.

This means that lawyers in modern Kenya will have to acquaint themselves with the core components of digital evidence. One of the most important ones is the verification hash function. A hash function is a set of instructions that turns a variable-sized amount of text into a fixed-sized output number or single integer (hash function).

Hash functions are used in creating digital signatures or hash tables that are used for analysis and verification purposes. In simple terms, text or pictures which have been classified as evidence are assigned a hash function (or number) so as to prevent evidence contamination.

This hash function is important when a forensic ‘image’ of the hard drive or storage device is taken. This ‘image’ consists of an exact byte-by-byte copy of all data.

As a rule forensic investigators do not analyze the original device and its data. Investigators use copied ‘images’ of the storage device. At the start of forensic copying a hard disk or any other storage device is assigned an acquisition hash function. Once the evidence has been forensically copied (or imaged) the evidence is assigned a verification hash function.

The purpose of assigning these hash functions (acquisition and verification) is to apply a mechanism to confirm that the copied evidence is a complete and accurate copy of the data contained in the original device. It also confirms that if the acquisition and verification hash values match then no alteration of the evidence could have taken place. Integrity of evidence is therefore maintained.

It is this ‘image’ that forms the basis of any cyber criminal investigation and should be verified by any lawyer who presents or examines digital evidence.

HOW DO YOU SECURE AN EXAM

2010-05-08T17:49:00.000+03:00

Early every year national exam results are released. We have become familiar with the joy and disappointment that attend these releases. The seriousness of exams is best symbolized by the media saturation at this time and when cheating is unearthed. Exam fraud has become the uglier flip side that reminds us how critical exams have become in modern Kenyan society. All manner of tricks are conjured up and applied to obtain exam content.

An exam’s credibility is proportional to the security applied at every stage. An exam that does not ensure that candidates are who they say they are and that their performance is based solely on their own efforts is worthless and derided by all.

It is now evident that the lifecycle process of examinations from formulation to exam results has become reliant on technology. Computers, servers, networks, sms messages and mobile phones are used at each stage. Technology therefore provides a risk that can contaminate the whole process. To compound this problem is the fact that many people are involved in each phase.

Content theft is the most popular method of exam fraud. This is where attacks on computers or exam setting centres are conducted so as to steal as much of the test content as possible. Due to the number of people involved in the process, exam content can be, and is usually, stolen by internal and external fraudsters. It is therefore prudent to create test items in a secure environment.

By using appropriate workflow management controls it is possible to track exam content through the development process. These controls can also be used to implement role-based access rights where exam setters have limited access to the content. These workflow controls can also be designed to allow as few individuals as possible to have access to the final examination that resides in a server/computer.

Another popular method of exam fraud is proxy testing where the exam taker gains an unfair advantage by using someone else to take their exam for them. This can be prevented by using biometrics to identify and authenticate exam takers.

Apart from implementing workflow controls to prevent content theft, forensic analysis software can be used to detect pass rates, unusual patterns in scores and other aspects. Analysis of exam results is vital in identifying anomalies and reducing the likelihood of examination fraud.

HOW SAFE ARE THOSE SOCIAL NETWORK SITES FOR YOUR BUSINESS

2010-05-08T17:48:00.000+03:00

Social networking has recently become the in-thing. If you are not on Facebook, Twitter, Linkedin or MySpace then you are not connected (pun intended). Social networks have become all-pervasive and have become starting points for many a friendship.

These sites have however become a test for companies. Apart from contending with lost productivity, companies are also challenged by the security threat these sites pose to corporate data. This is because web-based attacks are increasingly coming from social network sites.

Spammers and hackers have discovered that they can distribute more viruses and malicious code through social network sites. If company employees are accessing these sites on their business PCs and laptops, then company data can be at risk. It is therefore crucial to sensitize employees on the do’s and don’ts of social networking.

Clicking on unknown/shortened links in a social network site can open you up to malicious attacks and breach company data security. These links are also called blind links where the destination website cannot be seen in the URL due to shortening. Bit.ly is an example of a web service which shrinks long URLs.

Another way to stay safe is to beware of fake friends. I am sure you heard this advice when you were a child, it is still relevant today. Cyber criminals are hijacking accounts and distributing messages to all the contacts in a hijacked contact book. By clicking on such a message from a fake friend you are led to an external site that downloads a Trojan in your computer. If you receive an unusual message from a friend confirm who the sender is before opening.

Setting strong passwords for a Facebook or Twitter account is recommended. These passwords should be changed at least every 30 days. Employees should also be encouraged to improve IT security by not leaving passwords on default settings when using these sites.

Any social network user should be careful not to share personal information when communicating online. Information such as postal address, date of birth, bank details and others can be pieced from different sites in order to steal an individual identity. This is possible if personal details are liberally revealed.
Investing in anti-virus software is a must. Simply downloading free anti-virus software only saves you in the short term but once your computer is infected it can cost a fortune to fix.

BEWARE VIRUSES THAT CAN DESTROY YOUR LIFE AND REPUTATION

2010-05-08T17:46:00.000+03:00

A computer virus is a malicious software program that infects computers. Some viruses are harmless invaders that introduce themselves with a nuisance message on the screen. Others damage computer programs, delete files or reformat the hard drive and crash the computer.

The impact of computer viruses is usually not fatally personal and we find it hard to fully appreciate their harmful effects. They are perceived as nuisances that cause work disruption at most and cause minor inconveniences at the least. Most times it is the corporate, not the individual, that is left to grapple with the attendant losses of a computer virus infection.

This however is about to change. Computer viruses are mutating and becoming more personal. Viruses today are now capable of putting illegal content on your computer leading to the risk of being arrested for serious crimes you never committed.

It was recently reported that there is a virus that plants child pornography, or any other type of file, on an innocent user’s computer. These viruses are used by pedophiles who remotely infect and use your computer to store child porn. This is so as to make it possible to access the illegal images without running the risk of being caught with them in their computers.

This scenario can however apply to any other kind of digital contraband material for example stolen credit card details, pornographic images, terrorism training videos or manuals on how to detonate improvised explosive devices.

These viruses are also able to redirect your web browser to sites you did not intend to visit. This will leave a digital trail between your computer and the web site(s) you inadvertently visited.

Computer forensic investigators are however able to determine how images got onto your computer and who was responsible for putting them there. It is also possible to tell the difference between someone who deliberately downloaded contraband images/material and someone who unintentionally downloaded the same because of a virus.

These viruses are not yet common but they exist and will propagate themselves once we enter the era of cloud computing. You can avoid infection by making sure that your operating system and anti-virus software are up-to-date.

MOBILE SPYING – IS IT PRACTICED IN KENYA?

2010-05-08T17:45:00.000+03:00

It is relatively hard to tap and spy on mobile phone calls using traditional cracking and hacking techniques on the wire, but since cell and mobile phones contain more computer power than earlier, some software vendors have introduced applications to overcome the fairly hard problems related to wiretapping directly on the wire data transmissions.

BlackBerry spy software works by secretly recording BlackBerry cell phone events such as text messages sent and received, emails sent from the BlackBerry, and the phone's call history logs.

Have you ever wondered where your second half is going when they say they are going for a safari, or perhaps when you try to call someone, and they are not answering their phone, do you wonder where they are? If you do then you should get a cell phone tracker.

There are a group of researchers who have initiated The GSM Software Project. They aim to develop to share information and get others to collaborate on developing a scanner that can eavesdrop on GSM phone calls. The goal is to make an under $1,000 (USD) device and share information on how to build it. This project bears watching, simply because if relatively low-cost GSM scanners become available, it would definitely create a new threat model for GSM phone users.

MOBILE SPYING – IS IT PRACTICED IN KENYA?

2010-05-08T17:42:00.001+03:00

Mobile phones are used for a variety of purposes, including communication, entertainment and conducting business.

The acceptance and permeation of this technology in Kenya has been unprecedented with over 10 million mobile phone subscribers been registered in the past few years.
No other device in recent history has become more ubiquitous and pervasive as the mobile phone.

The year 2009 proved to be a technological watershed for mobile telephony in Kenya. Various unique developments occurred in the Information Communication Technology (ICT) sector that had a direct bearing on the mobile sub sector.

2009 also saw mobile telephony further embed itself in our social fabric. M-Pesa has entered our everyday lexicon and its run-away success has come to symbolize our increasing dependence on mobile telephony.

The mobile phone has inexorably intertwined itself to our lives as can be attested by Mobile Banking. You can never leave home without a mobile and anyone who doesn’t possess it is disparaged as a simpleton.

Mobile Security
Data security in mobile devices has therefore come into sharp focus due to the rich data hunting ground provided by the increasingly powerful mobile phones we carry around.

Mobiles have evolved into miniature computers with all the attendant functionalities and weaknesses that exist in the computing environment. This is the most important point to grasp if you are to understand how a mobile can be bugged.
Various vulnerabilities exist in the Short Message Service (SMS), Voice and Bluetooth mechanisms of our mobile phones.

SMS
Apart from voice, the most commonly used data application on mobile applications is SMS text messaging. It is reported that over 74% of global mobile phone owners are active users. It is also very lucrative considering that such a high percentage of global mobile phone owners are active SMS users. This makes it a logical starting point for any spy.

Programs exist that can turn your mobile into a bugging device. Short messages are sent using a protocol (rules determining the format and transmission of data) supported by an SMS center (SMSC) which forwards messages sent from a mobile to the destination.

These protocols have flaws which can be exploited to introduce a Trojan horse into your mobile. One such weakness is found in the service SMS.

A spy only requires your mobile phone number and sends off a service SMS. A service SMS is used by phone operators to update software on phones. These updates can vary from routine tweaks to an overhaul of the phone’s internal systems. These service SMS messages are, however, never challenged by the phone to verify whether they are legitimate.

It is therefore easy to pose as a phone operator and send a Trojan virus which never registers in your inbox. You will never hear a sound or see any indication that a Trojan has been installed. The Trojan is then used by the spy to listen to all your mobile phone conversations and read all your SMS text messages. You can Google Rexspy for more details.

Voice
Voice tapping used to be very simple in the days of analog cellular/mobile phones. With a simple radio scanner it was possible to eavesdrop on wireless phone conversations. The switch over to digital technology greatly reduced this vulnerability because digital protocols like GSM were able to use encryption to secure conversations.

It is therefore considerably difficult, but possible, to intercept and eavesdrop on digital cell phone conversations The equipment to do so is quite costly and telecom providers, government intelligence, law enforcement agencies, and some unethical corporations engaged in industrial espionage, tend to be the only ones who have access to such sophisticated equipment.

However there are software products out there that enable call interception which is the ability to secretly listen into a live phone call on the target’s cell phone.

To do this, you simply specify the numbers you are interested in and when any calls to or from these numbers occur on the target's cell phone, the software will send a secret text message to your cell phone. Once you get notified that a call is being made, you then call the target's cell phone, and you will be added to the live call.

The main shortcoming in these products is that there is no way you can install this kind of spy software without getting access to the target phone. So think twice next time you leave your phone at the gate of some embassy, company or government installation. Check out flexispy blogspot for further information.

BlueJacking
Bluetooth wireless communication systems are basic features on mobile phones, computers and other modern electronic gadgets. Bluetooth means that Bluetooth enabled devices can send things like phonebook/address book contacts, pictures & notes to other Bluetooth enabled devices wirelessly over a range of about 10 meters.

The Snarf attack, also called bluesnarfing, is a Bluetooth-enabled hacking technique that allows hackers to access another Bluetooth device without the victim's knowledge. This attack is similar to bluejacking and raises obvious concerns similar to where the spy gains access to the victim’s phone book, missed, received or dialed contacts. It is also possible for the attacker to use the phone’s commands through their own phone.

Conclusion
Our mounting dependence on mobile telephony will in the near future expose us to the risk of mobile spying. It is important to educate yourself on the inherent vulnerabilities that are found in this technology. This is the only way you can mitigate against the mobile telephony risks that we are getting exposed to.

