Cyber Security report by TESPOK, Serianu is just shoddy

Last year was the first time I read the Cyber Security report by TESPOK and Serianu, a security company. I remember thinking, "why is this report so hollow?", but I put it down to it being the first year and them not having the material.

You can imagine the question I asked this time round, when I read this year's report on the TESPOK website. You can read my story for IT World.

So, what are my issues with the report?

1. Shoddy, sketchy work

If you read the report, the only place you find statistics is the honeypot section. The honeypot is a security system put in place at TESPOK to capture data from all the ISPs peering, that is, exchanging traffic, at the Kenya Internet Exchange Point.

The sections on other areas, such as banking, are devoid of statistics or any information that adds value. They might as well have handed the desk research to a journalist, who would probably have produced a better write-up.

The intro is written by someone from Equity Bank, who could at least have alluded to the fraud and security issues that security experts say Equity Bank is vulnerable to. Not an admission, but instead we get the marketing line about how they have the systems in place, even though we know it is a lie.

Some of that information may not be disclosed officially, but if you are security experts you will have insiders who can indicate how much, say, every bank, or at least the major banks, is losing to cyber threats.

In short, that report could have been put together by the folks at TESPOK themselves. Either they are just lazy, or they felt that partnering with Serianu gave TESPOK more credibility. It is an industry body; did it really need Serianu just to compile the thing?


2. Advertising for Serianu

If you read the report, it has several pages advertising what Serianu does and very little, or nothing, on what TESPOK does. Again I ask, who needed whom? If TESPOK just needed to advertise Serianu, don't call it research; call it an advertorial or a white paper or something.


3. Naming and shaming ISPs

The report talks about ISPs that are prone to malware; again, this comes from the honeypot. The report lists 20 ISPs but doesn't give their names. When will they ever learn if the information is hidden?

I know that exposing an ISP's cybersecurity weaknesses affects its bottom line, but ISPs will improve if consumers can tell which ones are most secure. It is like touting yourself as a researcher on media and corruption and then, instead of naming the most corrupt media houses, giving us numbers one to ten with percentages. How does that help us?

Yes, ISPs are members of TESPOK and do not want to be shamed, but if you want the ISPs to take the research seriously, then name them, make use of the honeypot data, and forget these essays that we can google and download.

The closest I got to identifying the ISPs was the publication of AS numbers for the IPs considered lethal. An AS number maps to the network that announces the address space, so from the AS numbers I identified Access Kenya, JTL and Safaricom, among others, as the culprits.


4. Role of KE CERT

I think the best statement was towards the end, where the report says there is a need for a strong CERT in Kenya. This reads like a kick at the CCK and its dismal efforts, which you can read about on its website.


Of course this is just my opinion. You can read the report and be the judge.

Cyber Security in Kenya: Safaricom hosting

Days ago, while I was researching and talking to information security experts for an article on Kenya's online banking security and on Africa CERT and cybersecurity, one of the experts asked why there was so little reporting of security vulnerabilities within the ISPs. As usual, I said the best thing was to deal with a specific and recent case.

The recent case involves the Safaricom network. In case you are new to the cyber security lingo, you can read these articles on the basics of phishing, how to respond to phishing, the difference between an exploit and a vulnerability, how hackers can use your Internet Protocol (IP) address to carry out phishing attacks, and computer viruses and other malicious software.


Now that we have got that out of the way, here we go.

On June 3, 2013, the Indian Computer Emergency Response Team (CERT) reported a "Phishing Attack via Safaricom Network – IP Address 197.248.5.52". The report was sent to Kenya CERT, which coordinates such incidents and informs the affected ISP.

The report described the problem as “IP Address 197.248.5.52- which is being used to perform Phishing attack to …….. Bank Ltd in Bombay India”

"Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.

Once a phishing attack occurs, the goal for the organization is to get the phishing site shut down as quickly as possible. This limits the window of opportunity in which the phisher can collect personal information. With any phishing attack, organizations should take three steps (or hire a firm to take these steps for them).”

I wrote to Safaricom seeking clarification on whether they had taken action on the reported vulnerabilities. Here is the answer I got.

Dear Rebecca, 

We do not have IP 197.248.5.52, but we have……

The…….site had been compromised, however this was due to weak security controls on the client side. The….. team picked this up and took remedial actions to fix this. 

 However, we continue to review and improve our security posture, as the threats evolve.

regards…..

I have removed the IP they said is on their network and kept the IP they denied. I am told Safaricom's legal department is under instructions to crack down on those who write "not very nice stuff", and I am sticking to my lane because I have neither the legal fees nor the interest in advancing the jurisprudence.

Anyway, after Safaricom denied the IP, I did a whois search on the owner of the IP, and this is what I got: the AFRINIC details indicate that the IP belongs to Safaricom.

AFRINIC whois search
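The whois check above, and the AS-number trick from the earlier post, as an added example (this is not code from the original post or from AFRINIC): the script parses an RPSL-style reply of the kind an RIR whois server returns, finds the inetnum object whose range contains the IP, and pulls out the netname, description, country and the originating AS from the matching route object. The record embedded in the script is constructed for illustration; the netname, handles, organisation and AS64500 (a documentation AS number) are placeholders and do not reproduce any real AFRINIC data. live_whois() performs the real query over port 43 if you want the genuine record.

```python
"""Parse an RIR (AFRINIC-style RPSL) whois reply and attribute an IP address.

Added example, not from the original post.  SAMPLE_WHOIS is CONSTRUCTED:
the netname, handles, organisation and AS64500 are placeholders, not real
AFRINIC data.  Use live_whois() for the real record.
"""
import ipaddress
import socket

# Constructed sample reply in RPSL "key: value" format.
SAMPLE_WHOIS = """\
% This is the AfriNIC Whois server.
% (constructed sample, not a real record)

inetnum:        197.248.0.0 - 197.248.255.255
netname:        EXAMPLE-ISP-NET
descr:          Example ISP Limited
descr:          Nairobi
country:        KE
org:            ORG-EXMPL1-AFRINIC
admin-c:        EX1-AFRINIC
tech-c:         EX1-AFRINIC
status:         ASSIGNED PA
source:         AFRINIC

route:          197.248.0.0/16
descr:          Example ISP Limited
origin:         AS64500
source:         AFRINIC
"""


def parse_rpsl(text):
    """Split a whois reply into objects (dicts); repeated keys become lists."""
    objects, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:                      # blank line ends an object
            if current:
                objects.append(current)
                current = {}
            continue
        if line.startswith(("%", "#")):   # server banners and comments
            continue
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        current.setdefault(key.strip().lower(), []).append(value.strip())
    if current:
        objects.append(current)
    return objects


def inetnum_contains(inetnum, ip):
    """inetnum values look like '197.248.0.0 - 197.248.255.255'."""
    start, end = (ipaddress.ip_address(p.strip()) for p in inetnum.split("-"))
    return start <= ipaddress.ip_address(ip) <= end


def whois_attribute(ip, text):
    """Return the netblock, holder details and origin AS covering `ip`."""
    addr = ipaddress.ip_address(ip)
    result = {"ip": ip, "inetnum": None, "netname": None, "descr": [],
              "country": None, "origin": []}
    for obj in parse_rpsl(text):
        if "inetnum" in obj and inetnum_contains(obj["inetnum"][0], ip):
            result["inetnum"] = obj["inetnum"][0]
            result["netname"] = obj.get("netname", [None])[0]
            result["descr"] = obj.get("descr", [])
            result["country"] = obj.get("country", [None])[0]
        if "route" in obj:
            net = ipaddress.ip_network(obj["route"][0], strict=False)
            if addr in net:
                result["origin"].extend(obj.get("origin", []))
    return result


def live_whois(query, server="whois.afrinic.net", timeout=10):
    """Raw RFC 3912 whois: send the query line, read until the server closes."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


if __name__ == "__main__":
    # Offline run against the constructed record; swap in
    # live_whois("197.248.5.52") for the real AFRINIC answer.
    print(whois_attribute("197.248.5.52", SAMPLE_WHOIS))
```

A live lookup returns many more objects (organisation, person, abuse-mailbox), and the containment test on inetnum is what keeps the parser from being fooled by an unrelated object in the reply. The origin AS from the route object is the number the TESPOK report prints, so this is also how its AS list can be turned back into ISP names.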

 

For the sake of clarity, Safaricom has two other IPs that are vulnerable and another that is being targeted, and if you count 300 sites per IP, you are looking at 900 sites. These are Kenya's key infrastructure sites, the kind that make you cringe at the thought of someone having a backdoor or a chance to attack. Think banks, government agencies, etc.

I am told those security vulnerabilities are yet to be fixed, and because the intention is not to expose Kenya's key infrastructure to further attacks, I have left out the other IPs.

By the way, as you may have read in the links, knowing your IP address on its own gets an ordinary person nowhere; it only matters in the hands of a hacker or someone in infosec. Safaricom clarified that they host thousands of sites, which I doubt, but they confirmed that they can host as many as 300 sites on a single IP.

This is the shared-hosting problem: when 300 sites sit behind one IP they normally sit on one server, so one client with no security controls gives an attacker a foothold on that server, and if the server itself is penetrated, every site on it can be affected. Even when the server holds, the sites share the IP's reputation, so once the IP lands on a phishing blacklist all of them suffer. You can read about virtual hosting here.

Remember the 103 government websites that were hacked? Here is the story.

 


To understand the security challenges, I spoke to two people who are well versed in the area. One gave me an example of how he had misconfigured a server that was then busy spamming everyone; the host, abroad of course, alerted him and warned that if he didn't fix the problem the service would be taken offline.

My other question was whether an IP being hijacked or a website being vulnerable reflected on the competence of Safaricom's security team. The feeling was that the fact that the IP was being used for phishing, and had to be reported from outside, meant that Safaricom's security team had either not detected it or had neglected to act, thereby exposing the other sites hosted there.

So, why did it take long for Safaricom to fix the flaws?

Another infosec contact told me that Safaricom's tech team is intellectually arrogant, the kind of people you can never teach or tell anything. I imagine people with lots of money and a "ka-techie" trying to prove they know stuff. So if you have information on vulnerabilities, keep it to yourself.

Ideally, as the articles shared at the beginning indicate, Safaricom should have a way to tell its clients to take action immediately, with timelines for when a site will be taken down if they don't. Two weeks after the reports, nothing had been done.


What about KE-CERT?

Their role is just to inform, nothing else. They don't even have guidelines on how long a vulnerability may stay live after a report; they say the ISP must confirm it has fixed it, which means it can take an eternity.

So, how do ISPs know that they are compromised?

Apart from KE-CERT, the Kenya Internet Exchange Point maintains a honeypot, which is:

"A trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally it consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated and monitored, and which seems to contain information or a resource of value to attackers." You can read more about honeypots here.


It is one of the ways the IXP increases its value to the ISPs and content providers peering at the exchange. Because the honeypot sits at the exchange, it sees scans, login attempts and malware connections coming from the peering networks' own address space, which is where the per-ISP malware figures in the TESPOK report come from. A network is able to see attacks originating from, and weaknesses in, its own customers and take action.
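How honeypot data becomes a per-ISP list, as an added example that is not code from TESPOK, KIXP or the report: constructed honeypot events are attributed to networks by longest-prefix match against a constructed prefix table (RFC 5737 documentation IP ranges, RFC 5398 documentation AS numbers, placeholder ISP names), then aggregated per network. The last function shows what the report's anonymised "ISP 1 to 20" ranking leaves out, which is the point of the naming-and-shaming argument above.

```python
"""Attribute honeypot hits to the networks that originate them.

Added example, not from the original post or from KIXP.  Both the event log
and the prefix table are CONSTRUCTED: documentation IP ranges, documentation
AS numbers and placeholder ISP names, not real Kenyan operators.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed prefix table: (prefix, origin AS, network name).
NETBLOCKS = [
    ("192.0.2.0/24",      "AS64496", "ISP-Alpha"),
    ("198.51.100.0/24",   "AS64497", "ISP-Beta"),
    ("198.51.100.128/25", "AS64498", "ISP-Beta-Customer"),  # more specific
    ("203.0.113.0/24",    "AS64499", "ISP-Gamma"),
]

# Constructed honeypot events: <timestamp> <src_ip> <dst_port> <proto> <event>
HONEYPOT_LOG = """\
2013-06-03T00:01:12Z 192.0.2.17 445 tcp connect
2013-06-03T00:01:13Z 192.0.2.17 445 tcp smb-login-attempt
2013-06-03T00:02:40Z 192.0.2.99 22 tcp ssh-bruteforce
2013-06-03T00:03:05Z 198.51.100.7 3389 tcp connect
2013-06-03T00:03:06Z 198.51.100.200 445 tcp malware-upload
2013-06-03T00:04:11Z 203.0.113.5 23 tcp telnet-login-attempt
2013-06-03T00:04:12Z 203.0.113.5 23 tcp telnet-login-attempt
2013-06-03T00:05:00Z 203.0.113.77 445 tcp connect
2013-06-03T00:05:30Z 100.64.0.1 53 udp connect
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d+) (tcp|udp) (\S+)$")


def parse_events(text):
    """Parse the log; malformed lines are skipped rather than crashing the report."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, port, proto, event = m.groups()
        events.append({"ts": ts, "src": ipaddress.ip_address(src),
                       "port": int(port), "proto": proto, "event": event})
    return events


def build_table(rows):
    return [(ipaddress.ip_network(p), asn, name) for p, asn, name in rows]


def attribute_source(src, table):
    """Longest-prefix match, as a router (or a route object lookup) would do."""
    addr = ipaddress.ip_address(src)
    best = None
    for net, asn, name in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn, name)
    return (best[1], best[2]) if best else ("unknown", "unattributed")


def per_network_report(events, table):
    """Hits, distinct sources, busiest port and commonest event per network."""
    acc = defaultdict(lambda: {"hits": 0, "sources": set(),
                               "ports": Counter(), "events": Counter()})
    for ev in events:
        key = attribute_source(ev["src"], table)
        e = acc[key]
        e["hits"] += 1
        e["sources"].add(str(ev["src"]))
        e["ports"][ev["port"]] += 1
        e["events"][ev["event"]] += 1
    rows = [{"asn": asn, "network": name, "hits": e["hits"],
             "distinct_sources": len(e["sources"]),
             "top_port": e["ports"].most_common(1)[0][0],
             "top_event": e["events"].most_common(1)[0][0]}
            for (asn, name), e in acc.items()]
    rows.sort(key=lambda r: (-r["hits"], r["asn"]))   # worst offender first
    return rows


def anonymised(rows):
    """What the report publishes: the ranking with the names stripped out."""
    return [dict(r, asn="n/a", network="ISP %d" % i) for i, r in enumerate(rows, 1)]


if __name__ == "__main__":
    report = per_network_report(parse_events(HONEYPOT_LOG), build_table(NETBLOCKS))
    for row in report:
        print(row)
    print("--- as published ---")
    for row in anonymised(report):
        print(row)
```

The unattributed bucket matters as a check: a source that matches no prefix in the table means the table is stale or incomplete, not that the traffic is harmless. The more-specific /25 in the table shows why longest-prefix match is needed; without it the customer block's hits would be charged to its upstream.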