Safaricom no longer outsources offshore, to launch innovation hub

Five years ago, there was a heated debate online, on both Twitter and FB. Kenyan developers, led by the late Idd Salim, complained that Safaricom was paying lip service to its support of the local tech ecosystem while it was busy outsourcing its work to India.

There was a lot of acrimony and pointing of fingers, but at the end of the day Safaricom admitted that it was going to engage more with the local tech community. Of course, one of the jobs that went to one of the noise makers had to be recalled and finished by “Indians” after the guy took the deposit and failed to meet the timelines or deliver the final product. That guy has since been mute about Safaricom giving out work, locally or otherwise. These are harsh lessons learnt on both sides.

Last week, Safaricom launched its sustainability report; it is one way for them to tell us how awesome they are. The report contains a very detailed account of the impact it has in the country, but if you are a dev, the question would be: does Safaricom still outsource to offshore companies? No.

“We have not outsourced any of our work off-shore. As per our recently released Sustainability Report, we worked with 1,094 suppliers and spent a total of just under KES 76.8 billion on products and services between 1st April 2015 and 31st March 2016.

We continue to favour local suppliers where feasible, and are satisfied with the weighting towards Kenyan companies achieved during the year, with 84% of our providers being local,” said Bob Collymore, Safaricom CEO.

Some of the companies taking a big chunk of the money are probably those we have never heard of; they are quietly doing their work and increasing their pie. For the tech companies who would like to deepen this relationship or increase their share of the pie, what should they do? Collymore answers:

“Our current “customer first” strategy is driven by finding out what our customers require and creating solutions to meet these needs. We continue to explore partnerships around this strategy as well as around our three key innovation pillars (Health, Education and Agriculture). We are open to working with players in the technology sector to develop and take to market solutions that are in line with these pillars.”


Launching innovation hub

On Friday last week, Safaricom announced that it will launch its own innovation hub, which is usually a cheaper way to access R&D. Safaricom has been supporting local innovation hubs, both financially and through bandwidth. I am yet to understand why it has taken this route, given the outcomes of other innovation hubs, including the one announced by Equity Bank in 2011. Read the first two stories.

“We’ve also announced a new Innovation Hub, which will operate independently and will provide a space for developers to focus on innovation and research around mobile-based technology solutions, while at the same time driving our innovation agenda,” he added.

Apart from the innovation hub, Safaricom has the Spark venture capital fund. You will remember it for the controversial funding of a company that jetted in a month before……gave power to a few black people, aka painting itself in political correctness, then won. That gave the fund the right to say it's all Kenyan. I am sure it has now improved.

The fund has invested in companies like Sendy, Eneza, Lynk, and mSurvey. Safaricom's partnership with Little Cab, which is meant to take on Uber, is probably its most famous investment.

////

Do local, smaller companies stand a chance at Safaricom?

For the better part of this month, we have been treated to stories of blackmail and extortion at Safaricom. While that is the bigger story, the amounts that were paid to suppliers were out of reach for many. Think of Scangroup and sh. 2.1b for media services, Huawei and sh. 800m for the Mpesa platform upgrade, and God knows how much more for network services.

For many, this provided a platform to entrench our belief that business at Safaricom is done by a small clique of men (I haven't heard of many women paid these figures, maybe one). There is also another group that wondered: how can these guys be talking about these figures when I can barely make payroll or hit target revenues? Others wondered how to get into this business and make some money.

Given that Safaricom provides a wide array of services, and the CEO has been quoted saying how they welcome new suppliers, I sought to know whether local companies can break into this clique of big money, or whether the talk is just like Kenyan politics, where we are told to wait our turn forever.

To get some of these things on record, it's always good to get it from the guy making the promises; you just never know, you may break it big at Safaricom. I posed some questions to Bob, in the hope that he will shed some more light for those looking to get into the Safaricom supply chain. Read on…..

1. What does it take to do business with Safaricom?

We typically partner with like-minded companies who uphold the same values and those who can do their part in ensuring that they enable us to achieve our strategic objectives.

We borrow heavily from the UN Global Compact, who call for companies to align their strategies and operations in line with universal principles on human rights, labour, environment and anti-corruption, and take actions that advance societal goals. This means that we take a zero tolerance approach to issues like corruption or ethical misconduct.

2. Over the years, how many local companies have benefitted from doing business with Safaricom?

If you had asked this question 15 years ago when Safaricom started operations, our response would have been just a small handful, as the network was managed by a significant number of foreign technology suppliers.

Since then, we have made a conscious effort to engage in mutually beneficial and sustainable relationships with local business partners in an environment of equity, mutual respect and honesty. We are committed to growing Kenyan businesses and offer preferential support to innovative local businesses. We also invest heavily in building local expertise in the critical mobile sector – and this includes everything from partnering with local universities to ensure talent is equipped with the right skills to enabling the growth of the small business owner.

We currently work with 830 local companies who form 84 percent of our supply chain.

We have many examples, but companies such as Linksoft, Broadband Communications, Netsol and Adrian (who started literally from scratch years ago) have now grown on the back of Safaricom’s business to become multi-nationals operating across several countries in East and West Africa.

KPMG recently found that the value that Safaricom created for the Kenyan society in one year (2015) was estimated at around 10 times greater than the actual financial profit the company made in the same period. This was measured in actual impact on small Kenyan businesses who now exist solely because of Safaricom.

3. How are the procurement procedures? (Pre-Qualification, Distribution of work to panel of approved suppliers, Evaluation of work)

At Safaricom we have an open invitation to any supplier who wants to be considered for business with us in a relevant area. That is why we have published on our website comprehensive information on how to do business with us. In addition, the applications for pre-qualification are all done online on a robust platform which has automated much of the evaluation and scoring with a fully auditable document trail. See http://www.safaricom.co.ke/about-us/suppliers.

Sometimes if a specific business need is identified, we will put out a Request for Proposals, which seeks to invite all qualified suppliers to bid for the work. Once received, these are examined for suitability to the request, after which we go through a rigorous process involving several steps of review, pitching and qualification to identify the right partner for the job.

We then vet the partner to ensure they meet the basic criteria; this includes examining their track record for human rights, criminal activity or ethical misconduct. At this stage, it is not uncommon for a supplier to meet all commercial criteria but to be disqualified because there is evidence that they have not met some of the ethical guidelines. Contracts will then only be offered to the supplier for their consideration once all these factors have been satisfied.

Once onboarded, our performance management process is equally open and transparent to the suppliers. All our contracts contain service level standards that the supplier is supposed to achieve, and the performance reviews are done according to these agreed standards. Our review process includes a feedback stage where we sit with the supplier and agree the level of performance that has been achieved and the improvements that are necessary.

This process is overseen by the Supply Chain Management Department and the supplier gets formalized feedback to help them in continuous improvement. This system has enabled suppliers to gain useful feedback to improve their systems and processes.

4. What would you say to businesses wishing to do business with Safaricom?

As a local company committed to this market, we have a deep appreciation for Kenyan businesses and are keen to enable their growth in any way we can. I am pleased that there is a growing community of like-minded companies who have joined the local chapter of the Global Compact, as well as the fact that many more have committed to not work with any company black-listed by the government. We absolutely will not work with any companies that have known track records for unethical behaviour.

///

Safaricom internal audit leak deepens further

It is not every day that the CEO of Safaricom calls a press conference to complain about blackmail and extortion. Being the telecom giant it is, you would expect it to be insulated against such acts, and also expect that the person(s) doing this have to be ballsy, politically connected or both.

In the last two weeks, the leaked internal audit by KPMG dealt with the sh. 2.1 billion payout to ScanGroup for various media services. It then emerged that the bigger battle was more about the tender lost by Transcend Media, and then the bigger fight over frequencies, allegedly led by lawyer Kenneth Kiplagat and his drive to have the report well publicised.

Oliver Mathenge has done a nice analysis of how and who may have leaked the report and the motivation. Manwa Magoma had written on why Safaricom may be a target; he also serialised the tweets for those allergic to long reads. John Kamau covered why Transcend Media lost its tender.

From the media advert placed by Safaricom, it was clear that the matter would drag on for long. Bob Collymore, Safaricom CEO, indicated that the matter had been reported to the police and, given that the leaked report was a hard copy, we can only wait and see whether the police will arrest the culprits.

It was also clear that heads will have to roll. Safaricom insisted that the report was only a draft and that the employees mentioned were yet to be given a chance to respond, but the die might be cast for the employees mentioned. No matter how good the defence is, this one may be hard for the people adversely mentioned.

This whole saga has left everyone at Safaricom on edge; the people holding the trigger have become twitchy because everything is under the microscope. Whatever decision is taken from now on may not be fair, but it will look justifiable.

Safcom advert

ScanGroup also felt the need to explain why sh. 2.1 billion was not a lot of money, given that the company handles sh. 33 billion business annually. Here is the advert.

WPP advert

The question of risk

Some time back, I had a conversation with an American company with a huge contract with the government, and they are milking the public. I wanted to know more about how they select local partners, and the answer was that they depend on media coverage: the more you are covered, in a good light I presume, the more likely you are to get a partnership.

I suggested that the selection process may be flawed because there are so many companies doing good work but not necessarily covered in the media. The argument is that they need to calculate the risks, and a known and famous company offers fewer risks.

Back to the Safaricom story: different companies have different ways of calculating risk, and for Safaricom, Transcend's adverse media coverage was a risk they were not willing to take. Maybe they didn't want to be caught up in the same trajectory, but we may never know the actual reason for the tender decline; then again, maybe we will soon enough, given the trends.

Risk is a double-edged sword; in the same way that companies use it to defend themselves, it can also be an excuse to exclude certain parties from the bidding process. This is where that discretion clause in those tender documents comes in.

Even in government tendering, the issue of risk is part of the tender documents, but this mainly relates to court cases. The documents ask one to state the cases pending in court or already decided, as a way to identify the litigious types or the vexatious litigants. This ground can make you lose your tender, regardless of performance. But do our public institutions cite risk as a reason to decline a tender?

Ethical and corporate governance

This is cited as one of the reasons for commissioning the internal audit and is also a common reason for some tenders to be declined, and there are several court cases pending on that front.

Whether there were valid reasons on the ethical front, details will surely emerge.

The big question still remains: can smaller companies be part of the Safaricom supply chain?

/////

Safaricom launches sh. 90 million VC Fund- the questions….

Yesterday, Safaricom launched a sh. 90 million Venture Capital fund, aimed at local startups seeking to scale. You can read the story I did here, or Kachwanya's take that the fund is a game changer, or this one from Techmoran.

You can also read some recent posts, some of which deal with terms such as vulture capital, which I will discuss below. Read it.

These stories assume that many people know what VC is, but for the sake of those not used to tech jargon, here is how Wikipedia defines VC: “Venture capital (VC) is financial capital provided to early-stage, high-potential, growth startup companies. The venture capital fund earns money by owning equity in the companies it invests in, which usually have a novel technology or business model in high technology industries, such as biotechnology and IT.”

The launch by Safaricom is no mean feat; it's better than the others who have the money but don't do anything about it. But please don't be fooled into thinking that Safaricom is doing it as CSR. No, there is the foundation for that; this is business.

For the keen observer, the fund is not targeting the startups with fancy ideas but no market traction. I think Safaricom has learnt from the professional startup gurus who have hopped from one competition to another for the last four years, usually regurgitating the same ideas and “winning” the money in the process. The fund is targeting early stage startups who are seeking to scale, just as it is defined.

This works well for Safaricom, because if you have a mobile app that already has subscribers and is gaining traction, and all you need is the platform to scale, then you have an opportunity. So, if you want a share of the sh. 90 million (starting from 6m to about 23m per startup), then you had better launch the product already.


If you speak to many companies seeking to scale, 6 million can go a long way, especially if the company was bootstrapped. For the companies that start with VC money, the story is different; theirs is a different struggle.

When I heard that Safaricom was setting up a VC fund, I had all the questions that most of us have, given the experience in the Kenyan market.

1. Safaricom has previously been accused of stealing ideas once startups or individual developers pitch them. Is this a way of redressing that, and making it a legitimate way of turning ideas into products that the market can take?

2. There has been a problem of Vulture Capital or predatory capital, how will Safaricom ensure that it doesn’t fall into this category?

3. Safaricom recently partnered or bought out MLedger (no clear story), did it motivate this venture or what role did this play?

4. There are very few successful exits in the local market, how is Safaricom planning around that?

5. Safaricom has been working with the local hubs, what role will the relationship play or how will it change?

6. Safaricom has been working in the innovation space for a few years, what are some of the lessons?

What did Safaricom have to say about my questions?

Here are the answers from Nzioka Waita, Director – Corporate Affairs:

Safaricom has previously been accused of stealing ideas once people pitch them, is this a way of addressing that?

In a lot of instances, the ideas we receive are concepts that people have pulled off the Internet and thus not worth the paper they are written on. There is no case of any serious developer having engaged with us and having had their IP stolen or compromised because we simply don’t do such things. The Spark Venture Fund is being set up to provide funding for companies that are at late seed to early stage growth stage. The idea is to provide them with much needed capital so that they can continue to grow and provide solutions for the market.

There is a problem of vulture capital or predatory capital; how will Safaricom ensure that it is not in this category?

We are a local company keen to support and nurture other local companies to grow. We do not see the issue of vulture or predatory capital becoming an issue.

Vulture capital

Safaricom recently bought out a start-up, did that motivate this venture or what role did the acquisition have?

Last week we announced that we had launched the product M-Ledger, an M-Pesa accounting tool, in partnership with Dynamic Data Systems. We invested in their IP and now offer the app for free on both our app store and on the Android store. Our involvement included assisting Dynamic Data to develop and commercialize their solution for the market. This was a classic case of having a solution that meets a critical market need, and we are keen to partner with other companies who are willing to deliver the same kind of proposition.

There are very few successful exits in the market; how is Safaricom planning around that?

The reason there are few documented cases of exits is because typically there are few companies worth buying, because they have not matured enough to consistently meet the market's needs. That is what we are looking to turn around. We aim to create successful businesses with a bias in ICT mobile application development. If these businesses are successful and serving market needs adequately, there will be no shortage of exit opportunities to bigger PE funds or other types of investors.

Safaricom has been working with local hubs; what role will that relationship play or how will it change?

We hope to extend that relationship and remain a close partner for the local hubs.

Safaricom has been working on the innovation space for the last few years, what are some of the lessons?

Innovation is part of our DNA and over the years we have tried various strategies to try and create a viable innovation ecosystem in Kenya. It's been a long journey – with several hard lessons learnt along the way about how to do it – but we see this fund as the opportunity to push Kenya's technology start-ups into their next phase of growth by providing them with the funding that they would typically not be able to source.

///

Help Kenyan students with disability get to 5m

Safaricom will donate Ksh. 5 million to match the views on this video. It is the story of young Susan, her struggle and acceptance of living with visual impairment. It is very moving. Watch the kids in the field as they prepare for a sprint and the kids in the computer lab.

The big deal is not the Ksh 5 million; Safaricom can donate that. The issue is raising awareness on issues of disability and getting more people to provide information and services that cater for the needs of those living with disability.

The video coincided with the launch of a revamped Safaricom website that has made technical and content tweaks to ensure that people living with visual impairment can access services as well as anyone else can.

For instance, photos should be described as fully as possible, so that those using assistive technology can get the same info or form the same image as anyone else. Think about radio or magazine programs: there are those that give shallow information and there are those that delve deep into descriptions, make you paint the image in your head, and in the end the intended impact is clearer.

Pupils at the Thika School for the Blind use computers. Technology provides immense opportunities for teachers and students.

Why should we care?

There are those who argue that every site has its audience and if people living with disability cannot access it, well, maybe they should stick to braille. The video above will also show the plight of students sharing text books and how technology has bridged that gap. If all sites made the tweaks, then more people could access this information and its benefits.

Yes, the first step is bridging the technology gaps: of the eight schools for special needs in Kenya, only Thika School for the Blind has access to computers, and even then, the lab caters for 100 students. The other schools will have to hope that one day they will share the benefits of technology. Hopefully soon.

When you think of the call to innovation, who does it target? Imagine if the students and graduates living with disability had the same opportunities to create cool applications. Maybe they would come up with applications that can be used globally. If you think of the saying that it's only the wearer of the shoe who knows where it pinches, maybe there would be ground-breaking collaborations. Of course, just like in Kenya's tech community, many ideas fail before one idea ends up being the one, but at least the chances are there.

There is also the issue of increased employment opportunities; if the students are exposed to technology early, they can get new ideas to earn a living, and in this era of technology no one cares much so long as you can deliver on the other end.

Exposure also means that students learn code and programming early and can therefore take that route if interested. For those who remember Idd Salim, the late blogger and developer, those who went to Starehe with him knew that all he wanted to do was computer stuff, and that is what he became. Nowadays many schools offer computer lessons for students. For many people, the internet is a well of opportunity: online publishing, open source collaborations etc…..


Braille is the common mode of communication, which means if you can't read or write braille, communication is tough. Emails provide an opportunity for better communication.

Step by step

Two years ago, I had a chance to train young men and women from the Africa Youth With Disability Network. The training was mainly on using online media. The best part about the training was that I learnt to appreciate even the small changes that people make in order to embrace people living with disability.

The excitement of posting the first blog post, tweet or Facebook update is the same for a person living with disability as for the able-bodied person. But while an able-bodied person doesn't have to struggle so much

Anyway, go ahead and watch the video 🙂

Book review: Money, Real quick- the Mpesa story

About three weeks ago, Safaricom held a function to celebrate the book “Money, Real Quick”, which relates to Kenya's use of mobile money, commonly known as Mpesa. The reason why I say celebrate is because the book was launched in 2012 in Italy and has been available on Kindle and Amazon.

The book was sponsored by the Rockefeller Foundation and was written by Nicholas Sullivan, a senior fellow at the Fletcher School, and Tonny Omwansa, a lecturer at the University of Nairobi.

The book was commissioned to provide a journalistic, narrative-driven story as well as to highlight the impact Mpesa has had in the country and the region. The book makes a very easy read and is very detailed, aside from a few areas where the story jumps back and forth and introduces topics with no details, only for you to get the details later. Some of the stories were not tight enough, like the way the story of the iHub is told; I felt it should have been knitted together better.

Moving on…..

When I saw the invite, I remember thinking, these will be the same stories of Mpesa, how Vodafone came to rescue us, this poor person, this farmer, this who bla bla….. you can insert your own Mpesa stories, rinse and repeat.

Then I remembered that I have always had all these Mpesa questions that I needed the book to answer. I am not sure whether you have similar questions, but here is my list:

1. How exactly did the Mpesa idea germinate?

I am sure we have all heard of the cases in court with business people, most notably Faulu Kenya, which is well addressed in the book.

The book traces the origin of the Mpesa idea to a series of workshops and meetings between Kenya's finance sector players, telcos (Vodafone and Safaricom reps), government types and all sorts of people. The role of DFID, the British government's donor arm, is well underscored in its financing and follow-up.

The book confirmed my perception: there is no way any Kenyan or individual entity can claim a piece of the pie when the initial investment was made by the British government and Vodafone. They gambled on an idea and it paid off.

Compare this to the countries who demand that the US government should not control the internet through ICANN. The US government invested heavily in the development of the internet, and it will take time for the US to let ICANN go. You can read more about ICANN here and here.

So, for those thinking that they can lay future claim to the development of Mpesa, get the book and take the hint. Accept and move on….

2. What happened to the deal between Safaricom and Equity Bank over Mkesho?

Safaricom and Equity had developed a nice product for the mass market, and the deal seemed like a union made in heaven, given the two companies' huge marketing budgets and their ability to ride the mass market.

Michael Joseph has given an account of how the deal went south and how Equity decided to compete with Safaricom after the idea to split the money 50-50 went sour. Get the book and read about the tech innovation contest and who thought the other had no business in technology but only in marketing. It will surprise you 🙂

I am sure you all know that Equity Bank has applied for a Mobile Virtual Network Operator (MVNO) licence to roll out services in 11 African countries in conjunction with Airtel. Maybe Equity is making good on its intention to compete with Safaricom and push into the region, in a way that Airtel has been unable to do, at least in the Kenyan market.

The book has juicy details from MJ.


3. Interoperability with other mobile money providers

The book gives the history of mobile money in Kenya and the players. It talks about the favouritism that government bodies have extended to Safaricom and how it dealt with that. It talks about the Central Bank regulations and dances around the issue of transferring money across providers.

4. Konza technopolis, silicon savannah, ….

Most of the books on Kenyan tech tend to always mention Konza, which is why I expected it. The writers talk of BPO growth and how Konza will catalyse it. I guess they missed the memo that Kenyan BPO is dead and the ICT marketing bodies have moved on to other sexy topics like managed services…

The book talks about Konza in detail and says all those things people say….. nothing new.

Overall, the book makes a nice read, especially with the history of Kenya's financial sector and definitions like what the last mile and first mile are….. and of course it has all the key buzzwords: bottom of the pyramid, towards financial inclusion, and banking the unbanked, among others.

The book is priced at £9.99 and $2.99, and I think the paperback is available locally.

From Social Media Campaign to Action

Once in a while, Kenya's social media or online constituency is touched by various causes. The most famous was Kenyans4Kenya and the most recent was the Bring Zack Back Home campaign.

For some reason, both were led by Safaricom; either because of their strong Corporate Social Responsibility or the sheer number of zeros in their annual results. It may also be because they have the numbers in terms of subscribers, and their advertising budget to boot. Whatever the reason, it is good.

Naturally, when money is concerned, there are those who contribute, those who just ask questions, the skeptics who see the eating opportunities, and those who obsess over details of how the thing will work 10 years later. Some do all of the above and others do none, and it is still ok.

So, for this post, we will talk about Bring Zack Back Home, which was mainly aimed at building a spinal injury rehabilitation centre. Currently none exists in Kenya, and a trip to South Africa and the attendant costs can run into tens of millions.

This will be a rehabilitation centre, not a hospital per se; it is not taking away the work done at the hospitals. It is the place where people can learn how to deal with the sudden or gradual loss of spinal use, learn how to use a wheelchair, where families can get support on how to care for loved ones and, most of all, where people can get rehabilitated.

Some of these things sound so alien, until you meet people and families living with these challenges or until you fundraise to go abroad and wonder why these services are not available locally.

On this day, I decided to go to Isinya and see how the project is going. The building stands on a 12-acre piece of land and is expected to include ultra modern facilities, most notably a gym and a media centre.


The initial target was Sh 250 million and 73 million was raised. Eight million went into taxation because most of the donations were via airtime and Mpesa. Safaricom tried to negotiate a waiver with KRA but hit a dead end. To raise the money, Zack pushed his wheelchair from Nairobi to Namanga, cheered on by well wishers.

Construction has already begun, and it is projected that well wishers will continue contributing to make it a reality.


Here is Zack welcoming William Ruto, the deputy president, to the ceremony. For some reason, Zack didn't look very jovial, but then again, he was probably unwell.

Zack gave a very sober speech and had requests to Ruto:

  • Having special lanes for wheelchair users
  • Dealing with fumes from poorly maintained cars; how can the government help with this?
  • Sh 8 million was paid to the Kenya Revenue Authority; how can the government intervene?
  • A waiver to be extended to the construction
  • Sh 176 million is still outstanding and it would be nice if the government chipped in


Ruto took the stage and after platitudes, he promised several things, key among them:

  1. The government will pay for personnel, and assist in the management and running of the facility
  2. He donated sh. 3 million from his salary
  3. The government is to contribute 30 million, of which 10 million will go to KRA to pay taxes
  4. After his generous donation, industrialist Manu Chandaria announced that he would give 30 million too

It would have been nice if Ruto had given 50 million; maybe Chandaria would have been drawn in to match the 50 million, which would be good. My only hope is that Chandaria will not demand the naming rights; I hope he is satisfied with his name on Kenyatta University and Nairobi Hospital. Given that the public participated heavily, it wouldn’t be nice to just name it after one person.


For me, the day was capped by a poem by this girl, who addressed the challenges faced by school kids in wheelchairs, like taking long to carry out chores that seem mundane to an able-bodied person.

It was a day to witness what the power of giving can do, and the stories made it all seem like the rehabilitation centre should have been there ages ago.


Cyber Security in Kenya: Safaricom hosting

Days ago, when I was researching and talking to information security experts for an article on Kenya’s online banking security, Africa CERT and cybersecurity, one of the experts asked why there was such low reportage of security vulnerabilities within the ISPs. As usual, I said the best thing was to deal with a specific and recent case.

The recent case involves the Safaricom network. Just in case you are new to the whole cyber security lingo, you can read these articles on the basics of phishing, how to respond to phishing, the difference between an exploit and a vulnerability, how hackers can use your Internet Protocol (IP) address to carry out phishing attacks, and computer viruses and other malicious software.

 


Now that we have gotten that out of the way, here we go….

On June 3, 2013, the Indian Computer Emergency Response Team (CERT) reported that there was a “Phishing Attack via Safaricom Network – IP Address 197.248.5.52”. The report was sent to Kenya CERT, which coordinates such incidents and informs the affected ISP.

The report described the problem as “IP Address 197.248.5.52, which is being used to perform a Phishing attack on …….. Bank Ltd in Bombay India”.

“Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.

Once a phishing attack occurs, the goal for the organization is to get the phishing site shut down as quickly as possible. This limits the window of opportunity in which the phisher can collect personal information. With any phishing attack, organizations should take three steps (or hire a firm to take these steps for them).”

I wrote to Safaricom seeking clarification on whether they had taken action on the reported vulnerabilities. Here is the answer I got.

Dear Rebecca, 

We do not have IP 197.248.5.52, but we have……

The…….site had been compromised, however this was due to weak security controls on the client side. The….. team picked this up and took remedial actions to fix this. 

However, we continue to review and improve our security posture, as the threats evolve.

regards…..

I have removed the IP they said is on their network; I have retained the IP they have denied. I am told Safaricom’s legal department is under instructions to crack down on those who write “not very nice stuff”, and I am sticking to my lane because I have neither the legal fees nor the interest in advancing the jurisprudence.

Anyway, after Safaricom denied the IP, I did a whois search on the owner of the IP and this is what I got; the AFRINIC details indicate that the IP belongs to Safaricom.

AFRINIC whois search
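The whois step above, as an added example that is not part of the original post: given an RPSL-style whois reply (a constructed sample below; the netname, handles and mailbox are placeholders, not the real AFRINIC record for this address), find the allocation covering the reported IP and the abuse contact an incident handler would notify.

```python
"""Abuse-report triage: which registry allocation covers a reported IP?
Added example; the whois text is a constructed RPSL-style sample answering a
lookup of 197.248.5.52, not a real AFRINIC record, and every value is a placeholder."""
import ipaddress

SAMPLE_WHOIS = """\
% Constructed sample, not a live AFRINIC response.

inetnum:        197.248.0.0 - 197.248.255.255
netname:        EXAMPLE-ISP-NET
admin-c:        EX1-AFRINIC
source:         AFRINIC

role:           Example ISP Abuse Desk
nic-hdl:        EX1-AFRINIC
abuse-mailbox:  abuse@example.invalid
source:         AFRINIC
"""


def parse_rpsl(text):
    """Split RPSL text into objects (blank-line separated key/value blocks)."""
    objects, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("%"):  # separator or server comment
            if current:
                objects.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip().lower(), []).append(value.strip())
    if current:
        objects.append(current)
    return objects


def covering_inetnum(objects, ip):
    """Return the narrowest inetnum object whose range contains ip, or None."""
    addr, best = ipaddress.ip_address(ip), None
    for obj in objects:
        if "inetnum" not in obj:
            continue
        lo, _, hi = (s.strip() for s in obj["inetnum"][0].partition("-"))
        lo, hi = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        if lo.version == addr.version and lo <= addr <= hi:
            if best is None or int(hi) - int(lo) < best[0]:
                best = (int(hi) - int(lo), obj)
    return best[1] if best else None


def triage(text, ip):
    """Summarise the responsible netname and abuse contact for ip, or None."""
    objects = parse_rpsl(text)
    net = covering_inetnum(objects, ip)
    if net is None:
        return None
    # Follow the admin-c/tech-c handle to the role object that lists abuse-mailbox.
    handles = set(net.get("admin-c", []) + net.get("tech-c", []))
    mailboxes = [m for o in objects if o.get("nic-hdl", [""])[0] in handles
                 for m in o.get("abuse-mailbox", [])]
    return {"range": net["inetnum"][0], "netname": net["netname"][0],
            "abuse": mailboxes[0] if mailboxes else "(none listed)"}
```

A denial like the one in the email above is checked the same way: if the registry range covers the address, the abuse contact on that allocation is the party that has to act.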

 

For the sake of clarity, Safaricom has two other IPs that are vulnerable and another one that is targeted, and if you count 300 sites per IP, you are looking at 900 sites. These are Kenya’s key infrastructure sites, the kind that would make you cringe just thinking that someone has a backdoor or a chance to attack. Think banks, government agencies etc.

I am told those security vulnerabilities are yet to be fixed, and because the intention was not to expose Kenya’s key infrastructure to further attacks, I have left out the other IPs.

By the way, as you may have read in the links, someone having your IP can’t do anything, that is if they are not hackers or infosec people. Safaricom clarified that they host thousands of sites, which I doubt, but they confirmed that they can host up to 300 sites on a particular IP.

This means that if one client has no security controls, they can affect all the others, and if the server is penetrated, it can affect all the sites. You can read about virtual hosting here.

Remember the 103 government websites that were hacked? Here is the story.

 


To understand the security challenges, I spoke to two people who are well versed in the area. One gave me an example of how he had misconfigured a server and was busy spamming everyone, and the host, abroad of course, alerted him and suggested that if he didn’t fix the problem, the service would be taken offline.

My other question was whether an IP being hijacked or a website being vulnerable was a reflection of the competency of Safaricom’s tech security department. The feeling was that the fact that the IP was being used in phishing and was reported meant that Safaricom’s security team had not detected it or had neglected to take action, thereby exposing the other sites hosted there.

So, why did it take long for Safaricom to fix the flaws?

Another infosec contact told me that Safaricom’s tech team is intellectually arrogant, the kind of people you can never teach or tell anything. I imagine the people with lots of money and the “ka-techie” trying to prove that they know stuff. So in the case of information on vulnerabilities, keep it to yourself.

Ideally, as the articles shared at the beginning indicate, Safaricom should have a way to inform its clients to take action immediately, with timelines on when the site will be taken down; two weeks after the reports, nothing had been done.

 


What about KE-CERT?

Their role is just to inform, nothing else. They don’t even have guidelines on how long a vulnerability may remain exploitable after the report; they say that the ISP must confirm it has fixed it, which means it can take an eternity.

So, how do ISPs know that they are compromised?

Apart from KE-CERT, the Kenya Internet Exchange Point maintains a honeypot, which is:

“A trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally it consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated and monitored, and which seems to contain information or a resource of value to attackers.” You can read more about honeypots here.

 

It is one of the ways the IXP increases its value to the ISPs and content providers peering at the exchange. A network is able to monitor security attacks and vulnerabilities on its network and take action.


Safaricom advantage users and level of service

A few years ago, a blogger wrote a post largely addressing the issues faced by Safaricom Advantage users. The thrust of the post was that Safaricom neglects its postpaid users; they get no promos like double your airtime, they have fewer products etc.

The blog post was stinging and laid down several issues, not all of which I can remember. It was so bad that the post had to be pulled down/deleted 🙂 some dark forces felt that it painted Safaricom in a bad light and, at that time, the company he was working for was doing business with Safaricom, so it was either his blog post or the job, and we all know how easy that decision can be 🙂

That blog post comes to mind a lot, especially when I have issues with Safaricom voice. I always remember that once you commit to paying your bill at the end of the month, you cease to be an important customer who needs to be courted; think of prepaid customers as girlfriends/boyfriends who need continuous impressing and postpaid customers as wives/husbands, who have made their decision and have to put up with whatever problems arise.

In my association with Safaricom voice as a postpaid customer, I have had several issues which I have had to suck up, deal with or get over, because I am not the only customer and they couldn’t care less, and as long as I never move providers, I had better stop whining, which I have to 🙂

But the thing about Safaricom that I never understand is why they disconnect calls mid-conversation; whether the bill is due or not, I think it’s just rude, plain and simple.

Sample this:

It’s a Saturday morning. I have a breakfast meeting with a business contact; I get to the meeting point but have to tell my contact which cafe I am at, that was the agreement. Just when I started that conversation and before I could say where I was, the call was disconnected. On checking, the line was dead, but that was because my bill was due two days ago, never mind that I had 1,000 left of the maximum amount that I could use, and Safaricom had that deposit.

 

So I sat there wondering whether to send the business contact a “call me back”, whether to leave the tea and start walking around looking for the person, or to look for a Safaricom shop and pay the bill, and this is the point where you curse yourself for not having money on Mpesa.

As I sat there seething with anger and wondering about my next course of action, Dorcas Muthoni walked in; she asked what my problem was and I explained. She laughed for about a minute and then recounted her own problems and how the discontinuation of calls mid-conversation angered her, until she discovered the voice bundles, which she doesn’t exhaust, and her bill drastically reduced. We agreed that the best thing is to cancel the postpaid contract and get the bundles.

And I felt better after that conversation.

In the meantime, I got a text from the person I was meeting to say that they had had to rush off. I almost asked why they couldn’t call me, but hey, I needed them more than they needed me and it was incumbent upon me to sort out my problems. That’s what happens when you want to take five minutes with people who are going to other meetings or have other stuff to do around that venue.

So, after waking up early and getting disappointed, I walked to the Safaricom shop and there was a queue, maybe five people, but believe me, it was almost an hour before I got to the counter. I thought it would be easy: you guys have my deposit, I still have a k on that deposit, so we can cancel out and subscribe to the new bundle.

Well, that was wishful thinking.

First I was told to write a letter cancelling the old contract; then she went behind the door, took fifteen minutes and came back with a lady called Edith, who I think was the manager or the person who calls the shots.

She explained to me that I have to pay the bill first, then write a letter, which goes to credit control, and it will take another two days to reactivate my new bundles. As she is talking, I am getting worked up: you have my money and you are treating me this way? Well, that is what policy says.

So, I ask: “What will credit control do? You have my deposit, and the practice is that you disconnect only if I max out on that deposit?”

She said: “That is the policy, and there is nothing I can do.”

In my head, I had a few statements that I would have said to that lady, but then, she was only a messenger. I am sure Bob Collymore and his team of policy experts do not consult her on some of the insults she has had to endure because of lopsided policies and aggrieved customers who expect Safaricom to treat them better.

In the end, since I was having a bad day, I decided to give her a bad day too by unleashing my angry tone, and I walked away to go look for money to pay the bill and come back. But that queue at the Safaricom care centre at Sarit always discourages me. Imagine the look I gave her when she said that I would have to queue again.

I am not sure Safaricom will take any action for the better, but hey… ranting can make you feel better 🙂

Was the IEBC network compromised? An insider’s view…

In the last few days, many things have been called into question, chief among them the Independent Electoral and Boundaries Commission’s (IEBC) network. Many experts thought that it had been hacked, especially after a database error was reported. The DB error was multiplying the rejected votes by eight.

In these emotional cases, one party feels like they know better and would have offered better solutions, and the other party wonders where these people were to offer solutions when the process began… the story goes on.

One of the main questions was whether the system underwent a penetration test, commonly known as a pentest, to determine whether it could be hacked. The answer is yes… it was pentested and monitored. You can imagine my relief when an information security expert who did the pentest agreed to share the findings and the process.

Here is the response I got, verbatim; I have not edited it… My apologies if it’s too tech or too boring 🙂

“Last year, IEBC reported that they wanted to test if their systems could be hacked, or penetrated. Personally, last year I had a lot of issues to deal with; I wasn’t well, and so I took up the task this January, in the second week of the year 2013.

Having fast Internet in the house, the first objective was www.iebc.or.ke.

Like any other pentester, I had to learn which services the box was showing to the world, and the first thing I realized was that the only port allowed to the world was port 80, not fully secured, because I could see that it was on a Debian box.

See below:

197.248.2.46:80 Apache/2.2.16 (Debian) ( Powered by PHP/5.3.3-7+squeeze14

with internal IP, 10.20.1.10

So the only thing an evil hacker would do here is try to DoS this Apache, since the version is vulnerable to Remote Denial of Service. But that’s not for me; I wanna pentest, not break things for fun, like Anonymous Kenya tried to do during the election week. By the way, that was really stupid, and it didn’t work!

So, I also noted that this webserver was not sitting in the same network IEBC uses; it’s on a different WAN, suspected Safaricom due to the IP address. I decided to drop this and adapt like any hacker would do. So the next thing was to look for other domains that had to do with IEBC, and some interesting ones came up.

ftp.iebc.or.ke

mail.iebc.or.ke

webmail.iebc.or.ke

Now it was time to go further.

By now my target had become the mail server, since these others reflected to the domain from Safaricom. By this time I hadn’t picked up Google’s domain, vote.iebc.or.ke.

So I started to focus on the mail box, and realized it was sitting in the IEBC office, Anniversary Towers, Nairobi. Heck yes, I was on the right track.

So the first thing was to know which floors, but with high security it was getting harder. Several social engineering attempts and I got near the 16th floor and saw that the machines on the LAN were on Windows, with Symantec as AV.

(I’m trying not to go technical on this post, bear with me.)

So the first step was to get a VPS server and upload a malware client and prep a malware server. I tested it on virtual machines in the comfort of my home for around two weeks, until I got the dropper working right. I needed to make sure I owned at least one workstation, then propagate my attack from there.

I’m not going to bore you on how I got my malware into the IEBC internal network. I had a lot of time scanning and probing for services on this infrastructure, but I was in, and fully in charge of the machine I had hacked into. Luckily this workstation I had got into wasn’t getting switched off at night, but I worked hard to make sure that in case the owner decided to reboot, my code would still connect back via port 443 to my VPS server in the UK. A few days later I was able to update my malware server, and I was ready to test a reboot, and I ran it.

The connect-back came back just fine. This was tested during lunch hour around February, just before the 14th.

Now, it was time to look for more info; the amount of machines and infrastructure was overwhelming, but I had all the time in the world.

Below is an internal scan of 10.1.2.1-254 for the SMB service:

10.1.2.2:445 is running Unix Samba 3.5.10-125.el6 (language: Unknown) (name:BVRFTP01) (domain:BVR)

10.1.2.3:445 is running Unix Samba 3.5.10-125.el6 (language: Unknown) (name:BVRFTP02) (domain:BVR)

10.1.2.4:445 is running Unix Samba 3.5.10-125.el6 (language: Unknown) (name:BVRFTP01) (domain:BVR)

10.1.2.76:445 is running Windows Server 2008 R2 Standard 7601 Service Pack 1 (language: Unknown) (name:BVRMCV01) (domain:BVR)

10.1.2.77:445 is running Windows Server 2008 R2 Standard 7601 Service Pack 1 (language: Unknown) (name:BVRMCV02) (domain:BVR)

10.1.2.78:445 is running Windows Server 2008 R2 Standard 7601 Service Pack 1 (language: Unknown) (name:BVRMCV03) (domain:BVR)

10.1.2.79:445 is running Windows Server 2008 R2 Standard 7601 Service Pack 1 (language: Unknown) (name:BVRMCV04) (domain:BVR)

10.1.2.80:445 is running Windows Server 2008 R2 Standard 7601 Service Pack 1 (language: Unknown) (name:BVRMCV05) (domain:BVR)

Just by luck, I bumped into an email, via a *.PST, that had an attachment with information about the RTS, and the name of the machine in the IEBC infrastructure and also the ones in BOMAS and DR. I won’t share the IPs of these initial machines, but the system’s hostname as known by the network was results.iebc.or.ke.

Breaking into this was easy, via PHP vulnerabilities and also because it was still using simple passwords, and also the developers’ common mistake of leaving SQL dumps in the webroot. Got in, added a user on the system by the end of February. Then I started going for the system at BOMAS. Lucky me, it was Windows, much easier. By this time it was almost the start of March, and an IEBC official called me and told me to send my CV over for recruitment as a contractor.

By this time, I hadn’t told them how far I had gone with the test, but by the time I told them about it, and also with what they saw I could do, I was up for the job.

Now one thing I gotta clarify is that when I got to Bomas on the first day, I picked up some serious vulnerabilities that I couldn’t pick up when I was attacking the network remotely, and we realized that with the setup at BOMAS, any bad guy who got a chance to hook up to the network would definitely break into the main server, and therefore mess with how the results were getting in via APN.

I did my internal assessment within 48 hrs of no sleep and did my report, and it was too late to fix some of the vulnerabilities, because if it was attempted, there would be system failures. The next day was election day.

The only option was to monitor for any form of attack, within and from Safaricom’s VPN. I did set up the Network Intrusion Detection System and also Host Intrusion Detection Systems, and also changed the simple passwords, blocked the SQL server from the network, and March 4th found me getting things to work. By mid-4th, all was ready.

Now, due to the sensitivity of the issues, I will not copy the incident report here or any of its details, but I wish to specify we had two attacks; all of them ran on the initial step, reconnaissance, and by the time scanning had started, I had hammered the attack, and all was okay.

The other issue was a bug in a PHP script that was querying additional info from the DB, and also a /var/log that was not partitioned adequately.

So, a lot of rumours spread by some countrymen, meant to bring up chaos (sorry it didn’t work, Kenyans, we are peaceful), saying that the systems were hacked were completely ridiculous, since we monitored every bit of traffic, any binary and service that ran on both servers and the major machines. We also monitored any laptop or computer that got hooked on the network, for any type of polymorphic attack, network scanning or a form of Advanced Persistent Threat etc.

It was a hell of a week, but we did it.”
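A sliding-window detector of the kind that flags the reconnaissance and scanning the pentester says the NIDS caught, written for this post as an added example (not the pentester’s tooling); the connection records are constructed with documentation addresses, and the 60-second window and eight-target threshold are assumptions.

```python
"""Threshold port-scan detector over connection-attempt records.
Added example, not the pentester's tooling; the records are constructed and
use documentation addresses, not IEBC or Safaricom hosts."""
from collections import Counter, defaultdict

# Constructed records: "<epoch> <src> <dst> <dst_port> <tcp_flags>".
# 10.0.0.9 sweeps eight services in six seconds; 10.0.0.7 retries one service;
# 10.0.0.5 touches eight services but spread ninety seconds apart.
SAMPLE_CONNECTIONS = """\
1362380400 10.0.0.7 192.0.2.10 445 S
1362380401 10.0.0.7 192.0.2.10 445 S
1362380405 10.0.0.9 192.0.2.10 22 S
1362380406 10.0.0.9 192.0.2.10 80 S
1362380407 10.0.0.9 192.0.2.10 139 S
1362380407 10.0.0.9 192.0.2.10 443 S
1362380408 10.0.0.9 192.0.2.10 445 S
1362380408 10.0.0.9 192.0.2.10 3389 S
1362380409 10.0.0.9 192.0.2.11 445 S
1362380410 10.0.0.9 192.0.2.10 3306 S
1362380000 10.0.0.5 192.0.2.10 21 S
1362380090 10.0.0.5 192.0.2.10 22 S
1362380180 10.0.0.5 192.0.2.10 23 S
1362380270 10.0.0.5 192.0.2.10 25 S
1362380360 10.0.0.5 192.0.2.10 53 S
1362380450 10.0.0.5 192.0.2.10 80 S
1362380540 10.0.0.5 192.0.2.10 110 S
1362380630 10.0.0.5 192.0.2.10 143 S
1362380700 10.0.0.9 192.0.2.10 80 A
"""


def parse_records(text):
    """Parse one record per line into (ts, src, dst, port, flags) tuples."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port, flags = line.split()
            records.append((int(ts), src, dst, int(port), flags))
    return records


def detect_scans(records, window=60, threshold=8):
    """Map src -> (ts, distinct targets) for sources that attempt >= threshold
    distinct dst:port pairs within any `window` seconds. Only SYN-flagged
    records count, so established traffic does not inflate the count."""
    by_src = defaultdict(list)
    for ts, src, dst, port, flags in sorted(records):
        if "S" in flags:
            by_src[src].append((ts, (dst, port)))
    alerts = {}
    for src, events in by_src.items():
        live, start = Counter(), 0  # targets seen inside the sliding window
        for ts, target in events:
            live[target] += 1
            while events[start][0] < ts - window:  # expire old attempts
                old = events[start][1]
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                start += 1
            if len(live) >= threshold:
                alerts[src] = (ts, len(live))
                break
    return alerts
```

Widening the window (for example to 700 seconds) also catches the slow sweep from 10.0.0.5, which is the trade-off between catching patient scanners and raising noise on busy hosts.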

 
