When hackers visited our utumishi kwa wote (police) website, it took a question from a reporter, @Larrymadowo, for the spokesman of the police to realize that their website had been hacked. Then the response was fast and furious: shoot the hacker on sight... yeah, the laptops and computers on site.
OK, jokes aside, who are hackers and why do they do what they do?
Hackers are individuals who intrude into others' systems/websites without permission in search of information (hacking). They can be categorized into three groups depending on the degree of their ability to commit cyber crimes. Beginners are generally just curious pastime individuals or kids, doing it for fun. Then there are the intermediate and the advanced, where the advanced hackers are difficult to trace.
Most of the time, hackers identify systems that are vulnerable, after which they attempt to break the password. If they succeed, you can guess what comes next. The problem with the Kenyan police website is that the hackers did not have to do much to get the password. It was like public property: google “filetype:txt kenyapolice + password” and you have everything.
Hellooo! Who is in charge here? The tech guys at the Police Department, or the Government tech department, or even the tech company charged with the responsibility of managing such websites should know better. That was like leaving your house key lying at the door for anyone curious enough to use.
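A password sitting in a text file that the web server hands out is something the site owner can find before a search engine does. The sketch below is an added example, not from the original post: it walks a document root and flags credential-like lines in downloadable files. The suffix list, the pattern and the sample site are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumed list of suffixes a web server usually serves as plain downloads.
RISKY_SUFFIXES = {".txt", ".bak", ".old", ".sql", ".log", ".cfg", ".ini"}

# Assumed pattern: "key = value" or "key: value" where the key names a credential.
CREDENTIAL_RE = re.compile(
    r"(?i)\b(pass(?:word|wd)?|pwd|secret|api[_-]?key)\b\s*[:=]\s*\S+"
)

def find_exposed_credentials(docroot):
    """Return (relative path, line number, key) for each credential-like line."""
    docroot = Path(docroot)
    findings = []
    for path in sorted(docroot.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in RISKY_SUFFIXES:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), start=1):
            match = CREDENTIAL_RE.search(line)
            if match:
                # Report the key name only; never copy the secret into a report.
                rel = path.relative_to(docroot).as_posix()
                findings.append((rel, lineno, match.group(1).lower()))
    return findings

def scan_sample_site():
    """Scan a constructed sample site: two harmless files, two leaking ones."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "admin").mkdir()
        (root / "index.html").write_text("<h1>Welcome</h1>\n")
        (root / "robots.txt").write_text("User-agent: *\nDisallow: /admin/\n")
        (root / "admin" / "notes.txt").write_text("user: webmaster\npassword: EXAMPLE-ONLY\n")
        (root / "db.sql.bak").write_text("-- dump\nSET PASSWORD = 'EXAMPLE-ONLY';\n")
        return find_exposed_credentials(root)

if __name__ == "__main__":
    for rel, lineno, key in scan_sample_site():
        print(f"{rel}:{lineno}: credential key '{key}' in a web-served file")
```

Any hit means the file should be moved out of the document root and the password in it changed, since it may already have been indexed.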
How hard is it to choose a strong password?
I start with a warning: although passwords are a common form of authentication, there are several programs attackers can use to help guess or “crack” them. But by choosing good passwords and keeping them confidential, you can make it more difficult for an unauthorized person to access your information.
Here are a few tips on how to do it:
- Don’t use passwords that are based on personal information that can be easily accessed or guessed.
- Don’t use words that can be found in any dictionary of any language.
- Develop a mnemonic for remembering complex passwords.
- Use both lowercase and capital letters.
- Use a combination of letters, numbers, and special characters.
- Use passphrases when you can.
- Use different passwords on different systems.
Check more on the hacking process done brilliantly by @iddsalim here
The internet changed the way people communicate and the way governments store their information, and it has become a popular resource for communicating. The internet is accessible to almost everyone, and that has changed the definition of national security. In the modern era, national security is more than guarding against physical threats. That is why it is a bit scary to hear that the police spokesman, Mr. Eric Kiraithe, had no idea what was going on with their website.
Many of us will take solace that, in the case of the police website, the content is not that deep or sensitive. Mostly what is there is information that is already in the public domain anyway, and the hackers were just having fun, first dedicating the site to Mark Zuckerberg, the CEO of Facebook, and later directing the message to Ocampo, the ICC prosecutor. But it would be a different case if other Government websites with sensitive information, like KRA or banks, were to be the target.
That brings me to the issue of Government investment in cyber security, or the lack of it. Wanjiku captured the debate that started after the hacking of the police website and how the PS for Information and Technology, Dr. Ndemo, responded.
After the thread went on for some time, Ndemo responded:
“It is not true that the Government does not want to use some of the best brains in the country. It is actually difficult to attract the best brains to Government at the current salaries considering our level of development. Several adverts in E-Government go without serious responses. We cannot create a special class of salaries since it would create discontent in the entire civil service.”
Create discontent in the entire civil service! Are you kidding me? We are talking about security here, for heaven's sake. Personally I think it should be a priority; even if it means paying the people doing it more than the President, just do it. How did the Government manage to pay Rengera a huge amount of money without creating the so-called discontent, and, to make it worse, without any tangible results to show for it?
In case of emergency, how do you get out of the hacked mess?
Here is the brief rescue mission path:
Take your site offline temporarily. Contact your hosting company and ensure the site is taken offline temporarily. I would assume some department of the Government is handling the hosting, maybe Kenic, or is it the ICT Board, or?
The next step is to clean up the pages or code and the database. At this point the assumption is that you had backed up the website files and database.
Time to try to figure out the damage done. What was the hacker after? Sensitive information, or just being there for the sake of it? Look for modified or newly added files on the web server. How about unknown user accounts?
Complete reinstallation of the OS would be the best way out here. Then use the saved backup to restore your site.
Reporter in Trouble
So Larry Madowo angered so many internet security experts in Kenya with his comment, which was completely taken out of context. He was accused of saying that there are no internet security experts in Kenya. To tell the truth, I did not know that there are that many. Here are Larry’s Twitter postings, and I can’t see where the anger is coming from:
@Larrymadowo : I need to speak to an online security expert who is in town pap! Anybody?
After some time with nobody responding:
@Larrymadowo : So there’s absolutely no internet security expert in this town who wants to talk to me? :(