
Category Archives: grad school

NIC Bank’s Data Breach, Hack and Subsequent Extortion

Allow me to write this post as a letter to NIC Bank. I feel that despite the numerous times I have advised them to rectify their security to better protect us, their users, it has simply fallen on deaf ears. Well, here goes.


Dear NIC Bank,

How are you? Hope you are well. These days when I wake up every morning I have a routine: I read all my tech blogs, check my email and check my NIC Bank portal for fear of a breach, for fear that my hard-earned shillings may have been skimmed by some hungry hacker or, even worse, that my data may have been sold on Silk Road. I know many wonder why I am still banking with you if all I do is complain; I mean, if you constantly argue with your spouse then it's better to walk out and spare yourself the agony. But like a cocaine addict I am hooked: hooked on your seamless banking process, the short queues in the banking halls, the cute banker chicks you guys have, the asset finance and of course the online banking portal that has proved to be your Achilles heel.

If you have been reading my blog you may be aware that I have written two posts: the first, NIC-BANK’s poor Ebanking System and possible security Flaws, dated 24th April 2014, and the second, NIC-BANK’s improved Ebanking System subsequent to my Exposé, dated 11th November. In the first I alerted you to the gaping holes in your security. I also expressed my fear that someone else may have found this flaw and, not being as noble as me, exploited it for profit. I was pleased when a few months later I noticed you had bumped up your security and added OTP to the online portal. But if you remember, I mentioned that this may be a little too late. I wrote in part:

To begin with, if indeed the data they served was compromised then they should have purged the entire username/password combination provided; instead they only solved the issue of passwords. The problem with this is akin to a naked woman only covering her boobies: the rest of her is available for your ocular pleasure. The same applies if I had a set of passwords and usernames and the passwords change without the usernames changing: then I am already at first base if I had the old data. The next thing would be a clever combination of hacking tactics ranging from social engineering, actual key logging on the device to harvest the app's password and generating an OTP afterward, sitting on the data and joining all those IRC chats on the dark web and Tor that list exploits on major brand software and then just cleverly generating the OTPs for yourself, etc.

Fast forward to a couple of days ago: wifey called me up at work and informed me that a couple of guys had been arrested on the grounds of extorting cash for data. Allow me to speak a little about the two hacker guys. First, I heavily condemn their extortion of money for data. The two guys asked for 200 bitcoins; from this we can see that these guys aren’t exactly noobs, but also that they are just average hackers. Allow me to explain why.

There exists a market on the dark web, the other part of the internet where Google doesn’t even dare go, where all the hackers meet, chat, exchange tools etc. I remember the first time I showed wifey the dark web she was blown away by the level of sophistication there; I mean, if you think of the internet we use as 5/10 then the dark web is 10/10. This is the first place where kids grow up worshipping Anonymous and the Lulz, the place where Lizard Squad was born and their skills sharpened. Back to said market: it's called Silk Road, and Silk Road buys anything from weapons to kiddie porn. It's like the wild wild west of the Internet. So where am I going with this? Allow me to indulge you and generalize as well. Kenyan banks should be aware that there are guys out there who won't send you an email and ask for cash; there are guys who will sell hacked data, attack vectors etc. on Silk Road, and from there the Chinese or Russians will get hold of it and wreak havoc. The things these guys can do are even beyond the scope of this blog.

Long story short, the two guys will probably be found guilty, right? They will end up in Kamiti and get anally raped and we will forget about the whole thing. One or two guys will get fired and new ones hired; they will come with bravado and a big Solex padlock to lock the server rooms. But do you think anything will be done? Look at the stock price following the hack: did it even dip a point? No. Look at the queues: did they even shrink by a fraction? No.

These banks need to be monitored by the Central Bank, not only on banking practices but also on security. It's all good that CBK protects your cash from fraudulent manipulation by the banks, but that shouldn’t end there; they should protect Wanjiku from Chinese hackers who have a cluster set up in their house with enough brute-force power to use the data hacked by the two to make themselves millions. Kenya has to wake up to the fact that the rest of the world has invested billions in cyber security and is still getting hacked (look at Sony, Xbox etc.). What do you think will happen when these hackers discover easy targets in Kenya/Africa? You will see several hacking rigs being set up, and the smart ones won't even move from their desks; the four fibre connections to Kenya make remote hacks even easier.

