
Category Archives: idd sallim

NIC Bank’s Data Breach, Hack and Subsequent Extortion

Allow me to write this post as a letter to NIC Bank. I feel that, despite the numerous times I have advised them to rectify their security to better protect us, their users, it has simply fallen on deaf ears. Well, here goes.


Dear NIC Bank,

How are you? Hope you are well. These days, when I wake up every morning, I have developed a routine: I read all my tech blogs, check my email and check my NIC Bank portal for fear of a breach, for fear that my hard-earned shillings may have been skimmed by some hungry hacker, or even worse, that my data may have been sold on Silk Road. I know many wonder why I’m still banking with you if all I do is complain; I mean, if you constantly argue with your spouse then it’s better walking out and sparing yourself the agony, but like a cocaine addict I’m hooked. I’m hooked on your seamless banking process, the short queues in banking halls, the cute banker chicks you guys have, the asset finance and, of course, the online banking portal that has proved to be your Achilles heel.

If you have been reading my blog you may be aware that I have written two posts: the first, “NIC-BANK’s poor Ebanking System and possible security Flaws”, dated 24th April 2014, and the second, “NIC-BANK’s improved Ebanking System subsequent to my Exposé”, dated 11th November. In the first I alerted you to the gaping holes in your security. I also expressed my fear that someone else may have found this flaw and, not being as noble as me, exploited it for profit. I was pleased when, a few months later, I noticed you had bumped up your security and added OTP to the online portal. But if you remember, I mentioned that this may be a little too late. I wrote, in part:

To begin with, if indeed the data they served was compromised, they should have purged the entire username/password combo provided; instead they only solved the issue of passwords. The problem with this is akin to a naked woman only covering her boobies: the rest of her is available for your ocular pleasure. The same applies if I had a set of passwords and usernames and the passwords change without the usernames changing; then I’m already at first base if I had the old data. The next thing would be a clever combination of hacking tactics ranging from social engineering, actual key logging on the device to harvest the app’s password and generating an OTP afterward, sitting on the data and joining all those IRC chats on the dark web and Tor that list exploits on major brand software, and then just cleverly generating the OTPs for yourself, etc.
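As an added illustration of the point above (example code written for this page, not code from the original post or from NIC Bank): a breach-response check that treats a leaked username/password pair as fully compromised, so an account is not cleared for login until the password is reset, the login id is rotated and OTP is enrolled. The hashing scheme, the account fields and the sample dump values are all assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample dump of leaked username/password pairs, as an attacker
# would hold them (hypothetical values, not from any real breach).
LEAKED_DUMP = {
    "cust100234": "Summer2014!",
    "cust100871": "Nairobi123",
}

def hash_pw(password: str, salt: str) -> str:
    """Salted PBKDF2-SHA256 hash; the bank's real scheme is unknown (assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 50_000).hex()

@dataclass
class Account:
    login_id: str       # current login name
    legacy_id: str      # login name at the time of the breach
    password_hash: str
    salt: str
    otp_enrolled: bool = False

def make_account(login_id: str, password: str, *, legacy_id=None, salt="s1", otp=False) -> Account:
    return Account(login_id, legacy_id or login_id, hash_pw(password, salt), salt, otp)

def outstanding_steps(acct: Account) -> list:
    """Remediation still owed for an account whose pre-breach login id was leaked."""
    leaked_pw = LEAKED_DUMP.get(acct.legacy_id)
    if leaked_pw is None:
        return []
    steps = []
    # Half-measure 1: the leaked password still opens the account.
    if hmac.compare_digest(acct.password_hash, hash_pw(leaked_pw, acct.salt)):
        steps.append("reset_password")
    # Half-measure 2: password changed, but the attacker still holds the login id
    # (the "first base" situation described in the post).
    if acct.login_id == acct.legacy_id:
        steps.append("rotate_login_id")
    if not acct.otp_enrolled:
        steps.append("enrol_otp")
    return steps

def login_allowed(acct: Account, login_id: str, password: str) -> bool:
    """Correct credentials are not enough until every breach step is cleared."""
    if not hmac.compare_digest(login_id.encode(), acct.login_id.encode()):
        return False
    if not hmac.compare_digest(acct.password_hash, hash_pw(password, acct.salt)):
        return False
    return not outstanding_steps(acct)
```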

Fast forward to a couple of days ago: wifey called me up at work and informed me that there were a couple of guys arrested on the grounds of extorting cash for data. Allow me to speak a little about the two hacker guys. First, I condemn heavily their extortion of money for data. The two guys asked for 200 bitcoins; from this we can see these guys aren’t exactly noobs, but also that they are just average hackers. Allow me to explain why.

There exists a market on the dark web, the other part of the internet where Google doesn’t even dare go, where all the hackers meet, chat, exchange tools, etc. I remember the first time I showed wifey the dark web she was blown away by the level of sophistication there; I mean, if you think of the internet we use as 5/10, then the dark web is 10/10. This is the place where kids grow up worshipping Anonymous and the Lulz, the place where Lizard Squad was born and their skills sharpened. Back to said market: it’s called Silk Road, and Silk Road buys anything from weapons to kiddie porn. It’s like the wild, wild west of the Internet. So where am I going with this? Allow me to indulge you and generalize as well. Kenyan banks should be aware that there are guys out there who won’t send you an email and ask for cash; there are guys who will sell hacked data, attack vectors, etc. on Silk Road, and then from there the Chinese or Russians will get hold of it and wreak havoc. The things that these guys can do are even beyond the scope of this blog.

Long story short, the two guys will probably be found guilty, right? They will end up in Kamiti and get anally raped and we will forget about the whole thing. One or two guys will get fired and new ones hired; they will come with bravado and a big Solex padlock to lock the server rooms. But do you think anything will be done? Look at the stock price following the hack: did it even dip a point? No. Look at the queues: did they even shrink by a fraction? No.

These banks need to be monitored by the Central Bank, not only on banking practices but also on security. It’s all good that CBK protects your cash from fraudulent manipulation by the banks, but that shouldn’t end there; they should protect Wanjiku from Chinese hackers who have a cluster set up in their house with enough brute-force power to use said data hacked by the two to make them millions. Kenya has to wake up to the fact that the rest of the world has invested billions in cyber security and is still getting hacked (look at Sony, Xbox, etc.). What do you think will happen when these hackers discover easy targets in Kenya/Africa? You will see several hacking rigs being set up, and the smart ones won’t even move from their desks; the four fiber connections to Kenya make remote hacks even easier.

So, in parting, NIC: go ahead, sentence them; sure, cast stones on them, but don’t forget you are to blame for what is happening and what will happen.


Posted by on January 16, 2015 in code, grad school, hack, idd sallim


The final Letter to Idd Salim

Dear Idd Salim,


It’s pretty hard writing this one… pretty hard. I just got a call from Vodaphone this morning about us guys missing our meeting for the 24th as planned. I had to break it to Clemence that you had passed on. A chill ran down my spine as I said that.

I think most people have never known how you and I met, and why I called you Beste Mnoma while everyone else called you Salim. Flashing back to 2003, exactly 10 years ago, that was the time we met… actually, you were with the other Jaymo (Maina), and when you said “Jaymo” I answered instead; you retorted “you, who called you…” But that was it for me; you and James were on some weird server configuration business. I was barely out of primary school, the only computer knowledge I had was DOS and writing batch scripts to delete folders in the computer lab, but you still didn’t shun me. You told me there was a language called Perl that had a similar effect, but I was way too busy being a rebel in high school to give a hoot.

After high school was when I got more serious with code, and the first real system I was to write was a car hire website. With 5% knowledge of PHP and crappy knowledge of any DB, I wrote it and came to show you. You laughed: “young man, what is this you are showing me now?” The damn thing was riddled with SQL injection exploits, bugs, a slow DB, etc. You made me work my ass off for it… and I did, and made my first 50K with your mentorship. I remember a pal once asking us why most coders have big heads and we laughed it off, saying we had a lot on our minds.

Anyone who knew me in college would attest to my love for your work; I always believed you were the gold standard for code quality. I refused to learn J2ME before Android, and I remember in 2009 we had a long argument about this… in the legendary shiba kisha ulipe. I told you I would become a great mobile dev; you always laughed and said, “why stop at mobile… we can be great, fiber is coming to Kenya soon.”

You were the big brother I never quite had; from Yii to CodeIgniter, when I was stuck I dialed your number. In college guys thought I was some sort of code ninja, but truth be told I was just really your intern. A normal call would be “Salim, man, the code is giving me trouble,” and you would reply “come to iHub and bring money for lunch” (you were the only one who called money chapaa in the 21st century).

Blogging… oh dear… we once had an argument there at Prestige, with you and Zack telling me I write like you. “Jaymo, you can’t write a blog like me, code like me, chat up a girl like me… don’t you have any originality?” But I always told you imitation was the sincerest form of flattery. And I bought a milkshake and we were good. I always made reference to you on the blog, and idolized your posts. When I was finally man enough to do it on my own I came to you and asked, “Salim, now that I can write good code, do you see me becoming a coder like you?” You minimized your windows and said, “If you need me to hold your hand, you are not ready… code is not bread, young man, but it can get you bread.” And with that Jaymo the coder was born… from winning hackathons to handling some of Kenya’s bluest of the blue-chip companies. I hacked, and also got into trouble like you. I left iHub over personal differences with people, but we still used to talk.

The one thing I never quite will forget about you was how you would make my hardest work look like Hello World. When I wrote a query and it ran in 1 second, you rewrote it and it ran in 0.16 seconds. When I called you and told you to start using Fedora instead of Ubuntu, you pimped your Ubuntu and made my Fedora look like Windows XP. And how can I forget the ladies… a nerd is still a nerd; when I ogled you would be, “Hey, a girl is not a shell script… talk politely and she may grant you root access to her drive V, where you can run bang bang or repeat finger. And from that you can man mount, then man dump, or if you are a sysadmin like the Safaricom ones you can man date.”

Last week, before you died, you gave me the code for the project you were working on to test for you and finish up some modules. I should have known you were unwell, I should have noticed you weren’t jovial, but I was busy being me, and for that, brother, I feel like I failed you and ask you to forgive me.

I will miss you, bro… I will… but you taught me well, and I will carry on the legacy you left. The shoes are big to fill, but I will be a master coder… you wait and see.


Posted by on September 26, 2013 in 254, code, idd sallim