CLOUD COMPUTING AND ITS SECURITY IMPLICATIONS

2010-05-08T17:41:00.000+03:00

There has lately been a lot of hype in the ICT sector about Cloud Computing (for brevity’s sake let’s call it CC). CC is a computing service from which an end user can subscribe to any of the offered ICT services. The term Cloud is used a metaphor for the internet because the computing services are accessed via the internet.

CC uses a pay-per-use model. It can be compared to as a utility service you constantly use, say for example electricity. You get the meter read every end month and you subsequently receive a bill for energy consumed. This concept also applies to CC.

CC is offered by providers (e.g. Amazon) and delivers common business applications online which are accessed from a web browser, while the software and data are stored on servers in huge data centers.

This brings huge economies of scale where the customers get software, infrastructure or applications (for example enterprise software) as an on-demand service cheap whilst the provider is able to capacity plan globally, taking advantage of time zones and other regional differences. Small enterprises would significantly benefit from the cost savings provided by CC.

However there exists an elephant in the Cloud room - security. Various concerns have been raised because many infrastructure-based clouds do not even have contracts between the vendor and the client stipulating security and continuity. Only Service Level Agreements and a monthly bill exist and if you do ever have a problem, the only recourse would be to re-locate to another provider.

Issues of security concerns that should be initially addressed include the following:

What levels of protection are in place to protect one customer from accessing another customer's data or application within a shared cloud space? Who will be liable for security breaches and how will the law regarding this in any one jurisdiction ensure compliance? How well will a CC provider integrate with a client’s security systems?

A client should also ask about the methods the CC provider is employing to protect data such as high physical security as well as what types of monitoring, intrusion detection and firewall equipment is installed in their data center.

It is expected that CC will be the wave of the future but this massive availability of resources and data within a Cloud will present a very attractive target for attackers.

HOW DO YOU DEFEAT A WEBSITE ATTACK

2010-05-08T17:39:00.000+03:00

Last week we briefly outlined the way websites are targeted by cyber criminals. They are deliberately infected with malware that takes up control of your computer or mobile phone. Malware is a general term for software programs that have been designed with or can be used for malicious intent. These include viruses, worms and Trojans.

Legitimate websites can be infected with links to other web pages where malware is embedded. In a more sophisticated technique, scripts (programming languages) are embedded in websites that automatically download malware from other sources.

Another interesting technique is clickjacking. This is where a button or link is altered so that instead of the proper function executing when you click on it, malware is instead downloaded into your computer.

All these attacks can be countered. Firstly, it is advisable to use a browser that deliberately protects you from malware. Modern browsers will warn you if you accidentally access an attack. The browser will also tell you why it isn’t safe to click that link. Firefox is an example of such a browser that checks every part of a web page before loading it.

Using instant web site ID is also another safeguard. This is an option in browsers that allows you to check a site’s legitimacy before you make a purchase. By clicking on the favorites icon in Firefox you can get an instant identity overview. You will be able to determine how many times you have visited the website and whether your password is saved in it.

Using updated anti-virus software is a must. A competent anti-virus application will automatically check any file that attempts to conduct a stealth download. This will protect you against viruses and other malware which you could have picked up during a surfing session.

Finally, anytime a website asks for your personal information, for example credit card PIN, you need to identify whether the web page is secure or not. You should look out for a URL (web page address) with https. Normally, when browsing the web, the URLs begin with the letters http. However, over a secure connection the address displayed should begin with https - note the s at the end. Check also for the padlock icon somewhere in the window of the browser.

BEWARE THAT WEBSITE YOU FREQUENT

2010-05-08T17:28:00.000+03:00

If there was any doubt on when we would finally embrace digitization then it was dispelled by the rapid TV digital switchover. Accessing the internet via the conventional computer monitor will soon be old hat. You will soon be able to access the internet through various ubiquitous devices such as your television, mobile phone, car, refrigerator and other common interfaces.

Local content will be widely available and we shall be surfing popular websites regularly. A good example will be the advent of programming on demand. This is where digitization will allow you to access Citizen TV, through your television, and download that episode of Papa Shirandula that you missed due to the recent matatu strike.

Websites will therefore become focal points for entertainment, communication and education. They will consequently be a battleground and will provide various opportunities for cybercrime such as fraud and identity theft to name but a few.

Websites are deliberately infected with malware (Trojans or spyware) that downloads itself into visitors’ computers. The malware then takes up control of your computer or device. The scope to exploit both the infected computer and its owner is almost limitless. It is therefore important to know how websites are attacked.

A web attack has three phases which every web surfer should know. The first stage of a web site attack is the decision. The attacker decides exactly why they would want to gain access to your computer or a business system. Acquisition of bank account or credit card passwords/PINs is a common motive.

The second stage is the hit. The attacker entices or compels potential victims to download the malware, after visiting the infected site. Malware has however become more sophisticated. This means that no action is required on the part of the web visitor to become infected. Instead a concealed malware program automatically installs itself on your computer simply as a result of visiting the infected website.

The third and final stage is the aftermath. After the malware has infected your computer or device it proceeds to execute the programmed instructions. It collects personal information, opens ports that allow the cyber crook to further access your computer, modifies settings and records your actions. The aftermath will expose you to fraud, blackmail or having your computer become a botnet that can be used to send spam or forward stolen data.

WATCH THOSE ONLINE DEFAMATORY COMMENTS

2010-05-08T17:21:00.000+03:00

Cyberworld is an interesting place. You will find virtual libraries, gaming, blogging, photo exchange sites and social network sites among many others. One of the most popular sites in the internet are the virtual discussion forums and blogs.

They typically allow you to post your rebuttal or comments, anonymously or otherwise, on a myriad of social, political or economic topics. Some of these interactive sites are invaluable. Medical discussion forums allow someone to exchange vital experiences on ailments with others. Mechanical or electronic discussion forums assist in locating elusive spare parts and fixing problems that appear complicated. Political and social discussion forums like Mashada, YahooGroups, KenyaTalk and Jukwaa allow you to comment on any topic under the sun. Popular Kenyan blogs like Kumekucha generate a high number of comments and some are invariably defamatory and offensive. Therein lies the big risk of defamation.

Heated comments sometimes border on the defamatory which is defined as a false accusation of an offense or a malicious misrepresentation of someone's words or actions. We are well acquainted with our politician’s propensity to utter defamatory and derogatory remarks in public. How they get away with it is a topic for another day. What you should be aware of is that those defamatory comments you “anonymously” post on a forum or blog can be traced back to you. The Internet Service Provider (ISPs) have a role in this process.

With an application to the courts an ISP can be made to reveal someone’s IP (Internet Protocol) address. The ISPs usually absolve themselves from any blame by asserting that they provide a means of transmitting communications without in any way participating in them. This means they are mere conduits like the old postal company that delivers letters and packages. ISPs are therefore not liable for transmitting or temporarily storing defamatory comments.

They are however liable to some extent. When informed of the existence of these defamatory remarks an ISP is obligated to remove the content. If the ISP refuses to remove these comments then it can be regarded as a publisher and can subsequently be sued for knowingly storing and transmitting defamatory remarks.

As an online discussion forum participant you need to know two simple essentials. Your “anonymous” diatribes can be traced back to you through your IP. Many inflammatory comments are however made in public cyber cafes. This however does not fully protect the author of the same from been identified.

The second essential is that if you become an online victim of insults or defamatory remarks you can request an ISP to remove them. If the ISP refuses it becomes a publisher and legal action can be initiated against it.

ARE YOU A DATA CONTROLLER?

2010-05-08T17:18:00.001+03:00

The time has come when we need to develop comprehensive legislation that protects our personal data. One of the major cornerstones of information security is the Freedom of Information Act (F.I.A) that should be enacted in Kenya as soon as possible.

Personal information is these days collected by various organizations. The loyalty cards in supermarkets gather our purchasing data and hospitals are crammed with electronic medical records. Educational institutions, banks, companies and the government have become massive repositories of personal information. These entities are called data controllers and under the F.I.A they have to comply with certain legal obligations. Personal information, in this context, is data about where you purchase goods or services, how these purchases are paid for, the delivery address for the same, your home address and names.

Before we outline those obligations let us expound further on who a data controller is because it could include you. A data controller is a title given to a person or entity (individual, company or organization) that decides why personal data is held and the way in which such data is dealt with. Any local company that holds personal data and uses it to do business is a data controller. That kiosk owner who keeps a record of customers who purchase on credit is also a data controller. If you hold a list of your friends’ addresses so that you can send them a Christmas card then you are, strictly speaking a data controller.

Data controllers in Kenya should be subjected to two main legal obligations once the F.I. A is enacted. They should first comply with the eight principles of good information handling. The data controller is obligated to: process personal data fairly and lawfully, obtain and process personal data only for one or more specified and lawful purposes, ensure that personal data is adequate, relevant and not excessive for the purpose or purposes for which it is held, ensure that personal data is accurate and, where necessary, kept up to date, ensure that personal data is not kept for any longer than is necessary for the purpose for which it was obtained, process personal data in accordance with the rights of the individuals to whom the information relates, ensure that personal data is kept secure and finally ensure that personal data is not transferred to a country that does not provide an adequate level of protection for the rights (in relation to the information) of the individuals to whom the personal data relates. These obligations if entrenched as a law would go a long way in protecting your personal information.

We shall outline the second legal obligation in next week’s article and examine the risks we individually and collectively face when our personal information is not protected by legislation.

ICT SECURITY IS A HUMAN RESOURCE ISSUE ALSO

2010-05-08T17:16:00.000+03:00

A security consultant was conducting an audit in a local company one day. It was discovered that employees used to exchange numerous dirty images and they were clogging up the server’s hard disk. The company’s ICT policy forbade the exchange of unofficial e-mails that contain attachments.

It stated that this offence was dismissible. The Chief Information Officer (CIO) was informed and with the consultant they agreed to circulate an e-mail alerting everyone that personal e-mail boxes would be checked for unofficial e-mails/attachments. The advance warning was meant to see an immediate deletion of these emails. The response was typical. Employees immediately deleted the illegal material and a 50% increase in available disk space was obtained.

The security audit, nevertheless, continued and only one employee was caught with dirty e-mail attachments in his inbox – it was the CIO. At his dismissal hearing he was asked why he didn’t delete the images like all his colleagues. His response was that he did not imagine that his e-mails would be checked. This was a strange, but not unusual response.

A similar response was witnessed from a busy CEO of a medium-sized company. His job entailed constant travelling to branches in the country. Due to this he found it convenient to share his access credentials to the company’s systems with his Secretary, despite it being a dismissible offence. This fact was discovered during a security audit and he was promptly fired. His defense was similar to the CIO’s: he never thought the ICT policy applied to him.

These two cases illustrate that computer security is also a function of the Human Resource (HR) department of any organization. Controlling the technology absolutely is possible. Managing the employees absolutely is, on the other hand, not possible. Managing people is done by implementing procedures, standards and policies. Ensuring employees adhere to these structures is extremely difficult and this is where HR comes in.

People management has to be done in tandem with computer security. Its criticality cannot be overemphasized. HR has to be fully involved in the implementation of a firm’s ICT security policy. This is because information security has become so critical it has become a corporate and not an ICT departmental responsibility. The roles of HR are indispensable to ICT security in that it is HR that conducts the initial background checks, implements the umbrella employment policies and staff review processes. It is also HR that drives the termination process.

In a nutshell information security is usually a soft people problem rather than a technological one especially when you consider the impact of insider threats. People are the soft underbelly of any ICT infrastructure and the role of a HR department is to ensure that processes are in place to effectively manage them.

