Days ago, when I was researching and talking to information security experts on an article on Kenya’s online banking security and Africa CERT and cybersecurity, one of the experts asked why there was such low reportage of security vulnerabilities within the ISPs. As usual, I said the best thing was to deal with specific and recent case.
The recent case involves the Safaricom network. Just in case you are new to the whole cyber security lingo, you can read these articles on basics of Phishing, how to respond to phishing, difference between an exploit and vulnerability, how hackers can use your Internet Protocol (IP) address to carry out phishing attacks and computer viruses and other malicious software.
Now that we have gotten that out of the way, here we go….
On June 3, 2013, the Indian Computer Emergency Response Team (CERT) reported that there was a “Phishing Attack via Safaricom Network – IP Address 220.127.116.11″ The report was sent to Kenya CERT, which coordinates such incidences and informs the affected ISP.
The report described the problem as “IP Address 18.104.22.168- which is being used to perform Phishing attack to …….. Bank Ltd in Bombay India”
“Phishing is the act of attempting to acquire information such as usernames,passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.
Once a phishing attack occurs, the goal for the organization is to get the phishing site shut down as quickly as possible. This limits the window of opportunity in which the phisher can collect personal information. With any phishing attack, organizations should take three steps (or hire a firm to take these steps for them).”
I wrote to Safaricom seeking clarification, whether they had taken action on the reported vulnerabilities. Here is the answer I got.
We do not have IP 22.214.171.124, but we have……
The…….site had been compromised, however this was due to weak security controls on the client side. The….. team picked this up and took remedial actions to fix this.
However, we continue to review and improve our security posture, as the threats evolve.
I have removed the IP they said it is on their network, I have maintained the IP they have denied. I am told Safaricom’s legal department is under instructions to crack down on those who write “not very nice stuff” and I am sticking to my lane because I have neither the legal fees nor the interest in advancing the jurisprudence.
Anyway, after Safaricom denied the IP, I did a Whois search on the owner of the IP and this is what I got; the AFRINIC details indicate that the IP belongs to Safaricom.
For the sake of clarity, Safaricom has two other IPs that are vulnerable and another one that is targeted, and if you count 300 sites per IP, you are looking at 900 sites. These are Kenya’s key infrastructure sites, you know the kind that would make you cringe just thinking that someone has a backdoor or a chance to attack. Think banks, government agencies etc.
I am told those security vulnerabilities are yet to be fixed, and because the intention was not to expose Kenya’s key infrastructure to further attacks, that is why I have left out the other IPs.
By the way, as you may have read in the links, someone having your IP can’t do anything, that is if they are not hackers or infosec, Safaricom clarified that they host thousands of sites, which I doubt but they confirmed that they can even host 300 sites on a particular IP.
This means that if one client has no security controls, they can affect all the others and if the server is penetrated, it can affect all the sites. You can read about virtual hosting here.
Remember the 103 government websites that were hacked? Here is the story.
To understand the security challenges, I spoke to two people who are well versed in the area. One gave me an example of how he had misconfigured a server and was busy spamming everyone and the host, abroad of course, alert him and suggested that if he doesn’t fix the problem, the service will be taken offline.
My other question was whether an IP being hijacked or a website being vulnerable was a reflection of competency on the side of Safaricom tech security department. The feeling was that the fact that the IP was being used in phishing and was reported meant that Safaricom security team had not detected or had neglected to take action, therefore exposing the other sites hosted there to vulnerabilities.
So, why did it take long for Safaricom to fix the flaws?
Another info sec contact told me that Safaricom tech team is intellectually arrogant, you know the kind of people who you can never teach or tell anything? I imagine the people with lots of money the the “ka-techie” is trying to prove that they know stuff. So in case of information on vulnerabilities, keep it to your self.
Ideally, as the articles shared at the beginning indicate, Safaricom should have a way to inform its clients to take action immediately, with timelines on when site will be taken down, two weeks after the reports, nothing had been done.
What about KE-CERT?
Their role is just to inform, not do anything else. They don’t even have guidelines on when a vulnerability can be exploited after the report, they say that the ISP must confirm they have fixed it, which means it can be eternity.
So, how do ISPs know that they are compromised?
Apart from the KE- CERT, the Kenya Internet Exchange Point maintains a Honeypot, which is:
“A trap set to detect, deflect, or in some manner counteract attempts at unauthorized use ofinformation systems. Generally it consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated and monitored, and which seems to contain information or a resource of value to attackers.” You can read more about honeypots here
It is one of the ways that the IXP increases its value to the ISPs and content providers peering at the exchange. A network is able to monitor security attacks and vulnerabilities on its network and take action.