Thus Spaketh Idd Salim

Tag: hacking

The need for a LEGIT Kenyan Hackers’ Initiative

by on Jul.20, 2011, under Coding

Secure Server Room

Yes. We all fear to speak about it.

At least those of us with no balls. [No offence to my female readers. You have 2 eyeballs.] But without

I have faced a lot of negative bile [double-double for effect] from paranoid company execs and what we call puSysAdmins [HelloWorld-Solex sysadmins who believe in fingerprint scanners and cameras and padlocks, ignoring the real security threat: the transport layer] every time I have spoken about the insecure banking systems and insecure banking technologies that make all the current bank fraud we see in Kenya so easy.

Some examples include:

  • Data records being deleted and digital money disappearing. Like we saw in PostaPay, where money was entered manually in the DB and then DELETED after you withdrew from an agent. Zero trace. Millions lost. Sabotage from IT? Maybe. Orders from greedy and unscrupulous management? I think so.
  • Illiterate ‘IT Managers’ being trusted with posts and responsibilities whose security requirements and implications they know nothing about.
  • Companies being awarded IT-security related tenders because of ‘Knowing Someone’ and not because of ‘Knowing Something’.
  • Spaghetti ‘Computer PornGrammers’ writing insecure code and thinking that just putting a sign that says ‘Site Secured by Thawte’ on an HTTP site with no certificate behind it at all will scare hackers shitless. The ‘Mbwa Kali Kuliko Nacet’ [‘dog fiercer than a Nacet blade’, the beware-of-the-dog sign] way of thinking.

A group of my friends and I wanted to start SOBHA (Starehe Old Boys Hackers Association) in 2009, but after receiving sanctions from the THEN Safaricom management and being seen as an enemy by many [sanctions lifted now thanks to inevitable sanity and kumea (growing up), thanks to Nick and Bob, not forgetting @rimbui], we decided it was not the right time to do that in Kenya. Or East Africa. It is better and more acceptable to start a ‘Give-Kibera-Girls-Pads-via-Facebook-and-Twitter-aka-TwitPad’ than to address the REAL issues affecting IT.

I was deeply honoured 2 weeks ago when a top Ugandan company called me to go there and do a hackability test and security RAV assessment of their IT real estate. Slowly, people are seeing the value of security beyond Yale/Solex/Tri-Star padlocks and mean-looking, rungu-wielding ‘i-will-fuck-you-up-if-you-come-near-this-server-room’ guards. Slowly, real hackers will start to be seen as FRIENDS and ASSETS.

But then comes the challenge. Skill level. Pure and über hackers. People who can write their own exploits. People who have written their own network-level/country-level virus interceptors. Let us get ONE thing clear and out there. If you cannot code, you CAN’T be a hacker/IT security guy. You can’t be a lesbian if you are not female. End of. There are no two ways about it. Haking si kuboil maji [hacking is not boiling water]. If you can’t code in at least C, Python, C++ or Java, then the closest you will ever come to a PenTester is a PenisTester.

Just like any other IT branch in Kenya, the security line of IT disciplines is slowly getting plagued by me-toos. Script kiddies who just download Nessus/SATAN, BT (BackTrack) and other hacker toys, have bookmarked PacketStorm and Astalavista, and then call themselves hackers. An insult to the profession.

But then again, you can’t blame the banks, telcos etc. You use what we have. Or import the best from out there. I know of 2 hackers [one Russian and the other Italian] who come to Qz a lot. They get paid over EUR 2000 per day as IT security consultants. Good stuff. Good for them. Challenge to us.

Back to code…

Wazi.


WhiteHatted, but Blacklisted

by on Jun.02, 2011, under Coding, Personal

Spot the difference.

It is the Madaraka week in Kenya and after all the ‘potatolization’ I witnessed on Tuesday night, it is back to code. Focused code. I have finished 6 Ovi Store apps over the last month. 5 are LIVE and 1 is under review. Pesa kwa wheelbarrow [money by the wheelbarrow]. Also I have Xema, Moca and TumaSMS version 2 to do. So, I will not be taking any side, top or bottom projects from next week Monday. Hata kama wewe ni nani [no matter who you are].

Focus is the name of the game. And no, I did not just realize this. It just took a PUSH to make me commit to this mantra.

The push came in on Monday last week when a client X I was working for on a project Y as lead developer (vagueness, despite being a pussy-blogger’s technique, is opted for to protect the client) got a call from a telco Z with instructions to REMOVE me from their developer team and terminate my contract, or risk being disconnected from all telco-related services. They were warned and asked to take the warning seriously. Unbeknownst to the client and me, the telco has me on a persona-non-grata, high-security-risk people blacklist.

My God! I was mortified. Another deal goes down the drain just because someone somewhere soils their pants at the very mention of the name ‘Cdr Idd Salim’. It was flattering to the ego. The fact that someone somewhere has sleepless nights because of me. #noHomo. But it was affecting the bottom line. I could not decide whether to laugh or cry. Whether to mull over the utter ignorance and paranoia, or just accept what we can’t change. We deliberated as a company and decided to CHANGE what we can’t ACCEPT! This is no longer funny.

As a company, we used our contacts in that telco and called up some senior management fellas to figure out what the problem was. A meeting is to be set. The agenda being to find out if this is an actual concern at the telco, or just a personal vendetta that some can-be-fired-next-week employee has with ‘This dangerous and malicious Salim Hacker Fella’ and his real estate.

Where has the world come to, where someone denies their company potentially massive revenues (like this project promised) just because they don’t like the supplier, despite the fact that there is 0% risk? The fear is just in the mind. Nothing material. Nothing tangible. Nothing proven. And I am just a WhiteHat trying to pay rent.

I am of more value as a friend than as an enemy. As a resource, than as a blacklisted person. Especially given the fact that what is being protected is still INSECURE and badly needs some fixing. Fixing by real hackers who know what needs to be fixed. Not changing the procedure. Fixing. You cannot drain your car of fuel so as to thwart theft. The thief will just come over with a can of fuel. And you are done for. Hata kama ni Vitz [even if it is a Vitz].

Just saying.

Back to code.

Wazi.


A low-success-rate (but possible) idiot-targeted social engineering Mpesa Hack

by on Jan.29, 2011, under Coding, Personal

Don't trust anyone. Even yourself.

This is a PUBLIC INFORMATION post meant to be a warning to would-be fraud victims. The last time I used Mpesa and Hack in the same blog post, well, let us just say (as Stacherians of 1998 would put it), ‘nilifixiwa na nikafyonzwa mpaka nikaona sunya’.

A short history: the Mpesa web interface works on IE and XP only. Maybe it still only does.

I shared a simple method (hack) that could make Mpesa work with Safari, Mozilla, Chrome in Windows, Linux and Mac. Wooi! Meetings were called, emails were sent. I got sanctions and everything a scared person could legally throw at me. Salim was blacklisted as a very dangerous Mpesa hacker. How did he know all this! And all I did was help. Ohh, the trials we go through! (PS: The sanctions are STILL in place.) Yep! Punished for innovating. And all I hoped for was at least a Bamba 50 or 1000 Bonga points. Ohh well!

You wouldn’t believe the amount of FEAR and PARANOIA people can have when faced with potential security threats, especially when they survive via security through obscurity. It is important to note that I use the word ‘mPesa’ loosely, as this social engineering hack would work on Zap, Pap, Tap, yuCash, yuGanda, OrangeMoney and BlueMonkey.

This is a potential attack on Mpesa users. Not the service, not even the C# Mpesa code. So Mpesa jamaas, relaxini bana [Mpesa guys, relax]. Don’t send me those emails again. I am on your side.

So, here goes. As a WhiteHat, I always try to think of potential attack points and then blow the whistle before the real attack is made. Erik Hersman once said, ‘If it works in Africa, it will work ANYWHERE’. I added, ‘If it cannot be broken in Kenya/Nigeria, it cannot be broken ANYWHERE’. This is because we are very cunning, innovative and cold-blooded schemers. So, jana [yesterday], I was working late @iHubKenya and iTosh and Gabbu were discussing this hack. The possibilities are awesome!

So, you receive an SMS: “J1NGA123 Confirmed. You have received Ksh2,400 from CHAMAA HANDSAM 254711234245 on 30/2/11 at 8:13 AM. New M-PESA balance is Ksh4,500”. “Hmmn”, you wonder. “I don’t know this contact. But, praise the Lord. It’s my lucky day!”

Then after a minute or 5, your phone rings. You pick up and they speak. “Hello, this is CHAMAA HANDSAM. I have accidentally sent you Ksh2,400 which was meant to be sent to my Mum who is VERY SICK in hospital. Please have the fear of the almighty God in you and return at least HALF the money. She is very sick and desperately needs it. Please send to this number ASAP!”

There. No more. The situation has been created. The question is, what do you do? This is a direct attack on 3 human characteristics:

  • Gullibility.
  • Compassion.
  • Fear of God – Spirituality.

The most natural thing to do would be to SEND BACK the money, right? I hear you. You are thinking like a good human being. So did iTosh. So would a very big percentage of Kenyans.

But here comes the Black Hack. The success of the attack is purely based on 3 things that are scarily true.

  • Kenyans always have at least 2-5k in their Mpesa balance. In case of emergencies.
  • When faced with an ‘emergency situation’, people will give the benefit of the doubt to the ‘victims’. Those ‘less fortunate than them’. This will make the target SEND the money to the unfortunate CHAMAA HANDSAM more or less immediately. Without checking their REAL Mpesa balance.
  • Most people do not check the Mpesa source. As long as an SMS ‘syntactically looks’ like an Mpesa SMS, it passes. No SMS source verification (a VERY GAPING security hole in some of the local payment processors. Ahem!).

So, being the compassionate human being you are, you send them the cash. And one of two things will happen:

  • Mpesa responds with a warning that you don’t have enough credit to send that amount. Lucky you!!
  • You get educated. The street way!
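What the receiving side could actually check, as an added example that is not from the post, from Safaricom or from any payment processor: a parser for the confirmation template quoted above, plus the three checks the victims in this scenario skip. The trusted originator ID (“MPESA”) is an assumption and must be confirmed with the operator; the balance figure must come from a genuine balance query, never from the SMS itself. The quoted SMS is dated 30/2/11, a day that does not exist, and that is one of the tells the script catches.

```python
import re
from datetime import date

# Assumption: genuine M-PESA confirmations arrive from a fixed alphanumeric
# originator rather than a subscriber number. "MPESA" is the assumed value;
# confirm it with the operator before relying on it.
TRUSTED_SENDERS = {"MPESA"}

# Shape of the confirmation text quoted in the post: code, amount, sender name,
# sender MSISDN, date, time, new balance.
CONFIRMATION_RE = re.compile(
    r"^(?P<txid>[A-Z0-9]+) Confirmed\. You have received Ksh(?P<amount>[\d,]+(?:\.\d{2})?) "
    r"from (?P<name>.+?) (?P<msisdn>254\d{9}) on "
    r"(?P<day>\d{1,2})/(?P<month>\d{1,2})/(?P<year>\d{2}) at (?P<time>\d{1,2}:\d{2} [AP]M)\. "
    r"New M-PESA balance is Ksh(?P<balance>[\d,]+(?:\.\d{2})?)"
)


def shillings(text):
    """'2,400' -> 2400.0"""
    return float(text.replace(",", ""))


def parse_confirmation(body):
    """Fields of an M-PESA-looking receipt, or None if the text does not fit the template."""
    m = CONFIRMATION_RE.match(body.strip())
    if not m:
        return None
    f = m.groupdict()
    return {
        "txid": f["txid"],
        "amount": shillings(f["amount"]),
        "name": f["name"],
        "msisdn": f["msisdn"],
        "day": int(f["day"]),
        "month": int(f["month"]),
        "year": 2000 + int(f["year"]),
        "balance": shillings(f["balance"]),
    }


def assess_receipt(sender, body, real_balance_before):
    """Red flags for a 'you have received' SMS.

    sender              -- the originator the handset shows for the SMS
    body                -- the SMS text
    real_balance_before -- your balance from a genuine balance query, not from the SMS
    """
    flags = []
    if sender not in TRUSTED_SENDERS:
        flags.append("sender is not the M-PESA originator ID")
    fields = parse_confirmation(body)
    if fields is None:
        flags.append("text does not fit the M-PESA confirmation format")
        return flags
    try:
        date(fields["year"], fields["month"], fields["day"])
    except ValueError:
        flags.append("transaction date does not exist")
    # A real receipt's new balance equals what you had plus what arrived.
    if abs(real_balance_before + fields["amount"] - fields["balance"]) > 0.005:
        flags.append("claimed new balance does not match your real balance plus the amount")
    return flags


# Constructed samples. FORGED_SMS is the text quoted in the post, as an attacker
# would send it from an ordinary subscriber number (the number is assumed);
# GENUINE_SMS is the same template with values that are consistent.
FORGED_SENDER = "+254711234245"
FORGED_SMS = ("J1NGA123 Confirmed. You have received Ksh2,400 from CHAMAA HANDSAM 254711234245 "
              "on 30/2/11 at 8:13 AM. New M-PESA balance is Ksh4,500")
GENUINE_SMS = ("J1NGA123 Confirmed. You have received Ksh2,400 from CHAMAA HANDSAM 254711234245 "
               "on 28/2/11 at 8:13 AM. New M-PESA balance is Ksh4,500")

if __name__ == "__main__":
    print(assess_receipt(FORGED_SENDER, FORGED_SMS, real_balance_before=1500.0))
    print(assess_receipt("MPESA", GENUINE_SMS, real_balance_before=2100.0))
```

The sender check is the one the post calls the gaping hole: a payment processor that accepts a receipt because it looks right, without checking who it came from, fails the first test before any of the others matter.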

Back to code…

Wazi.


The KenyaPolice Website hack – An Analysis

by on Jan.06, 2011, under Coding, Personal, Symbiotic

Hacked? How about stoned?

And so, last Friday after Salat Jumaa, Teddy and his kambasam groupie called me and invited me to go with them to Naivasha, CrayFish. I was in the middle of code, but decided to take this as a good chance to take a break from Anastacia (my Ubuntu 10.10 laptop). First of all, I backed up all my systems, including ProjectX4, to my cloud, in case someone broke in and stole my stuff.

All safe, I left with them. At night, my phone went dead as I had no charger, so for the first time, I was off the net for over 24 hours.

On Sunday evening, I returned to the city, tired but rejuvenated. I charged my phone and opened the holy 4 (Twitter, Gmail, ArsenalTimes and Facebook). Then I read a tweet. ‘Kenya Police Website Hacked. Again.’

“Hmmmn… Real hackers, at last!”, I smiled. “Now the banks and telcos will take us seriously”. So I decided to open the KP website and check out the hack, ready to be awed, my hackrection slowly hardening and throbbing.

Pffft! Kid stuff. Hacked? Is that hacking? How about we call a Vitz a car while we are at it? The KP website has been a victim of a ‘defacing’. A simple home page replacement. That’s all. Any idiot with access could do that. The sysadmin. His friend. His girlfriend. His cat. Anyone!

I was partly annoyed. But then the question arose: how did the ‘hacker’ get access to the KP website? So I started digging for e-clues and investigating. And then I found the answer. And I will share it.

Now, in this post, I will openly share some simple kindergarten tricks that a would-be ‘hacker’, hacker or script kiddie could use to ‘hack’ or, correctly put, deface a low-or-zero-security website. I have never done this before, but I feel obliged. This information is meant for use by sysadmins to check just ‘how much’ information their website is leaking to prying eyes.

Step 1 – Reconnaissance (Information Gathering)

It is now a tired song. And at the risk of sounding like a broken record, I will repeat it: “You are only as strong as your weakest link”. The same applies to security. The most mundane type of recon is looking for all publicly available ‘common files’. E.g. .TXT, .PDF, .DOC, .MDB etc. A simple Google search for all the TXT files on the Kenya Police site does the job. Sadly.

Open Sesame

Step 2 – The Hack – (Intrusion, Defacing, Real hacking)

This is step 2. It involves the actual hack and privilege escalation. You did not expect me to share that, did you? In the case of the KP site, the job is already done by now. All the ‘hacker’ had to do was… you guessed it… LOGIN!!

Step 3 – Owning

Once in, make sure no one else (externally) can get in. This involves FIXING the holes you found (remove the TXT file above etc., or leave it but change the password in the TXT, not the system, lest the admins notice the change). In case they change the password, install a backdoor or change the code for the login script to accept all valid logins PLUS yours (add an OR to the SQL WHERE clause).

Step 4 – Covering Tracks

This is where people get caught. Not covering tracks. Using direct connections. Assuming ‘no one will notice’. Etc. #IWontShare. Shikweni nyote [may you all get caught].
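For the sysadmin this post is addressed to, an added example (mine, not the post’s and not anything from the Kenya Police site): a scan of a web root for the ‘common files’ that step 1 finds with a search like site:<domain> filetype:txt, a grep for credential-looking lines inside them, and a hash snapshot that catches the step 3 trick of quietly editing the login script. The sample web root, its file names and their contents are constructed; the extra extensions beyond the post’s .TXT/.PDF/.DOC/.MDB are my addition.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# File types the post lists as the first thing an attacker googles for, plus
# backup and dump types that leak just as often (the extras are an assumption).
LEAKY_EXTENSIONS = {".txt", ".pdf", ".doc", ".mdb", ".bak", ".old", ".sql", ".zip"}

# Lines that look like a stored credential inside such a file.
CREDENTIAL_RE = re.compile(r"(?i)\b(?:pass(?:word|wd)?|pwd|secret|username|login)\b\s*[:=]")


def _relative(root, path):
    return path.relative_to(root).as_posix()


def find_exposed_files(docroot):
    """Relative paths under the web root whose extension is one an attacker would search for."""
    root = Path(docroot)
    return sorted(
        _relative(root, p)
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in LEAKY_EXTENSIONS
    )


def credential_hits(path):
    """(line number, line) pairs in a file that look like credentials."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for number, line in enumerate(fh, 1):
            if CREDENTIAL_RE.search(line):
                hits.append((number, line.rstrip()))
    return hits


def snapshot(docroot):
    """SHA-256 of every file under the web root, keyed by relative path."""
    root = Path(docroot)
    return {
        _relative(root, p): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*")
        if p.is_file()
    }


def changed_files(docroot, previous):
    """Compare the web root against an earlier snapshot: {path: 'added'|'removed'|'modified'}."""
    current = snapshot(docroot)
    changes = {}
    for rel in set(previous) | set(current):
        if rel not in current:
            changes[rel] = "removed"
        elif rel not in previous:
            changes[rel] = "added"
        elif current[rel] != previous[rel]:
            changes[rel] = "modified"
    return changes


def build_sample_docroot(base):
    """Constructed sample web root (not a real site): a login script and a stray notes file."""
    root = Path(base)
    (root / "admin").mkdir(parents=True, exist_ok=True)
    (root / "admin" / "login.php").write_text(
        "<?php\n$q = \"SELECT * FROM users WHERE user='$u' AND pass='$p'\";\n"
    )
    (root / "admin" / "setup_notes.txt").write_text(
        "Admin console setup\nusername: webadmin\npassword: changeme\n"
    )
    (root / "index.html").write_text("<html><body>Welcome</body></html>\n")
    return root


def demo():
    """Run the leak scan, take a snapshot, then simulate the step 3 backdoor and detect it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_docroot(tmp)
        exposed = find_exposed_files(root)
        creds = {rel: credential_hits(root / rel) for rel in exposed}
        before = snapshot(root)
        # An intruder widens the login query with an OR so their own account always passes.
        login = root / "admin" / "login.php"
        login.write_text(login.read_text().replace("'$p'\"", "'$p' OR user='intruder'\""))
        return {"exposed": exposed, "credential_lines": creds, "changes": changed_files(root, before)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run the scan against your own document root before Google does it for you; keep the snapshot somewhere the web server cannot write, and diff it on a schedule, since a modified login script is exactly what the post says a careful intruder leaves behind.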

In Retrospect – catching the attackers.

I heard that in a bid to stop further hacking, the police have banned machetes and axes. This is a good step, but we could do better. The police can use the fact that the ‘hacker’ is inexperienced and still has a hard-on for their website.

  • They could set up a honeypot and lure the assailants back for hack number 4, which will prove to be their last.
  • They could set up an IP-logging model of a FAM.

Na mengine mengi [and many more].

The US government has set up a hacker department for defending the country and pre-empting attacks. It is time the Kenyan government rewarded the elite, don’t you think? We are here. We are capable. We are willing. We are waiting.

Wazi…

Back to code.