DO YOU TRUST THOSE PEOPLE WHO WORK FOR YOU

2010-05-08T17:13:00.001+03:00

In any information security setting there is the elephant in the room that no one likes talking about. This is the threat posed by employees which is more commonly known as the insider threat. This threat is not new but it has recently gained more prominence in this recessionary period.

When companies are cost-cutting employees are thrown into uncertainty by impending down-sizing. This makes a company vulnerable to insider attacks. When the eventual layoffs begin normal controls are dispensed with due to work pressure, necessity and self preservation. Departing employees take away sensitive company information, especially ICT staff that are privy to critical information systems.

The insider threat has two participants: current and ex-employees. They both have intimate working knowledge of a company’s processes and operations. Current employees have legitimate and up to date access to the information systems. They can potentially leak corporate secrets, plant viruses and generally commit covert cyber-crime.

Ex-employees, on the other hand, do not have access to the company’s systems. They cause damage by changing passwords on departure or leaving logic bombs in the system. A logic bomb is malicious software that is left by a programmer that activates once certain conditions are met. For example an ex ICT staff can leave software that immediately deletes company sales files if his/her name or staff number is deleted from the payroll.

Controls are therefore crucial and need to be in place to reduce this threat. The first control is having a current and robust security policy that outlines the does and don’ts when using corporate information systems. This policy must be understood by all new employees. Consequences of ignoring these security policies should be internalized and constantly reviewed. This security policy should be signed by all employees so as to obligate them to good practice and usage of the systems.

Another control against insider threat is carrying out background checks before hiring employees. Stringent checks should be carried out to detect reasons for previous resignation or termination. Testimonials and academic certificates should be scrutinized for authenticity.

Separation of duties is another effective control. It eliminates the likelihood of employees colluding and circumventing controls. In this regard monitoring systems should be installed to flag any unauthorized activities. Finally all network access should always be revoked immediately an employee is terminated. Any company issued IT equipments should be returned and screened to prevent insertion of logic bombs into the corporate system.

This elephant is best dealt with immediately and professionally because it has fatally damaged many companies in the past.

WHAT DO YOU DO WHEN YOU BECOME A VICTIM OF IDENTITY THEFT

2010-05-08T17:10:00.000+03:00

This is the third and final part of a three part series on Medical Identity Theft (MIT). Over the past two weeks we have defined MIT and outlined its various categories. We have also grasped that MIT is a cyber-crime that can kill you. Victims of MIT may receive the wrong medical treatment, discover their health insurance is exhausted or could become medically uninsurable. These are all serious consequences.

MIT is committed by various people. Just like other cyber-crimes, MIT is committed by Organized Crime. There are also the usual solo hackers. Other perpetrators can, surprisingly, be your own relatives and even medical staff for example doctors. “Bad apple” doctors have been known to rent their patients records to scammers.

Most people find out they are MIT victims through a myriad of ways. The most common one is receiving someone else’s bills. These bills are sent to you by your insurance provider. Another way is through demand notices from debt collectors or lawyers. If you receive demand notices from a hospital lawyer and you are sure you haven’t received the claimed medical services, then you are a victim of MIT. Indicators of MIT can also be found in your medical credit card reports and through notification by your insurance provider or law enforcement agency. You can also know you are a victim of MIT at the worst moment, when you are in a medical emergency and obvious discrepancies are discovered in your medical file.

How then can you protect yourself against MIT? You should review all medical bills, notices and statements very carefully. The statements we get from hospitals and health insurance providers usually run into many pages. Despite this you should go through them stringently.

It is obvious that Kenyans face serious challenges in grappling with MIT. There is no government agency dedicated to help victims of MIT. There are also no enforceable rights that demand medical institutions disclose to you your own records. Our nascent police cyber-crime unit has yet to come to grips with with this problem.
The obligation therefore rests with custodians of medical records in Kenya. Hospitals, clinics, medical insurance providers, employers and any other entity that generates, maintains or retains medical records should disclose data breaches immediately.

Individuals must be informed directly anytime their protected health information is inappropriately accessed. If individuals are not notified of a breach, then they may not know that their medical files may be altered by criminals in ways that may threaten their health, impact their insurability, or cause other harm.

Data breach notification is the only option currently available before the legislative framework on disclosure and freedom of information is developed and implemented.

THIS IDENTITY THEFT CAN KILL YOU

2010-05-08T17:07:00.001+03:00

This is the second part of a three part series on Medical Identity Theft (MIT). Last week we defined this lethal form of identity theft and outlined its various categories. For the sake of readers who missed the previous article we summed that medical identity theft occurs when someone uses a patient’s name and sometimes other parts of their identity – such as medical insurance information – without the patient’s knowledge or consent.

There are various motives behind MIT. The first one involves the use of a patient’s details to steal their insurance cover. The second one involves the creation of fictitious medical records to circumvent statutory requirements like immigration or employment regulations. The third one involves false and erroneous entries in victim medical files that result in the use of wrong prescriptions and where operations are erroneously conducted.

MIT is not just a crime against a health care system. It is a crime involving theft or abuse of identity information that has financial and other life-consequences for patients. Victims of medical identity theft may receive the wrong medical treatment, find their health insurance exhausted, and could become uninsurable for both life and health insurance coverage. They may also fail physical exams for employment due to the presence of diseases in their health record that do not belong to them.

Among the three categories of MIT, the switching of records or insertion of false entries is the most hazardous one. The possibility of your records being switched and thereby receiving medication or procedures that are totally unrelated to your ailment is a possibility which we should understand.

Hospitals should implement stringent security procedures in their Electronic Medical Records (EMR) systems. This is unfortunately not the case in most health institutions. You would be astonished how many people have access to your medical records.

Another common form of MIT involves impersonation. One case involved a patient who impersonated a cousin and gained hospital admittance. He ran up bills running into hundreds of thousands of shillings. This forced hospital administrators to require current picture IDs before admission. In other instances the thief can be your own doctor. There are doctors who defraud patients by billing their health insurance providers for fictitious consultations or treatment.

MIT is a form of cyber crime that has hidden itself very well in Kenya. Victims are often defenseless and at the mercy of bureaucratic red tape from health insurance providers and the pathetic Freedom of Information and Disclosure legislation in Kenya.

ARE YOU AWARE OF MEDICAL IDENTITY THEFT?

2010-05-07T20:49:00.001+03:00

This week we shall begin a three part series on a serious form of cyber crime that can affect you and your family. It is medical identity theft.

We have previously discussed identity theft which occurs when personal information is stolen for unlawful purposes. The fraudster will use a false identity (yours) to commit a series of crimes, usually cyber based and financially related. ID theft has in most instances had financial gain as its motive. This has however evolved into a more sinister and damaging aspect where your electronic medical records are either stolen or switched.

Medical records have always being problematic in storage and retrieval due to their voluminous quantity. The advent of ICT has solved this problem in a radical way. Electronic Medical Record (EMR) systems have been developed and they simplified the whole process of updating, preserving and retrieving these records. The unfortunate flip side to this development was that our medical records were now more vulnerable
to theft and manipulation.

Medical identity theft has therefore become a major problem globally and in Kenya. It can cause great physical, psychological and financial harm to its victims. Yet despite its serious risks it is the least known and most poorly documented of all other identity thefts in Kenya.

It occurs when someone uses a patient’s name and sometimes other parts of their identity – such as medical insurance information – without the person’s knowledge or consent. The motive is to obtain or make false claims for medical services or goods.

There are various categories of medical identity theft that are underlined by their motives. The first one involves the use of a patient’s details to steal their insurance cover. The second one involves the creation of fictitious medical records to circumvent statutory requirements like immigration or employment regulations. The third one involves false and erroneous entries in victim medical files that results in the use of wrong prescriptions and where operations are erroneously conducted.

In relation to this we shall discuss the rights that we should demand concerning medical records. These involve the right to access your medical records, the right to ask for amendment of your medical records and the right to have a history of disclosures involving your records.

We shall also outline various ways you can protect your medical records. This involves being aware of medical identity theft, proactively requesting a full copy of your health care files from all providers, guarding your insurance and medical card numbers carefully and educating others about this crime and its various variations. Next week I shall describe the various forms of medical identity theft.

THE FIVE ‘W’s OF ANY INVESTIGATOR

2010-05-07T20:47:00.000+03:00

Computer security invariably demands investigative skills from its practitioners. The basic premise, in both the digital and physical worlds, is that intrusions demand a reaction and this is in form of an investigation. There are obviously differences between investigating a house burglary and an online theft of credit card numbers. However there are five similar basic concepts that a cyber-crime investigator and a police detective have to abide by.

Before examining these fundamentals it is prudent to remind ourselves what is meant by the word investigation. It is a systematic, minute, and thorough attempt to ascertain the facts about something complex or hidden. Another definition states that an investigation is a detailed systematic search to uncover facts and determine the truth of the factors (who, what, when, where, why and how) of accidents. This definition outlines the fundamentals any computer investigator should adhere to if they are to investigate cyber crime.

The first fundamental is asking Who was involved. Knowing who might have been involved or contributed to an online breach creates the opportunity to gather more information and stitch a suspect profile. Knowing the types of people involved is also valuable when determining whether the breach originated internally or externally.

The second fundamental is asking What happened. All details that are relevant should be gathered, such as details that provide links to other information and/or that indicate necessary corrective action and/or that provide tracking evidence.

The third fundamental is asking When did it happen. The time at which a hacking attempt happened can reveal important elements in the evolution of the event. A hacker who consistently probes for network access points at certain times provides clues about his location.

The fourth fundamental is asking Where did it happen. The place of the actual event often reveals important facts. Which server was targeted, which data was copied and such facts often point to the motive of the attack.

The fifth fundamental is asking Why did it happened. Asking why should reveal new information on a level closer to the root causes. Asking why repeatedly often reveals new information that would otherwise not be uncovered.

The sixth and final fundamental is asking How did it happen. This is the core of the cyber investigation because how a cyber-crime is committed provides vital clues about the offender. For example an intruder that hacks your network behind multiple proxies (computers) and retrieves password protected logs reveals the technical expertise of the intruder.

For any aspiring cyber crime investigator these fundamentals should be guiding principles. They apply across sectors and professions that are the subject of any investigation.

IS MANAGEMENT SAFE WITH THOSE SMART PHONES???

2010-05-07T20:32:00.003+03:00

In the not too distant past the only way you could distinct top management from the corporate troops was the laptop bag. This was a status and power differentiator. Management was issued with laptops which they lugged around with barely concealed pride. With time, laptops became affordable and accessible to most employees. Today management has a new differentiation tool – the smart-phone. If you are perched up there in the corporate ladder then you are issued with a company smart-phone.

These smart-phones are powered by Windows Mobile, Symbian, Apple and Blackberry operating systems. They are microcomputers in their own right and apart from being status symbols, they are useful business tools. These phones, for example, have data capacities of 2 gigabytes, meaning they can store over 2,500 emails and/or 3,500 medium-sized documents.

Their ubiquitous multi-functionality means top managers and business-people use these devices for commerce. They access company e-mails and applications on the go.

This raises serious issues of data protection. A stolen or lost smart-phone would be a treasure trove for any hacker even if it only contained company e-mails. These devices are not only being targeted by your run-of-the-mill criminal but more worryingly by cyber criminals.

Implementing security measures like encryption is a popular security measure but has limited success. Encrypting data on most smart-phones takes a lot of processing power with the result that most users get frustrated with seeing busy hour-glass icons and eventually just switch off the encryption or ignore it altogether.

Despite these shortcomings organizations are advised to implement encryption in their company issued phones. This will not stop eavesdroppers (something that is becoming prevalent in Nairobi) but will impede the cyber criminal from obtaining useful data from your stolen device.

Another pertinent aspect of company phones, apart from security, is liability. Who is responsible for their loss, data and hardware? It is arguable that since it is company issued and the data on it is there by company assent, then it is the company that is liable. This includes the Board and the immediate ICT managers.

