Days ago, while I was researching an article on Kenya’s online banking security, Africa CERT and cybersecurity and talking to information security experts, one of the experts asked why there was such low reportage of security vulnerabilities within the ISPs. As usual, I said the best thing was to deal with a specific and recent case.
The recent case involves the Safaricom network. Just in case you are new to the whole cyber security lingo, you can read these articles on the basics of phishing, how to respond to phishing, the difference between an exploit and a vulnerability, how hackers can use your Internet Protocol (IP) address to carry out phishing attacks, and computer viruses and other malicious software.
Now that we have gotten that out of the way, here we go….
On June 3, 2013, the Indian Computer Emergency Response Team (CERT) reported that there was a “Phishing Attack via Safaricom Network – IP Address 197.248.5.52”. The report was sent to Kenya CERT, which coordinates such incidents and informs the affected ISP.
The report described the problem as “IP Address 197.248.5.52- which is being used to perform Phishing attack to …….. Bank Ltd in Bombay India”
“Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.
Once a phishing attack occurs, the goal for the organization is to get the phishing site shut down as quickly as possible. This limits the window of opportunity in which the phisher can collect personal information. With any phishing attack, organizations should take three steps (or hire a firm to take these steps for them).”
I wrote to Safaricom seeking clarification, whether they had taken action on the reported vulnerabilities. Here is the answer I got.
Dear Rebecca,
We do not have IP 197.248.5.52, but we have……
The…….site had been compromised, however this was due to weak security controls on the client side. The….. team picked this up and took remedial actions to fix this.
However, we continue to review and improve our security posture, as the threats evolve.
regards…..
I have removed the IP they said is on their network; I have kept the IP they have denied. I am told Safaricom’s legal department is under instructions to crack down on those who write “not very nice stuff”, and I am sticking to my lane because I have neither the legal fees nor the interest in advancing the jurisprudence.
Anyway, after Safaricom denied the IP, I did a Whois search on the owner of the IP and this is what I got: the AFRINIC details indicate that the IP belongs to Safaricom.
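One way to check an ownership claim like this yourself, as an added example that is not part of the original post: parse the RPSL-style record that a regional registry WHOIS server (AFRINIC for this address) returns and test whether the reported IP falls inside the listed inetnum range. The record below is a constructed sample with placeholder netname and organisation values, not the real AFRINIC entry; the real one is what the whois tool returns when queried against whois.afrinic.net.

```python
import ipaddress
import re

# Constructed sample of an RPSL-style WHOIS reply (the layout AFRINIC and the
# other regional registries use). The range, netname and org are placeholders,
# NOT the real AFRINIC record for 197.248.5.52.
SAMPLE_WHOIS = """\
% This is a constructed sample, not a live registry response.

inetnum:        197.248.0.0 - 197.248.255.255
netname:        EXAMPLE-ISP-NET
descr:          Example ISP Limited (placeholder)
country:        KE
org:            ORG-EXAMPLE1-AFRINIC
status:         ASSIGNED PA
source:         AFRINIC
"""


def parse_rpsl(text):
    """Return {attribute: [values]} from an RPSL record, skipping % comment lines."""
    record = {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("%"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        record.setdefault(key.strip(), []).append(value.strip())
    return record


def inetnum_range(record):
    """Parse 'inetnum: FIRST - LAST' into a pair of IPv4 address objects."""
    m = re.match(r"(\S+)\s*-\s*(\S+)", record["inetnum"][0])
    if not m:
        raise ValueError("unrecognised inetnum format")
    return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))


def attribute(ip, whois_text):
    """Return (netname of the holder, True if ip lies inside the inetnum range)."""
    record = parse_rpsl(whois_text)
    first, last = inetnum_range(record)
    addr = ipaddress.ip_address(ip)
    return record["netname"][0], first <= addr <= last


if __name__ == "__main__":
    # The IP from the CERT report, checked against the constructed record.
    print(attribute("197.248.5.52", SAMPLE_WHOIS))
```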
For the sake of clarity, Safaricom has two other IPs that are vulnerable and another one that is targeted; if you count 300 sites per IP, you are looking at 900 sites. These are Kenya’s key infrastructure sites, the kind that would make you cringe at the thought that someone has a backdoor or a chance to attack. Think banks, government agencies etc.
I am told those security vulnerabilities are yet to be fixed, and because the intention was not to expose Kenya’s key infrastructure to further attacks, that is why I have left out the other IPs.
By the way, as you may have read in the links, someone having your IP can’t do anything with it unless they are hackers or infosec people. Safaricom clarified that they host thousands of sites, which I doubt, but they confirmed that they can host as many as 300 sites on a particular IP.
This means that if one client has no security controls, their site can be used to affect all the others, and if the server itself is penetrated, every site on it is affected. You can read about virtual hosting here.
Remember the 103 government websites that were hacked? Here is the story.
To understand the security challenges, I spoke to two people who are well versed in the area. One gave me an example of how he had misconfigured a server and was busy spamming everyone; the host, abroad of course, alerted him and warned that if he didn’t fix the problem, the service would be taken offline.
My other question was whether an IP being hijacked or a website being vulnerable reflected on the competency of Safaricom’s tech security department. The feeling was that the fact that the IP was being used in phishing and had to be reported meant that the Safaricom security team had either not detected it or had neglected to take action, thereby exposing the other sites hosted there.
So, why did it take long for Safaricom to fix the flaws?
Another infosec contact told me that the Safaricom tech team is intellectually arrogant, you know the kind of people you can never teach or tell anything? I imagine that, with people who have lots of money, the “ka-techie” is trying to prove that they know stuff. So if you have information on vulnerabilities, keep it to yourself.
Ideally, as the articles shared at the beginning indicate, Safaricom should have a way to inform its clients to take action immediately, with timelines for when a site will be taken down. Two weeks after the reports, nothing had been done.
What about KE-CERT?
Their role is just to inform, not to do anything else. They don’t even have guidelines on how long a vulnerability may remain exploitable after the report; they say that the ISP must confirm it has fixed it, which means it can take an eternity.
So, how do ISPs know that they are compromised?
Apart from KE-CERT, the Kenya Internet Exchange Point maintains a honeypot, which is:
“A trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally it consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated and monitored, and which seems to contain information or a resource of value to attackers.” You can read more about honeypots here.
It is one of the ways that the IXP increases its value to the ISPs and content providers peering at the exchange: a network is able to monitor security attacks and vulnerabilities on its own network and take action.
Was it the IP being used or the domain? Recently a website I was managing was being used for phishing bank customers in Germany and it was the bank that communicated. In most cases the hosts do not help!
Very interesting, I must say that ignorance will be the demise of many big companies. If your tech team is not up to date with known vulnerabilities and attack techniques then it’s just a matter of time before a crippling attack is carried out. They should learn from the way big corporates in the US handle attacks.
I wish this whole subject of IT security would be handled with the seriousness it deserves. It certainly isn’t limited to the basic misuse of a service and may (in EA) also include GSM encryption or how ATMs are controlled.
Hi JKE, I have been doing an independent research on GSM security around the region and nothing to write home about. I have a paper which is work in progress and the research caught the audience of someone who funded it. So pretty soon I shall share the findings especially in light of how far mCommerce has proliferated the continent.
You do know an ISP has no control when a developer or site admin leaves a site with insecure credentials a la { admin | password } et al. That’s really all one needs. In such a case, an ISP/host’s action would be a reaction. At which point the hacker would have had a few hours to work with that IP/domain.
As one mentioned, security needs to be taken seriously by everyone as it takes only one weakness to wreak havoc.
The internet is a nasty place and Kenyans should be educated on how to stay safe online. It is TRUE that cyber security is handled with laxity, from ISPs, the government, business organizations, banks and every other entity or so using the internet.
It will one day come rolling down if we don’t take corrective measures, by creating the necessary bodies and legislation to combat cyber crime and its vulnerabilities.
First…a very insightful article. I also concur on the issue of KE-CIRT. This is a useless lot. Imagine the government is sitting on a time bomb. LOL
Once two of my clients’ sites were hacked and defaced by the same hacker (going by their signature), both within an interval of hours. They are both hosted on Safaricom’s server. We did a reverse IP search for other sites hosted on the same server as those and of the about 100 we found, at the time about 15 were similarly defaced. We came to the conclusion that the attack was server side and not really through the websites themselves. We tweeted Safaricom, giving them this info we had found including the sample sites. They tweeted us back telling us to give them our contact details so they could ‘further assist us’. I replied telling them it’s not really ‘us’ they should be assisting, but rather they should address the security threat. Nothing happened for quite a while. My clients preferred to still continue hosting with them. So we re-configured the sites afresh. One was re-defaced a day after. I recreated it a week later. We now sit and await the second coming of the hackers 🙂
what about “Betyetu bet”