Inside the mind of a hacker 

Saturday March 18 2017

Some do it for the money, while others are

Some do it for the money, while others are thrilled by the fame of unlocking a tough task or simply the nuisance value. But what exactly goes on in the mind of a shadowy hacker? . FILE PHOTO | NATION MEDIA GROUP 

More by this Author

It could be the defacing of more than 100 government websites in January 2012 by a hacker believed to be from Indonesia or the attacks in August that year of the website of the now defunct ICT Board —  ironically the patron of online activity in Kenya. Then in 2013 there were reported attempts to infiltrate the Independent Electoral and Boundaries Commission systems. A year later, the Twitter account of the Kenya Defence Forces (KDF) was taken over by a group called Anonymous. The July 2014 attack also tampered with the Twitter account of then KDF spokesman, Major Emmanuel Chirchir.

And when police busted a ring of cybercriminals two weeks ago, it would emerge that many more local institutions have been hit: the Kenya Revenue Authority (KRA), the National Transport and Safety Authority (NTSA), a number of banks, a supermarket chain and universities among others. In all these incidents the suspected hackers involved have either remained in the shadows, come out to openly declare their achievements or have been arrested by the authorities.

But what motivates hackers? From the series of hacks targeting Kenyan social media accounts, websites and institutions, where billions of shillings have been stolen, and multiple interviews with cyber security experts, Lifestyle has come up with the five things that go on inside the mind of a hacker.


1. Insiders are a hacker’s dream

An IT expert who has been training companies on how to avoid cyber-attacks for the last four years revealed that the support staff in most firms are the weakest links.

Mr David Kanyanjua, the CEO of Three Quality Services based in Nairobi’s Westlands, said that companies overlook some employees while training their workers about online security, which leaves a gap that hackers exploit.

“You will find that a company has a few guys trained on security here and there. But staff at the reception, for example, know nothing about security. And whatever they are doing is related to the company, because there are e-mails and everything is done on the internet,” explained Mr Kanyanjua.

“As a hacker, I will not go for the IT people. I will go for the receptionist. I’ll go for the marketing people in the field. Once you have access to one person who is doing anything on the network, including the receptionist, or even a security guy who might have a computer or maybe doing a few things, you can have access to the entire organisation,” he added.

Mr Kanyanjua warned workers against allowing any strange flash disk to be inserted in their computers, saying it was one of the preferred methods of gaining access to a company network.

Following the arrest of 19 people in a suspected hacking ring two weeks ago, some staff at KRA were arrested for being part of the ring — knowingly or unknowingly. Detectives said some could be witnesses in the case where massive hacking took place.

Ms Samson Wanjohi, a technology expert known for creating the ShulePro software that manages students’ marks in schools, said carelessness is a contributor.

“When some employees are used as prosecution witnesses, it means some guy somewhere accepted giving out a password without knowing it; or the password was stolen,” he said.

Besides staff, people using a service from an institution like a bank can also be the gateway, according to Mr Wanjohi.

“A hacker finds someone at a bank, tells them they’ll pay if given the password. That person has no idea the system is actually logged. So, security goes as far as the user. If he or she is a bad or stupid person, it becomes a problem,” he said.


2. Getting a job at the firm you attacked is an option

Sometimes hackers prefer taking up jobs in the companies they have hacked. One example is Nicholas Allegra, a 19-year-old who bothered Apple so much about his skill for discovering bugs in the operating system of its iPhone devices that they hired him in 2011.

Allegra, using the name Comex on Twitter, mastered Apple’s operating system so well that he developed a system, called JailBreakMe, that iPhone users could execute and afterwards they could install any programme they wanted in the phone.

Twice, Apple changed their operating system to lock him out but he always found a chink in their armour. Forbes magazine used various clues to track him down for an interview. The magazine published his story in August 2011 and revealed that Allegra had taught himself about Visual Basic, a programming language, at the age of nine.

“By the time I took a computer science class in high school, I already knew everything,” he said. The same month, Apple offered Allegra a job, though he quit in October 2012.

After police arrested a suspected hackers’ ring in Nairobi recently, a section of Kenyans also felt that, given their computer mastery, they should be hired by the government.

“Some of these good hackers should serve their punishment by working for the government instead of going to jail. Kenya could use all the help it can get in cyber security especially in government installations,” stated Faustin Mwendwa on the Nation Facebook page where the story was shared.

“These brainees (sic) don’t belong in jail, utilise their knowledge in enhancing cybersecurity otherwise conning from Kamiti is going pro,” said Lucy Mbugus on the same platform.

According to Mr Gilly Gathogo, a cyber security trainer and consultant at Three Quality Services, having a number of jobless computer gurus poses a risk to the economy.

“There are those who have been trained and they don’t have a job. That group, you don’t know what they’re doing; because they have the skills, they have the tools. That’s another challenge. We have a silent minority of people who have been trained and they don’t have jobs,” he said.


3. The tougher the ‘job’, the greater the respect

Just like in robbers’ gangs, it appears that the more sophisticated a hack is, the more respect the perpetrator receives from peers. One of the suspects being probed by police in Nairobi, Lifestyle has learnt, earned respect after taking credit for a major hack, after which a ring of West African hackers enlisted his services, particularly to assist in credit card fraud.

According to a friend of the suspect, who spoke to Lifestyle in confidence, the hacker’s skills made him a much sought-after man, making it hard to hire his services.

On the internet, there exist a number of forums where hackers exchange ideas and there appears to be a pecking order. The person with more useable credit cards, more cracked passwords, more mind-boggling discoveries on how to bypass one system or another, more flair in getting the way around the latest updates by technology companies ranks higher.