The company should put in place appropriate technical and organizational measures to protect corporate data in these smart-phones. One of these measures is to make it mandatory for all employees with these phones to encrypt the data and ensure encryption is always implemented.

Company issued smart-phones will increase in the near future especially due to privacy concerns and work separation needs. Encrypted data will therefore be commonplace in mobile devices because it is safe data and is hidden from industrial spies and hackers. This is the immediate available course of action organizations should adopt if they are to secure their systems from remote break-ins.

BUSINESS REENGINEERING – THE TIME FOR OUR BUSINESSES TO CHANGE NEARS

2010-05-07T20:30:00.001+03:00

Change is a constant for any Kenyan business entity. Due to economical, technological, environmental, regulatory and social shifts, local businesses are forced to periodically re-define or re-engineer themselves. The bottom-line is usually survival and any rigid company caught flat-footed by the market perishes. In the recent past may companies have become aware of this and consequently restructured.

This change is equivalent to re-engineering which is the fundamental rethinking and radical redesign of business processes to achieve dramatic improvements in critical areas of performance such as cost, quality, service and speed.

Business re-engineering used to be perceived as the alignment of an organization’s processes with technology. Bringing in the ICT artillery and automating as many processes as possible was considered the silver bullet.

It has being proven that implementing ICT and disguising it as a reengineering effort is a sure way of failing. The focus on achieving rapid results, by adopting ICT-based solutions as substitutes, leads to problems of lack of integration, employee resistance, low morale and eventual failure.

Re-engineering is often seen as a smokescreen for retrenchment. This is unfortunately the case in most instances. The objective of restructuring is therefore based on the wrong business premise(s). Short term-cost reductions due to external pressures usually take precedence over the strategic objective of attaining market penetration, customer retention and empowerment of employees.

Majority of business re-engineering failures can therefore be attributed to the lack of attention to the change itself and people issues. It is therefore important to deal with re-engineering from the perspective of two concepts: change and people management. Change management is concerned with the issues of improvements that are to occur. People management appreciates that employees are a major differentiating factor from company to company. Technology is an important facilitator in this total re-engineering process.

To be able to determine and organize the changes required, information flow needs to be at an optimum. Co-operation and exchanging of ideas from employees requires communication. Using technology in form of e-mails, telephoning, video-conferencing, databases and others will fundamentally tilt your restructuring towards success.

The role of ICT is therefore generally involved with improving co-ordination and information access across an organization that is in the process of re-engineering. This allows more effective management and solution implementation. The main IT tools used by companies in their re-engineering projects are usually SAP, databases, internet and simulation applications. Implementing ICT, in the re-engineering process, is therefore not an end in itself.

BEWARE THE ONLINE DATING SCAMS

2010-05-07T20:28:00.001+03:00

A testimony of how pervasive technology has become in the modern age can be found in how and where we look for potential mates. We now seek love and happiness in online and print media bulletin boards. Some people would cringe at the very idea of finding a life partner on a website or digital bulletin board. The presence and success of Kenyan online dating sites is, however, proof enough that a substantial number of Kenyans don’t mind using these websites to look for their other half.

Therein is the cyber security issue.

No one wants to think that they can be taken advantage of by an internet dating scam but these forums have become rich hunting grounds for con artists. Behind that pretty photo of that beautiful woman or handsome man can be a real predator that has downloaded a photo of an unknown model from the internet and is using it to lure you. In essence what you see is not what you get.

The common modus operandi is to exploit someone’s emotions. After obtaining contact they first build up a victim’s confidence and inevitably ask for money with a bogus story to back it up. There are various red flags that should point out a con in an online dating site.

The con artists usually create an overly attractive, but vague, profile for themselves. This profile is accompanied by a gorgeous professional photo. This is usually the first red flag.

Another warning is that most scam profiles are based overseas. Often people list their location as being in Nairobi, but when you start talking to them, they reveal they are from overseas. They are usually either from Nigeria (no surprise there) or Russia.

Another indicator is that e-mail messages change in tone, style or grammar throughout the communication. This evolves over a short time and is easily discernable to an alert reader.

An additional obvious warning is that after a few weeks of communication they suggest a meeting. They say they would really like to meet you but unfortunately they are stranded abroad or have been robbed and beaten. Or they require urgent surgery and you are the only person who can help them. The formula for detecting these scams is simple: Long distance + request for money = SCAM.

The basic advice is never to hand over personal details, such as home address, bank account details or money to someone you have never actually met.

Remember the formula: Long distance + request for money = ONLINE DATING SCAM.

TIMESTAMP EVIDENCE IS NOT PERFECT BUT IT CAN CONVICT

2010-05-07T20:24:00.000+03:00

Defense lawyers, in a cybercrime case, usually ask the wrong questions. If stolen credit card data is discovered in a suspect’s laptop, the most likely query directed to the prosecution is whether the said data was actually found in the suspect’s laptop. This is the wrong question because the answer is invariably yes.

What should be of more concern to any defense lawyer is how the data got into the laptop and of paramount importance – when did it get there. When data got into a computer is a very crucial part of the forensic computing evidence chain. If, for instance, those stolen credit card details got there before the accused owned the laptop, then it is unlikely that he/she knew that incriminating data was there.

To be able to determine when a file was saved in the computer, when it was last accessed and when it was last modified, you would need to examine timestamps. A timestamp is the date and time a file was last changed.

Most timestamps are generated from the computer’s internal clock or from the clock of another computer that the file may have been transferred from. Timestamps are however open to manipulation and can be unreliable at best. A desktop in Nairobi will be adjusted for the local time zone of Kenya. A laptop that belongs to a globe-trotting marketing executive will travel the world and time zone adjustments will be made.

Determining the timestamps from internet activity is also fraught with inconsistencies. The internet history file, for example, exists as a daily, weekly and full history file. Each however records the time somewhat differently. For instance the full history file uses the local time zone as its base point, whereas the daily history file uses daylight saving time as its base point.

It then becomes crucial to tie file timestamps with secondary evidence. For example if the laptop was legitimately purchased from a computer shop on Moi Avenue, then a receipt indicating the date of purchase can be used as additional evidence that can help recreate a timeline.

Timestamp evidence is not the silver bullet of forensic evidence. But if effectively used in conjunction with secondary physical evidence, it can build or destroy a prosecution’s case.

HAVE YOU EVER FALLEN FOR THE NIGERIAN 419 SCAM?

2010-05-07T20:22:00.000+03:00

Cons and scams are one of the mankind’s oldest occupations. Adam and Eve fell for a con and ever since victims have continued piling up. Technological advances have paradoxically increased the scope and impact of these scams.

Internet scams come in all shapes and sizes, from the comical to the macabre. Examples include fake websites, charity scams, fake job offers and many more.
The Nigerian 419 (or advance fee) scam is one of the most pervasive and insidious. It is named after Section 419 of the Nigerian Criminal Code that deals with cheating and obtaining property by false pretences (fraud). It has been around for a long time but despite repeated warnings, it continues to draw in victims from around the world, including Kenya.

The gist of this scam is to delude the victim into thinking that he or she has been singled out to participate in a very lucrative business deal. An e-mail is sent to the intended victim after obtaining their contact details from a stolen mailing list or computer. This e-mail may be in form of a business proposal that requests the victim’s assistance to transfer thousands of dollars into their bank account. They request his contact, bank details and an authorization letter. They then invite the victim to Nigeria or a West African country to complete the transaction.

Once someone travels to this country, violence and threats are employed to extort money and further pressure the victim. Numerous foreign nationals from America, Africa and Europe have been murdered and reported as missing after travelling to West Africa in pursuit of these “deals”.

This scam preys on victims who want to get rich quickly. It is unfortunate that promises of large amounts of money continue to impair peoples’ judgment.

Kenyans should beware of any unsolicited e-mails that promise monetary windfalls. Detecting these e-mails is easy because of the following common elements. Claims are made that the other parties are employed in, or have strong ties with the Central Bank of Nigeria, the Nigerian Government or dependants of a dead or living victim. The victims are usually told that there are no risks involved in the process. Their bank details and personal documents are usually requested and finally an advance fee is usually required to either pay for some transfer fees or bribe government or bank officials.

This scam should not be allowed to further defraud Kenyans. The Kenyan Police Cyber Crime Unit and the ICT sector should combine forces and sensitize Kenyans on the perils of this scam.

IS YOUR BUSINESS COMPETITOR SPYING ON YOUR COMPANY JEWELS?

2010-05-07T20:21:00.000+03:00

Saying that business competition in Kenya is intense is stating the obvious. Business survival is now the name of the game. All tactics are being employed to survive and in the process beat the competition.

Industrial espionage is one of the less palatable tactics being employed to wipe the competition on the floor. You might think that these goings-on only happen amongst the resource rich blue-chip companies. The techniques employed might differ but everyone from the kiosk owner to the multinational is vulnerable to industrial espionage.

In this technological age, company jewels are in digital form and reside in an ICT infrastructure. These jewels are in the form of customer details, credit card numbers, research findings, source code, strategies and source code. Getting them out is easy. Take your pick: USB stick, email attachment, mobile phone or a file transfer.

To protect your firm against industrial espionage you must take into account the following. Do not expose your internal network by allowing unauthorized users to access it. The process of transferring your files out of the network should be carried out without exposing the files to interception.

Protecting your data against tampering is crucial. Your data must be tamper proof in that any changes to it must be detectable. This is possible by integrating authentication and access control that ensures that only authorized staff can change the data. Using digital signatures should also be employed to detect unauthorized changes in your data files.

End to end network protection is another effective anti-espionage strategy. Security must be maintained while company data is being transported over the network. Users that store, transfer or retrieve data must use strong authentication mechanisms. In addition, access control must ensure that users only take appropriate action and that only authorized actions are carried out.

Of utmost priority is implementing a comprehensive auditing and monitoring framework in the organization. Auditing of your systems and their security will allow your company to ensure that its policy against espionage is being carried out. Secondly, it provides the company with the ability to track the usage of its data.

Finally it provides a deterrent to potential spies who are now aware that tamper-proof auditing and monitoring can help in exposing and identifying unauthorized access and usage.

Industrial espionage has, unfortunately, become part and parcel of business in Kenya today. You cannot afford to ignore this risk if you intend to survive and prosper as a business entity.

DO YOU SECURE THE MOBILE PHONE OR THE DATA IN IT?

2010-05-07T20:19:00.000+03:00

No other device in recent history has become more ubiquitous and pervasive as the mobile phone and the growth rate of mobile computing in Kenya shows no signs of abating. It is now possible to blog or twitter from your mobile phone. Many Kenyans have been seduced by the informality of social networking sites (e.g. Facebook) or chat rooms into inadvertently revealing personal or corporate data that should have remained confidential. This has been done through mobile phones.

It is often perceived that the hardware is the most valuable component. What we fail to note is that the data the phone contains, transmits and receives is inherently more valuable than the phone itself. We need to change the approach we take to mobile data security.

We should no longer make the mistake of focusing on the device rather than the data. This problem is especially critical for companies. Individuals will at worst loose personal contact details. But if the phone or laptop was company issued the repercussions would be far-reaching.

For companies that have distributed PDAs or Blackberries, an Acceptable Use Policy (AUP) should be formulated and implemented. This policy should, for example, regulate the number of different devices used within the company. It should also be sensible. Including a ban on the use of USB sticks in this policy is not sensible. Requiring that mobile device encryption is used to protect mobile data is a sensible component in any AUP.

Another approach, albeit slightly radical, is to simply not allow sensitive data to reside on personal devices. Even if this sounds draconian, most users of these devices would struggle to come up with adequate reasons why the most of their data cannot be stored in the central server. This approach addresses Data Leak Prevention (DLP) by allowing organizations to see exactly where key, confidential information is stored and how it is used.

It is also possible to monitor and ensure that data does not leave the network boundary through PDAs, USBs or other media devices.

