How 103 Kenya govt sites were hacked

Sunday January 22 2012

For a skilled hacker, this would take about a whole year to do. To hack 103 sites is a lot of work.

Photo/FILE For a skilled hacker, this would take about a whole year to do. To hack 103 sites is a lot of work.  

By KAHENYA KAMUNYU

We spoke about it last year, and this year, it has happened again.

Yes, against every imaginable possibility, 103 government web sites were hacked by an individual calling himself Direxer. (READ: Massive cyber attack hits 100 State websites)

Let’s put that into scale. For a skilled hacker, this would take about a whole year to do. To hack 103 sites is a lot of work.

But in this case, it happened at the same time and it was by one person. It seems it was all an issue of carelessness.

So, how is it possible that the government’s digital security is so bad, yet they should be at the forefront of this war?

Shared services

The experience suggests that, all the 103 government web sites were hosted on the same server. If that was the case, it was the biggest mistake in the scenario.

From an economic point of view, it might seem that the administrators imagined they could save a lot of money by cramming everything into one server.

From a functional point of view, the sites would end up being very slow, and at times inaccessible.

From a hacker’s point of view, once one of the sites is compromised, all of them would be exposed to the same fate, since it would take one hole to open up the entire server to the world.

The hacker must have therefore found a hole and managed to exploit it to hack all the sites.

The government at this juncture needs to invest in a lot more equipment and skills to ensure that this does not happen again.

Sharing of resources is a welcome idea, but 103 sites on one server is on the extreme side.

Password

Last year, when the police web site was supposedly hacked, it turned out that someone just logged into the server and changed its contents.

The person came into physical contact with the machine, typed in the user name and password and in less than 30 seconds, was already inside.
On investigation as to how that could have happened, it was found that the password that allowed access to the administrator account was not only very simple, but the only one.

Moreover, everyone who worked inside that facility knew it.

That user name and password combination is probably the easiest to figure out since in most of the cases, the server is delivered with a default password.

While the use of one simple password makes it easier and convenient for the administrators to manage machines without having to remember numerous passwords, it also means that anyone who knows this could log in and do whatever they want.

And that’s eventually what happened. It also means that there was no way of telling who had logged into the machine since the log files in such a scenario would simply indicate that the administrator had logged in and made the changes.

To create accountability, every administrator needs to have a user name and password unique to them.

They should not know any other administrator’s password. That way, it becomes easier to find out which account was compromised.

Digital forensics

This is a largely undervalued discipline in trying to recover from a hack attack.

It is undervalued because everyone wants to simply jump into the solution without considering the accountability part of it.

Digital forensics is about investigating a machine or a network to find out how it was attacked, establish the person who hacked it, and use the acquired evidence to hold the person legally accountable.

In Kenya, the only people using digital forensics are in the private sector. This investigative process is important, but yet, there are no public sector registered digital forensics experts.

The government needs them desperately. In today’s world, a digital forensics expert is as important as a pathologist.

The intelligence community needs to have an active digital department that is able to pre-empt digital attacks on one front, and forensically identify culprits on the other.

While pre-empting an attack is the most difficult thing you can do, since you never know when it’s coming, the only other fall back would be in forensics.

There is a lot of room for improvement by the government, but there is a need for a new set of ideas and improvement of infrastructure to ensure that such easy hacking does not happen again.