
NIC Bank’s Data Breach, Hack and Subsequent Extortion

Allow me to write this post as a letter to NIC Bank. I feel that despite the numerous times I have advised them to rectify their security to better protect us, their users, it has simply fallen on deaf ears. Well, here goes.


Dear NIC Bank,

How are you? Hope you are well. These days when I wake up every morning I have developed a routine: I read all my tech blogs, check my email and check my NIC Bank portal for fear of a breach, for fear that my hard-earned shillings may have been skimmed by some hungry hacker, or even worse, that my data may have been sold on Silk Road. I know many wonder why I am still banking with you if all I do is complain; I mean, if you constantly argue with your spouse then it's better to walk out and spare yourself the agony, but like a cocaine addict I am hooked: hooked to your seamless banking process, the short queues in the banking halls, the cute banker chics you guys have, the asset finance and of course the online banking portal that has proved to be your Achilles heel.

If you have been reading my blog you may be aware that I have written 2 posts, the first NIC-BANK’s poor Ebanking System and possible security Flaws dated 24th April 2014 and the second NIC-BANK’s improved Ebanking System subsequent to my Exposé dated 11th November. In the first I alerted you to the gaping holes in your security. I also expressed my fear that someone else may have found this flaw and, not being as noble as me, exploited it for profit. I was pleased when a few months later I noticed you had bumped up your security and added OTP to the online portal. But if you remember, I mentioned that this may be a little too late. I wrote in part:

To begin with, if indeed the data they served was compromised they should have purged the entire username/password combo provided; instead they only solved the issue of passwords. The problem with this is akin to a naked woman only covering her boobies: the rest of her is available for your ocular pleasure. The same applies if I had a set of passwords and usernames and the passwords change without the usernames changing; then I am already at first base if I had the old data. The next thing would be a clever combination of hacking tactics ranging from social engineering, actual key logging on the device to harvest the app's password and generating an OTP afterwards, sitting on the data and joining all those IRC chats on the dark web and Tor that list exploits on major brand software, and then cleverly generating the OTPs for yourself, etc.

Fast forward to a couple of days ago: wifey called me up at work and informed me that a couple of guys had been arrested on the grounds of extorting cash for data. Allow me to speak a little about the 2 hacker guys. First, I heavily condemn their extortion of money for data. The 2 guys asked for 200 bitcoins; from this we can see these guys aren't exactly noobs, but also that they are just average hackers. Allow me to explain why.

There exists a market on the dark web, the other part of the internet where Google doesn't even dare go, where all the hackers meet and chat, exchange tools etc. I remember the first time I showed wifey the dark web she was blown away by the level of sophistication there; I mean, if you think of the internet we use as 5/10 then the dark web is 10/10. This is the first place where kids grow up worshipping Anonymous and the Lulz, the place where Lizard Squad was born and their skills sharpened. Back to said market: it's called Silk Road, and Silk Road deals in anything from weapons to kiddie porn. It's like the wild wild west of the Internet. So where am I going with this? Allow me to indulge you and generalize as well. Kenyan banks should be aware that there are guys out there who won't send you an email and ask for cash; there are guys who will sell hacked data, attack vectors etc. on Silk Road, and then from there the Chinese or Russians will get hold of it and wreak havoc. The things that these guys can do are even beyond the scope of this blog.

Long story short, the 2 guys will probably be found guilty, right? They will end up in Kamiti and get anally raped and we will forget about the whole thing. One or two guys will get fired and new ones hired; they will come with bravado and a big Solex padlock to lock the server rooms. But do you think anything will be done? Look at the stock price following the hack: did it even dip a point? No. Look at the queues: did they even shrink by a fraction? No.

These banks need to be monitored by the Central Bank, not only on banking practices but also on security. It's all good that CBK protects your cash from fraudulent manipulation by the banks, but that shouldn't end there; they should protect Wanjiku from Chinese hackers who have a cluster set up in their house with enough brute force power to use the data hacked by the 2 to make themselves millions. Kenya has to wake up to the fact that the rest of the world has invested billions in cyber security and is still getting hacked (look at Sony, Xbox etc.). What do you think will happen when these hackers discover easy targets in Kenya/Africa? You will see several hacking rigs being set up, and the smart ones won't even move from their desk; the 4 fibre connections to Kenya make remote hacks even easier.

So in parting, NIC, go ahead and sentence them, sure, cast stones at them, but don't forget you are to blame for what is happening and what will happen.

 


Posted by on January 16, 2015 in code, grad school, hack, idd sallim

 


NIC-BANK’s improved Ebanking System subsequent to my Exposé

A couple of months ago (7 months actually) I wrote a post on the security flaws in the Ebanking portal that NIC Bank uses; if you didn't read it then feel free to click here>>. I had actually taken it down following the issues it had raised. The blog got over 150K views (what do you expect when Robert Alai gets his hands on it) and my phone went crazy for days after that. Needless to say there were accusations of hacking thrown my way; I was sternly reminded that the cyber laws in Kenya had been amended and that I was facing a jail term if found guilty. Needless to say no one went to jail, and my exploit actually put them on the spot with concerned customers. That's a synopsis basically and in no way what I wanted to talk about.


Let's talk about 7 months later and what has changed. If you bank at NIC Bank (and I encourage you to if you don't) then you will have noticed they deactivated ALL old passwords they had issued or that had been generated by users. This was necessitated by the risk of someone else (key words: someone else) having used the exploit to get usernames and passwords. NIC Bank has now moved to a more secure username and OTP (one-time password) combination. The vendor they chose was ActivID®, an established IT solutions company. In a nutshell, here is how their new security system works.

HID Global’s ActivID® soft tokens provide strong authentication for remote users accessing corporate IT systems and consumers logging on to online services, without the need to distribute hardware tokens. You can use either the web, mobile or PC soft token generators. I will talk about the mobile one since I am a mobile guy after all. Mobile Soft Token: a user wishing to access the online banking portal uses the Mobile Token App to generate a One-Time Password. The application can be PIN protected.

It is licensed per user, and licences can be used across multiple personal mobile devices. Once you download the app on your phone, customer service asks you for the licence that is generated the first time you launch the app, and they use this to link it to your account. Subsequently you simply launch the app, provide the PIN you set to protect the app and it immediately generates a one-time password that expires in 60 seconds if not used, or lasts the lifetime of the login session to the online banking platform if used. The app works totally offline and all the OTPs are generated internally, so no fear of remote agents intercepting them.
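To make the OTP behaviour described above concrete, here is an added example (not NIC Bank's or HID Global's code, and not ActivID's proprietary algorithm): a standard RFC 6238 time-based OTP with a 60-second step, generated offline from a shared seed, plus the server-side check that accepts each code once within a narrow window and rejects it afterwards. The seed and the username are constructed for the demo.

```python
import hashlib
import hmac
import struct
import time


# Constructed demo seed: in a real deployment the seed lives only inside the
# PIN-protected phone app and on the bank's authentication server.
DEMO_SEED = b"constructed-demo-seed-not-a-real-key"
STEP_SECONDS = 60   # the post: an unused code expires after 60 seconds
DIGITS = 6


def totp(seed: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated.

    Needs only the seed and the clock, which is what lets the phone app
    generate codes with no network connection at all."""
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Server side: a code is valid within +/- skew_steps and can be used only once."""

    def __init__(self, seeds, step=STEP_SECONDS, skew_steps=1):
        self.seeds = dict(seeds)      # username -> seed (hypothetical seed store)
        self.step = step
        self.skew_steps = skew_steps  # tolerated clock drift, in time steps
        self.last_used = {}           # username -> highest time step already consumed

    def verify(self, username: str, code: str, now: int) -> bool:
        seed = self.seeds.get(username)
        if seed is None or not (code.isdigit() and len(code) == DIGITS):
            return False
        current = now // self.step
        for counter in range(current - self.skew_steps, current + self.skew_steps + 1):
            expected = totp(seed, counter * self.step, self.step)
            if hmac.compare_digest(expected, code):
                # Once a step is consumed it (and every earlier step) is spent, so a
                # captured code cannot be replayed in the rest of its 60-second window.
                if counter <= self.last_used.get(username, -1):
                    return False
                self.last_used[username] = counter
                return True
        return False


def demo():
    """One login: generate on the 'phone', verify on the 'server', then replay it."""
    server = OtpVerifier({"demo-user": DEMO_SEED})
    now = int(time.time())
    code = totp(DEMO_SEED, now)
    first = server.verify("demo-user", code, now)        # True: fresh code
    replay = server.verify("demo-user", code, now + 5)   # False: already used
    return first, replay


if __name__ == "__main__":
    print(demo())
```

Offline generation keeps the seed off the wire, but a code typed into a phished page can still be relayed within its 60-second window; the single-use check and the short step are what limit what a relayed code is worth.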


The Mobile Token App is available for all leading mobile devices including Apple® iPhone® and iPad®, Android™, BlackBerry®, and many other Java 2 Platform, Micro Edition (J2ME)-enabled devices.

That covers security on your end (the username/password combo), but what about the actual portal? Well, that's a tricky one. First, because of the nature of a vended system, patches are rarely awarded on a need basis. Secondly, the flaw I pointed out was a complete misconfiguration that has since been corrected. Thirdly, the servlet is only as secure as you make it; if you get social engineered then too bad.

While these issues have been solved, I still believe they should have listened to more of what I had to say. To begin with, if indeed the data they served was compromised they should have purged the entire username/password combo provided; instead they only solved the issue of passwords. The problem with this is akin to a naked woman only covering her boobies: the rest of her is available for your ocular pleasure. The same applies if I had a set of passwords and usernames and the passwords change without the usernames changing; then I am already at first base if I had the old data. The next thing would be a clever combination of hacking tactics ranging from social engineering, actual key logging on the device to harvest the app's password and generating an OTP afterwards, sitting on the data and joining all those IRC chats on the dark web and Tor that list exploits on major brand software, and then cleverly generating the OTPs for yourself, etc.

But I guess it works for now, right? The system admins who caused the glitch have since been fired, maybe; Temenos has made their money on the new T24 modules NIC uses; muggles have a new app they can floss to their Equity Bank friends and feel all secure that they are savvy. I guess everyone is happy except me. I am not; I am still online daily looking at other poorly set up systems to advise. So in between grad school, code, Subaru runs and this, you know what I will be doing.

Someone used to say: Wazi, back to code. So I end it there.

 

Posted by on November 11, 2014 in Uncategorized

 

Hands on with Tuma Pesa –The MPESA companion


It’s happened to every MPESA user: you urgently need to send money to someone but you don’t have the number off the top of your head, just in your address book. So you end up navigating to your phonebook, copying the number, navigating back to your app drawer, launching the SIM Tool Kit and pasting the number when prompted.

But that’s too much work, and often we simply tempt fate and end up sending money to the wrong number. What about PayBill numbers and their respective accounts? Well, that’s even worse: you copy the PayBill name and account somewhere, on a piece of paper maybe, and you key them in one by one into MPESA when prompted. You manually have to keep track of all the PayBill numbers and accounts so you can refer to them when you want to use them.

What if you didn’t have to do all that? What if it was as easy and convenient as downloading an app that takes care of all your numbers, PayBills and accounts? Well, that is what TumaPesa is all about. To use TumaPesa simply download it from the Google Play Store or click on the following link [TumaPesa Mpesa Companion].

How does it work? Easy; let me walk you through the 3 key features that make TumaPesa revolutionary. Upon install you get a slide introduction on how to use the app. It highlights the key features of the app and directions for use, as explained below.

  1. TumaPesa loads all your contacts and formats them for you in a nice, intuitive list that can be searched by name or number. All the contacts are pulled from both the SIM card and phone memory.

 

Say I want to send cash to Savvy Kenya; well, I simply search for her name, click on it and the SIM Tool Kit is opened. In addition, her number is copied to the clipboard and a pop-up of her details appears in the top right corner with her name and number. You can transact safely and securely without the fear of sending money to the wrong number.


  2. For contacts you send money to frequently you have the option of saving them by long pressing on a contact name; they automatically get stored in the Favorites tab and a star appears next to them indicating they are now in favorites.


  3. For PayBill numbers and accounts, you can save a list of them in the PayBill section of the app and use them whenever you need.


For PayBill numbers you can edit them by long pressing a PayBill entry; this will allow you to edit, delete or share.


Posted by on October 27, 2014 in code

 


So Begineth Graduate school

I guess the blog name was after all correct; I mean, calling a blog ending campo while still in campo and retaining said name after was a tricky bargain. I got varied comments and was tempted to change it, but still stuck to the original. Anywho, I went back to grad school a few months ago. I was tempted to either go back to JKUAT and do an MSc in Computer Systems or stick to the MSc TID at Strathmore. I ended up choosing the latter, and so began my new life in graduate school. The course is offered under the Safaricom Academy at iLab at Strathmore University.

So what exactly is Safaricom Academy and why am I enrolled? Well, for me the journey began around 2011; that was when Safaricom Academy was started, if I am not wrong. They uploaded the course modules online and I fell in love with the units immediately; I mean, it wasn't like the boring math I was used to at JKUAT or the flimsy excuse for CS either. This was content I was yearning for. I knew then that this is what I would do after undergrad. You can see the course content here>> Well, I finished campo around May 2012, but by then I was already knee-high into software development. I had started working with the late Idd Salim and, as you all may know, he was the code lord. He taught me most of the things in the course content and in less than a year I had already done several vertically scalable projects in USSD, SMS, Android, J2ME, Symbian, web etc. So I missed the 2012 and 2013 intakes, and when the 2014 intake was announced I was balls in.

Strathmore has a rigorous recruitment process for this course. Well, first you have to apply, obviously; then they do shortlisting and after that they send emails for people to avail themselves for practical interviews. The pracs are primarily code sessions with a little bit of math, English and general logic (psychometric, if you will). After this the next step is shortlisting and then an oral interview, after which, if you are selected, you receive an invitation email to the programme. It's currently offered both full time and part time. The full-time students are mostly under scholarship from Safaricom. I am in the part-time class (5.30 to 8.30); this class is a little different since we have to pay for our tuition per module. Module cost is around 115K. There are 7 modules in total (115K*7 = 805K). Strathmore is pricey, I know; don't even get me started on this.

Coming from a public uni background to Strath is like getting used to shagging a skinny chic and then getting Vera Sidika. The ass overwhelms you at first. Well, let's begin with the infrastructure. These guys have neat infrastructure; let's start with where our classes are.


iLab is on the 4th floor of the Students' Centre. It houses other offices and study areas. Strath has a strict policy on dress code; I can't go to class as I did in undergrad in shorts and tees. They have a strong inclination towards formal attire and even have fashion police to enforce it. Secondly, there is an obsession with school IDs. I went through years of undergrad without so much as showing my school ID except occasionally in exams; here it is quite the converse: you need your ID to get into the Students' Centre, to move into Phase 1, to board the bus; you need biometric stuff to get into class, biometrics to go to the lib etc. Their labs are pretty neat too. We have OOP in the Samsung Lab, next to the Oracle Lab; there is an Ericsson Lab on the same floor as well; you get the picture, a far cry from the 100-year-old labs at JKUAT.

We are 12 in our class, a small class. So far one guy has quit; I guess juggling class, life and work ain't easy. So far module 1 has OOP in Java, Data Structures in C++, Ethics and Wireless Technologies. The course is served pretty well; however, despite the fact that I know OOP in Java inside out, I still have to attend classes, no exceptions. So I sit through hours of Java, Java ME etc. bored as hell, but this is Strath; I can't dodge classes and expect to graduate. This ain't the Black Panther Party where rebellion is encouraged.

In general it's hard running my own start-up (Ujuzi Code), classes, side projects and still finding time for the Mrs, but I guess I have to find a way to make it all work. I owe myself that much. I will blog more on grad school once I get time.

 

 

Posted by on October 7, 2014 in grad school

 


What I have learnt after 5 Years of coding & Blogging


In 2010 I started this blog. Around the same time I started writing code at Finlays; seems like a long time ago. I am not a big shot blogger of course; I never show up in BAKE, but I have maintained daily 4-figure blog hits since 2011, although in the last 1 year they have increased, with blog searches for Idd Salim leading here. I am no big shot coder either; I don't attend meetings at innovation boards, nor will you find me in any hub (iHub, Nailab, K Street Hub etc.) anymore. I have however been the brainchild of some of the most amazing software products Kenyans use (Nasiishi Runda, imagine).

I sometimes wonder how different my life would have been had I not taken this road less travelled. One of my philosophies has always been to pick the choice that scares me a little. The status quo, the path of least resistance, the everyday routine: that stuff is easy. Anyone can do that. But the right decisions, the decisions that challenge you, the ones that push you to evolve and grow and learn, are always a little scary. I am thinking this because today marks 5 years of the blog known as endingcampo *insert smiley face*. With this memorable milestone I thought it best to share what I have learnt over the last 5 years.

When I started code back in the day I was given this--> Teach Yourself Programming in Ten Years post to read by my mentor Idd Salim. It made no sense to me but I followed it religiously nonetheless; it didn't turn out so bad if I say so myself. In the 5 years I have moved from a junior dev to a senior dev. The distinction here is large, and using my personal experience I will try to explain the difference.

The Junior Dev Years

This was the stage where I knew it all: PHP, Java, C++ etc. This was the stage where I had more environments set up on my PC than I did porn. Quoting Jonathan Barronville: “You know how to write imperative, functional, event-driven, and object-oriented programs. You not only know how to write fabulous factory methods, sexy singletons, delicious decorators, and prodigious prototypes, you know when to properly use them (or at least you think you do).” This is the stage where I was comfortable with my tools; after all, I had really struggled to learn them. I remember with great stupidity arguing years ago with @zacckOS about using git. I had learnt to use SVN and I felt I had the final say. I had barely 3 production systems in use and I felt like a code god. I looked at senior developers and system architects and wondered what the fuss was all about. I remember building the EDS for Crown Berger with a collaboration team from India and I felt like these guys didn't know shyt, despite the fact that they got paid per hour while I had to wait for a completion cheque. I did not know what experience was. I was a muggle who thought he was pure blood. I was a staple; you know how you eat ugali and nyama before you drink every single time you order that Pilsner... yes... predictable... that's what a staple is. I was too attached to my technologies and productions. I spent an extensive amount of time perfecting my code, thinking about all of the design patterns and principles that apply, writing unit tests (often really useless ones).

The Pre Senior Dev Years

I learnt there is a difference between having a ton of knowledge and being experienced. It took me a while to understand that, but the difference is quite interesting, I must say. I have worked on banking systems, telco-integrated systems, consumer-based systems, enterprise systems, module integration etc. And I slowly became a senior dev. After working for people I decided to set up shop on my own and founded Ujuzi <Code/>. I now had junior coders under me, younglings who thought they were Yoda. As a more experienced coder I learnt how to break the less experienced in order to shape them based on the experience I had gathered.

I had the foolish assumption that the stuff I was building was well architected; it was far from that. I have gathered lots and I can share just a few things here to benefit someone starting out.


 

1. Design

As a junior dev I was all about opening my IDE and building what the client asked for. But this is as wrong as taking out your dick and straight out overlooking the foreplay. All I made sure of was that the client was happy and that their requirements were met. As long as the poorly designed code produced the output requested by the client, all was good and everyone was happy. As a pre-senior dev I have learnt to take full advantage of the design phase. I currently take 2-3 weeks simply doing designs, both system and UI designs. When it comes to UI I always use my designer to build the entire UI and then use simulation tools to present to the client before the actual work begins. On system design I have learnt to account for system architecture, networking and security, monitoring, emergency database rollbacks and faulty transaction handling, and importantly making sure one bad config on a key module component does not screw everything.

2. Process

Process is usually how to get from point A to Z with the utmost efficiency. This is where project management, planning, and project management tools come into play. Working with great people such as Mbugua Njihia I have learnt the power of tools like Trello on the SDLC. An in-depth understanding of QA is also key.

3. Source Code Management

When it comes to code management nothing can beat Git and/or GitHub. This comes in handy when you have to commit code and also do rollbacks in case someone in the team messes with a module when you are collaborating. And also in the event of loss or damage of hardware you can easily roll back to your last commit and continue with the work.

4. Testing

Writing tests is always important when it comes to both production and staging levels. Development should always be test driven (TDD, Test Driven Development) instead of final product driven (does that make sense?? 🙂 ).


Learning from Jonathan Barronville:

 

Many junior developers  know folks with “Senior” as a prefix or “Architect” as a suffix of their title whom we feel are less knowledgeable (in terms of programming-related skills) than them. One interesting characteristic of many of these folks though is that they have been around for a long time, worked for many companies (not necessarily), made many mistakes, learned from their mistakes, et cetera. However, unlike junior developers, they might not know every language, environment, and/or technology out there. Instead what they do is they make themselves experts in a few areas (usually one or two, as far as I have seen), and instead of learning every language, environment, and/or technology out there, they pick maybe one or two languages, environments, and/or technologies, and make themselves true experts in those.

What does it mean to be a true expert in a language, environment, and/or technology? In my dictionary, a true expert in anything, is simply someone who is an expert, by not only knowing and understanding their domain at an expert level (inside and out, that is), but through years of experimentation and making use of such expertise. In other words, in my humble opinion, any developer with the time and commitment can become an expert in, say, a language like C# in maybe about a year (keep reading, keep reading), but to become a true expert like the honorable Jon Skeet or Commons Ware, it takes years.

 

Posted by on August 21, 2014 in Uncategorized

 

Why Safaricom is afraid of Sim Overlay Technology proposed by Equity Bank

So hardly 2 days ago I wrote this piece about how winter was coming for MPESA and the looming Mobile Virtual Network Operators (MVNO), and today to my shock the news was back on, with Safaricom writing a letter to the Central Bank. I suggest you read the earlier link before reading this as it may be coupled to the first post.


Equity Bank with Finserve know for sure no Kenyan will ditch their current Safaricom line in favour of whatever carrier the MVNO will ride on. That is quite elementary, my dear Watson. So Equity Bank is instead opting for a newer technology called SIM overlay. Let me explain what that is to begin with. The SIM is paper-thin and is embedded with a chip. Users overlay it on their primary SIM card, regardless of the network, and can subsequently receive services from two mobile service providers simultaneously. Its use means Equity Bank does not have to issue its own SIM cards but can ride on the existing ones. The two videos here will demonstrate that:

Safaricom’s major concern is the security of M-Pesa, which it says would be vulnerable to attacks since the other SIM is the one in direct contact with the phone and acts as a medium. You have to hand it to Equity on this, though, but I agree with them here: since the other SIM is effectively acting as a transport layer to the first one, you could have a denial of service on MPESA if the code on the card were written for it.

For example, they could write code (Java code for Java Card) that responds to external stimuli to trigger parts of the main operating code selectively, say giving MPESA-bound communication a 30-second delay for deposits and a 5-minute delay for withdrawals. Meaning the STK app that MPESA resides on would time out due to this and you would have to do it over and over again; or cleverly keep a count of the tries and after 3 retries remove the lag and allow instant communication, or after 5 random retries. I mean, I could write said code and I don't even work for them, so you can imagine someone whose sole job would be to create the overlay SIM. But then again it's a big maybe.

Finserve Africa Ltd was in April granted an MVNO licence alongside Mobile Pay Ltd and Zioncell. Equity Bank plans to use the Finserve licence to roll out mobile banking services independent of any operator. Customers will also be given data and voice services on the network.

 

Posted by on July 3, 2014 in Uncategorized

 

MPESA and the looming Mobile Virtual Network Operators (MVNO)

Once upon a time there was a monolithic system called MPESA. The system was the awe of all, friends and foe, and just like the proverbial story of the 3 little piggies it was targeted by several big bad wolves (YU Cash, Airtel Money etc.), but the wolves huffed and puffed, and since MPESA was housed in a brick house (at present M-Pesa has 15 million users conducting more than 2 million daily transactions, which by some estimates adds up to as much as 60 percent of the country’s gross domestic product) they couldn’t do shyt. So most of the wolves gave up and were content eating scraps as the piggies were safe. But the story doesn’t stop there, far from it; it goes on. The piggies lived in the brick house and grew hard-headed, boastful you would say; they failed to innovate, they failed to let anyone in, they viewed everyone with scepticism and in so doing exposed their weak underbelly.


But as Game of Thrones taught us, winter is coming. Soon there would be a bigger hurdle than the wolves they had fought: enter MVNOs. Basically an MVNO is a wireless communications services provider that does not own the network over which it provides those services to customers. So what is that, Jaymo? Relax. As we speak Kenya has licensed three mobile virtual network operators: Finserve Africa, Mobile Pay, and Zioncell Kenya. Of interest to me here is Equity Bank’s Finserve; this is because Equity Bank is Kenya’s biggest lender with eight million account holders. Equity should be able to make its offerings attractive by providing links to its core banking services, which are not available through M-Pesa. So basically if I have an account with Equity they can quickly deprecate the need for an ATM and instead use a mobile phone for everything from withdrawals to purchases etc.

Finserve is not Equity Bank’s first foray into mobile money. It previously partnered with Safaricom on M-Kesho, a banking and savings service that proved to be unsuccessful due to complications over revenue sharing between the stakeholders. Safaricom has since partnered with Commercial Bank of Africa (CBA) to launch a similar product branded as M-Shwari, which has signed up 7 million subscribers. On the strength of this adoption rate, CBA now claims to have overtaken Equity Bank as the lender with the highest number of retail loans.

I believe the biggest hurdle will be creating products that are appealing to the ordinary Mwananchi; screw the Lipa na MPESA stuff, I am talking real-world issues like requesting a salary advance via mobile money, a real-time fare system for matatus etc. The second issue will be an agent network that can rival Safaricom’s; this will not happen overnight and will be expensive to roll out. But let’s just wait and see.

 

Posted by on June 30, 2014 in Uncategorized