As an individual you should also have your own mobile security strategy. It can involve using mobile encryption, tagging or frequent deletion of vital e-mails.
Data security in mobile devices has recently come into sharp focus due to the rich data hunting ground provided by the increasingly powerful mobile phones and laptops we carry around. Get ahead of the game by formulating a mobile security strategy for yourself and your company.

IS YOUR FILE TRANSFER INFRASTRUCTURE AS SECURE AS YOU THINK?

2010-05-07T20:17:00.001+03:00

As we become more and more reliant on information technology for business and individual purposes, it is important we re-examine how we transfer data from one place to another. You are most likely using a memory or flash disk to transfer data from your laptop to your office desktop. For companies, the process of data transfer has to be achieved in the most cost effective and secure way. File transfer is therefore a technological security component that cannot be ignored.

Data has become an asset and this is best illustrated by financial firms. A bank head office, for instance, used to obtain and exchange ledgers, statements and other documents with its far flung branches. These records are today sent as electronic files online. Your ATM, Credit/Debit card and E-banking transactions are now authenticated and validated online. These data is valuable to you and the bank.

The same painstaking security procedures that used to be applied when transferring sensitive corporate files need to be equally employed to digital data transfers.

The advent of telecommuting and remote working has given many more employees in Kenya access to vast amounts of data. They can view, amend, upload and download data to their company servers from anywhere in the country. Using File Transfer Protocol (FTP) servers to transfer large files is the most common way this is done.

Unfortunately FTP was designed when security was not a primary concern. It’s main drawback is that simple FTP cannot provide audit trails. FTP has enhanced offshoots such as FTPS, SFTP and EFTP. They do address security but need specialist programs installed on users’ desktops; adding overheads for IT departments.

Organizations need to employ data transfer technology that uses encryption, is capable of authenticating the recipient, manages each file transfer, is simple to install and cost effective. These technologies are out there in the market and can send or receive folders of upto 60GB securely. They have minimal impact on IT resources and are simple to install. Of a more crucial characteristic is that their audit trails meet the security and compliance standards of Sarbanes-Oxley, COSO and other global ICT regulations.

Various companies in Kenya are progressively appreciating their reliance on information for their success. They are therefore developing their ability to move data securely and effectively from one location to another. The importance of secure file transfer cannot be understated. It has become a core business process used by leading local organizations to run, maintain and manage their operations.

ARE OUR COMPANIES PRACTISING DUTY OF CARE

2010-05-07T20:15:00.001+03:00

Last week we established that our personal information has now become traceable and sellable due to the recent advances of ICT technology in Kenya. We noted that our local corporate bodies have traditionally being crucial custodians of our information and they have a duty of care in looking after it. It is now more important than ever to understand what social and legal obligation our local companies have to us in relation to the personal data they store.

Duty of care is a legal principle. It means that one must take reasonable steps to ensure their actions do not knowingly cause harm to another individual. In the context of personal information, it essentially means that the government, companies and owners of large databases would treat them as valuable data depositories that should be secured.

The flip side of duty of care is negligence, which is carelessness. This is a failure to take reasonable care for the safety or well-being of others. The primary rider here is that negligent actions address issues of “reasonableness” or, put simply, what the reasonable person might have done or not done in the circumstances of a particular case. When dealing with information the question of whether reasonable security is implemented to protect it is addressed.

Kenyans should therefore demand professionalism from our firms. ICT security is a major pillar in any company that expounds its professionalism. These firms should build systems that are secure by design. It is unfortunate that what usually happens is that computer systems are designed with business functionality as the number one priority. The ICT security guys are usually involved at the end of the systems development cycle where they are required to patch up the security as best as they can.

For Kenyans to entrust their information, money and other resources in the burgeoning technological industry, companies must avoid data breaches. Sometimes data breaches do happen. In this kind of situation a company can be liable if it cannot prove that it had implemented a reasonable and robust security framework around its ICT systems.

E-commerce will inevitably boom as technology percolates to more Kenyans. When you have Kenyan companies building more secure systems this will feed through into trust which will then translate into Kenyans being attracted to companies they have faith in. This trust will only come through when they know that their personal information is secure. This sense of security will ultimately give the few companies who have invested in ICT security a competitive edge.

YOUR PERSONAL INFORMATION HAS BECOME TRACEABLE AND SELLABLE

2010-05-07T20:14:00.001+03:00

The arrival of Seacom subsea cable two weeks ago generated considerable excitement in Kenya. This fibre optic cable, and others to come, will provide broadband to countries in East Africa that previously relied entirely on expensive and slower satellite connections.

This development will, in the long run, provide cheaper access to the internet. We shall therefore witness a few interesting trends over the next few years. One of the most obvious realities we shall have to contend with is the sheer amount of our personal information that will appear on cyber space.

Cheaper access to technology will make it possible for the government and other entities to automate their records. This automation will make it possible for someone to easily scan for your personal details, especially in sites that trade personal information.

For example financial institutions with an online presence often ask you for your mother’s maiden name as a security word. You will soon discover that this name, and other security phrases, will be publicly available on the internet. This will happen when the births, marriages and deaths records will be automated and digitally published.

Linking your searches through these disparate databases will easily yield your personal information. Your details are therefore traceable and sellable.
Kenyans will now be forced to discard their nonchalant attitude towards their personal information.

Kenyan companies have traditionally being crucial custodians of our information. They unfortunately don’t appreciate just how valuable this personal data they hold is and that they are holding this information on trust for their clients.

Most companies feel that people have given them their personal information and they can use it to run their business in any way they like. Until recently, banks implemented more stringent measures in looking after your money than your personal information. Fortunately the financial sector has changed its mindset and is currently in the forefront of data protection. There are however, many other local companies that need to practice duty of care.

Taking care of data is a complex affair. Unlike money, if data is stolen or lost, the original is usually left in place and the sense of loss is therefore minimized.
In the next article I shall outline the duty of care our local firms need to practice and the regulatory and compliance requirements we need to develop so as to force these organizations to invest more in taking care of our personal information.

IS A COMPUTER FORENSIC INVESTIGATOR DIFFERENT FROM A POLICE DETECTIVE

2010-05-07T20:09:00.002+03:00

Last week we looked at what attributes and skills are required to become a computer forensic investigator. Today I want to outline the similarities between the virtual and real-world detective. It is important to appreciate that a digital detective operates within the same principles that are used by a homicide police detective.

Criminal investigation, be it digital or real-world, has the end product of bringing someone to justice; that is, arresting, prosecuting, and convicting perpetrators of crimes.

An investigator that hunts a cyber-criminal in the netherworld of the internet borrows the fundamental working philosophy from the well tested norms of the homicide detective.

The first one is that no two crimes are alike. Every instance of identity theft, for example, has its own unique characteristics and these can be found in the way an identity was stolen and what it was used for. The second working philosophy that computer investigators borrow from their real-world colleagues is that most crimes are solved within 48 hours. Though this might not apply strictly in cybercrime, it is vitally important to initiate an immediate response otherwise tracing becomes difficult.

Another common area is that modus operandi (method of attack) provides clues as to who did it. The methodology of a cyber-criminal usually provides important details that point to the perpetrator and make profiling possible.

Thinking like a “native”, not a criminal is another crucial working philosophy. It takes a thief to catch a thief. This also applies in cyber-crime because an investigator has to be familiar with the mindset, hacking tools and techniques of the cyber-criminal. It is however important to have some familiarity but not too much intimate familiarity with the criminal underworld.

Another common working philosophy is that you can never receive too much training. Any kind of detective needs as much training as he/she can possibly obtain. This is especially true for a computer investigator that demands you keep abreast of new technology all the time.

Another very critical philosophy shared by both kinds of detective work is that evidence is always present. In whichever context, be it a real murder or a cyber crime like phishing, the perpetrator will always leave traces of his/her presence. This premise is based on Locard’s Principle of Exchange which states that any person who enters a scene of crime leaves something behind and takes something from the scene with them. A computer forensic investigator is therefore grounded by the same working philosophies that are found in real-world detective work.

A COMPUTER INVESTIGATORS STERILE WORLD

2010-05-07T20:07:00.000+03:00

Many readers of this column have asked me what it takes to become a computer forensic investigator. I will mention the attributes and skills required. Though not exhaustive I hope they paint a sketch of who a computer forensic is.

One early point to make is that it is very short on glamour and long on hard slogging. It basically requires you to solve an investigative puzzle with some of the pieces are missing. You must therefore have an idea of how these devices work, how data in them is saved in various operating systems and how to describe this to someone else in simple language.

Understanding computer hardware and how a normal operating system works is essential. Formal training is therefore recommended because it will enhance your credibility and accord you the time to test different forensic tools.

As any investigator will tell you, experience counts. Experience will show how things should look so that you can start seeing what should or should not be there. You should know that files can be renamed, what file headers and extensions are associated with a particular file and how application files can masquerade as operating system files.

Working from Standard Operating Procedures (SOP) is a crucial element of computer forensics. They should be followed religiously when handling an incident. These procedures allow you to be absolutely sure you have not contaminated the case with your own data.

Your SOP should have the acronym PPAD as its pillars. This stands for Preserve the data to ensure the data is not changed, Protect the evidence to ensure no one else has access to the evidence, Analyze the data using forensically sound techniques, and Document everything.

You must be a stickler for documentation. Document everything you do including a log of all your investigative actions. You can’t always rely on your memory after a year, when the case makes it to court, on how you conducted the investigation. Legal defense prefers to poke holes in the procedures and documentation you used than the fact that evidence was found in the device.

You must be thorough. Checking and count-checking all aspects of your investigation is a must. For example there are various password cracking, imaging and investigative tools in the market. It is very important to personally test and evaluate your tools irrespective of positive testimonies from professional quarters. It is better to be aware of bugs in your tools than be told about them in court.

ONLINE TRUST IS A PREREQUISITE TO SUCCESS IN E-COMMERCE FOR KENYA

2010-05-07T20:01:00.002+03:00

Online trust will soon emerge as a key success factor for businesses that want to succeed online. Trust is an important social lubricant for cooperative behavior. This fact is tried and tested on a daily basis.

On-line trust towards a technology is an attitude of confident expectation in an online situation of risk that one’s vulnerabilities will not be exploited. Simply put, online trust is achieved when you stop calculating the risk you are exposing yourself to when visiting a website or using a technology like the mobile phone.

Research indicates that people do enter into relationships with websites, computers and other new media. People also respond to these technologies based on the rules that apply to social relationships. Interestingly, people identify technologies as polite, rude, assertive, timid, helpful or unhelpful.

Social identity is therefore transferred to these technologies because they are social actors in the sense that they have social presence. This is what prompts people to respond to this social presence.

Mobile phones, computers, websites, ATMs are all participants in our interpersonal social relationships. A good example is the M-Pesa money transfer technology. It occupies an integral social space in Kenya and is therefore defined through social terms. It is friendly to the money recipients and becomes hostile and unhelpful whenever it is inoperative.

As we prepare to embrace e-commerce and online transactions, budding Kenyan electronic entrepreneurs should incorporate the following components of trust into their digital ventures.

They should consider the generality of trust. On-line general trust occurs when I trust the government website (www.kenya.go.ke) to provide timely, reliable and trustworthy information.

Another component is slow trust which occurs over time. It is the kind of trust typically seen in long-term working relationships. In the online context this is defined by the frequent return visits to a website. Case in point is Mamamikes.com that has gained slow trust from Kenyans in the diaspora.

The degree of trust is another element of online trust. This trust runs from basic to guarded to extended. Basic trust is the belief that the website you frequent will be there tomorrow as it is today. Guarded trust is trust protected by formal contracts, agreements, disclaimers and promises. Extended trust is trust based on openness.