So in parting, NIC, go ahead and sentence them; sure, cast stones at them, but don’t forget that you are to blame for what is happening and what will happen.


Posted by on January 16, 2015 in code, grad school, hack, idd sallim


So Beginneth Graduate School

I guess the blog name was after all correct; I mean, calling a blog Ending Campo while still in campo (campus) and retaining said name afterwards was a tricky bargain. I got varied comments and was tempted to change it, but still stuck to the original. Anywho, I went back to grad school a few months ago. I was tempted to either go back to JKUAT and do an MSc in Computer Systems or stick to the MSc TID at Strathmore. I ended up choosing the latter, and so began my new life in graduate school. The course is offered under the Safaricom Academy at iLab, Strathmore University.

So what exactly is Safaricom Academy and why am I enrolled? Well, for me the journey began around 2011; that was when Safaricom Academy was started, if I am not wrong. They uploaded the course modules online and I fell in love with the units immediately. I mean, it wasn’t like the boring math I was used to at JKUAT or the flimsy excuse for CS either. This was content I was yearning for. I knew then that this is what I would do after undergrad. You can see the course content here>> Well, I finished campus around May 2012, but by then I was already knee deep in software development. I had started working with the late Idd Salim, and as you all may know he was the code lord. He taught me most of the things in the course content, and in less than a year I had already done several vertically scalable projects in USSD, SMS, Android, J2ME, Symbian, web etc. So I missed the 2012 and 2013 intakes; when the 2014 intake was announced I was balls in.

Strathmore has a rigorous recruitment process for this course. Well, first you have to apply, obviously; then they do shortlisting, and after that they send emails asking people to avail themselves for practical interviews. The pracs are primarily code sessions with a little bit of math, English and general logic (psychometric, if you will). After this the next step is shortlisting and then an oral interview, after which, if you are selected, you receive an invitation email to the programme. It's currently offered both full time and part time. The full-time students are mostly under scholarship from Safaricom. I am in the part-time class (5:30 to 8:30); this class is a little different since we have to pay for our tuition per module. Module cost is around 115K. There are 7 modules in total (115K*7 = 805K). Strathmore is pricey, I know; don’t even get me started on this.

Coming from a public uni background to Strath is like getting used to shagging a skinny chick and then getting Vera Sidika. The ass overwhelms you at first. Well, let's begin with the infrastructure. These guys have neat infrastructure; let's start with where our classes are.


iLab is on the 4th floor of the Students' Centre. It houses other offices and study areas. Strath has a strict policy on dress code: I can't go to class in shorts and tees as I did in undergrad; they have a strong inclination towards formal attire and even have fashion police to enforce it. Secondly, there is an obsession with school IDs. I went through years of undergrad without so much as showing my school ID except occasionally in exams; here it is quite the converse. You need your ID to get into the Students' Centre, to move into Phase 1, to board the bus; you need biometric gadgetry to get into class, biometrics to go to the library etc. Their labs are pretty neat also. We have OOP in the Samsung Lab, next to the Oracle Lab; there is an Ericsson Lab on the same floor as well. You get the picture: a far cry from the 100-year-old labs at JKUAT.

We are 12 in our class, a small class. So far one guy has quit; I guess juggling class, life and work ain't easy. So far module 1 has OOP in Java, Data Structures in C++, Ethics and Wireless Technologies. The course is served pretty well; however, despite the fact that I know OOP in Java inside out, I still have to attend classes, no exceptions. So I sit through hours of Java, Java ME etc. bored as hell, but this is Strath; I can't dodge classes and expect to graduate. This ain't the Black Panther Party where rebellion is encouraged.

In general it's hard running my own startup (Ujuzi Code), classes, side projects and still finding time for the Mrs, but I guess I have to find a way to make it all work. I owe myself that much. I will blog more on grad school once I get time.


Posted by on October 7, 2014 in grad school
