Hackers and the Cyber Security in Kenya

When hackers visited our Utumishi kwa Wote (police) website, it took a question from a reporter, @Larrymadowo, for the police spokesman to realize that their website had been hacked. Then the response was fast and furious: shoot the hacker on site... yeah, the laptops and computers on site.

OK, jokes aside, who are hackers and why do they do what they do?

Hackers are individuals who intrude into other people's systems or websites without permission in search of information (hacking). They can be categorized into three groups depending on the degree of their ability to commit cyber crimes. Beginners are generally just curious individuals or kids doing it as a pastime, for fun. Then come the intermediate and the advanced, of whom the advanced hackers are difficult to trace.

Most of the time hackers identify systems that are vulnerable, after which they attempt to break the password. If successful, you can guess what is next. The problem with the Kenyan police website is that the hackers did not have to do much to get the password. It was like public property: google “filetype:txt kenyapolice + password” and you have everything.

Hellooo! Who is in charge here? The tech guys at the Police Department, the Government tech department, or even the tech company charged with the responsibility of managing such websites should know better. That was like leaving your house key lying at the door for anyone curious enough to use.
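The defender's side of that search, as an added example that is not part of the original post: an audit that walks a web root and flags crawler-indexable text files containing credential-like lines. The extension list, the pattern and the sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Extensions a web server usually serves as plain text and crawlers index.
# This list is an assumption for the example; adjust it to the site.
RISKY_EXT = {".txt", ".log", ".bak", ".old", ".sql", ".cfg", ".ini"}
# Matches lines such as "password: x", "passwd=x", "pwd = x" (case-insensitive).
CRED_RE = re.compile(r"\b(pass(?:word|wd)?|pwd)\b\s*[:=]\s*\S+", re.I)

def find_exposed_credentials(docroot):
    """Return (relative_path, line_no, keyword) for each credential-like line."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if os.path.splitext(name)[1].lower() not in RISKY_EXT:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="replace") as fh:
                    for line_no, line in enumerate(fh, 1):
                        m = CRED_RE.search(line)
                        if m:
                            rel = os.path.relpath(path, docroot)
                            # Report the keyword only, never the secret itself.
                            findings.append((rel, line_no, m.group(1).lower()))
            except OSError:
                continue  # unreadable file: skip it, do not abort the audit
    return sorted(findings)

def build_sample_docroot(root):
    """Constructed sample site: one leaked notes file, two harmless files."""
    os.makedirs(os.path.join(root, "admin"))
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<h1>Welcome</h1>\n")
    with open(os.path.join(root, "admin", "notes.txt"), "w") as fh:
        fh.write("server: example.invalid\nPassword: constructed-sample\n")
    with open(os.path.join(root, "robots.txt"), "w") as fh:
        fh.write("User-agent: *\nDisallow: /admin/\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_docroot(root)
        for rel, line_no, kw in find_exposed_credentials(root):
            print(f"{rel}:{line_no}: line contains a '{kw}' assignment")
```

Any hit means the secret must be rotated, not just the file deleted, since a crawler may already hold a cached copy.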

How hard is it to choose a strong password?

I start with a warning: although passwords are a common form of authentication, there are several programs attackers can use to help guess or “crack” passwords. But by choosing good passwords and keeping them confidential, you can make it more difficult for an unauthorized person to access your information.

Here are a few tips on how to do it:

  • Don’t use passwords that are based on personal information that can be easily accessed or guessed.
  • Don’t use words that can be found in any dictionary of any language.
  • Develop a mnemonic for remembering complex passwords.
  • Use both lowercase and capital letters.
  • Use a combination of letters, numbers, and special characters.
  • Use passphrases when you can.
  • Use different passwords on different systems.

Check more on the hacking process done brilliantly by @iddsalim here

The internet has changed the way people communicate and the way governments store their information, and it has become a popular resource for communicating. The internet is accessible to almost everyone, and that has changed the definition of national security. In the modern era, national security is more than guarding against physical threats. That is why it is a bit scary to hear that the police spokesman, Mr. Eric Kiraithe, had no idea what was going on with their website.

Many of us will take solace that, in the case of the police website, the content is not that deep or sensitive. Mostly what is there is information already in the public domain anyway, and the hackers were just having fun: first dedicating the site to Mark Zuckerberg, the CEO of Facebook, and later directing the message to Ocampo, the ICC prosecutor. But it would be a different case if other Government websites with sensitive information, like KRA or banks, were to be the target.

That brings me to the issue of Government investment in cyber security, or the lack of it. Wanjiku captured the debate that started after the hacking of the police website and how the PS for Information and Technology, Dr. Ndemo, responded.

After the thread went on for some time, Ndemo responded:

“It is not true that the Government does not want to use some of the best brains in the country. It is actually difficult to attract the best brains to Government at the current salaries considering our level of development. Several adverts in E-Government go without serious responses. We cannot create a special class of salaries since it would create discontent in the entire civil service.”

Create discontent in the entire civil service! Are you kidding me? We are talking about security here, for heaven's sake. Personally I think it should be a priority; even if it means paying the people doing it more than the President, just do it. How did the Government manage to pay Rengera a huge amount of money without creating the so-called discontent, and, to make it worse, without any tangible results to show for it?

In case of emergency, how do you get out of the hacked mess?

Here is the brief Rescue Mission path

Take your site offline temporarily. Contact your hosting company and ensure the site is taken offline temporarily. I would assume some department of the Government is handling the hosting, maybe Kenic, or is it the ICT Board, or ...?

The next step is to clean up the pages, the code and the database. At this point the assumption is that you had backed up the website files and database.

Damages

Time to try to figure out the damage done: what was the hacker after? Sensitive information, or just being there for the sake of it? Look for modified or newly added files on the web server. How about unknown user accounts?

Recovery

A complete reinstallation of the OS would be the best way out here. Then use the saved backup to restore your site.
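For the file part of the damage-assessment step above, an added example (not from the original post) that compares the live web root with the saved backup by SHA-256 and lists added, modified and removed files. Hashes are used rather than timestamps because an intruder can reset modification times; the directory names and file contents are constructed samples.

```python
import hashlib
import os
import tempfile

def sha256_tree(root):
    """Map each file path (relative to root) to its SHA-256 hex digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[os.path.relpath(path, root)] = h.hexdigest()
    return digests

def diff_against_backup(backup_root, live_root):
    """Classify files as added, modified or removed relative to the backup."""
    backup, live = sha256_tree(backup_root), sha256_tree(live_root)
    common = set(backup) & set(live)
    return {
        "added": sorted(set(live) - set(backup)),
        "modified": sorted(p for p in common if backup[p] != live[p]),
        "removed": sorted(set(backup) - set(live)),
    }

def write_file(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)

def build_sample_trees(base):
    """Constructed sample: a clean backup and a tampered live copy."""
    backup, live = os.path.join(base, "backup"), os.path.join(base, "live")
    for rel, text in [("index.html", "<h1>Police</h1>"), ("contact.html", "Call us"),
                      (os.path.join("css", "site.css"), "h1 { color: navy }")]:
        write_file(backup, rel, text)
    write_file(live, "index.html", "<h1>constructed defacement</h1>")  # modified
    write_file(live, "contact.html", "Call us")                         # unchanged
    write_file(live, os.path.join("uploads", "unknown.php"), "<?php ?>")  # added
    return backup, live

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        backup, live = build_sample_trees(base)
        for kind, paths in diff_against_backup(backup, live).items():
            for p in paths:
                print(f"{kind:9s}{p}")
```

Run the comparison from a trusted machine against an offline copy of the web root, since tools on the compromised server itself cannot be relied on.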

Reporter in Trouble

So Larry Madowo angered so many internet security experts in Kenya with his comment, which was completely taken out of context. He was accused of saying that there are no internet security experts in Kenya. To tell the truth, I did not know that there are that many. Here are Larry’s Twitter postings, and I can’t see where the anger is coming from.

First post

@Larrymadowo : I need to speak to an online security expert who is in town pap! Anybody?

After some time with nobody responding

@Larrymadowo : So there’s absolutely no internet security expert in this town who wants to talk to me? :(


Comments

3 comments
??o?l sn?dlop?

Nice post... Just about the strong passwords: I will go by Kerckhoffs's principle, a fundamental principle in (in)security: you must assume your enemy has the details of your system. Most of the websites in Kenya are common CMSes (WordPress, Joomla, Drupal); to access the website cpanel it is yourwebsite.com/wp-login.php for WordPress. To be on the safe side one has to make sure no one can get access to this URL, maybe something like yoursite.com/helloworldocampo... he/she might have the pass but not the URL.

@jke

Kenya, a country where most civil servants are still relying on hotmail & yahoo! accounts - for the lack of a better alternative. We need data discipline, FOSS at all Gov. institutions and a fund to pay for all this. Imo, a lot of projects have failed simply due to missing discipline in terms of maintaining hardware and inadequate software. GoK officials need to learn how to express their needs / how to identify them and directly ask for them - and tell their donors what they want (not just agree because it comes for free). Free and open software! Only reliable business laptops with good cooling. And a national data grid. And yes, there are qualified security experts in Kenya. In fact, I've never seen any other country with so many qualified academics and those who are experts without a stupid paper. It's just that anyone with a Mercedes is more appreciated than someone who has an academic title from varsity (yes, that place with frequently rioting students). As for the police hack: that website was so stupid, kudos to the person who "hacked" it. About time someone outlined the reason why it shd be taken offline. Or did anyone seriously make use of it in the past? Ati, "reporting crimes that do not require urgent action"?

Mbugua Njihia

In this day and age, if you can't be found online, you don't exist. I followed the comments on the Skunks list on how guys were "baying for a piece of Larry". Where were they? I saw his tweet asking for the experts and, in as much as I know a couple of these fellas, it was interesting to see how it eventually turned out.