Trust is in short supply in Kenya. If we are to securely roll out a new electronic commerce sector we must internalize these components of on-line trust and develop a trustworthy relationship with online Kenyans.

CHILD ABUSE IS A COMPUTER SECURITY PROBLEM WE NEED TO CONFRONT

2010-05-07T19:57:00.001+03:00

In the recent past we have witnessed an increase in reported child abuse cases. It is a disconcerting fact that we have pedophiles in our midst. Pedophiles are adults who are sexually attracted to children. This reprehensible behavior is not usually confined to individual sexual predators.

Pedophiles usually operate in a network or ring that cuts across national borders. They distribute digital images of their diabolical acts through the internet. This darker digital side of pedophilia has manifested itself in child pornography.

Pedophiles have for a long time used the internet to distribute videos and images of children being abused. Law enforcement agencies in the developed west have in the recent past hunted and hounded these sexual predators, especially in the internet. This intense crackdown has resorted to pedophiles hiding their graphic digital images within other innocent looking images.

This practice is called steganography and is most likely being used by our homegrown pedophiles. Steganography is the art of concealing data/images within data or another image.

One of the most common functions of steganography is in digital watermarking. To be able to protect images posted in the web a watermark is inserted in the image.
This is usually a logo, or text that enables the source of an image or document to be authenticated. Some digital watermarks are overt and others are covert. A good example of overt watermarks can be found in www.airliners.net.

To evade detection, a pedophile will send (via e-mail) a pornographic digital image which is transposed into an innocent digital picture. These hidden images are received by fellow pedophiles who are able to extract the hidden images by using special steganography software.

Special software is required to hide and unhide these images. There are many freeware versions available at any good download site.

One of the negative effects of the recently arrived undersea fibre-optic cables will be to make it easier for local pedophiles to send steganographic images to other ill-minded people.

The need for an efficient Cyber-crime unit in Kenya cannot be over-emphasized. Within it would be stega-analysts who would digitally investigate images with the objective of detecting and breaking steganography.

It is high time we confronted pedophilia by using technology to stop their nefarious activities. Our children are under threat and increased computer security can assist apprehend these criminals.

CRIMINAL INTELLIGENCE – A VITAL RESOURCE FOR KENYA TODAY

2010-05-07T19:56:00.000+03:00

Crime in Kenya has been on an undeniable ascendancy in the recent past. We are constantly recoiling from the horrific escapades of gangsters. Our law enforcement agencies are indisputably trying their best to counter these criminal threats with various tools and skills at their disposal. However, the potential of technology as a crime busting tool has yet to be fully exploited and applied. The time has come to harness the power of a criminal intelligence IT system.

Intelligence is the end product obtained after information has been subjected to a systematic intelligence process. This process involves planning, collection/evaluation, collation, analysis and dissemination of information.

A central digital repository of criminal intelligence information goes beyond the compilation of data that is used mainly to react to immediate routine investigative needs. It encompasses criminal, tactical, operational and strategic intelligence.

The criminal intelligence aspect of this system would process and store information on known or suspected persons involved in criminal activity in Kenya.

It would also provide tactical intelligence. This is information that has not been subjected to analysis, for example criminal histories/associations, hideouts and past convictions. This information is usually used on short-term and uncomplicated cases.

Of more importance would be the operational intelligence such a system would make available to our Police officers. This operational information offers a broader understanding of the workings of a criminal gang/enterprise for example its leadership/succession structure, membership process, rules and regulations, degree of dominance and general practices. This information is used in formal reports that generate recommendations for future action.

The criminal intelligence system would finally provide strategic intelligence. This information provides an overview of the scope and character of criminal activity. Apart from serving the needs of the Police, this information is also consumed by the executive and legislative arms of government. It assists them in developing policies and programs that would combat a particular criminal sector.
The current fragmentation of criminal intelligence efforts weakens the ability of central police management to conduct criminal, tactical, operational and strategic responses to crime.

As we move further into the technological era, we should not produce criminal intelligence for its own sake. This system should be developed and applied to direct the collective response of our law enforcement agencies to crime. That is why we must develop an indigenous criminal intelligence system that increases our capability to collect, analyze and report information on criminal activities.

DISK WIPERS AND THEIR FORENSIC FUNCTION

2010-05-07T19:55:00.000+03:00

It is an undisputable fact that our modern day lives have become inexorably intertwined with technology. Be it the mobile phone, the home PC, the micro-chips in our cars or the computers in medical life support systems, technology has become indispensable.

A by-product of this dependency is the high value digital data/information stored in these devices. Laptops have been lost that contain thousands of employee records. Trade secrets have been stolen and transported in flashdiscs.

Disk wiping or data erasing has as a result become increasingly crucial in the protection of confidential and private information for the law-abiding computer user. Before disposing of your old computer, it is important to know a few basics about disk wiping.

Your procedure should begin by using Windows to delete all files and directories. You then use a disk wiping utility to obliterate empty space and examination for residue should then be conducted.

Windows and other operating systems do not delete files when you “trash” them. It simply removes the file headers and marks the physical space that the files occupied as unallocated and therefore available for reuse.

Disk wiping utilities typically erase this unallocated space. They basically involve the creation of a new file that contains a wiping pattern. So instead of the original zero ones, it creates all zeros or random zeroes and ones. This pattern is applied to all available free disk space including, most crucially, space left behind by deleted files.

Therefore a disk wiping utility should obliterate all of the space formerly occupied by deleted files.

After this free space has been wiped, it is advisable to conduct a post-erasure disk analysis using software tools such as WinHex or Access Data’s FTK. These tools allow you to determine whether any disk residue exists.

Most disk wipers, however, leave behind information that may have proprietary or security implications. Despite their advertised claims, disk erasers may leave enough metadata (data about data) residue that would provide enough clues about your files.

There are various Disk Wiping tools, for example Cipher.exe, Cyberscrub, PGP Wipe, Wincleaner and many others. Evidence Eliminator is one of the best Disk Wipers around.

Another interesting category of products are the so-called disk sanitizers or disk purgers. These are tools that are marketed to vendors who recycle computers.

USING THIN CLIENT COMPUTING AS A SECURITY MEASURE

2010-05-07T19:52:00.000+03:00

The vulnerabilities of laptop computers are well documented. Incidents of laptop theft and loss have caused severe damage to individuals and companies in Kenya. Lost or stolen, company issued, laptops usually contain valuable data that can include anything from financial transactions, customer/employee records or secret product designs.

Traditional laptops therefore translate into a large risk exposure for local companies. Aside from lost information, organizations are exposed to significant costs in terms of regulatory fines. Legislation, for instance the Data Protection Act, will soon mete out serious penalties for companies that breach privacy codes.

The threat of identity theft and potential damage to a company’s reputation should compel Kenyan companies to radically rethink laptop security.

Using thin clients is an alternative that should be accorded serious consideration. The term thin client refers to a network computer (laptop or desktop) without a hard disk. This computer (and its software) is part of a network that acts as an interface while the network server computer does all the real work.

Thin client laptops contain enough information to start up and connect to the company’s network. It might have a hard disk and program/files are accessed and saved in the network server.

The security advantages of thin client portable computing have prompted multinationals to increasingly deploy them. Various aspects are evident.

Thin clients do not have a hard disk drive. As a result valuable data cannot be stolen. Virus infection is minimal because thin clients are XP embedded and have a Hyper Write Filter which prevents any virus from installing itself locally. If infected, the ‘locked down’ mechanism means that a simple reboot removes any malicious code.

Apart from offering a lower risk of being stolen, thin laptops offer a secure environment for remote working because users access data over an encrypted network.

E-mail and internet usage are two indispensable applications for the mobile worker. They are therefore targeted by malware. However Microsoft Internet Explorer and Microsoft Outlook are more secure when server-based.

Data backups and restores are not necessary in thin computing because all the data is stored on the server and is managed by the enterprise backup strategy.

Thin computing however demands a well developed ICT infrastructure with high data rates of internet access in public networks. The current laying of fiber optic cabling in the country will go a long way in making thin computing a viable alternative to traditional laptops.

ARE OUR COURTS READY FOR THE FUTURE CRIMINALS?

2010-05-07T19:51:00.000+03:00

A new wave of criminal offences will soon be coming our way. With the implementation of advanced technology such as satellite and fiber optic networks in Kenya, new forms of criminals are getting ready to exploit the opportunities that will be available.

Electronic Commerce provides a relevant illustration. The valuable financial tokens that underlie e-commerce - credit card numbers and bank account information - have to be secured against these “new” criminals who will use various methods like internet sniffing to obtain these details. With increased success, these criminals will emerge with the sole motive of defrauding unsuspecting Kenyans for a quick profit.

Cyber and conventional crime share a fundamental concept; evidence is a primary determinant of innocence or guilt. Locard’s exchange principle applies to the real and virtual worlds. This principle is applied to crime scenes and states that when the perpetrator of a crime comes into contact with the scene, he/she brings something into scene and leaves with something from the scene. Every contact leaves a trace.

Fibers from where the criminal sat on the upholstered chair are examples of physical trace evidence. Digital trace evidence on the other hand includes deleted files and registry entries to the internet history cache among others.

Cases involving complex computer evidence require our judiciary system to be technically prepared. What would happen if our courts were swamped with cyber-crime cases where abstract and technical information needs to be communicated and thoroughly understood?

To ensure a successful prosecution digital evidence has to be evaluated. An example would be in an investigation where child abuse images are found in a suspect’s computer. The defense or prosecution of the offender can often rest on the precise way in which these images arrived in his/her computer.

Were the images simply downloaded or were they viewed? Did the offender distribute them to others? Are there messages hidden in the images that point to other criminal activities such as drug trafficking?

In many cyber-crime cases, data is often deleted or moved about in an effort to cover tracks. This trail is difficult to investigate and outline. Understanding that no digital data is ever permanently deleted and that digital files have fingerprints known as MD5 hash values requires in-depth computer knowledge.

Our courts are currently ill-prepared to handle this new type of crime. It is time the legal system developed and implemented a comprehensive training system for its judiciary staff so as to have reasonable level of ICT expertise.

TIME IS NIGH FOR SECURITY SHARING

2009-05-08T18:56:00.000+03:00

For the past two decades we have been witness to an electronic revolution. Social functions as we used to know them have been radically turned inside out by technology. Records from bank accounts, tax returns, property registers and shopping transactions have become electronic.

Of equal importance are the mundane everyday systems that have discreetly been automated. For instance burglar alarms are no longer the sirens of yore that woke up the whole sub-location. They instead send silent messages to security control rooms. Locks are no longer mechanical affairs. They are now swipe cards or remote controls.

All these developments have a common fabric. Technology has permeated nearly every sector of our society. Computer security will suddenly mean more to you when almost every electronic device that affects your life is connected to the Internet.

Computer security systems frequently break down and the same elementary mistakes are repeated in one organization after another. These systems apart from failing also just don’t work well enough.

Instances of credit card fraud, identity theft, DSTV pirating and other cyber crimes will become commonplace in Kenya once we get connected through the submarine fibre cables.

Most failures of security systems (computerized or otherwise) can be prevented if security experts had a bit more knowledge of what had been tried, and had failed elsewhere. ICT security technologies (eg. auditing, encryption, access controls and others) are relatively well understood in themselves.

The problem lies in the knowledge and experience of how to apply these technologies in a nascent ICT sector like ours. The rapid computerization that is happening has not given Kenyan ICT security professionals enough time to learn and exchange these lessons.

As a result the same old security square wheels are being applied in most local organizations. The companies that have managed to understand that exchanging security incidents and lessons have been able to reduce their vulnerability.

Within a few years there will be more mobile phones, lifts, refrigerators, electricity meters, burglar alarms and CCTV cameras on the Internet than personal computers. This will require security professionals to think differently.

Knowing what works, and more importantly what has failed, in other organistions is a great help in developing good ICT security practices in Kenya. It is therefore imperative that ICT security professionals develop a forum for exchanging ideas and good practices.