Some hackers even use the social media to brag about their exploits, where they are known to use fancy nicknames.

Calvin Ogalo, one of the suspects arrested during the recent high-profile police operation, was respected because he was allegedly involved in some of the toughest “jobs”. But it appears there was an adrenaline rush pushing him to be more and more adventurous — never mind he had been arrested a number of times earlier and had pending court cases. The hackers are also said to have formed a local and international network. In the recent case in Nairobi, among the suspects detained were 52-year-old American Larry Peckham II and Ms Denise Huitron, 32. Police are investigating the pair’s alleged contact with cyber criminals based in Spain, France, Moldova, and Belgium.

Some of the suspects arrested for transnational

Some of the suspects arrested for transnational crimes including drug trafficking and cybercrime last week. PHOTO| WILLIAM OERI | NATION

There is also always room for bragging, it seems. In March 2013, Mr Alex Mutungi Mutuku, one of those arrested recently, posted on Facebook detailing the procedure of obtaining the Daily Nation e-paper. Readers usually have to pay to read the complete version of the paper online but he demonstrated how to beat the firewall. He said he had created the e-paper hacking mechanism through a programme he came up with when he was a first-year student at the University of Nairobi.


4. Making money while at it

The end game for most hacking activities is to make money, and often the path to riches is not straightforward.

Speaking to Nairobi News in June last year, Mr Bruce Donovan — who is the regional manager for computer security firm ESET East Africa — revealed that remotely blocking computers is the commonest way through which hackers make money.

The attack happens through what is called ransomware, where a hacker locks your computer and makes a message flash on the screen that unless you pay them, you will lose all the data.

“Ransomware remains one of the most prevalent forms of internet threats and prevention is essential to keep users safe. Therefore, users should keep their operating system and software updated, use a reliable security solution with multiple layers of protection, and regularly backup all important and valuable data at an offline location,” Mr Donovan said.

Part of their money-making schemes also include obtaining sensitive information from a company then contacting them with a threat to release the material — as one of the arrested people is suspected to have done before.

But because some firms prefer to jealously guard their information, the tactic does not work for all hackers, according to Mr Kanyanjua.

“Most of the times, companies will not respond. Companies don’t want to accept they’ve been hacked. But if hackers were to declare how many companies they’ve hacked today in Kenya, you’ll be shocked,” he said.

Besides ransomware, hackers are also obsessed with how to make money by forging credit cards.

CNBC, a US-based television channel that focuses on business news, last year published the observations of a “white-hat” hacker whose job is to break into computer systems of various companies, upon invitation, to check for vulnerabilities.

Mr Billy Rios said that once hackers get access to user’s confidential information, they log on to the victim’s online banking account and cart away the savings.

He also revealed that hackers have created databases of credit card information where anyone can buy and use elsewhere, adding that he had heard of hackers who have stolen medical information then got services in a hospital using another person’s insurance.

To stem this, Mr Wanjohi urged Kenyans to be vigilant.

“So long as the user — who is basically a door to the computer — is not careful at all, then vulnerabilities are there,” he told Lifestyle.

Kenyan banks are estimated to have lost at least Sh20 billion to hackers, which is proof that criminals targeting local facilities mean business.

Part of the problem, Mr Kanyanjua said, is that many institutions like to keep mum when their systems are attacked.

Just like in robbers’ gangs, it appears that

Just like in robbers’ gangs, it appears that the more sophisticated a hack is, the more respect the perpetrator receives from peers. PHOTO| FILE| NATION MEDIA GROUPNATION MEDIA GROUP

“They will not tell you directly that they’ve been hacked. We do an assessment then in the process you realise there are some strange people in their systems. So, most of the cases when we do our assessments, we end up finding that they’ve been hacked in one way or another. You know, hacking is quite broad,” he said.

Some of the suspects arrested in Nairobi recently have more than one criminal case against them, mostly related to hacking. With cash bail terms ranging from Sh20,000 to Sh700,000 among those arrested, it means a hacker will need a supply of cash to ensure he is out to continue with his business as the trial continues.

However, the government proposes stiffer penalties against hackers, which may see the cash bails rise. The Cyber Security and Protection Bill 2016, which is still in Parliament, proposes to jail hackers for up to five years.

“A person who, without authorisation intentionally accesses in whole or in part, a computer system or network, commits an offence and is liable on conviction to a term of imprisonment not exceeding five years or to a fine not exceeding one hundred thousand shillings or both,” says part of the Bill, drafted under the watch of ICT Cabinet Secretary Joe Mucheru.


5. Bitcoin is often a hacker’s first choice currency

How Bitcoins are generated and how they become money is a subject that only a few people can understand, given that it needs a computer to generate a Bitcoin. But considering the fact that the currency moves online without leaving a clear trace, it appears to be the most preferred mode of exchange among hackers.

In criminal case against one of the suspects arrested two weeks ago, Mr Mutuku, police say that the accused demanded money in Bitcoins from NIC Bank in December 2014. The prosecution alleges that Mr Mutuku and his co-accused wanted 200 Bitcoins or else they would publish confidential information they had obtained after hacking into the bank.

Mr Mutuku has denied the charges, but according to Mr Wanjohi, who occasionally posts on Facebook to educate users on how to keep hackers at bay, most hackers are keen not to leave tracks.

“They don’t want to leave a digital footprint of themselves,” said Mr Wanjohi, adding that what often gives away hackers is that they leave logs behind after an attack, which is traced back to them.