DO YOU FEAR DEPLOYING ENCRYPTION IN YOUR ORGANIZATION?

2009-04-30T14:32:00.001+03:00

The last time we discussed encryption we examined its role in enhancing and protecting personal privacy. This piece continues by discussing why organizations should employ encryption as a priority tool in their security framework.

The current depressed global economy has resulted in a burgeoning market for stolen data.

Companies have, in the recent past, been slow to employ encryption due to various reasons. It used to be hard to set up and would slow network performance. The primary fear was that if a company used encryption on critical data and something went wrong, then that data would be irretrievable.

These concerns were justified then but are no longer relevant today. The first fear we should dispel about encryption is that implementing it is insanely difficult. Enterprise encryption software is now easy to deploy and maintain. You need to first establish how critical data flows through and out of the company. You also need to locate where this data resides. You will then be able to identify who has or can gain access to the data. Deploying encryption in these areas therefore becomes easier.

The second concern has been that encrypted data compromises network performance. This was true when encryption technology was in its infancy. Today’s solutions have been developed to make the best use of available computing cycles. They extensively use background processing to minimize their impact on the network.

It is also widely believed that managing an enterprise encryption solution is excessively complicated. Today’s encryption solutions are centralized and fundamentally simplify the oversight and administration functions.

It is also feared that encryption negatively affects data availability. Encryption does not limit access to data. It will only do so if you encrypt your database without carefully examining your enterprise use patterns. You should determine which critical applications are accessing the database most often. This will help you optimize your encryption solution to remove any bottlenecks or access delays.

Encryption finally invokes one doomsday dread. This is where a technical or staffing problem makes it impossible to decrypt your data. Imagine if the IT manager suddenly leaves the organization in a huff. Enterprise encryption will not leave you in such a lurch. There are double-authentications which require more than one person to access the key. If the key somehow becomes unavailable you can use the built-in restoration tool to decrypt your data. And with the numerous checks and balances that are in the software, any encrypted data can be decrypted and restored without resorting to expensive external consultation.

Encryption is necessary for any company that handles customer details and other critical data. There is now no sensible fear that justifies delaying usage of this crucial defense tool.

ARE WE PROTECTING OUR WIRELESS NETWORKS?

2009-04-21T08:01:00.000+03:00

Not too long ago applying for a fixed-line phone used to fill one with dread. After being on a waiting list for eons, you would finally get the treasured land line connection. That, however, would not be the end of your troubles. The connection would constantly break down, bills were often wrong and maintenance service was pathetic.

It is against this backdrop that we have readily embraced wireless communication technologies. Cellular networks have experienced phenomenal growth in the recent past. Wireless computer solutions have also experienced substantial demand as we seek to become more flexible and productive.

Dependence on wireless computer networks is therefore increasing. Wireless Local area networks (WLANs) and Wireless Metropolitan area networks (WMANs) that connect several WLANs have become common in Nairobi. People and businesses use wireless networks to send or share data quickly whether it be in an office building or across the world.

Wireless networks are, however, inherently more vulnerable than wired ones. Denial of service (DoS) attacks against this type of network does not require a very sophisticated modus operandi.

These attacks can be launched from within or from outside using widely available standard wireless equipment. They can be carried out by a hacker using a standard laptop equipped with a high output wireless client card and a high gain antenna. There are many other methods of attack and protecting these wireless networks requires the implementation of defensive measures.

Deploying WLAN intrusion detection systems will assist in identifying Dos attacks. Strategically mounting the access points at sufficient height will deter hackers from easily reaching and destroying the access points.

It is also important to aim directional access point antennas towards the inside of the building. This will help to contain the RF (radio frequency) signal.

Making a building as resistive as possible to incoming radio signals is another crucial defensive measure. Installing metallic window tint instead of curtains or blinds can help prevent RF leakage and keep incoming radio signals out. Wi-Fi proof wallpaper and Wi-Fi paint also serve the same purpose.

Implementing the IEEE 802.11w standards that outlines the Protected Management Frames is advisable. WLANs send system management information in unprotected frames. This standard aims to increase security by providing data confidentiality of these frames.

Finally, it is good security practice to carry out wireless audits with the aim of determining how far the RF signal actually extends outside the building.

COMPUTER GAMES HAVE BECOME SECURITY THREATS

2009-04-18T11:13:00.001+03:00

If you encountered computers at an early age then you most likely indulged in computer gaming. Can you ever forget the excitement when you first played Prince of Persia, Wolfenstein 3-D and Doom? Other memorable ones include Counter-Strike and Grand Theft Auto.

Gaming has evolved from solo playing in one computer to interacting with multiple online players from far flung locations. This has spawned a lucrative business with revenues from online games being estimated to be in the billions of dollars. This has obviously attracted cyber criminals.

The rise in massively multi-player online role playing games (MMOGs) has made computer games attractive targets. Crooks are able to exploit the vulnerabilities in MMOGs to commit identity theft and intrusions.

MMOGs require permanent internet connections and this access is used to steal user data from both real and virtual environments.

In these games, players often change or purchase virtual commodities. These may be weapons, clothes, medicine, money or property. The items are bought using real money which is converted into virtual currencies. These virtual funds are attracting crooks. Profits derived from illicit activities are hidden in the game economies of virtual worlds in a new form of money laundering.

Due to the competitive cut-throat business of computer gaming, vendors have overlooked security in their mission to be first to market the next big game hit. The result has been increased vulnerability to data stealing Trojans. These Trojans have the aim of recording user IDs and passwords together with the IP addresses of the servers these MMOGs are hosted. Keyloggers are also introduced which record all keystrokes.

After compromising a player's online account, the online crooks are able to convert the virtual objects and currencies they steal into real money.

Other vulnerabilities that are easily exploited are scripting holes. These are typically found in web applications which allow code injection by malicious users into the web pages viewed by other users. An example would be where you play an online game from a website that has a link to another site that exploits a scripting vulnerability. Upon clicking the line malicious scripts execute in your browser and steal sensitive information like passwords and billing information.

Games that require permanent internet connections and use some form of virtual economies need to be used with caution.

ARE YOU PROTECTING YOUR MOBILE DATA?

2009-04-01T12:35:00.000+03:00

The power of mobile computing has resulted in tremendous work flexibility and productivity. Tools such as laptop computers and sophisticated mobile phones have allowed us to perform functions that were previously unachievable. You are now able to conduct professional corporate presentations while visiting clients or updating budgets while on vacation among many other work related activities.

Mobility unfortunately has brought new and serious challenges in the areas of corporate security and information privacy. It is now common practice for companies to issue laptops to employees as replacements for their desktop computers. Powerful mobile phones are also provided so as to maintain constant e-mail communication. This has resulted in vast volumes of corporate information being delivered and stored electronically.

A dramatic upsurge of laptop theft has been witnessed in Nairobi. These device losses pose a serious risk to both the owner and company. Personal and trade secrets can easily fall into the wrong hands. Beyond the loss of hardware, the greatest concerns are often the value of data and the unsecured enterprise access available through a company laptop. Corporate data obtained from a stolen laptop can be sold to competitors. Unauthorized access to a company’s customer database can be achieved by use of a stolen laptop. Your personal data can also be used to commit identity theft.

These scenarios demand a layered approach to mobile computing security where data protection is also included. This approach encompasses Compliance, Protection and Recovery.

Compliance is the ability to comply with applicable mobile data protection regulations and to provide an easily accessible audit trail. To ensure compliance, companies must protect data, track the mobile hardware (and their users), provide auditing capacities and maintain historical records. The Kenya Communications Act and the Communication Commission of Kenya’s regulatory framework are good starting points. Non compliance will expose the organization to law suits in the event of data loss.

Protection is the ability to prevent mobile data losses from occurring. Data loss from a stolen laptop can be prevented by encrypting mobile data. Encryption, however, fails to protect sensitive information in cases of internal theft. In instances of external theft, encryption only delays access to sensitive information. To ensure total protection a multi-faceted approach of combining encryption, strong authentication and deployment of asset-tracking software will ensure aggressive protection.

Asset-tracking software tools are able to track and recover laptops that are lost or stolen. They also monitor any changes or disappearances in computer memory, hard drives or peripherals.

Recovery is the ability to recover lost or stolen mobile data, to retrieve lost or stolen devices and return them to the control of the organization, and to facilitate prosecution. Companies should have in place procedures that include law enforcement officials in the recovery of these devices. A fully functioning Cyber-Crime unit of the Kenya Police would be able to increase the asset recovery and prosecution capacity. Subsequent prosecution would act as a powerful deterrent against future theft.

This multi-layered approach will go a long way in ensuring that mobile asset and data protection controls are in place and reduce the exposure of legal action due to device loss.

HIGH TIME WE INTRODUCED A POLICY TO PROTECT OUR SURFING CHILDREN

2009-04-01T12:34:00.001+03:00

Computer usage by our children in our primary and secondary schools has become commonplace. Computers have also become familiar in private and public libraries. Nurseries have not been left behind either, albeit only a few upscale ones provide computer instruction to toddlers.

Introducing this technology to our children at an early age is recommended because their adult lives will be synonymous with technology.

In the near future access to the internet will become cheaper in Kenya. This will enable most schools to provide full time broadband access to their students at a subsidized rate. This access will mean our children will have access to all shades of digital material.

Time is nigh for us, as a society, to develop an internet safety policy that will ensure educational institutions and libraries have technology protection measures. These measures must be tied to government funding or licensing.

Waiting for legislators to introduce this initiative would be akin to waiting for Godot. Educational institutions should also not be left with the sole responsibility of implementing safety measures. Parents should be ready to develop and enforce this policy as an additional component of sound parenting.

An internet safety policy, that specifically targets schools and libraries, should include measures that block or filter internet access to pictures that are obscene or harmful to minors and teenagers.

These institutions must prove compliance by educating minors about appropriate online behavior, including cyber bullying awareness and response and interaction with online individuals on social networking sites such as Facebook or MySpace.

Educational institutions should also be required to restrict minors’ access to materials harmful to them. They should limit unauthorized access, including hacking and other unlawful activities by minors online.

There are software tools out there that can enforce these measures. These tools offer complete protection from internal and external threats for instant illegal P2P file sharing, data leakage, data loss and more.

Schools can be able to implement software that offers content monitoring and complete visibility into individual users, allowing them to protect minors and students while securing the institution from issues of legal liability.

The computer and the internet have become rapidly growing tools that enable children and adults to instantly access information and resources. It is also a powerful communication medium. It is our duty, as parents, to ask whether the schools our children attend have implemented basic computer and internet safeguards.

Not to be forgotten is the role of parents at home. It is common for parents to assume that rules are being adhered to when in actual fact they are not. There is also an assumption that rules are not needed when they are.

Rules and regulations in educational institutions should be in tandem with the ones at home. We cannot afford to be lax on this issue of protecting our children from the dangers of the computer and the internet.

Parents must learn to protect their children from the array of undesirable digital content both at school and home.

SHOULD YOU PUBLICIZE YOUR SECURITY VULNERABILITIES & BREACHES?

2009-04-01T12:29:00.001+03:00

Many local companies experience IT security breaches and keep mum about it. A breach is a rupture, break or gap whose cause has not been determined. It can be more vividly defined as an opening or gap in the wall. Digital walls protect valuable data systems and when they are breached the repercussions are extremely costly to both individuals and companies.

When a tree falls in Mau forest it certainly makes a sound. If a section of a perimeter wall collapses it makes a sound. If there is no on around to hear the tree crashing down or the wall falling apart then the event is not immediately registered or discovered.

What if a computer network is vulnerable or breached and no one knows about, is it insecure? A collapsed section of a wall makes it insecure to those who know about the vulnerability. This also applies to a computer network with a security hole. If no one knows about it, that is the vulnerability has not been discovered, then the computer network or digital wall is secure.

However if someone knows about it, then the IT system is insecure to the discoverer but secure to everyone else. If part of that perimeter wall round your residence is vulnerable and you have no knowledge about it, then that wall is secure to you. But to a robber who knows its vulnerability, it is insecure.

What if you knew that your network was vulnerable? What if you knew if part of that wall round your home was vulnerable? Would you publicize this fact?

The vulnerability exists, whether or not anyone knows about it. Keeping computer breaches and vulnerabilities secret does not guarantee your security.

An attacker can’t exploit a vulnerability he does not know about. A defender, also, cannot protect a vulnerability he does not know about.

In Information Technology, security that is based on publishing breaches and vulnerabilities is more robust. Those companies that suffer hacking attacks and keep them secret undermine the natural flow of information. Instead of fighting this flow, companies should embrace full disclosure which ensures they end up with more security than less.

The internet is still an insecure cyber-world, but it would have been much worse if its software vulnerabilities had been kept secret. Disclosure about its vulnerabilities has resulted in many of them being fixed.

Companies should stop sweeping their vulnerabilities and problems under the rug. They should instead embrace the full disclosure security movement. This will not only enhance their system security but also prevent those holes in their walls being announced in blogs and newspapers.

DO YOU HAVE THE ESSENTIAL INFORMATION SECURITY CERTIFICATIONS?

2009-04-01T12:27:00.001+03:00

Information security is only growing in importance. Whatever an organization’s mission, product, or service, its information security is paramount.

Many readers of this column have asked me about IT security courses and certifications. Which one is the most suitable and whether these courses are available locally. I want to oblige today and list three essential IT security certifications.

These security certifications can significantly bolster your curriculum vitae and assist in job retention. Generally, choosing which certification you do is dependent on the career road map you have outlined for yourself.

So once you have decided that your career road map is IT security, it is important to appreciate that the best certification for you depends on your education, skills, and goals. For this reason, when pursuing any professional accreditation you should give much care and thought to your experience, skills, goals, education and desired career path.

One of the pre-eminent IT security accreditations is the Certified Information Systems Security Professional (CISSP). This certification is administered by the International Information Systems Security Certification Consortium, commonly known as (ISC)². (ISC)² is a global vendor neutral not-for-profit organization that provides various information security certification programs.

CISSP is a globally respected certification that is designed for security industry professionals with at least five years of full-time experience. It is internationally recognized for validating a candidate’s expertise with operations, network and physical security, as well as the ability to manage risk and understand legal compliance responsibilities and other security related elements.

The exam is particularly daunting. It consists of 250 questions with four options each and is six hours long. You can obtain more information from www.isc2.org.

Another accreditation worth pursuing is Security+ offered by the Computing Technology Industry Association (CompTIA). This certification is vendor neutral and recommends at least two years of on-the-job technical networking experience. It validates knowledge on organizational security, cryptography, assessments and audits, access control security systems, access control and network infrastructure. You can find out more about Security+ from www.comptia.org.

There are, of course, other security certifications out there. The Certified Information Security Manager (CISM) certification is for security professionals who manage, design, oversee and/or assess an organization’s information security. CISM is offered by ISACA. The website is www.isaca.org.

Certification in itself is not the end. These certifications should instead be pursued with the aim of enhancing your IT security skills and providing an additional competitive advantage that sets you apart from the crowded IT field.

ARE YOU A RECKLESS SHOPPER

2009-04-01T12:23:00.002+03:00

Despite the global recession, experts predict online retail shopping to grow. Online retail demand, in Kenya, will be boosted by the imminent arrival of several submarine cable systems this year.

Online shopping is un-disputably more cost effective and faster than the traditional commute from one duka to the other. Comparing prices and bargains is merely a click away.

The current global recession will prompt more Kenyans to consider shopping online in search of better bargains. Following closely behind are the scammers who, also due to the recession, will increase their presence in the internet.

Kenyans need to be more vigilant and aware of the pitfalls that exist in this electronic supermarket. We can never be too careful and this message needs to be constantly repeated.

I have outlined some golden rules one should adhere to if you are to shop online and come out unscathed.

Never go shopping without ensuring that your personal firewall is enabled and updated. Standard firewalls included with operating systems are insufficient. They do not adequately control outbound connections. By installing a reputable firewall you will be able to monitor and prevent sending out of your shopping data on the internet by malware.

Online shopping is synonymous with credit cards. This is the Achilles heel of e-commerce. To be able to protect yourself you should ensure that your cards are registered with online providers such as MasterCard SecureCode that verify your transactions via a private code.

It is also prudent to use only one card for online shopping. Never use multiple cards or mix normal purchases with your online credit card. Maintain the limit for this card to be as low as possible. Better still, use a top-up card for your online purchases.

Remember that your bank provides you more security guarantees with a credit card than a debit card. So avoid debit cards for online shopping otherwise you might be exposing yourself to exploiters.

Checking your card statements regularly for any irregular activity is a good habit. Scammers use small transactions over a long period of time so as to avoid detection. That 400 bob that cannot be explained in the statement is warning enough.

On the site you should always check for the little padlock at the bottom right hand corner of the Internet Explorer browser. This confirms that an encryption key has been activated for your data transmission.

Also make an effort of checking the site’s privacy policy. Check for details of how your personal information will be used and try to provide only the required minimum information.

Adhering to these few rules will help you keep the scammers at bay. Embrace online shopping but keep it safe.

Can you use Encryption to Enhance your Privacy?

2009-01-24T20:26:00.001+03:00

Continuing on from a previous article, which looked at privacy in today’s internet age, this piece continues by discussing how one can use encryption to protect privacy.

One aspect of privacy that I didn’t discuss is what information your employer holds with regard to your surfing activities. Employees are now provided with internet access and every click and typed address is tracked by your employer.

There are various monitoring tools available that account and report on employee internet usage. These tools are evolving and improving giving employers the ability to chart what a particular user does, how often and when they do it.

This monitoring is sometimes justifiable. Employees that abuse their access to the internet instead of doing the job they are employed to do are identified through these tools.

A perturbing observation still remains: organizations can create a profile of you that includes personal information such as purchases, transactions, medical status and others. This constitutes private data.

You cannot do much to control who accesses your internet or network usage information in an organization. However, as a home user, there are various security and privacy aspects you should be aware of.

The storage media you use, for example USB sticks and CDs, are easy to lose and steal. Laptops have become much sought after items by thieves.

The loss of computer hardware is incomparable to the data loss. It is therefore crucial to encrypt your files so that they are unreadable to all but the owner of the decryption key, you.

Encryption can be simply described as the conversion of ordinary language into code. This is where information (plaintext) is transformed using an algorithm (cipher) to make it unreadable to anyone except those possessing the key. The process of converting this encrypted data (sometimes called ciphertext) back into its original form is called decryption.

Encryption solutions are inexpensive and widely available whether it is for large organizations, small businesses or home users. It is a good practice to encrypt all valuable information on the portable storage devices we use. That way if your laptop or USB device is stolen, the thief will be unable to make any use of it whatsoever.

Another advantage of encryption is that it protects sensitive data against malicious code. When malicious code manages to bypass network security, encrypted data acts as an extra layer of defense. This way privacy can be ensured.

Encryption renders your personal data useless to thieves. Using the encryption solution is advisable to all corporate and individual computer users.

The Communications Act could have gone Further

2009-01-24T20:24:00.000+03:00

Putts Law states that technology is dominated by two types of people – those who understand what they do not manage and those who manage what they do not understand. The Kenya Communications (Amendment) Act 2008 has made a spirited attempt in assisting us manage what we don’t fully understand.

From an electronic commerce, security and forensics point of view, The Act has commendably addressed various substantive issues.

A range of financial tokens that underlie e-commerce have been secured against fraudsters. Case in point is Formation and Validity of Contracts where a contract shall not be denied validity or enforceability solely on the ground that an electronic message was used for the purpose.

It is therefore possible to use digital signatures that provide reliable authentication of documents in computerized digital form. These signatures have been legally recognised. This means that where a law requires a signature of a person, this requirement can be met if an advanced electronic signature is used within the context of a relevant agreement.

The implications of this aspect on e-commerce are wide-ranging. You can electronically sign credit contracts with virtual banks and use virtual letters of credit to conduct business. Other aspects that will enhance e-commerce include Attribution/Retention of Electronic Records and Acknowledgement of Receipts.

On ICT security and forensics, The Act has fundamentally altered the electronic security landscape in Kenya. The notable inclusions include the entrenchment and substantiation of electronic records (or evidence).

Electronic records are now legally recognised and can be retained in their original form. This means that your internet history logs, for instance, can now be used as evidence. Attribution is also now legal in that an e-mail receiver can legally act on the contents of an e-mail after identifying its source.

It is now illegal to gain Unauthorised Access to a Computer System, Modifying Computer Material without Authority, Disclosing Passwords, Committing Electronic Fraud, Publishing Obscene Information and Planting Viruses/Trojans in systems.

There are however some significant omissions that should have been included in The Act. Firstly we must divorce ICT from media and publish a dedicated and detailed ICT Act. Some might argue that ICT and media are converging. My contention is that ICT, being a complicated technology with multi-faceted functions, should be recognised as an independent framework despite its use in the media and other sectors.

Electronic investigation has been given a cold shoulder by this Act. Codes of electronic investigation and evidence handling procedures should have been outlined in more detail.

Information is today’s commodity of choice. This digital property will invariably ignite conflict. It would therefore have been advisable to include an ICT intellectual property framework in this Act. Finally the Amendment Act could have meted stricter penalties for sponsors and perpetrators of child pornography, which is has become a menace in Kenya.

In sum, this Amendment Act is a commendable first step. What should be appreciated is that ICT is dynamic and more legislative and policy work needs to be constantly developed.

How to Catch a Cyber Criminal by Staging

2009-01-24T20:22:00.000+03:00

The traditional village market has been replaced by the global digital market. The internet has transformed trading of goods, services and commodities fundamentally. Kenyans have swiftly embraced technology and once the national fiber and submarine cable infrastructure is in place, expect a boom in electronic commerce.

However the same problems of fraud that were witnessed in the village market have crept into the digital realm. Fraudulent schemes continue unabated even in the internet. Digital thugs are busy attempting to defraud online customers by misrepresentation and deception. These online criminals try to present goods and services that look, as much as possible, like those that legitimate e-commerce merchants offer.

Their access point is usually the website. The website today’s bank counter, the first access point. An e-commerce trader has to be more vigilant than the brick and mortar bank manager. This is because a cyber criminal can easily breach an e-commerce website, commit fraud and leave undetected.

It is therefore vital to counter these web attacks by understanding and using various profiling techniques. One of the most effective is Staging (or posing). This is a profiling technique that can be used to obtain a profile of a financial intruder.

Staging is the manner of website defacement or the way particular files or resources are left once penetrated by the intruder. The habit of leaving deliberate ‘calling cards’, is not common among cyber fraudsters. This is because their motive is to breach e-commerce websites and obtain the data. This can only be achieved by employing a sustained covert connection to the system.

They therefore go to great lengths to cover their tracks. The alteration of a crime scene to confuse or mislead is common and is a good example of staging. The forensic investigator looks for signs that not only indicate the presence of an online fraudster but also of cover-up signs.

Intruders attempt to hide or remove evidence of an intrusion by deleting logs, altering date-time stamps, and installing their own utilities to subvert the operating system. They also use strong encryption to cloak their activities by encrypting data before stealing it, encoding communications between compromised hosts and obfuscating executables.

It is therefore important to identify the absence of the obvious as well as the presence of the obvious online financial intruder tracks. The presence of encrypted packets within a network is evidence of an intrusion. The absence of router network logs is indicative of an intrusion.

Staging is, therefore, a useful profiling technique that can assist our budding local e-entrepreneurs.